Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

A hacker upload files on server

Posted on 2014-01-14
11
Medium Priority
?
637 Views
Last Modified: 2014-01-26
Dear all,
recently our online server ( Hosting server with more then 200 web sites) attacked by hacker which separate some files all over the directories of our clients ,


I need to know how he upload such a files to our server?

thanks,
0
Comment
Question by:ethar1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +2
11 Comments
 
LVL 27

Expert Comment

by:MacroShadow
ID: 39779646
I need to know how he upload such a files to our server?
I'm afraid nobody but that hacker can answer that. As to how it is possible, I don't think that can be answered before knowing the specifics of the server and it's security.
0
 

Author Comment

by:ethar1
ID: 39779841
I meant the possible way ...
0
 
LVL 27

Expert Comment

by:MacroShadow
ID: 39779863
As I wrote:
As to how it is possible, I don't think that can be answered before knowing the specifics of the server and it's security.
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 

Author Comment

by:ethar1
ID: 39779898
do you have a specific question?
if you don't , no need to reply or answer me ... just give a chance to me and others to find a solution ....
0
 
LVL 27

Expert Comment

by:MacroShadow
ID: 39779918
Good luck!
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39781101
It could be as simple as easy password to guess or anonymous access is granted, perhaps you have ports open that you shouldn't. Forms can be abused, php/asp and others can be abused. There are too many ways to name, the site could have a backdoor on it.

I would use Skipfish to scan your site and maybe it will help you pinpoint a few problems. Download and extract skipfish, open cmd promt, and use a command like this:
skipfish,exe -o c:\temp\mywebsite http://mywebsite.com
You should create the c:\temp\mywebsite folder (doesn't have to be that name) and then change mywebsite.com to your sites address.
The windows version of skipfish can be found here: http://didasec.wordpress.com/2012/12/17/skipfish-2-10b-for-windows/
-rich
0
 
LVL 27

Expert Comment

by:tliotta
ID: 39781452
How was it done? Could be FTP. Or scp. Or sftp. Or HTTP upload. Or telnet. Or SQL injection. Or malware. Or... Well, who knows how many possible ways? All we could do is list every possible way that files can be created and populated over a network. Technically, there are probably many thousands of possible ways.

In order to limit the number, we'd need to know details of every service and every app on your servers that can accept connections and write data to your local file systems. And then we'd have to know of vulnerabilities in the apps, ones that might be generally known only to the developers. (And maybe not even known to them.)

Tom
0
 

Author Comment

by:ethar1
ID: 39782368
Thank you guys for replies ,

I think its a sql injection , cuz many resons  :
 - All application ( web sites) running on our server we had developed it.
 - unusual activities on SQL server last 2 3 days before the seeing the effect of attack.
 - the attack is very limited   its send 5 files with a html contents  :
   index.asp ,  default.cfm, default.htm, default.html, default.php, index.cfm, index.htm, index.php
-  Those files separated all over the hosting account in all folders except the www folder
I have this folder structure :

D:\HC\ResellerName\ClientName \ www \ ( some other folders depend on the application)

I notics that hacker can write the 8 files (mentioned above) on all folder except www , + he able to write those 8 files on sub folders under www.
 - Also we notices many SQL keywords in LOF file like : convert()  , version  , db_name, user_name substring() ,isnull ,ascii, lower

- But my understanding that sql injection effect only DB not files  , if it effect the files can you please tell me how to stop such a service of try to prevent its effect.

I use windows server 2003 + sql server 2008, + iis 6
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 39782432
Again there is sooo much it could be, and SQL injection doesn't often result in file uploads. If you run wordpress, phpbb, durpal or many other forum or framework they all have exploits.
Take a very popular and well maintained framework like wordpress:
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=wordpress&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
There are thousands of exploits for it. now think about one "your buddy" wrote for you... Coding is hard to do right and easy to do wrong. Security is often an after thought until you get burned. I'd find some tools or hire an individual to scan your site.
Unpatched versions of the webserver, apache, iis and others can be a cause, the programming language can be too, they need security updates and tight security settings.

Your case seems similar to this:
http://www.davidorlo.com/articles/it-admin/iis-hacked-index-default-files-replaced Good tips if you have the same setup.
-rich
0
 

Author Comment

by:ethar1
ID: 39782492
I don't use or run wordpress, phpbb, durpal  or any other system, we develop our own only..

Yes I know it may have some vulnerabilities ...

Yes my case exactly like the one you mentioned I will check it and come back to you ...

I use asp and asp.net only. which is make the attack very limited..
0
 
LVL 62

Expert Comment

by:gheist
ID: 39789039
Any vulnerability is fine.
Since you mention website - it could be httpd that can write data directories among others...
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question