A hacker upload files on server
Dear all,
recently our online server ( Hosting server with more then 200 web sites) attacked by hacker which separate some files all over the directories of our clients ,
I need to know how he upload such a files to our server?
thanks,
recently our online server ( Hosting server with more then 200 web sites) attacked by hacker which separate some files all over the directories of our clients ,
I need to know how he upload such a files to our server?
thanks,
Joe Howard
I'm afraid nobody but that hacker can answer that. As to how it is possible, I don't think that can be answered before knowing the specifics of the server and it's security.
ASKER
I meant the possible way ...
As I wrote:
As to how it is possible, I don't think that can be answered before knowing the specifics of the server and it's security.
ASKER
do you have a specific question?
if you don't , no need to reply or answer me ... just give a chance to me and others to find a solution ....
if you don't , no need to reply or answer me ... just give a chance to me and others to find a solution ....
Good luck!
It could be as simple as easy password to guess or anonymous access is granted, perhaps you have ports open that you shouldn't. Forms can be abused, php/asp and others can be abused. There are too many ways to name, the site could have a backdoor on it.
I would use Skipfish to scan your site and maybe it will help you pinpoint a few problems. Download and extract skipfish, open cmd promt, and use a command like this:
skipfish,exe -o c:\temp\mywebsite http://mywebsite.com
You should create the c:\temp\mywebsite folder (doesn't have to be that name) and then change mywebsite.com to your sites address.
The windows version of skipfish can be found here: http://didasec.wordpress.com/2012/12/17/skipfish-2-10b-for-windows/
-rich
I would use Skipfish to scan your site and maybe it will help you pinpoint a few problems. Download and extract skipfish, open cmd promt, and use a command like this:
skipfish,exe -o c:\temp\mywebsite http://mywebsite.com
You should create the c:\temp\mywebsite folder (doesn't have to be that name) and then change mywebsite.com to your sites address.
The windows version of skipfish can be found here: http://didasec.wordpress.com/2012/12/17/skipfish-2-10b-for-windows/
-rich
How was it done? Could be FTP. Or scp. Or sftp. Or HTTP upload. Or telnet. Or SQL injection. Or malware. Or... Well, who knows how many possible ways? All we could do is list every possible way that files can be created and populated over a network. Technically, there are probably many thousands of possible ways.
In order to limit the number, we'd need to know details of every service and every app on your servers that can accept connections and write data to your local file systems. And then we'd have to know of vulnerabilities in the apps, ones that might be generally known only to the developers. (And maybe not even known to them.)
Tom
In order to limit the number, we'd need to know details of every service and every app on your servers that can accept connections and write data to your local file systems. And then we'd have to know of vulnerabilities in the apps, ones that might be generally known only to the developers. (And maybe not even known to them.)
Tom
ASKER
Thank you guys for replies ,
I think its a sql injection , cuz many resons :
- All application ( web sites) running on our server we had developed it.
- unusual activities on SQL server last 2 3 days before the seeing the effect of attack.
- the attack is very limited its send 5 files with a html contents :
index.asp , default.cfm, default.htm, default.html, default.php, index.cfm, index.htm, index.php
- Those files separated all over the hosting account in all folders except the www folder
I have this folder structure :
D:\HC\ResellerName\ClientN
I notics that hacker can write the 8 files (mentioned above) on all folder except www , + he able to write those 8 files on sub folders under www.
- Also we notices many SQL keywords in LOF file like : convert() , version , db_name, user_name substring() ,isnull ,ascii, lower
- But my understanding that sql injection effect only DB not files , if it effect the files can you please tell me how to stop such a service of try to prevent its effect.
I use windows server 2003 + sql server 2008, + iis 6
I think its a sql injection , cuz many resons :
- All application ( web sites) running on our server we had developed it.
- unusual activities on SQL server last 2 3 days before the seeing the effect of attack.
- the attack is very limited its send 5 files with a html contents :
index.asp , default.cfm, default.htm, default.html, default.php, index.cfm, index.htm, index.php
- Those files separated all over the hosting account in all folders except the www folder
I have this folder structure :
D:\HC\ResellerName\ClientN
I notics that hacker can write the 8 files (mentioned above) on all folder except www , + he able to write those 8 files on sub folders under www.
- Also we notices many SQL keywords in LOF file like : convert() , version , db_name, user_name substring() ,isnull ,ascii, lower
- But my understanding that sql injection effect only DB not files , if it effect the files can you please tell me how to stop such a service of try to prevent its effect.
I use windows server 2003 + sql server 2008, + iis 6
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I don't use or run wordpress, phpbb, durpal or any other system, we develop our own only..
Yes I know it may have some vulnerabilities ...
Yes my case exactly like the one you mentioned I will check it and come back to you ...
I use asp and asp.net only. which is make the attack very limited..
Yes I know it may have some vulnerabilities ...
Yes my case exactly like the one you mentioned I will check it and come back to you ...
I use asp and asp.net only. which is make the attack very limited..
Any vulnerability is fine.
Since you mention website - it could be httpd that can write data directories among others...
Since you mention website - it could be httpd that can write data directories among others...