Recommendations for intruder alert software for Windows Server 2008

We recently had some files uploaded to some sites on our server by black hat SEO hackers. They even managed to slightly modify some key files such as web.config.

Can anyone recommend any software we can install on our Windows 2008 server which can detect when such exploits take place and send an alert?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dan McFaddenSystems EngineerCommented:
There is more to this issue than just installing software to catch/prevent the issue.  You don't want to react to issues like this, you need to be proactive and work to close as many of the attackable vectors that exist.

I recommend doing the following:
1. web server audit
--- what is the OS patch level, what is installed above default, why is additional SW installed
2. firewall audit
--- what is allowed in, to what destination and why
3. build list of action items
4. strengthen the configuration of Internet exposed servers based on items ID'ed in the audits
5. scan server for known hacker utilities or known weak software utils.

From an IIS standpoint:
1. how many websites are hosted on the server?
2. has the IIS installation been hardened?  Enhanced the config past default?
2a. are you using inetpub to store content?
2b. SSL certs being used?
2c. http logging enabled & configured?
3. what frameworks are required to operate those sites? (ASP.NET, PHP, etc)
3a. what custom applications are required?
4. what 3rd party CMS are required (Wordpress, Drupal, Joomla, etc.)
5. how are the site bound to IPs?
6. what protocols are supported?  http, https, ftp, smtp?
7. how are the individual websites configured?
7a. is directory browsing allowed?
7b. 3rd party ISAPI modules installed?
8. are you analyzing your http logs?
9. are you analyzing your event logs?
9a.  Application Log 1309 events are typically an indication of undesirable activity on your server.

My point is to find out how they compromised your site and whether or not they have taken over your server.  If it is only a website defacement (best case scenario), figure out how to close that opening and secure the site/server again.

Then I would look into monitoring & detection packages.  Though, doing an audit and understanding your environment is urgent!

for example (this is the 1st that came to mind):



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mike99cAuthor Commented:
Thanks for this feedback Dan. I actually have a separate post requesting information about how the exploit occurred. This post was specifically about recommendations for detection software but thanks anyway as it is all useful. I will wait for a few more responses before awarding points.
Dan McFaddenSystems EngineerCommented:
OK, I reposted my IIS questions there.

Also, you might want to check out CloudFlare (link: which could help with preemptive monitoring and protection.

Depending on budget and requirements, the free service level may help.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.