ricc (Just Arrived), Joined: 27 Mar 2007, Posts: 0
Posted: Tue Mar 27, 2007 12:57 pm. Post subject: Windows 2003, website hacked?
I have a site hosted on a Windows 2003 server. The site is running ASP.NET 1.1.
The site is fine apart from one page. The page in question is in an "admin area" and uses Forms Authentication.
When you are logged in and try to go to the page, you are redirected to 09ali.sitemynet dot com.
If you are not logged in, you are taken to the site's usual "you need to login" page as normal.
Any ideas what I can do?
Thanks
Last edited by ricc on Tue Mar 27, 2007 4:24 pm; edited 2 times in total
dannyboy 950 (Lurker), Joined: 27 Dec 2004, Posts: 10, Location: Port Arthur Texas
Posted: Tue Mar 27, 2007 3:21 pm
Basically, you've been hacked. First off, edit the post and break that link.
Pull your pages offline and begin running security scans, and check your logs, all of them, and see if ya can find him.
ricc (Just Arrived), Joined: 27 Mar 2007, Posts: 0
Posted: Tue Mar 27, 2007 4:23 pm
dannyboy 950 wrote:
> Pull your pages offline and begin running security scans, and check your logs, all of them, and see if ya can find him.

Thanks for the reply. What should I be looking for in the files? Never been hacked before.
stimpy99 (Just Arrived), Joined: 11 Sep 2005, Posts: 0
Posted: Tue Mar 27, 2007 8:57 pm
ricc wrote:
> Thanks for the reply. What should I be looking for in the files? Never been hacked before.

This is like asking "how long is a piece of string", but I will try to help by asking a few questions.
It depends how far you want to take it and what you would then want to do about it. If it were my corporate server I would look at finding out how they got in and whether there was any way to trace them (i.e. was it an inside job). Would you want to:
- try and trace the hackers (nigh on impossible)?
- just get the thing patched and up and working again as soon as possible?
- find out how they got in there, to help shore up your defences for next time?
My initial advice would be to take the server down (I assume you have physical access to it and it is not hosted by a third party; if it is, see below) and take a copy of the logs so you can look at them "offline" while the server is back up and running. I assume that you do not want to run a full forensics job on this box.
Then patch it with all the latest MS patches. If you wanted to just get it up and running, then patch everything: MS, firewall, etc. Remove the hacked page and stick it back on the web. Then have a look at the logs. You would need MS event logs, HTTP logs, firewall logs and any proxy logs, and see if you can find any anomalies in them.
If it is hosted, ask your service provider to investigate.
alt.don (SF Boss), Joined: 04 Mar 2003, Posts: 58
Posted: Tue Mar 27, 2007 9:08 pm
Hello ricc,
The way I see it is that if you have been successfully compromised you don't have much choice but to format the drive and reinstall everything. You will never know if you have caught any and all malware installed by the attacker. I wouldn't take any chances. Wipe the drive and start over.
stimpy99 (Just Arrived), Joined: 11 Sep 2005, Posts: 0
Posted: Tue Mar 27, 2007 9:11 pm
alt.don wrote:
> Hello ricc,
> The way I see it is that if you have been successfully compromised you don't have much choice but to format the drive and reinstall everything. You will never know if you have caught any and all malware installed by the attacker. I wouldn't take any chances. Wipe the drive and start over.

Sorry ricc, that was one of the things that I meant to add but forgot. You could have anything on there: rootkits that aren't detected by AV software, or anything. The line above that says "patch MS" should have been "patch it to the hilt *after* the rebuild of the OS".
stimpy99 (Just Arrived), Joined: 11 Sep 2005, Posts: 0
Posted: Tue Mar 27, 2007 9:15 pm
Sorry, don't know what is wrong with me tonight!
Take a backup of all the logs first, before you flatten the box, otherwise you will have nothing to analyse.
ricc (Just Arrived), Joined: 27 Mar 2007, Posts: 0
Posted: Tue Mar 27, 2007 9:17 pm
Thanks for the replies... really appreciate the help.
One last question: the effect of the hack only seems to affect one URL within one of my sites, in that when this URL is requested it redirects to an external site. Any ideas on what I should be looking for? How would they achieve this?
Thanks again
stimpy99 (Just Arrived), Joined: 11 Sep 2005, Posts: 0
Posted: Tue Mar 27, 2007 9:26 pm
ricc wrote:
> Thanks for the replies... really appreciate the help.
> One last question: the effect of the hack only seems to affect one URL within one of my sites, in that when this URL is requested it redirects to an external site. Any ideas on what I should be looking for? How would they achieve this?
> Thanks again

Difficult without knowing your site. Do you run IIS? Do you run an SQL DB, for example? There are so many attack vectors that could have been employed here. Give us some more info and I'm sure we can point you in the right direction, hopefully.
ricc (Just Arrived), Joined: 27 Mar 2007, Posts: 0
Posted: Tue Mar 27, 2007 9:37 pm
The site is running on IIS v6, using ASP.NET Framework 1.1, and using MS SQL 2000 DBs.
Would you achieve such a hack by altering the .aspx page at the URL that is redirected, or would it be something within IIS?
I'm in the process of changing server anyway; I just want to fix this one symptom until I get the new servers up and running.
stimpy99 (Just Arrived), Joined: 11 Sep 2005, Posts: 0
Posted: Tue Mar 27, 2007 9:45 pm
ricc wrote:
> Would you achieve such a hack by altering the .aspx page at the URL that is redirected, or would it be something within IIS?

You would need to find out how they altered the code: was it SQL injection, or did they do it by hacking your login, or via an IIS bug? That is what you need to trawl through the logs to find out, and hopefully there is a clue there. Look for strange POSTs, or whatever else should not be there in normal HTTP traffic.
When rebuilding the box, make sure to patch it. Also, if you are running 2003 SP1, run the Security Configuration Wizard and turn off anything you do not need.
PS: does the code change often? If not, think about cutting your wwwroot directory onto a write-once CD and serving your site from that. If you have enough memory, Windows should cache most of the content after it is first used.
hax0r26 (Just Arrived), Joined: 20 Feb 2007, Posts: 0, Location: United States of America
Posted: Wed Mar 28, 2007 6:11 am
I think it's safe to assume this person already *altered your log files* to ensure he can't be tracked. What would it look like? Something like this (if you're running Apache 2.2.4):

Quote:
> 0.0.0.0- - [22/Mar/2007:23:31:33 -0300] "get http:1.1/" 400
> 0.0.0.0- - [22/Mar/2007:23:35:38 -0300] "GET /etc//shadow HTTP/1.0" 404 209
> 0.0.0.0 - - [22/Mar/2007:23:56:44 -0300] "JUNK /HTTP/1.0" 501 214
> 0.0.0.0 - - [22/Mar/2007:23:57:01 -0300] "HEAD /HTTP/1.1" 400 226
> 0.0.0.0 - - [22/Mar/2007:23:57:18 -0300] "OPTIONS /HTTP/1.0" 500 539
> 0.0.0.0 - - [22/Mar/2007:23:57:30 -0300] "HEAD /HTTP/1.0" 400 226
> 0.0.0.0 - - [23/Mar/2007:00:04:33 -0300] "GET httpd.conf" 400 226
> 0.0.0.0 - - [23/Mar/2007:00:17:10 -0300] "DELETE / HTTP/1.0" 405 234
> 0.0.0.0 - - [23/Mar/2007:00:17:27 -0300] "DELETE / HTTP/1.0" 405 234
> 0.0.0.0 - - [23/Mar/2007:00:18:48 -0300] "HTTPRINT" 501 220
> 0.0.0.0 - - [23/Mar/2007:00:20:38 -0300] "TRACE" 200 9
> 0.0.0.0 - - [23/Mar/2007:00:21:18 -0300] "CONNECT" 400 226
> 0.0.0.0 - - [23/Mar/2007:00:21:27 -0300] "OUT" 501 215

If you have a database like you claim, my guess is he downloaded your whole DB without you knowing about it. Me personally, I would have rooted their server(s), downloaded their database and then changed/modified the log files, and I would have never gone back and left it alone.
The best advice I've seen in this whole thread is:

Quote:
> Hello ricc,
> The way I see it is that if you have been successfully compromised you don't have much choice but to format the drive and reinstall everything. You will never know if you have caught any and all malware installed by the attacker. I wouldn't take any chances. Wipe the drive and start over.

Totally agree. Your security has been breached. Again, wipe the drive and start over.
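Stimpy99's advice to trawl the HTTP logs for strange POSTs and anything that does not belong in normal traffic, and hax0r26's log excerpt above, both come down to the same task: parse the access log and pull out the requests a normal visitor to an ASP.NET site would never send. The script below is an added example, not code from anyone in this thread. It parses NCSA/Apache-style lines like the ones quoted and tags each request with the anomaly rules that fire (odd or lower-case methods, requests with no HTTP version, paths naming sensitive files, and clients that rack up many error responses). The sample lines are constructed, modelled on the excerpt with a made-up second client; the method whitelist, path markers and error threshold are assumptions to tune for your own site. IIS 6 writes W3C extended format by default, so on an IIS box only the regex needs changing; the rules carry over.

```python
"""Tag anomalous requests in NCSA/Apache-style access log lines (added example)."""
import re
from collections import Counter

# Constructed sample, modelled on the excerpt quoted in the thread. Addresses and
# timestamps are made up; 0.0.0.0 stands in for the unknown client address.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Mar/2007:23:30:01 -0300] "GET /index.aspx HTTP/1.1" 200 5120
10.0.0.5 - - [22/Mar/2007:23:30:02 -0300] "POST /login.aspx HTTP/1.1" 302 0
0.0.0.0 - - [22/Mar/2007:23:31:33 -0300] "get http:1.1/" 400 226
0.0.0.0 - - [22/Mar/2007:23:35:38 -0300] "GET /etc//shadow HTTP/1.0" 404 209
0.0.0.0 - - [22/Mar/2007:23:56:44 -0300] "JUNK /HTTP/1.0" 501 214
0.0.0.0 - - [22/Mar/2007:23:57:18 -0300] "OPTIONS /HTTP/1.0" 500 539
0.0.0.0 - - [23/Mar/2007:00:04:33 -0300] "GET httpd.conf" 400 226
0.0.0.0 - - [23/Mar/2007:00:17:10 -0300] "DELETE / HTTP/1.0" 405 234
0.0.0.0 - - [23/Mar/2007:00:20:38 -0300] "TRACE" 200 9
0.0.0.0 - - [23/Mar/2007:00:21:27 -0300] "OUT" 501 215
"""

# Common log format: ip ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed tuning: methods a plain ASP.NET site is expected to serve; anything
# else (TRACE, DELETE, made-up verbs, lower-case verbs) is worth a look.
NORMAL_METHODS = {"GET", "POST", "HEAD"}
# Assumed tuning: substrings that have no business in a request path on a public site.
SENSITIVE_PATH_MARKERS = ("/etc/", "shadow", "httpd.conf", "web.config", "..")
ERROR_BURST_THRESHOLD = 4  # 4xx/5xx responses per client before the client is flagged


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["req"].split()          # "METHOD path HTTP/x.y", possibly truncated
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["version"] = parts[2] if len(parts) > 2 else ""
    return rec


def classify(rec):
    """Return the set of anomaly tags that apply to one parsed record."""
    tags = set()
    method, path, version = rec["method"], rec["path"], rec["version"]
    if not path or not version.startswith("HTTP/"):
        tags.add("malformed_request")   # no path or no protocol version: not a browser
    if method != method.upper() or method not in NORMAL_METHODS:
        tags.add("unusual_method")
    if any(marker in path for marker in SENSITIVE_PATH_MARKERS):
        tags.add("sensitive_path")
    return tags


def analyse(log_text):
    """Parse every line, tag anomalies, and flag clients with many error responses."""
    findings = []
    errors_by_ip = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1               # lines that do not parse deserve a manual look too
            continue
        if rec["status"] >= 400:
            errors_by_ip[rec["ip"]] += 1
        tags = classify(rec)
        if tags:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "req": rec["req"],
                             "status": rec["status"], "tags": sorted(tags)})
    bursts = {ip: n for ip, n in errors_by_ip.items() if n >= ERROR_BURST_THRESHOLD}
    return {"findings": findings, "error_bursts": bursts, "unparsed": unparsed}


def summarize(log_text):
    """Per-client count of flagged requests, most suspicious client first."""
    per_ip = Counter(f["ip"] for f in analyse(log_text)["findings"])
    return per_ip.most_common()


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for f in report["findings"]:
        print(f'{f["ip"]} {f["ts"]} {f["status"]} "{f["req"]}" -> {", ".join(f["tags"])}')
    print("error bursts:", report["error_bursts"])
    print("unparsed lines:", report["unparsed"])
```

Run it against the copy of the logs taken before the box is flattened, as the thread recommends, never against the live files. On the sample, the two ordinary requests from 10.0.0.5 produce no tags, every request from 0.0.0.0 is tagged, and 0.0.0.0 is also reported as an error burst; the same per-client view is what makes a probe stand out in a day's worth of real traffic.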