
iis security : HACKER visits my web site


Chrsi Grady
1/20/2004 6:43:03 PM
HACKER!

Hardware: Pentium 4 2.53 Ghz with 512 RAM
Operating System: Windows XP Pro w/Service Pack 1
IIS V5.1 is installed and operating
Server Extensions are now turned OFF

My personal webpage was recently hacked/defaced. I would
like to determine how 1) this happened; and 2) how this
type of intrusion can be prevented in the future.

Background: I have had a personal webpage that I have
been hosting myself for 6 months without problems.
However, recently the Hit Counter on my homepage
got "stuck" at "1". I went on the Microsoft Office
FrontPage Client support page
(http://support.microsoft.com/newsgroups/default.aspx?
NewsGroup=microsoft.public.frontpage.client&SLCID=US&ICP=G
SS3&sd=GN&id=fh;en-us;newsgroups)
to ask for help. I received a few suggestions that did
not help. The next morning I woke up and found that not
only was my Hit Counter now working, but also the
background on the webpage has changed from a pale yellow
to a blue shade. I had had an overnight visitor/hacker!
I fixed the color, went back on the support group to
report these issues-and a short time later the page was
back to yellow again.

Viewing my web log found an unwanted action:

2004-01-11 07:57:03 66.77.73.170 80 GET /robots.txt 404 -

I have never heard of robots.txt. It is not in my webpage
now. Also I have never heard of 66.77.73.170. While I am
inexperienced in IIS, I believe that the hacker somehow
used FrontPage extensions to access my webpage and then
inserted the .txt file (I have the log(s) if anyone needs
them).

I then turned off Front Page Extensions-the Hit Counter
now does not work (box with red X) - but the intruder has
not returned.

The MVPs on the FrontPage support page strongly
recommended several times that I do NOT host my own
webpage because of security issues. But I suspect that
members of this group may feel that IIS with FP
Extensions will work just fine--- so..

1) how did this happen; and 2) how can this type of
intrusion be prevented in the future?

Joseph
1/20/2004 7:59:15 PM
Hello,
Unfortunately you have been intruded upon but as a
previous user of XP IIS 5.1 the security is really good
but I recommend this http://www.eeye.com/html/ along with
URLscan 2.1 or 2.5, I am not sure which is the newest
version. However, I would reinstall/reformat Windows and
use the Server Extensions 2002. Just chalk it up to
experience and never let your guard down. Make sure your
firewall (ICF in Windows XP) is up. Just remember when you
turn your personal machine into a web server all the other
crap comes with it.
Just a thought
Best wishes
Joseph
www.Immoralbalance.com
Steven Burn
1/21/2004 2:56:56 AM
Not sure about the rest of it, being new to IIS myself, but robots.txt isn't
anything particularly fascinating. It's used by search engine spiders to
allow you to tell them which folders they can and can't go into.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)



Karl Levinson [x y] mvp
1/21/2004 6:32:35 AM
You need to be prepared for hacking before it happens. If you're not, you
probably don't have sufficient evidence to find out who did it. You would
want to check your firewall logs. If you don't have a firewall, you NEED
one. Even a free one like www.kerio.com or www.sygate.com or the XP ICF
firewall.

I suspect the log entry you're looking at is not the hacking. You can look
up IP addresses at www.network-tools.com and
http://visualroute.visualware.com 66.77.73.170 =
cr011r01-3.sac2.fastsearch.net, so that was likely just a normal search
engine indexing your web site.

If the hack was done via an unpatched IIS buffer overflow, you would not
necessarily see anything at all in your IIS logs. Ditto if the attack was
done through another vector besides IIS.

Further information on how to research hacking events is here:

http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden

Front page extensions should be disabled if you're not using them,
especially if you have done nothing to make it more secure. Yes, they can
be a huge vulnerability, many web sites are hacked through them. The
FrontPage support team would probably have good advice on how you might make
it more secure, as would www.microsoft.com/support.

Make sure your machine is fully patched whenever new Microsoft patches come
out, use a firewall, and follow one or more hardening checklists for both
Windows and IIS starting with the ones at www.microsoft.com/technet/security
You also absolutely need to be running URLScan which is free from Microsoft.
That might have prevented your hacking. I am pretty sure you are missing a
patch. Run the free MBSA from the above Microsoft link to look for bad
settings and missing patches. If you don't get enough information about
missing patches, run it a second time in command line HFNETCHK mode to
confirm all patches you think are installed were successfully installed.

Search web sites that list web site defacements, such as www.zone-h.org to
see if your hacker reported his success. Posting the contents of the
defaced page here or looking at the contents yourself might be another clue
as to who did this.

By the way, XP is not a good web server. It has a limit of 10 max
concurrent incoming network connections at a time, which translates into
more or less 2 maximum web site visitors at a time. You need Windows 2000
Server or Windows 2003 Server to get around this limitation, or find a web
site hosting service, some of which may be available for free.


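Karl's point is that the one line Chrsi posted (a crawler asking for /robots.txt and getting a 404) is normal indexing, and that the useful evidence is whatever else the IIS logs show. The following is an added example (not code from the thread or from Microsoft) that triages IIS 5.1 W3C extended log lines the way a reviewer would: it treats robots.txt fetches as crawler-like and flags requests that can change content, i.e. anything other than GET/HEAD and anything under /_vti_bin/ (the FrontPage Server Extensions path, assumed here rather than taken from the thread). The sample log is constructed around the posted line.

```python
from collections import defaultdict

FPSE_PREFIX = "/_vti_bin/"      # FrontPage Server Extensions path (assumption, not from the thread)
SAFE_METHODS = {"GET", "HEAD"}  # read-only methods; anything else can modify content

# Constructed sample log, modelled on the single line in the original post.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip s-port cs-method cs-uri-stem sc-status
2004-01-11 07:57:03 66.77.73.170 80 GET /robots.txt 404
2004-01-11 07:57:04 66.77.73.170 80 GET /index.htm 200
2004-01-11 08:12:40 192.0.2.10 80 GET /index.htm 200
2004-01-11 08:12:41 192.0.2.10 80 POST /_vti_bin/shtml.dll/_vti_rpc 200
2004-01-11 08:12:45 192.0.2.10 80 POST /_vti_bin/_vti_aut/author.dll 200
"""

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                    # other directives and blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                    # skip lines that do not match the declared layout
        rows.append(dict(zip(fields, parts)))
    return rows

def triage(rows):
    """Separate crawler-like fetches from requests that deserve a closer look."""
    crawler_ips = {r["c-ip"] for r in rows if r["cs-uri-stem"].lower() == "/robots.txt"}
    flagged = [
        (r["date"] + " " + r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
        for r in rows
        if r["cs-method"] not in SAFE_METHODS or r["cs-uri-stem"].lower().startswith(FPSE_PREFIX)
    ]
    per_ip = defaultdict(int)
    for r in rows:
        per_ip[r["c-ip"]] += 1          # request volume per client, for context
    return {"crawler_ips": crawler_ips, "flagged": flagged, "per_ip": dict(per_ip)}

if __name__ == "__main__":
    result = triage(parse_w3c(SAMPLE_LOG))
    print("crawler-like IPs:", sorted(result["crawler_ips"]))
    for hit in result["flagged"]:
        print("review:", *hit)
```

Run against the real log files, the flagged list is where to start; the robots.txt line stays in the crawler bucket, as Karl and jcochran describe.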

jcochran.nospam NO[at]SPAM naplesgov.com
1/21/2004 3:15:23 PM
On Tue, 20 Jan 2004 18:43:03 -0800, "Chrsi Grady"
[quoted text, click to view]

No mention of critical updates and security fixes.

[quoted text, click to view]

See:

http://securityadmin.info/faq.asp#hackerstoc
http://securityadmin.info/faq.asp#iis

[quoted text, click to view]

Okay, none of this says "hacker" as much as "user error".


[quoted text, click to view]

Normal, and not a hacker.

[quoted text, click to view]

See:

http://www.robotstxt.org/

And Google of course...

[quoted text, click to view]

These guys have:

http://ws.arin.net/cgi-bin/whois.pl

It's Quest Cybercenters search engine.

[quoted text, click to view]

Logs help. But not the line you posted.

[quoted text, click to view]

Doubt one was ever there...

[quoted text, click to view]

Go back to the beginning and read again.
