Seeking IIS\Win2k Server help...
For the past 3 days now I've had some little script kiddies in Brazil replacing my company's main webpage with a page that says "You are owned"
I can't for the life of me figure out how they are getting in. Google searches tell me that these guys use PHP bugs quite often to run scripts on the server that do it, but the server isn't running any PHP scripts on it.
So anyways, my question for those in the know.
How can you log file access\changes on a Win2k server?
I've already enabled all IIS logging, but that seems to be pretty inconclusive as to how they're doing it.
I'm hoping that if I can find out who or what is accessing that file that it may point me towards what I need to patch up.
I've gotten a whole 10 or so hours of sleep since Sunday because of this... the little bastards!
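An added example, not code from this thread or from any of the posters: a small file-integrity check in Python that answers the "how can you log file changes" question from the outside. It records a SHA-256 baseline of every file under the web root and, on the next run, lists exactly which files were added, modified or removed, so a defacement shows up as a named file rather than as a surprise. The web root, file names and the simulated defacement in `demo()` are all constructed for the demonstration.

```python
"""Added example (not from the thread): a minimal file-integrity baseline for a
web root.  Run snapshot() once to record a baseline, then again on a schedule
or after each defacement and diff the two to see which files changed."""
import hashlib
import json
import os
import shutil
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Classify the differences between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap, path):
    """Persist a snapshot; keep this file off the web server itself."""
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed web root: take a baseline, then simulate a defacement
    (homepage rewritten) plus one unexpected file, and report the diff."""
    root = tempfile.mkdtemp(prefix="webroot_")
    try:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "default.htm"), "w") as fh:
            fh.write("<html>Welcome</html>")
        with open(os.path.join(root, "images", "logo.gif"), "wb") as fh:
            fh.write(b"GIF89a")
        baseline = snapshot(root)
        # simulated incident: the homepage is replaced and a file is dropped
        with open(os.path.join(root, "default.htm"), "w") as fh:
            fh.write("<html>replaced page</html>")
        with open(os.path.join(root, "images", "dropped.asp"), "w") as fh:
            fh.write("placeholder")
        return diff_snapshots(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

This only tells you what changed, not who changed it. For the "who" part, Windows 2000 has built-in object-access auditing: enable "Audit object access" in the local security policy and put a SACL on the web root folder, and each write to those files is recorded in the Security event log with the account that performed it. Keep the baseline file on another machine, since a host that is already backdoored can have its baseline edited too.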
- Kibeth[CotC]
- Posts: 194
- Joined: Sat Apr 23, 2005 7:30 pm
Wow, sounds terrible. There's a couple things to do but nothing you'd want to that I could tell you, I'm no expert or anything. Running firewalls? I'd assume so. Got backups of the server or way to rewind it at all? Could erase some of the trouble they're causing. Completely lock it down or shut it down, although it may be unwanted, I don't know what you use your server for. Those are just the easy, I have no experience in what's going on that just seems like it might help suggestions, I know people here can give MUCH better advice.
- Akira
- Eagle / Forum Admin
- Posts: 1509
- Joined: Tue Feb 25, 2003 12:52 pm
- Location: Ontario, Canada
- Contact:
Pretty much a back door, vulnerability possibly within Windows. I do know/remember that phpBB was a source of this too, as we had it happen here through this very message board.
You pretty much need to search text in all files for keywords of the replaced files themselves, and have to then delete all of those replaced files. Double check Windows updates, and do search on anything PHP in the server.
What service pack?
Have you run IIS Lockdown on it yet?
Are you running anti-virus on the server?
I assume that you have a firewall with only port 80 open to the server. Any other ports open, perhaps FTP accounts on this server? I've had kiddies in that area hammering the Administrator account on my FTP server to the point where the event log overloaded.
Most CGI interfaces can be exploited, including the ones that came from Microsoft for Server Side Includes (SSI) and FrontPage extensions.
Assuming that they came in from IIS, any folder on your server marked Script or Executable would have something of interest running that they will try to exploit.
The IIS logs page hits, so that won't tell you how they are getting in. Once they find something to exploit, they place a backdoor on your server that allows them file-level access. It might be a hidden process, but then again you might be able to catch it running in Task Manager.
Browse http://www.sysinternals.com/ in their security section for root kit revealer, process explorer, and other tools that might help you track down how they're accessing the box. Change your Administrator passwords and check any networked drives for suspicious files.
If you have to, connect a packet sniffer to a hub on the same interface as the server. And look for the commands that they used to put the file on the server.
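An added example, not code from this thread or from any of the posters: a Python triage of IIS W3C extended log lines. The point above is right that the log records page hits rather than the exploit itself, but with only port 80 open those hits are still the first thing to read, and the question a responder asks is "which client asked for what, with which method, and did the server say yes". The parser takes its column names from the `#Fields:` directive so it works with whatever fields were enabled in the IIS logging properties; the log lines, IP addresses and paths in `SAMPLE_LOG` are constructed for the demonstration, and the `EXEC_DIRS` list is an assumption about which virtual directories on this server are marked Script or Executable.

```python
"""Added example (not from the thread): triage IIS W3C extended log records.
Flags requests that are not plain GET/HEAD, requests into script/executable
directories, and '..' in the path, then groups the flagged records by client."""
from collections import defaultdict

# Constructed sample in the W3C extended format IIS 5 writes; invented for the demo.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-06-20 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-06-20 00:01:10 192.0.2.10 GET /default.htm - 200 Mozilla/4.0
2005-06-20 00:01:11 192.0.2.10 GET /images/logo.gif - 200 Mozilla/4.0
2005-06-20 00:02:30 203.0.113.7 GET /scripts/test.asp id=1 200 Mozilla/4.0
2005-06-20 00:02:31 203.0.113.7 POST /scripts/test.asp - 200 Mozilla/4.0
2005-06-20 00:02:40 203.0.113.7 GET /_vti_bin/shtml.dll - 404 Mozilla/4.0
2005-06-20 00:03:05 203.0.113.7 PUT /default.htm - 201 -
"""

# Assumption: these are the virtual directories marked Script/Executable on this box.
EXEC_DIRS = ("/scripts/", "/_vti_bin/", "/cgi-bin/", "/msadc/")
QUIET_METHODS = {"GET", "HEAD"}


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign
        yield dict(zip(fields, values))


def classify(rec):
    """Return the reasons a record deserves a look; an empty list means routine."""
    reasons = []
    stem = rec.get("cs-uri-stem", "").lower()
    method = rec.get("cs-method", "").upper()
    status = rec.get("sc-status", "")
    if method not in QUIET_METHODS:
        reasons.append("method:" + method)
    if any(stem.startswith(d) for d in EXEC_DIRS):
        reasons.append("exec-dir")
    if ".." in stem:
        reasons.append("dot-dot")
    if reasons and status.startswith("2"):
        reasons.append("succeeded")  # the server accepted it, so look here first
    return reasons


def triage(text):
    """Group flagged records by client IP:
    {ip: [(time, method, uri-stem, status, reasons), ...]}"""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        reasons = classify(rec)
        if reasons:
            hits[rec["c-ip"]].append(
                (rec["time"], rec["cs-method"], rec["cs-uri-stem"],
                 rec["sc-status"], reasons))
    return dict(hits)


if __name__ == "__main__":
    for ip, records in triage(SAMPLE_LOG).items():
        print(ip)
        for rec in records:
            print("   ", *rec)
```

Read the output as a timeline per client rather than as a verdict: a single succeeded write-type request to the page that keeps getting replaced, at a time that matches the defacement, is the thread to pull on, and the same client's earlier requests show what it probed first. Records the parser skips for having the wrong field count should be looked at by hand, since a log that was tampered with tends to produce exactly those.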
- Baron[CotC]
- Caesar
- Posts: 1711
- Joined: Wed Feb 26, 2003 1:29 am
- Xfire Username: redbaroncotc
- Location: Alberta, Canada
- Contact:
Running SP4 on the server, with all Windows updates and IIS patches.
I re-ran the IIS Lockdown on it yesterday, but they still got in after.
I just realized that it didn't have anti-virus on there other than McAfee GroupShield for Exchange (it used to be an Exchange 2000 server that's been replaced by a newer Exchange 2003 server). Installing that now!
Only port 80 is open for this server, correct.
I did disable FrontPage extensions earlier today as we never use those on this server.
I have checked system manager and didn't see anything suspect, but at the same time, with all ports blocked to the server except 80, I didn't really expect to.
I will try checking the http://www.sysinternals.com/ site now...
Thanks Neo!
Neophyte wrote: What service pack?
Have you run IIS Lockdown on it yet?
Are you running anti-virus on the server?
I assume that you have a firewall with only port 80 open to the server. Any other ports open, perhaps FTP accounts on this server? I've had kiddies in that area hammering the Administrator account on my FTP server to the point where the event log overloaded.
Most CGI interfaces that can be exploited. Including the ones that came from Microsoft for Server Side Includes (SSI) and Front Page extensions.
Assuming that they came in from IIS, any folder on your server marked Script or Executable would have something of interest running that they will try to exploit.
The IIS logs page hits, so that won't tell you how they are getting in. Once they find something to exploit, they place a backdoor on your server that allows them file level access. It might be a hidden process, but then again you might be able to catch it running in task manager.
Browse http://www.sysinternals.com/ in their security section for root kit revealer, process explorer, and other tools that might help you track down how they're accessing the box. Change your Administrator passwords and check any networked drives for suspicious files.
If you have to, connect a packet sniffer to a hub on the same interface as the server. And look for the commands that they used to put the file on the server.
- Baron[CotC]
- Caesar
- Posts: 1711
- Joined: Wed Feb 26, 2003 1:29 am
- Xfire Username: redbaroncotc
- Location: Alberta, Canada
- Contact:
Re: Seeking IIS\Win2k Server help...
Working on it, I asked the smart guys at work, hope to have an answer in the next day.
KrAzYdAvE said:
For the past 3 days now I've had some little script kiddies in Brazil replacing my companies main webpage with a page that says "You are owned"
I can't for the life of me figure out how that they are getting in. Google searches tell me that these guys use PHP bugs quite often to run scripts on the server that do it, but the server isn't running any PHP scripts on it.
So anyways, my question for those in the know.
How can you log file access\changes on a Win2k server?
I've already enabled all IIS logging, but that seems to be pretty inconclusive as to how they're doing it.
I'm hoping that if I can find out who or what is accessing that file that it may point me towards what I need to patch up.
I've gotten a whole 10 or so hours of sleep since Sunday because of this... the little bastards!
From the sig team:
"It is difficult to say if [Cisco sensors] cover what is happening,
although I think we would. The first thing I'd verify is that they are
completely patched and up to date. After that I'd look at any applications
that are running and look for vulnerabilities in those.
It is quite possible they are already backdoored and patching won't fix the
problem. The pcaps will help, but I imagine they will be VERY difficult to
sift through. What he really needs is a Windows expert to do a quality
audit on the machine and figure out how the attack is happening."
All I would add to that is, alternatively, replace the server with one built
from scratch, put a sensor in front of it and you should be able to catch
the initial attack.
More info: here are some recommended tools from sysinternals,
to load and run on the server. These won't catch the damage
already done, but may catch it the next time a new attack
is made.
autoruns - list programs set to load on next boot, can find backdoor loaders
filemon - monitors file system activity in real time
processexplorer - more details about what processes are running
tcpview - view detailed info about tcp connections and open ports
regmonnt - monitors registry for modifications