How Can I Find Out *HOW* My Site Was Hacked? How Do I Find Site Vulnerabilities?

One of my custom developed ASP.NET sites was hacked today: "Hacked By Swan (Please Stop Wars !.. )" It is using ASP.NET and SQL Server 2005 and IIS 6.0 and Windows 2003 server. I am not using Ajax and I think I am using stored procedures everywhere I am connecting to the database so I don't think it is SQL injection. I have now removed the write permission on the folders.

How can I find out what they did to hack the site and what to do to prevent it from happening again?

The server is up to date with all Windows updates.

What they have done is uploading 6 files (index.asp, index.html, index.htm,...) to the main directory for the website.

What log files should I upload? I have log files for IIS from this folder: c:\winnt\system32\LogFiles\W3SVC1. I am willing to show it to some of you but don't think it is good to post on the Internet. Anyone willing to take a look at it?

I have already searched on Google but the only thing I find there are other sites that have been hacked - I haven't been able to see any discussion about it.

I know this is not strictly related to programming but this is still an important thing for programmers and a lot of programmers have been hacked like this.

Undervalue answered 21/11, 2008 at 10:49 Comment(7)
Seems like a valid question to me...Orourke
I also think this is a very valid and relevant question. I have updated the title to perhaps improve.Matchmaker
The updated question is a vast improvement...Words
Edited tags so that question shows up on more generalised feeds. 'swan' isn't exactly a category tag that hits anyone's radar.Vanessa
Is this a custom developed ASP.NET site or do you use some framework or CMS package?Champaigne
You should post the logs on a free filehosting website , and post here a link to them.Notepaper
"Please Stop Wars !" Ha ha The solution is right there: you just need to stop wars!Steck

It appears that the attack on your website was part of a mass defacement carried out by SWAN on 21 November, 2008 against Windows 2003 and Windows 2000 boxes running IIS 6.0. Others here have suggested a number of things. I would only add that whenever you decide to bring up the website, please format the box and reinstall from scratch. Once a box is compromised, it cannot be trusted, at all, however you clean and purify it.

Viscus answered 21/11, 2008 at 13:9 Comment(1)
I would like to reiterate what ayaz says....Rebuild the web server from scratch after you've taken it off-line to study it forensically. This webserver cannot be trusted once it's been compromised. The only safe route is to reimage it.Chaussure

IIS Process

Check that your ASPNET process does not have privilege to write files on the server. If you need the process to have write permissions, allow them only to do so on a specific folder, and deny execute permissions on that folder for all user accounts.

SQL Injection

To see people looking for SQL vulnerabilities, have a look in your log files for the following text, "CAST(".

Do you have any places where you build up SQL in the code-behind to query the database? These can be prone to SQL injection attacks. By replacing code such as the following you will be safer.

' Vulnerable: the query-string value is concatenated straight into the SQL text.
Dim strSQL As String = "Select * FROM USERS Where name = '" & Request.QueryString("name") & "'"

then consider an alternative like the following.

' Parameterized: the value travels as a SqlParameter named @name, never as SQL text.
Dim strSQL As String = "Select * FROM USERS Where name = @name"

and then adding the corresponding SqlParameter to the SQL command.

Beat answered 21/11, 2008 at 12:39 Comment(0)

Well, for starters:

  • Have you patched your server?
  • Do you have lingering remnants of things like FrontPage Server Extensions, Office extensions for web, etc.?
  • Have you made sure you don't have SQL Injection vulnerabilities?
  • Have you googled for that text, "Hacked by swan"? There are many hits, perhaps one of them has figured out his entrance.

If you do have, or are unsure about, whether you have SQL Injection problems or not, then you can ask further here, but otherwise I would get some security experts to help you.

This is indeed a programming site, so unless your problem is programming-related, it will most likely be closed again.

Petulant answered 21/11, 2008 at 11:3 Comment(1)
1. Yes 2. I think I have removed all extensions. 3. I am using procedures so I think that is not the problem. 4. Yes I have - haven't found anything useful.Undervalue

Hopefully you've had your IIS logfiles turned on and hopefully the hacker didn't erase them. By default they're located here: c:\winnt\system32\LogFiles\W3SVC1 and will generally be named after the date.

Then it's probably helpful to figure out how to use Log Parser (from Microsoft), which is free. Then use this guide to help you with looking forensically at your logfiles. Do you have a firewall? Its syslogs might be helpful.

Another decent tool to help you find sql injection issues is to go here and download HP's Scrawlr.

If you have any more questions about what you've found, come back and ask.

Chaussure answered 21/11, 2008 at 13:5 Comment(0)
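The log review that Beat (searching the IIS logs for "CAST(") and Chaussure (working through the W3SVC1 logfiles) describe, as an added example that is not part of either answer: a small Python parser for IIS 6.0 W3C extended log lines that URL-decodes each query string, flags the SQL injection markers, and also flags any HTTP method that writes to the webroot, which is the other thing a defaced site should look for. The log excerpt, the marker list and the method list are constructed assumptions, not data from the question.

```python
from urllib.parse import unquote_plus

# Constructed IIS 6.0 W3C log excerpt (an assumption, not the asker's real log); the
# #Fields: directive that IIS writes at the top of each log names the columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-11-21 09:58:13 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/4.0 200 0 0
2008-11-21 09:58:20 10.0.0.5 GET /products.aspx id=12;DECLARE%20@s%20varchar(4000);SET%20@s=CAST(0x4445434C415245%20AS%20varchar(4000));EXEC(@s);-- 80 - 198.51.100.7 Mozilla/4.0 500 0 0
2008-11-21 09:58:31 10.0.0.5 PUT /index.asp - 80 - 198.51.100.7 Mozilla/4.0 201 0 0
2008-11-21 09:59:02 10.0.0.5 GET /index.asp - 80 - 203.0.113.9 Mozilla/5.0 200 0 0
2008-11-21 09:59:40 10.0.0.5 GET /about.aspx
"""
# "CAST(" is the marker from the answer; DECLARE/EXEC usually accompany it (assumed list).
SQLI_MARKERS = ("CAST(", "DECLARE ", "EXEC(")
# Methods that create, move or remove files; a plain ASP.NET site needs only GET/POST/HEAD.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE"}

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or tampered line: skip rather than misalign columns
        yield dict(zip(fields, values))

def classify(entry):
    """Return the reasons a request looks suspicious (empty list if none)."""
    # IIS logs the query string as received, so URL-decode it before matching.
    query = unquote_plus(entry.get("cs-uri-query", "-")).upper()
    reasons = [f"sql-marker:{m.strip()}" for m in SQLI_MARKERS if m in query]
    if entry.get("cs-method", "").upper() in WRITE_METHODS:
        reasons.append("write-method:" + entry["cs-method"])
    return reasons

def find_suspicious(text):
    """Return (timestamp, client ip, method, uri, reasons) for every flagged request."""
    hits = []
    for e in parse_w3c(text):
        reasons = classify(e)
        if reasons:
            hits.append((f"{e['date']} {e['time']}", e["c-ip"], e["cs-method"], e["cs-uri-stem"], reasons))
    return hits
```

Point `find_suspicious` at the contents of a real log file and group the hits by client IP: the first flagged request from the address that later wrote to the webroot is usually the entry point.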

You might want to give it a try using a penetration toolkit like Metasploit to discover any obvious holes.

Also, please post your log files if they are untampered with.

Undershorts answered 21/11, 2008 at 12:47 Comment(0)

The first thing you should do is check your log files. You could paste them here, and we'll tell you if we recognize an attack.

Notepaper answered 21/11, 2008 at 11:28 Comment(0)

Set up Google Analytics and review all requests that were made to your website. If you are dealing with SQL injection through the query string you can easily find out what they did, and how they found your vulnerabilities.

Lamentable answered 19/3, 2010 at 9:53 Comment(1)
SQL injection that uploads files to the main directory of the website sounds impressive to me, how do they do that? :)Sisera

Is FTP turned on?

I once had a customer who had left their FTP turned on for some reason, and the hacker had just set a bot running, trying random/common user/password combinations. That hack was worse than yours because it didn't show on the web pages, but tried to install an ActiveX...

So, you could check your FTP log.

Sisera answered 19/3, 2010 at 9:59 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.