2003 web server keeps getting hacked/infected

Discussion in 'Business & Enterprise Computing' started by yorky, Mar 25, 2013.

  1. mwil7034

    mwil7034 Member

    Joined:
    Jan 15, 2003
    Messages:
    612
    Location:
    Woy Woy
    Echoing IACSecurity's sentiments

    As far as I would be concerned, it's a fresh install and someone needs to trawl through the source.

    As soon as anything touches the net you need, at a minimum, an application firewall, logging and separate security zones for app tiers. I'd even go as far as IPS and some proxies as well, depending on how complex or critical the server is.

    What you've inadvertently done is provide a testing ground for some script kiddie somewhere to mess about in. Unfortunately, the maturity of today's even entry-level rootkits means detecting what has changed etc. is nigh on impossible, especially if you have no IPS or known-good reference state.
     
  2. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    You forgot installing the firewall by dousing the server in petrol and lighting it.

    Worked 9 out of 10 times for me.
     
  3. WhaleVPS

    WhaleVPS New Member

    Joined:
    Mar 25, 2013
    Messages:
    5
    Yeah, you need to format the system and reinstall everything!
     
  4. -Antiskeptic-

    -Antiskeptic- Member

    Joined:
    Aug 14, 2006
    Messages:
    955
    Location:
    Reservoir, VIC
    Yeah I agree with this and the thoughts above, but OP, is that really an option in this case? Can you buy an outage with the business to rebuild this as suggested?

    Is there anything else in this DMZ that could potentially be affected?
     
  5. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,141
    Location:
    Canberra
    Can you buy lost business/confidence based on a hack/exploit leading to loss of company/customer information?

    Can you buy what it will cost you if they go right through everything and purge the lot?
     
  6. AzonIc

    AzonIc Member

    Joined:
    Jan 7, 2002
    Messages:
    1,373
    Location:
    Adelaide
  7. yorky (OP)

    yorky Member

    Joined:
    Sep 23, 2002
    Messages:
    2,743
    Location:
    Perth
    Just an update and thanks AzonIc, that was basically the issue.

    Since blocking the CFIDE folders the issue hasn't come back up so I can concentrate on upgrading this sucker from scratch.

    Kaspersky (before I plugged the hole, while these files were getting created) did manage to flag and delete most of them; better than nothing, although it did miss some, I'm guessing 0-day variations.

    The system is backed up twice a day and then copied to an unplugged hard drive and stored separately each day, so worst case, if the server gets flattened, I can restore and keep working.

    I'm not an expert in this field; everyone's comments are welcome, and I do agree on blowing it away and starting again, but for me that is not an overnight option at all. Yes, money can be spent, but it must be spent wisely, not just saying "omg omg get someone in to upgrade it" and having it not turn out how you'd like at such short notice without planning.
     
  8. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,141
    Location:
    Canberra
    If only just because it increases the resources you need...

    This is before you get to the point of how ineffective it is.
     
  9. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,727
    Location:
    Brisbane
    For future reference use: http://hackmycf.com/

    It generates a report letting you know about issues with your CF server. I think it allows one free one. A client sent the report to us; I had never used CF but managed to lock it down based on the info it provided. The client had the same issue that you had, with a file placed in the CFIDE folder.
     
  10. yorky (OP)

    yorky Member

    Joined:
    Sep 23, 2002
    Messages:
    2,743
    Location:
    Perth
    Yep, I think I mentioned that in a previous post; great tool, and it let me use it more than once.
     
  11. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,505
    Location:
    Adelaide
    Do you really want a server that's been owned still running on your network?? :wired:
     
  12. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,727
    Location:
    Brisbane
    It seems the issue is with public access to key folders in IIS, allowing an attacker to run infected files giving access to databases etc.; tighten them up and it seems OK.
     
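The two posts above (yorky's "since blocking the CFIDE folders the issue hasn't come back" and Gunna's point about public access to key IIS folders) both come down to one check: who is reaching the ColdFusion admin paths, and from where. The script below is an added example, not code from the thread or from any poster; it parses IIS W3C extended log lines, flags requests to sensitive CFIDE paths from hosts other than an allowlisted admin workstation, and reports which of those requests got through versus were blocked. The log lines are constructed, the admin IP (10.0.0.5) is a hypothetical allowlist entry, and the path list is an assumption about a typical CFIDE layout; adjust it to the installed ColdFusion version.

```python
"""Flag requests to sensitive ColdFusion CFIDE paths in IIS W3C logs.

Added example for the thread above, not from the original page. The log
below is constructed, ADMIN_ALLOWLIST is a hypothetical value, and
SENSITIVE_PREFIXES is an assumption about the usual CFIDE layout.
"""
from collections import Counter

# Paths that should only be reachable from administrator hosts
# (assumption: typical CFIDE layout; adjust to your ColdFusion version).
SENSITIVE_PREFIXES = (
    "/cfide/administrator",
    "/cfide/adminapi",
    "/cfide/componentutils",
)

# Hypothetical admin workstation allowed to reach the CFIDE admin paths.
ADMIN_ALLOWLIST = {"10.0.0.5"}

# Constructed IIS W3C extended log. The #Fields line gives the column
# order, so it is parsed rather than hard-coded. IIS writes spaces in the
# User-Agent as '+', so whitespace splitting is safe on real logs too.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2013-03-20 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-03-20 03:12:01 192.0.2.10 GET /index.cfm - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
2013-03-20 03:12:05 192.0.2.10 GET /CFIDE/administrator/index.cfm - 80 - 203.0.113.44 python-requests/1.2 200 0 0
2013-03-20 03:12:06 192.0.2.10 POST /CFIDE/administrator/enter.cfm - 80 - 203.0.113.44 python-requests/1.2 302 0 0
2013-03-20 03:12:09 192.0.2.10 GET /CFIDE/adminapi/administrator.cfc method=login 80 - 203.0.113.44 python-requests/1.2 200 0 0
2013-03-20 03:15:40 192.0.2.10 GET /CFIDE/administrator/index.cfm - 80 - 10.0.0.5 Mozilla/5.0 200 0 0
2013-03-20 03:16:02 192.0.2.10 GET /cfide/scripts/ajax/yui/yui.js - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
2013-03-20 03:20:11 192.0.2.10 GET /CFIDE/administrator/ - 80 - 203.0.113.44 python-requests/1.2 403 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        yield dict(zip(fields, values))


def is_sensitive(uri_stem):
    """True if the request path falls under a restricted CFIDE directory."""
    path = uri_stem.lower().replace("\\", "/")
    while "//" in path:          # collapse duplicate slashes IIS may accept
        path = path.replace("//", "/")
    return any(path.startswith(p) for p in SENSITIVE_PREFIXES)


def find_suspicious(text, allowlist=ADMIN_ALLOWLIST):
    """Return records that hit a sensitive path from a non-allowlisted IP."""
    return [
        rec for rec in parse_w3c(text)
        if is_sensitive(rec["cs-uri-stem"]) and rec["c-ip"] not in allowlist
    ]


def summarise(hits):
    """Count per client IP how many hits got through (status < 400) vs. blocked."""
    summary = {}
    for rec in hits:
        bucket = summary.setdefault(rec["c-ip"], Counter())
        bucket["allowed" if int(rec["sc-status"]) < 400 else "blocked"] += 1
    return summary


if __name__ == "__main__":
    for ip, counts in summarise(find_suspicious(SAMPLE_LOG)).items():
        print(f"{ip}: {counts['allowed']} admin-path requests reached the "
              f"server, {counts['blocked']} were blocked")
```

On the constructed log, the script reports 203.0.113.44 reaching the administrator and adminapi paths three times before a later request is refused with 403; the admin workstation's own visit is ignored, and /cfide/scripts is not flagged because that directory has to stay reachable for CF's client-side JavaScript. Running it over the real logs from before and after the CFIDE folders were blocked shows whether the block actually took effect and which external hosts had been hitting the admin interface.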
