How Can I Find Out *HOW* My Site Was Hacked? How Do I Find Site Vulnerabilities?

萝らか妹 submitted on 2019-12-03 02:43:39

It appears that the attack on your website was part of a mass defacement carried out by SWAN on 21 November, 2008 against Windows 2003 and Windows 2000 boxes running IIS 6.0. Others here have suggested a number of things. I would only add that whenever you decide to bring up the website, please format the box and reinstall from scratch. Once a box is compromised, it cannot be trusted, at all, however you clean and purify it.

IIS Process

Check that your ASPNET process does not have privilege to write files on the server. If you need the process to have write permissions, allow them only to do so on a specific folder, and deny execute permissions on that folder for all user accounts.

SQL Injection

To see people looking for SQL vulnerabilities, have a look in your log files for the following text: "CAST(".

Do you have any places where you build up SQL in the code behind to query the database? These can be prone to SQL injection attacks. By replacing code such as the following, you will be safer.

' Vulnerable: the query-string value is concatenated straight into the SQL text
Dim strSQL As String = "Select * FROM USERS Where name = '" & Request.QueryString("name") & "'"

then consider an alternative like the following.

Dim strSQL As String = "Select * FROM USERS Where name = @name"

and then add the corresponding SQL Parameter to the SQL command.
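The same before/after contrast, as an added example written in Python against an in-memory SQLite table (it is not code from the answer above, which uses VB.NET and SqlParameter; the USERS rows and the hostile input are constructed for the demonstration). The concatenated query returns every row for an input containing a quote, while the parameterized query matches the input literally and returns nothing:

```python
import sqlite3

# Constructed sample data, not from the original question.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    # Same pattern as the string concatenation in the answer: user input is
    # spliced into the SQL text, so a quote character changes the query's meaning.
    sql = "SELECT * FROM USERS WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The value travels separately from the SQL text (the equivalent of the
    # @name SqlParameter), so the driver never interprets it as SQL.
    sql = "SELECT * FROM USERS WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with a quote-bearing input and a legitimate one."""
    conn = setup_db()
    hostile = "' OR '1'='1"  # constructed input that breaks out of the quoted literal
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, hostile)),
        "parameterized_rows": len(lookup_parameterized(conn, hostile)),
        "legit_rows": len(lookup_parameterized(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup yields both rows because the query text becomes `... WHERE name = '' OR '1'='1'`; the parameterized lookup looks for a user literally named `' OR '1'='1` and finds none, which is the behaviour you want.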

Hopefully you've had your IIS logfiles turned on and hopefully the hacker didn't erase them. By default they're located here: c:\winnt\system32\LogFiles\W3SVC1 and will generally be named after the date.

Then it's probably helpful to figure out how to use Log Parser (from Microsoft), which is free. Then use this guide to help you with looking forensically at your logfiles. Do you have a firewall? Its syslogs might be helpful.

Another decent tool to help you find sql injection issues is to go here and download HP's Scrawlr.

If you have any more questions about what you've found, come back and ask.
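A small scanner for the forensic step the answers above describe (looking through the IIS logs for "CAST(" and similar probes), added here as an example and not code from any of the answers. It reads the W3C extended format IIS 6.0 writes, takes the column names from the `#Fields:` header, URL-decodes `cs-uri-query` (probes are usually percent-encoded, sometimes twice), and reports which client addresses sent requests containing the markers. The log lines are constructed, and the marker list beyond "CAST(" is my own choice:

```python
from collections import Counter
from urllib.parse import unquote_plus

# "CAST(" is the string the answer suggests grepping for; the rest are other
# common SQL-injection markers added here as an assumption, not from the page.
SQLI_MARKERS = ("CAST(", "DECLARE ", "EXEC(", "UNION SELECT", "XP_CMDSHELL")

# Constructed IIS 6.0 W3C log excerpt (field list mirrors the IIS 6 default).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-11-21 03:12:05
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-11-21 03:12:05 10.0.0.5 GET /products.aspx id=12 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-11-21 03:12:09 10.0.0.5 GET /products.aspx id=12;DECLARE+@s+VARCHAR(100);SET+@s=CAST(0x00+AS+VARCHAR(100));-- 80 - 192.0.2.44 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-11-21 03:12:11 10.0.0.5 GET /news.aspx id=3%20and%201=cast(1%20as%20int) 80 - 192.0.2.44 Mozilla/4.0+(compatible;+MSIE+6.0) 500 0 0
2008-11-21 03:13:00 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
"""


def decode_query(raw):
    """URL-decode until stable (catches double encoding); IIS writes '-' for no query."""
    if raw == "-":
        return ""
    decoded = raw
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # no header seen yet; cannot name the columns
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_sqli_probes(lines):
    """Return the requests whose decoded query string contains an injection marker."""
    hits = []
    for rec in parse_w3c(lines):
        query = decode_query(rec.get("cs-uri-query", "-"))
        upper = query.upper()
        matched = [m for m in SQLI_MARKERS if m in upper]
        if matched:
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "uri": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "markers": matched,
                "query": query,
            })
    return hits


def clients_by_hits(hits):
    """Count flagged requests per client address, to see who was probing."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_sqli_probes(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["time"], h["client"], h["uri"], h["status"], h["markers"])
    print(clients_by_hits(found))
```

Run it against a real file with `find_sqli_probes(open(r"c:\winnt\system32\LogFiles\W3SVC1\ex081121.log").readlines())` (the file name is an assumption following IIS's date-based naming). The matching is done after decoding and case-folding because the lower-case `cast(1%20as%20int)` in the third sample line would slip past a plain grep for "CAST("; the `sc-status` column is kept because a run of 500 responses from one address is itself a useful signal of probing.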

Lasse Vågsæther Karlsen

Well, for starters:

  • Have you patched your server?
  • Do you have lingering remnants of things like FrontPage Server Extensions, Office extensions for web, etc.?
  • Have you made sure you don't have SQL Injection vulnerabilities?
  • Have you googled for that text, "Hacked by swan"? There are many hits, perhaps one of them has figured out his entrance

If you do have, or are unsure about whether you have, SQL Injection problems, then you can ask further here, but otherwise I would get some security experts to help you.

This is indeed a programming site, so unless your problem is programming-related, it will most likely be closed again.

bdd

You might want to give it a try using a penetration toolkit like Metasploit to discover any obvious holes.

Also, please post your log files if they are untampered with.

The first thing you should do is check your log files. You could paste them here, and we'll tell you if we recognize an attack.

Set up Google Analytics and review all requests that were made to your website. If you are dealing with SQL injection through the query string you can easily find out what they did, and how they found your vulnerabilities.

Is FTP turned on?

I once had a customer who had left their FTP turned on for some reason, and the hacker had just set a bot running, trying random/common user/password combinations. That hack was worse than yours because it didn't show on the web pages, but tried to install an ActiveX...

So, you could check your FTP log.
