Windows Server 2000/2003 Thread, Server 2003 - IIS 6 - Hacked in Technical
  1. #1
    powert

    Server 2003 - IIS 6 - Hacked

    Hi all,

    We've been having a bit of trouble with some Iranian hackers (calling themselves the Iran Security Team) hitting our school's webserver repeatedly. When it started, they were just dumping phoney 'index.html' and 'index.php' files to the root folder of our website (luckily our ACTUAL index page runs within a nested folder, so there was no interruption). Then they stepped it up and left hacking tools embedded in web pages. Now they've left files which open web pages requiring a password - having done some research it seems hackers can use a loophole in IIS which means that a site requiring password authentication can be used to step up privileges... so now they're getting WRITE privileges and managed to delete a whole bunch of important files! So it's getting worse!

    We deleted all their files (after gathering as much info as we could from them) and ran a system update on the server. Loads of security updates got patched, but they still hit us again. I've run the update service once more and there was one more patch, but that's it. I don't have faith that this single patch will save the day, so does anyone have any suggestions?

    We are running IIS 6 on Server 2003. All of the erroneous files were created by the IIS Anonymous User Account (IUSR_*serverName*) - so I suspect it's something to do with tying that down. I determined this by right-clicking the phoney files - the Security tab showed permissions set for IUSR_*serverName*...however this account does not show for any of our legitimate files...

    Is it something to do with the Anonymous IIS Account? Am I barking up the wrong tree?

    ...suggestions are much appreciated!

    Many thanks,

    Tom
    Last edited by powert; 23rd May 2013 at 10:37 AM.
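
    The check described in the post above (spotting files by the IUSR_*serverName* entry on their Security tab) can be run across the whole web root instead of file by file. This is an added example, not part of the original post; the `$WebRoot` path and the `IUSR_*` pattern are assumptions to replace with the real values, and it assumes PowerShell 2.0 or later is installed on the server.

```powershell
# Added example (not from the thread). Assumed values: $WebRoot, $AccountPattern.
param(
    [string]$WebRoot        = 'C:\Inetpub\wwwroot',  # assumed site root
    [string]$AccountPattern = 'IUSR_*'               # matches IUSR_<serverName>
)

$ntAccount = [System.Security.Principal.NTAccount]

Get-ChildItem -Path $WebRoot -Recurse -Force | ForEach-Object {
    $item = $_
    try {
        $sec = $item.GetAccessControl()
    } catch {
        Write-Warning "Cannot read ACL: $($item.FullName)"
        return   # skip this item, continue with the next one
    }

    # Owner comes back as MACHINE\name; compare only the account name.
    $owner = ''
    try { $owner = $sec.GetOwner($ntAccount).Value } catch { }
    $ownerName = $owner.Split('\')[-1]

    # ACL entries (explicit and inherited) that name the anonymous account.
    # Per the post, legitimate content does not carry such an entry.
    $hits = $sec.GetAccessRules($true, $true, $ntAccount) | Where-Object {
        $_.IdentityReference.Value.Split('\')[-1] -like $AccountPattern
    }

    if ($ownerName -like $AccountPattern -or $hits) {
        New-Object PSObject -Property @{
            Path        = $item.FullName
            Owner       = $owner
            Rights      = ($hits | ForEach-Object {
                "$($_.AccessControlType):$($_.FileSystemRights) inherited=$($_.IsInherited)"
            }) -join '; '
            CreatedUtc  = $item.CreationTimeUtc
            ModifiedUtc = $item.LastWriteTimeUtc
        }
    }
} | Sort-Object CreatedUtc | Select-Object Path, Owner, Rights, CreatedUtc, ModifiedUtc
```

    Sorting by creation time gives a rough timeline of when each file appeared, which can be compared against the IIS logs for the same period. A folder that itself shows a Write or Modify entry for the anonymous account is where new files can be dropped.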

  2. #2

    I think the answer to this problem is in your title.... Server 2003 - IIS 6

  3. #3
    SovietRussia
    Turn off your server! Then get IIS 7/8

  4. #4
    cpjitservices
    Either that or use a Linux web server. If you install CentOS you can select web server on installation, and once it's rebooted you have a working web server, and it's secure and will be up to date. Having IIS6 on the net now isn't a very good idea at all.

  5. #5
    kevin_lane
    There is a tool called IIS Lockdown you could try. If this server is connected to your main LAN then yes, you def have a problem; you should really keep this server in a different segment of the network (if it is then scratch what I have just said). However, you also want to make sure that your service accounts are turned off and that you have basically only the lowest user account to access the site. They most prob use some Unicode to do a buffer overflow on the IIS server or something of that nature. If you really want a secure web server then you either get it hosted somewhere else or you use Apache or go along down the Server Core route.

  6. #6

    Wasn't IIS 6 prone to the Unicode Exploit also?

    I'd suggest changing over to Apache/CentOS. Only reason we use IIS is for anything ASP-related such as Home Access Plus.

  7. #7

  8. #8
    powert
    Thanks for all the suggestions folks - I'd say that if you forgive the patronising demeanour of 'Deanuk', there are all some really useful ideas. So thanks very much for that!

  9. #9
    cpjitservices
    Most if not all those bugs in Apache have been patched.

  10. #10
    Marci
    If the exploit may have enabled them to read anything sensitive, make sure you notify your school's Data Protection Officer.

  11. #11

    Dos_Box
    Server 2003/IIS6 hasn't been supported for about 6 years now. As the others have said, whatever exploits are being used will most likely never be patched.
    I would seriously suggest looking to upgrade/migrate it to a newer version of Windows Server/IIS with haste.

  12. #12
    SovietRussia
    Just don't go for XAMPP - Full of security holes.

  13. #13

    Michael
    I'd say in the short term, disable your website in IIS6 and migrate it to either IIS7.5 in Server 2008 R2 or IIS8 in Server 2012. By default both of these are harder, as a lot of options/services are turned off by default.
