Windows Server 2000/2003 forum (Technical)
23rd May 2013, 10:44 AM #1
Server 2003 - IIS 6 - Hacked
Hi all,
We've been having a bit of trouble with some Iranian hackers (calling themselves the Iran Security Team) hitting our school's webserver repeatedly. When it started, they were just dumping phoney 'index.html' and 'index.php' files to the root folder of our website (luckily our ACTUAL index page runs within a nested folder, so there was no interruption). Then they stepped it up and left hacking tools embedded in web pages. Now they've left files which open web pages requiring a password - having done some research, it seems hackers can use a loophole in IIS which means that a site requiring password authentication can be used to step up privileges... so now they're getting WRITE privileges and managed to delete a whole bunch of important files! So it's getting worse!
We deleted all their files (after gathering as much info as we could from them) and ran a system update on the server. Loads of security updates got patched, but they still hit us again. I've run the update service once more and there was one more patch, but that's it. I don't have faith that this single patch will save the day, so does anyone have any suggestions?
We are running IIS 6 on Server 2003. All of the erroneous files were created by the IIS Anonymous User Account (IUSR_*serverName*) - so I suspect it's something to do with tying that down. I determined this by right-clicking the phoney files - the Security tab showed permissions set for IUSR_*serverName*...however this account does not show for any of our legitimate files...
Is it something to do with the Anonymous IIS Account? Am I barking up the wrong tree?
...suggestions are much appreciated!
Last edited by powert; 23rd May 2013 at 11:37 AM.
23rd May 2013, 04:37 PM #2
I think the answer to this problem is in your title.... Server 2003 - IIS 6
23rd May 2013, 04:41 PM #3
Turn off your server! Then get IIS 7/8
23rd May 2013, 05:32 PM #4
Either that or use a Linux web server. If you install CentOS you can select "web server" on installation, and once it's rebooted you have a working web server; it's secure and will be up to date. Having IIS 6 on the net now isn't a very good idea at all.
23rd May 2013, 10:34 PM #5
There is a tool called IIS Lockdown you could try. If this server is connected to your main LAN then yes, you definitely have a problem: you should really keep this server in a different segment of the network (if it is already, then scratch what I have just said). However, you also want to make sure that your service accounts are turned off and that you have basically only the lowest user account to access the site. They most probably use some Unicode to do a buffer overflow on the IIS server, or something of that nature. If you really want a secure web server then you either get it hosted somewhere else, or you use Apache, or you go down the Server Core route.
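The original post found the planted files by opening each one's Security tab and spotting an entry for IUSR_*serverName*, and post #5 makes the point that only the lowest-privilege account should touch the site. The script below is an added example, not from this thread or from Microsoft, that does the same check for a whole web root in one pass: it reports every NTFS allow entry granting the anonymous IIS account any write, delete or permission-change right, and lists files created recently with their owner. It assumes PowerShell 2.0 has been installed on the Server 2003 box and is run from an administrator session; the web root path and the 14-day window are placeholders to adjust.

```powershell
# Added example (not from the thread): audit an IIS 6 web root for NTFS permissions that
# would let the anonymous IIS account write, and list recently created files.
# Assumptions: PowerShell 2.0 installed on the Server 2003 box, run from an elevated
# (administrator) session; the web root path and the look-back window are placeholders.
param(
    [string]$WebRoot    = 'C:\Inetpub\wwwroot',   # assumed site root; change to yours
    [int]   $RecentDays = 14                       # assumed look-back window in days
)

# IIS 6 names its anonymous account IUSR_<servername>; match any ACE for such an account.
$anonPattern = '\\IUSR_'

# Rights that allow creating, changing or deleting content, or changing permissions.
# Built from the individual flags rather than the composite Write/FullControl values so
# that a read-only ACE carrying only Synchronize is not reported as a false positive.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Walk the whole tree once (hidden/system items included) and reuse the listing below.
$items = Get-ChildItem -Path $WebRoot -Recurse -Force -ErrorAction SilentlyContinue

$findings = @()
foreach ($item in $items) {
    $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
    if ($acl -eq $null) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch $anonPattern) { continue }
        if ((([int]$ace.FileSystemRights) -band $writeMask) -ne 0) {
            $findings += New-Object PSObject -Property @{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited      # inherited ACEs point at a parent folder
                Owner     = $acl.Owner
            }
        }
    }
}

# Files created inside the look-back window, newest first, with the NTFS owner: content
# owned by the anonymous account was written through the web server, not by an admin.
$cutoff = (Get-Date).AddDays(-$RecentDays)
$recent = $items |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -gt $cutoff } |
    Sort-Object CreationTime -Descending |
    Select-Object FullName, CreationTime, LastWriteTime,
        @{ Name = 'Owner'; Expression = { (Get-Acl -Path $_.FullName).Owner } }

Write-Output "Allow entries granting write-type rights to the anonymous IIS account under ${WebRoot}:"
$findings | Format-Table Path, Identity, Rights, Inherited -AutoSize
Write-Output "Files created in the last $RecentDays days (newest first):"
$recent | Format-Table FullName, CreationTime, Owner -AutoSize
```

Save it as, say, Audit-WebRootAcl.ps1 and run it on the web server. For static content the anonymous account needs only Read & Execute, so any entry the first table reports outside a folder that is deliberately an upload area is a hardening target; an inherited entry means the fix belongs on the parent folder it came from. The second table gives a quick cross-check after cleanup: anything new whose owner is the anonymous account arrived through the web server. The NTFS side is only half of it on IIS 6: the virtual directory's own Write access permission and the WebDAV web service extension should also be off unless the site genuinely needs them.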
24th May 2013, 10:10 AM #6
Wasn't IIS 6 prone to the Unicode exploit also?
I'd suggest changing over to Apache/CentOS. The only reason we use IIS is for anything ASP related, such as Home Access Plus.
24th May 2013, 10:24 AM #7
Apache isn't much better.
24th May 2013, 04:09 PM #8
Thanks for all the suggestions folks - I'd say that, if you forgive the patronising demeanour of 'Deanuk', these are all really useful ideas. So thanks very much for that!
24th May 2013, 04:15 PM #9
Most if not all those bugs in Apache have been patched.
24th May 2013, 04:19 PM #10
If the exploit may have enabled them to read anything sensitive, make sure you notify your school's Data Protection Officer.
24th May 2013, 04:22 PM #11
Server 2003/IIS6 hasn't been supported for about 6 years now. As the others have said, whatever exploits are being used will most likely never be patched.
I would seriously suggest looking to upgrade/migrate it to a newer version of Windows Server/IIS with haste.
24th May 2013, 04:23 PM #12
Just don't go for XAMPP - full of security holes.
24th May 2013, 05:27 PM #13
I'd say in the short term, disable your website in IIS 6 and migrate it to either IIS 7.5 on Server 2008 R2 or IIS 8 on Server 2012. By default both of these are harder, as a lot of options/services are turned off by default.