Site Hacked

on 30.05.2007 13:54:12 by Andrea

Hi,
Some hacker has hacked my site on my Windows 2003 Std server with IIS.
The hacker has copied 5 pages into each folder of my IIS sites.
The files are:
default.htm
default.html
index.asp
index.html
index.php

I have a hardware firewall that protects my server (SonicWALL PRO with IPS).
Only port TCP/80 is open.

What can I do?
Where is my "hole"?

thanks
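Added here as an example, not code from the thread or from Andrea's server: a PHP CLI triage script that walks the web root, hashes every file carrying one of the five reported names, and groups identical copies. A defacement that copies the same page into every folder shows up as one hash with many copies, and the modification-time window of those copies is what you then look up in the IIS W3C logs to find the request that wrote them. It assumes a PHP 7+ CLI (not the PHP 4.4.4 on the affected box) and uses C:\Inetpub\wwwroot only as a placeholder web root.

```php
<?php
// Added triage example: find planted default-document files under an IIS web root,
// group them by content hash and report how many copies exist and when they were
// written. Web root and copy threshold are assumptions; adjust to the site.
declare(strict_types=1);

/** File names the attacker dropped into every folder (from the original post). */
const PLANTED_NAMES = ['default.htm', 'default.html', 'index.asp', 'index.html', 'index.php'];

/**
 * Return ['<sha256>' => ['paths' => [...], 'mtimes' => [...]]] for every file under
 * $root whose base name is in PLANTED_NAMES. Identical content repeated across many
 * folders is the signature of a mass-copy defacement, not legitimate site content.
 */
function scanPlantedFiles(string $root): array
{
    $groups = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        /** @var SplFileInfo $file */
        if (!$file->isFile() || !in_array(strtolower($file->getFilename()), PLANTED_NAMES, true)) {
            continue;
        }
        $hash = hash_file('sha256', $file->getPathname());
        $groups[$hash]['paths'][]  = $file->getPathname();
        $groups[$hash]['mtimes'][] = $file->getMTime();
    }
    // Most-copied content first: that is the group to investigate.
    uasort($groups, function (array $a, array $b): int {
        return count($b['paths']) - count($a['paths']);
    });
    return $groups;
}

/** Print one line per distinct content with copy count and mtime window. */
function reportGroups(array $groups, int $minCopies = 3): void
{
    foreach ($groups as $hash => $g) {
        $n     = count($g['paths']);
        $first = date('Y-m-d H:i:s', min($g['mtimes']));
        $last  = date('Y-m-d H:i:s', max($g['mtimes']));
        $flag  = $n >= $minCopies ? 'SUSPECT' : 'ok';
        printf("%s  %s  %d copies  mtime %s .. %s\n", $flag, substr($hash, 0, 16), $n, $first, $last);
        if ($n >= $minCopies) {
            foreach ($g['paths'] as $p) {
                echo "    $p\n";
            }
        }
    }
}

// Usage: php scan_planted.php C:\Inetpub\wwwroot   (web root is an assumed default)
$root = $argv[1] ?? 'C:\\Inetpub\\wwwroot';
reportGroups(scanPlantedFiles($root));
```

The mtime window of the SUSPECT group is the pivot: on IIS 6 the site logs are by default under %SystemRoot%\system32\LogFiles\W3SVCn, and the POST or PUT requests logged in that window (against a PHP script, a WebDAV-enabled path, or an upload handler) point at the actual hole, which is the question the rest of this thread tries to answer.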

Re: Site Hacked

on 30.05.2007 16:24:48 by ace_away

Seems like there are some WebDAV holes that allowed this to happen.

To get around it, go into IIS Manager and, for the site in question, make
default.asp the only default content page (provided of course default.asp
is your home page in your directories).




Re: Site Hacked

on 30.05.2007 16:43:24 by Andrea

Hi,
I've thought about this... but the WebDAV protocol is not installed!

To get around it, I've changed the default web pages to use random names.

But it's not a "nice" way... I want to know where the bug is!




Re: Site Hacked

on 30.05.2007 17:38:22 by Roger Abell

Was the machine fully up-to-date on patches from MS?
What third-party things are installed (PHP, ColdFusion, Perl, etc.)?
Did you have the FrontPage Server Extensions installed?
Or did you perhaps have RPC over HTTP enabled?
What other machines are on your network within the SonicWall
bounded area? Are they fully healthy (and patched), and what
access do those have exposed to the outside?


Re: Site Hacked

on 31.05.2007 08:23:36 by Andrea

"Roger Abell [MVP]" wrote in message
news:OQeZrCtoHHA.248@TK2MSFTNGP04.phx.gbl...
> Was the machine fully up-to-date on patches from MS? YESSS
> What third-party things are installed (php, coldfusion, perl, etc)? PHP
> Did you have the FrontPage Server Extensions installed? NO
> Or did you perhaps have RPC over HTTP enabled? NO
> What other machines are on your network within the SonicWall
> bounded area? 4 SERVERS, ALL PATCHED
> Are they fully healthy (and patched) and what
> access do those have exposed to the outside? ALL PORT 80/TCP, EXCEPT FOR
> ONE THAT HAS 25-110-143 AND ANOTHER ONE THAT HAS 21 FOR FTP.

Re: Site Hacked

on 02.06.2007 08:21:50 by Roger Abell

Is the PHP updated?
You might have an application-level flaw in the server-side content.


Re: Site Hacked

on 02.06.2007 16:27:03 by Andrea

PHP IS 4.4.4

I've read the bugs fixed in 4.4.7, but nothing seems important for my
case...



Re: Site Hacked

on 04.06.2007 17:14:40 by Daniel Crichton

Andrea wrote on Sat, 2 Jun 2007 16:27:03 +0200:

> PHP IS 4.4.4
>
> I've read in the bugs solved by the 4.4.7 but nothing seems important for
> my case.....

http://www.php.net/releases/4_4_7.php

Are you saying that you consider none of those security fixes are important?

Dan

Re: Site Hacked

on 04.06.2007 22:01:45 by Andrea

Absolutely not!
What I'm saying is that I don't see anything that could be related to my issue!


"Daniel Crichton" wrote in message
news:us1JUsrpHHA.3968@TK2MSFTNGP06.phx.gbl...
> Andrea wrote on Sat, 2 Jun 2007 16:27:03 +0200:
>
>> PHP IS 4.4.4
>>
>> I've read in the bugs solved by the 4.4.7 but nothing seems important for
>> my case.....
>
> http://www.php.net/releases/4_4_7.php
>
> Are you saying that you consider none of those security fixes are
> important?
>
> Dan
>

Re: Site Hacked

on 05.06.2007 09:15:25 by Daniel Crichton

Andrea wrote on Mon, 4 Jun 2007 22:01:45 +0200:

> Absolutely not!
> what I say is that I don't see anything that could be related to my iusse!

Injection or overflow vulnerabilities could be used to cause code to run on
your server that you did not intend, so that covers a few of those fixes.
The 3rd fix on the list covers a way to override the register_globals
setting - this can be bad in that global variables can be overwritten using
querystring or post values.

However, while these are possibilities, I'd be more suspicious of the actual
PHP code you have on the server. I myself was subject to a file replacement
attack on my Debian/Apache2/PHP5 server recently due to a flaw in phpBB2
combined with allowing remote file opening (where URLs could be opened as if
they were local files, which I was using to pull data from some other
servers) which allowed the attacker to load a remote file as local PHP code
which then let them overwrite the config.php file for PHP-Nuke on my server.
This is an application flaw, and no amount of security patches will stop
something like this - the fix was to correct the phpBB2 code so that it
didn't allow the path variable it was using to be overwritten from POST
data, and I dumped the blocks that grabbed remote data (they were only a
test anyway) and so was able to turn off the option in PHP to pull remote
files.

Dan
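Added example, not code from phpBB2, from Daniel's server, or from this thread: the application-flaw pattern Dan describes (an include path that request data can overwrite, combined with PHP being allowed to open URLs as if they were files), shown next to the hardened form he ends up with. The function names, the `$root_path` variable, the `modules/` directory and the module allowlist are illustrative assumptions; nothing here executes an `include()`, the functions only return the path that an include would have received.

```php
<?php
// Added example: request-controlled include path (vulnerable) versus a base path
// derived from the script location plus an allowlist (hardened). All names and
// paths are assumptions for illustration; no include() is executed.
declare(strict_types=1);

// --- Vulnerable pattern --------------------------------------------------------
// With register_globals=On, or an extract() over request data, a client can replace
// $root_path. If allow_url_fopen (and, from PHP 5.2, allow_url_include) is On, the
// include() built from it fetches an attacker-chosen URL and runs it as PHP.
function vulnerableIncludePath(array $request): string
{
    $root_path = './';                          // intended default ...
    extract($request);                          // ... silently overwritten by a parameter
    return $root_path . 'modules/render.php';   // what include() would receive
}

// --- Hardened pattern ----------------------------------------------------------
// 1. The base path is a constant derived from the script's own location; request
//    data never participates in building it.
// 2. Only a fixed allowlist of module names can be included, and the resolved path
//    must still lie under the modules directory.
define('ROOT_PATH', __DIR__ . DIRECTORY_SEPARATOR);
const ALLOWED_MODULES = ['render', 'search', 'profile'];

function safeModulePath(string $module): string
{
    if (!in_array($module, ALLOWED_MODULES, true)) {
        throw new InvalidArgumentException("unknown module: $module");
    }
    $dir  = realpath(ROOT_PATH . 'modules');
    $path = realpath(ROOT_PATH . 'modules' . DIRECTORY_SEPARATOR . $module . '.php');
    // realpath() returns false for missing files and never resolves URL wrappers,
    // so neither a "http://..." value nor a "../" escape can pass this check.
    if ($dir === false || $path === false
        || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        throw new RuntimeException("module path outside modules/: $module");
    }
    return $path;
}

// Demonstration: the same hostile parameter against both patterns.
$hostile = ['root_path' => 'http://example.invalid/'];   // constructed request data
echo "vulnerable: ", vulnerableIncludePath($hostile), "\n";   // path now points off-box

foreach (['render', '../../config', 'http://example.invalid/x'] as $candidate) {
    try {
        echo "hardened:   ", safeModulePath($candidate), "\n";
    } catch (Exception $e) {
        echo "hardened:   rejected '$candidate' (", get_class($e), ")\n";
    }
}
```

The second half of Dan's fix is configuration, not code: with the remote-fetch blocks gone, `allow_url_fopen = Off` in php.ini removes the URL-as-file behaviour for the whole server, and on PHP 5.2 or later `allow_url_include = Off` closes the include/require path specifically even where `allow_url_fopen` must stay on for legitimate HTTP clients. Either setting alone is a mitigation; the allowlist above is what actually removes the flaw.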

Re: Site Hacked

on 06.06.2007 07:08:00 by Vadim Maksimenko

And the nicest is this one: "Fixed a remotely trigger-able buffer
overflow inside bundled libxmlrpc library" :)

--

Yours faithfully, Vadim Maksimenko.
