I have seen this a few times in the recent past and it is always the same: every folder and sub-folder under the main websites directory has been spammed with a set of default index files. Generally the files are as follows.
index.php, index.cfm, index.htm, index.html, default.php, default.cfm, default.htm, default.html
The reason they drop every file type into every directory is obvious: whatever default document a given site is configured to serve, one of those names will match, and the defacement page is what visitors get. The not-so-obvious part is why index.aspx and default.aspx are not on their list. Most of these groups, or "script kiddies" as they're called, seem to be Turkish, or at least refer to Turkish hackers somewhere in the index files themselves. Searching the web for help with this type of hack is close to useless: if you search for a phrase from one of the index files you will only find other sites defaced by the same group, not any useful information on how they got in or how to prevent future attacks.
If this is your first time getting hacked this way and you're reading this thinking you're wasting your time because they hacked you and moved on, you have a very serious rude awakening in your very near future. The hacks will continue monthly, daily and even hourly until you resolve the security issues on your server.
Most people reading this already know that and are desperate for an answer. While we are on the subject of answers, and still on the subject of getting help by searching, let's talk about posting on help forums. I read many posts while trying to troubleshoot this issue and most responses are laughable at best. I am thankful I have been at this for many years and know which advice is reasonable and which is not.
Some people just don't have a clue, it seems, and I can't talk about help on forums without mentioning the asshole that should end his own life because no one cares. Who is this asshole, you say? The asshole that throws out the response to reformat and start fresh. There seems to be one post like that in every thread I read lately and I have to hold back from registering on whatever forum I happen to be reading and telling him what a jerk-off he is and how he should seriously start considering a new career and stay far away from computers for the rest of his life. I want to post and tell this computer-illiterate fuck that if that were a viable option in the business world none of us would have jobs, because everyone would just reformat all the time.
It doesn't take a very knowledgeable person to reformat a box, now does it? When I was out in the field at my last job performing cleanups on workstations and servers, I would tell the customer what separates a good tech from a bad one: a good tech can count on one hand how many boxes he had to reformat in the last year, and likely in his entire career if we are only talking about servers.
Go tell the CEO you need to reformat his domain controller / Exchange server because a guy in some thread said so and you will be out of a job faster than a cheetah with a rocket up its ass.
Anywho, back to the situation at hand, now that I have vented my frustration on web idiots. I will list in steps how this likely happened and what to do about it so you can prevent it from happening again and again and again.
Generally these attacks come from script kiddies and wannabe hackers who aren't really hacking anything; they are using known exploits and pre-compiled programs to do their damage.
I will first list the steps for locking down the server, then the steps for monitoring and investigating the attacks in case they continue.
First, lock down the web directories on the server in NTFS. This includes the top-level directory that hosts all of the sites and each site's sub-directory. If every site is strictly static HTML you are in luck, because the anonymous web account (IUSR_<machinename> on IIS 5/6) needs nothing more than Read, and you can apply that to the top-level directory and force it down onto all the sub-directories. If you are using ASP and/or ASP.NET, follow Microsoft's guidelines and best practices for directory permissions (ASP.NET additionally needs its worker process account to write to its Temporary ASP.NET Files directory, not to your content). Whatever the mix, the rule that matters for this attack is that the account the web server serves content as must not have Write or Modify on the content directories; a defacer who can only read your files cannot drop index files into them. I will attach a couple of screenshots of general HTML and ASP folder security permissions to give you a general idea of how these should be set.
Additional links for setting folder permissions in IIS
Microsoft’s guide to setting permissions on an IIS server
Microsoft’s guide to securing ASP / ASP.NET
Now that we have locked down the website directories in Explorer, we need to secure the directory permissions in IIS itself. Open the IIS Manager and, for each website, edit the properties of the site. In the properties dialog, select the Home Directory tab and set the permissions accordingly. HTML and ASP need different settings and I recommend following Microsoft's best practices: a static HTML site needs only Read, with Execute permissions set to None; a classic ASP site needs Read with Execute permissions set to Scripts only. Never leave Write or Script source access checked on a directory that also allows script execution, because that combination is exactly what lets an attacker upload a page and have the server run it. HTML has the obvious advantage in that it doesn't need any kind of script execute permission at all. While you're in here, make sure "Log visits" and "Index this resource" are checked.
Enable logging and log EVERYTHING in IIS. This is extremely important. I can almost guarantee that after following this guide you won't get hacked again, but if you do, you will wish you had logs to help you find out how, why and when it happened. Make sure logging is enabled on every site you host, use the W3C Extended format, check every field in the logging options, and, last but certainly not least, send the logs to a directory OUTSIDE of your websites directory (an attacker who can write into your web root can otherwise delete or overwrite the evidence). I personally create a directory simply called "Logs" in the root of my OS drive and then create sub-folders for IIS, System and log parsing, which we will get into in a moment. The logging schedule may seem a bit confusing at first, so I will explain it briefly. Each website creates its own logging directory (W3SVC<site id>) and the files within are named by date and time rather than uniquely (for hourly W3C Extended logs, ex<yymmddhh>.log). The option for hourly, daily, weekly and so on refers to how often a new file is created and the old one closed. I choose hourly for two main reasons: when I know roughly when the attack happened it is easier to work with a small log file covering just that hour, and if the attack occurred more than an hour ago I know the log file is closed and not in use by the system. One caveat: IIS writes the timestamps in W3C Extended logs in UTC, and by default rolls the files over on UTC hours as well unless "Use local time for file naming and rollover" is checked, so account for your time zone when matching a defacement time to a log file. Here are some screenshots of how my logging is currently configured on my employer's IIS server.
Download and install Microsoft's IIS Lockdown Tool. This is a great tool for quickly and easily securing your websites. It is not the all-in-one answer to your problem and it is not a sure-fire way to lock down your server, but it is free and adds some nice security to your server. Note that the tool is written for IIS 4.0, 5.0 and 5.1; IIS 6.0 already ships locked down in the same way and Microsoft does not support running the tool on it, though the URLScan filter it bundles can still be installed on IIS 6.0 separately. I will warn you up front that URLScan will block requests for some file extensions such as .exe and .bat, but those are options that can be adjusted as needed in urlscan.ini. I would also recommend redirecting the URLScan log files to the log directory we created earlier so they are all in one place (in URLScan 2.5 this is the LoggingDirectory setting in urlscan.ini; the directions can easily be found on the net). The last thing I would recommend within this tool is to enable the rejection redirect page (RejectResponseUrl) so that when URLScan blocks a request you can see that it did. This will save you some headaches and frustration when trying to figure out why something isn't working on one of your websites.
Microsoft IIS Lockdown Tool 2.1
IIS Lockdown Tool Technet Article
I saved the single most important step for last, so I hope I didn't bore anyone into leaving before getting here. I can't begin to express how important it is to disable WebDAV in IIS. WebDAV is not an exploit in itself; it is an extension to HTTP (methods such as PROPFIND, PUT, MKCOL, MOVE and DELETE) that lets a client create, change and delete files on the web server over the same port 80 connection that serves pages. That is precisely what makes it the most widely abused way into IIS: if a site's directory allows Write, or a flaw in the IIS WebDAV implementation lets an attacker past authentication, one PUT per directory is all it takes to drop those index files, and the hourly re-defacements you are seeing are the attacker doing exactly that. Keeping it enabled on a server that does not need it is a sure-fire way to get hacked. In case you are wondering what WebDAV is actually useful for, here is a brief explanation before a link to a more in-depth article with instructions for disabling it. Let's say you have 20 websites sharing one IP address, and 10 of them are owned by individual customers who need to upload to their own website directory. How do you give each customer access to his own site's directory without exposing the other customers' directories, when FTP on that server cannot tell the sites apart by name? WebDAV, because it rides on HTTP and uses the host header to pick the site. If you don't host that way, turn it off: on IIS 5 via the DisableWebDAV registry value under the W3SVC Parameters key, on IIS 6 by setting the WebDAV entry under Web Service Extensions to Prohibited.
WebDAV Article with Disabling Instructions
So by now your web server should be secure, but I would like to cover one more thing before we wrap up. We set up logging earlier and now I will show you how to read the logs. The first thing you will need is a log parser, and although there are many fancy log parsers out there, I think the one you will find most useful is Microsoft's own Log Parser. It accepts standard SQL-style queries against the W3C log files and there are plenty of examples on the net showing how to get useful results from your IIS logs; the ones to start with for this attack are a list of PUT and other WebDAV requests grouped by client IP, and every request that returned a 201 (Created) status. I will include a couple of links here to get you started after the break. Please note that not all examples will work exactly as you read them; most will need to be tweaked to your specific server or query.
More Log parsing example using Microsoft’s Log Parser
Excellent guide on Forensic Style log parsing with Microsoft’s LogParser
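As an added example (not from the original post, and not Log Parser's own code), here is the same triage in Python for a box where Log Parser is not at hand: it reads IIS W3C Extended log text, picks out the WebDAV write methods discussed above, flags the accepted writes to the default-document names the defacers drop, and summarizes attempts per client IP with the time window, so you know which hourly log files to pull. The log lines are constructed for the example with documentation-range IP addresses; the field list matches the IIS 6 defaults, and the script assumes a #Fields directive is present in the log.

```python
"""Triage IIS W3C Extended logs for WebDAV file writes.

Added example, not from the original post. Assumptions:
  - logs are in the W3C Extended format IIS writes by default, one request
    per line, with a "#Fields:" directive naming the columns;
  - the directive includes at least date, time, cs-method, cs-uri-stem,
    c-ip and sc-status (the IIS 6 defaults do).
The sample log below is constructed for this example (RFC 5737 addresses),
not taken from a real incident.
"""
from collections import defaultdict

# Default-document names the post says the defacers drop into every folder.
DEFACEMENT_NAMES = {
    "index.php", "index.cfm", "index.htm", "index.html",
    "default.php", "default.cfm", "default.htm", "default.html",
}

# HTTP/WebDAV methods that create, modify or remove content on the server.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields.

    IIS writes a fresh #Fields line whenever the log configuration changes,
    so the column map is refreshed each time one appears. IIS writes spaces
    inside values (e.g. User-Agent) as '+', so splitting on whitespace is safe.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line, e.g. a file IIS is still writing
        yield dict(zip(fields, values))


def webdav_writes(rows):
    """Return the request rows that used a write method, in log order."""
    return [r for r in rows if r["cs-method"].upper() in WRITE_METHODS]


def successful_defacements(rows):
    """(c-ip, cs-uri-stem) for accepted (2xx) writes to default-document names."""
    hits = []
    for r in webdav_writes(rows):
        status = int(r["sc-status"])
        name = r["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if 200 <= status < 300 and name in DEFACEMENT_NAMES:
            hits.append((r["c-ip"], r["cs-uri-stem"]))
    return hits


def attacker_summary(rows):
    """Per client IP: attempted/succeeded write counts and first/last seen.

    Timestamps are left as IIS logged them (UTC by default), which is what
    you need to pick the right hourly ex<yymmddhh>.log file.
    """
    summary = defaultdict(lambda: {"attempted": 0, "succeeded": 0,
                                   "first_seen": None, "last_seen": None})
    for r in webdav_writes(rows):
        s = summary[r["c-ip"]]
        s["attempted"] += 1
        if 200 <= int(r["sc-status"]) < 300:
            s["succeeded"] += 1
        when = r["date"] + " " + r["time"]  # zero-padded, so string order == time order
        s["first_seen"] = when if s["first_seen"] is None else min(s["first_seen"], when)
        s["last_seen"] = when if s["last_seen"] is None else max(s["last_seen"], when)
    return dict(summary)


# Constructed sample log (IIS 6 default W3C Extended fields, hourly file).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-06-14 03:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-06-14 03:01:12 10.0.0.5 GET /index.htm - 80 - 192.0.2.9 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-06-14 03:01:15 10.0.0.5 PROPFIND / - 80 - 198.51.100.23 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
2009-06-14 03:01:16 10.0.0.5 PUT /customer1/index.htm - 80 - 198.51.100.23 Microsoft-WebDAV-MiniRedir/5.1.2600 201 0 0
2009-06-14 03:01:16 10.0.0.5 PUT /customer1/default.htm - 80 - 198.51.100.23 Microsoft-WebDAV-MiniRedir/5.1.2600 201 0 0
2009-06-14 03:01:17 10.0.0.5 PUT /customer2/index.php - 80 - 198.51.100.23 Microsoft-WebDAV-MiniRedir/5.1.2600 201 0 0
2009-06-14 03:01:18 10.0.0.5 PUT /customer2/readme.txt - 80 - 198.51.100.23 Microsoft-WebDAV-MiniRedir/5.1.2600 201 0 0
2009-06-14 03:02:40 10.0.0.5 GET /customer1/index.htm - 80 - 192.0.2.9 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-06-14 03:05:01 10.0.0.5 PUT /customer3/index.html - 80 - 198.51.100.23 Microsoft-WebDAV-MiniRedir/5.1.2600 401 2 0
"""

if __name__ == "__main__":
    rows = list(parse_w3c(SAMPLE_LOG))
    for ip, path in successful_defacements(rows):
        print(f"{ip} wrote {path}")
    for ip, s in attacker_summary(rows).items():
        print(f"{ip}: {s['succeeded']}/{s['attempted']} writes succeeded "
              f"between {s['first_seen']} and {s['last_seen']}")
```

Run it against a real file with `parse_w3c(open(path).read())`. The PROPFIND that precedes the PUTs is the WebDAV client listing the directory first; it is not a write, but seeing it from the same IP right before a burst of 201s is the signature to look for in your own logs.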
If you're interested in graphical logs that are more useful for traffic and statistical monitoring than for forensic investigation, I have two free software recommendations for you.
Funnel Web Analyzer from the well known Quest Software
Indihiang Web log Analyzer
If you're interested in some additional reading, I recommend the following article, which shows IIS hacking from a hacker's perspective.
If you found this article helpful please donate, I appreciate anything including pennies.