06-25-2004, 10:13 AM
A while back I had a hacker get into my in-house IIS webserver through FTP. They threw on a lot of DVDs and DivX crap. After I discovered this we have closed down the FTP to only allow people from certain ftp's to be able to get in. The problem I have now is they keep requesting /winnt/system32/cmd.exe and it keeps showing up in my logs as either a 404, 403, or 500. Is there any way to close down the webserver even more, and is there any monitoring software that will tell me if someone was able to hack in? Thanks in advance.
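
One way to check the logs described in the post above for probes that were actually served, as an added example that is not part of the original thread. It assumes IIS writes W3C extended logs with the c-ip, cs-uri-stem and sc-status fields enabled; the sample log lines and IP addresses are constructed.

```python
from collections import defaultdict

# Constructed sample in W3C extended log format (not taken from the thread).
# The second #Fields line mimics IIS rewriting the header with a new column order.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-06-25 09:58:01 192.0.2.10 GET /default.asp 200
2004-06-25 10:01:12 198.51.100.7 GET /winnt/system32/cmd.exe 404
2004-06-25 10:01:13 198.51.100.7 GET /winnt/system32/cmd.exe 403
2004-06-25 10:01:15 198.51.100.7 GET /WINNT/system32/CMD.EXE 500
#Fields: date time c-ip sc-status cs-method cs-uri-stem
2004-06-25 10:07:44 203.0.113.99 200 GET /winnt/system32/cmd.exe
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def cmd_exe_probes(text, needle="cmd.exe"):
    """Group requests for `needle` by client IP; separate rejected from served."""
    report = defaultdict(lambda: {"blocked": 0, "served": []})
    for rec in parse_w3c(text):
        if needle not in rec.get("cs-uri-stem", "").lower():
            continue
        status = rec.get("sc-status", "")
        if not status.isdigit():
            continue
        entry = report[rec["c-ip"]]
        if 200 <= int(status) < 400:           # server answered instead of refusing
            entry["served"].append((rec["date"], rec["time"], int(status)))
        else:                                  # 4xx/5xx: the probe was rejected
            entry["blocked"] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, info in cmd_exe_probes(SAMPLE_LOG).items():
        flag = "INVESTIGATE" if info["served"] else "rejected only"
        print(ip, flag, info)
```

Any entry under "served" means the server returned a success or redirect for that path instead of rejecting it, which is the case to investigate on the box itself.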

06-25-2004, 10:44 AM
Which Windows server is it, and which version?
E.g. Win2003 Web Edition.

Also a few things you must do.
1) Lock down all local accounts and give the admin a complex password.
2) Keep the box totally up to date with patches.
3) Use something like Black Ice server to monitor ports and block bad content.
4) URLScan is another decent scanner.
5) Set up some firewalling that only allows traffic to certain ports, e.g. port 80.

Things I would recommend you do now.
1) Virus scan the box.
2) Spyware scan the box.

Look in the registry at local machine->software->microsoft->windows->current version->run, run once etc.
That path may not be exactly correct but it should point you in the correct direction...
In those keys remove any strange-looking values whose use you do not recognise; there should be hardly anything in there!

Hope this helps...

Go to sysinternals.com and get PsTools.

06-25-2004, 10:49 AM

We have a pretty decent firewall, and a pretty good virus protector. Any other ideas?

06-25-2004, 10:57 AM
When he was in he probably created some new back doors. Go to http://www.webproworld.com/viewtopic.php?t=22803 and scan ALL your ports, close any unused ports, reboot and rescan your ports.

Also check out http://www.webproworld.com/viewtopic.php?t=22522 and see if your machine has been logged as an attacker.

That's a place to start... the battle never ends.

06-25-2004, 11:18 AM
I did some firewall tests and it seems like I am okay in that regard. What is a URL scanner?

06-25-2004, 12:30 PM
Basically logs traffic going into IIS and blocks on certain criteria, which is customizable in an ini file...


06-25-2004, 02:38 PM
I installed that URLScan thing and websites died. I removed .asp from its stuff to ignore, but that only helped part of my site. The database parts all died, not good. I have since uninstalled it.

06-25-2004, 06:14 PM
Your URLScan config may have been a bit screwy (to be technical).

to get a fully working ini file


Rename it to .ini and replace your current config, restart IIS and all should be fine...