PDA

View Full Version : Web Server Security



emi_b
06-25-2004, 11:13 AM
A while back I had a hacker get into my in-house IIS webserver through ftp. They through on alot of DVD's and DIVX crap. After I discovered this we have closed down the ftp to only allow people from certain ftp's to be able to get in. The problem I have now is they keep requesting /winnt/system32/cmd.exe and it keeps showing up in my logs as either a 404, 403, or 500. Is there anyway to close down the webserver even more, and is there any monitoring software that will tell me if someone was able to hack in. Thanks in advance.

M0rtym0use
06-25-2004, 11:44 AM
emi_b,
which windows server is it? and version
eg win2003 web edition

also a few things you must do.
1) lock down all local accounts and give the admin a complex password.
2) keep the box totally up to date with patches.
3) use something like black ice server to monitor ports and block bad content
4) urlscan is another decent scanner
5) set up some firewalling that only allows traffic to certain ports eg port 80

things i would recommend you do now.
1) virus scan the box
2) spyware scan the box

look in the registry at local machine->software->microsoft->windows->current version->run, run once etc
that path may not be exactly correct but it should point you in the correct direction...
in those keys remove any strange looking values you do not recognise its use, there should be hardly anything in there!

hope this helps...

MM

goto sysinternals.com and get pstools

emi_b
06-25-2004, 11:49 AM
win2000

We have a pretty decent firewall, and a pretty good virus protector. Any other ideas.

mushroom
06-25-2004, 11:57 AM
When he was in he probably created some new back doors. Go to http://www.webproworld.com/viewtopic.php?t=22803 and scan ALL your ports, close any unused ports, reboot and rescan your ports.

Also check out http://www.webproworld.com/viewtopic.php?t=22522 and see if your machine has been loged as an attacter.

That's a place to start...............the battle never ends.

emi_b
06-25-2004, 12:18 PM
I did some firewall tests and it seems like I am okay in that regard. What is a URL scanner?

M0rtym0use
06-25-2004, 01:30 PM
emi_b,
http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp
basically logs traffic going into ISS and blocks on certain criteria which is customizable in an ini file....

MM

emi_b
06-25-2004, 03:38 PM
I installed that URLScan thing adn websites died. I removed .asp from its stuff to ignore, but that only helped part of my site. The database parts all died not good. I have since uninstalled it.

M0rtym0use
06-25-2004, 07:14 PM
emi_b,
Your URLScan config may have been a bit screwy (to be technical)

to get a fully working ini file

http://www.always-on.org.uk/urlscan.zzz

rename it to .ini and replace your current config restart iis and all should be fine...

MM