HELP! We got hacked.

[Mark Marlow]

My company host several websites using IIS 4.0 on NT server 4 service pack
6a. We have frontpage extensions installed and were recently hacked. All
the home directories had 5 files upload to them.

index.htm
index.html
default.htm
default.html
default.asp

The hacked message was:

winkoder and enspine ownz you : ION / us.brasnet.org


I would like to know what can be done to prevent this in the future. There
is no ftp access and every web has a username and password to upload to it.
Thanks for any help.

(e-mail address removed)

 

[Guest]

This is generic but:

o Change all your admin passwords.
o Scan the system for viruses.
o Upgrade to all the latest patches.
o Check your firewall rules.

Repeat slightly more often than required.

Jim Buyens
Microsoft FrontPage MVP
http://www.interlacken.com
Author of:
*------------------------------------------------------*
|\----------------------------------------------------/|
|| Microsoft Office FrontPage 2003 Inside Out ||
|| Microsoft FrontPage Version 2002 Inside Out ||
|| Web Database Development Step by Step .NET Edition ||
|| Troubleshooting Microsoft FrontPage 2002 ||
|| Faster Smarter Beginning Programming ||
|| (All from Microsoft Press) ||
|/----------------------------------------------------\|
*------------------------------------------------------*


----- Mark Marlow wrote: -----

My company host several websites using IIS 4.0 on NT server 4 service pack
6a. We have frontpage extensions installed and were recently hacked. All
the home directories had 5 files upload to them.

index.htm
index.html
default.htm
default.html
default.asp

The hacked message was:

winkoder and enspine ownz you : ION / us.brasnet.org


I would like to know what can be done to prevent this in the future. There
is no ftp access and every web has a username and password to upload to it.
Thanks for any help.

(e-mail address removed)

 

[Carl Vannest]

Mark,

Let me suggest that in the future you make your passwords harder to
figure out. I'm not sure what your password was in the past but many people
tend to make them easy to remember for Website Loading. You still want to
make the password as hard as possible. Keep in mind that hackers/crackers
use Password Lists of 100's of 1,000's possible word and number combinations
to crack a password. Your password should be something so obscure that
these lists could not possibly contain it. An example would be j28ow1n0.
There is no pattern to the letters and numbers, and there are at max 2
letters and 2 numbers in a string.

Better Luck Next Time,
Carl

 

[Steve Easton]

Well for starters your "host" is running
IIS/4.0 on a NT4/ Windows 98 server,
which hasn't been updated since 26-Nov-2002.

So, I would have your host install the latest security
updates from MSFT.

Since it's possible that the server has been compromised
using a buffer over run attack to place a "bot" on the server,
I would run a spybot search and destroy program on the server.

Then I would change the passwords so that they are more complex.

I would also seriously consider an immediate upgrade to
windows 2000 server or better.

hth

 

[DN]

To that end I've started using a new program out called PassSafe. It
lets you remember one password, but combines it with the current computer
name and ends up giving you a completely random looking password for
every site. Pretty slick idea--now if it only worked on more than just
web pages.