One of my custom developed ASP.NET sites was hacked today: "Hacked By Swan (Please Stop Wars !.. )" It is using ASP.NET and SQL Server 2005 and IIS 6.0 and Windows 2003 server. I am not using Ajax and I think I am using stored procedures everywhere I am connecting to the database so I don't think it is SQL injection. I have now removed the write permission on the folders.
How can I find out what they did to hack the site and what to do to prevent it from happening again?
The server is up to date with all Windows updates.
What they have done is uploading 6 files (index.asp, index.html, index.htm,...) to the main directory for the website.
What log files should I upload? I have log files for IIS from this folder: c:\winnt\system32\LogFiles\W3SVC1. I am willing to show it to some of you but don't think it is good to post on the Internet. Anyone willing to take a look at it?
I have already searched on Google but the only thing I find there are other sites that have been hacked - I haven't been able to see any discussion about it.
I know this is not strictly related to programming but this is still an important thing for programmers and a lot of programmers have been hacked like this.
8 Answers
#1
13
It appears that the attack on your website was part of a mass defacement carried out by SWAN on 21 November, 2008 against Windows 2003 and Windows 2000 boxes running IIS 6.0. Others here have suggested a number of things. I would only add that whenever you decide to bring up the website, please format the box and reinstall from scratch. Once a box is compromised, it cannot be trusted, at all, however you clean and purify it.
#2
5
IIS Process
Check that your ASPNET process does not have privilege to write files on the server. If you need the process to have write permissions, allow them only to do so on a specific folder, and deny execute permissions on that folder for all User accounts.
SQL Injection
To see people looking for SQL vulnerabilities have a look in your log files for the following text, "CAST(".
Do you have any places where you build up SQL in the code behind to query the database? These can be prone to SQL injection attacks. By replacing code such as the following you will be more safe.
Dim strSQL As String = "Select * FROM USERS Where name = '" & Request.QueryString("name") & "'"
then consider an alternative like the following.
Dim strSQL As String = "Select * FROM USERS Where name = @name"
and then adding the corresponding SQL parameter to the SQL command.
#3
2
Hopefully you've had your IIS logfiles turned on and hopefully the hacker didn't erase them. By default they're located here: c:\winnt\system32\LogFiles\W3SVC1 and will generally be named after the date.
Then it's probably helpful to figure out how to use Log Parser (from Microsoft), which is free. Then use this guide to help you with looking forensically at your logfiles. Do you have a firewall? Its syslogs might be helpful.
Another decent tool to help you find sql injection issues is to go here and download HP's Scrawlr.
If you have any more questions about what you've found, come back and ask.
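Answers #2 and #3 both point at the IIS logs in c:\winnt\system32\LogFiles\W3SVC1: search them for "CAST(" and look at them forensically. The following is an added example (not code from any answer) that parses that W3C extended log format in Python and flags the two things relevant to this incident: SQL-injection probes in the query string, and HTTP/WebDAV methods that can write files to the web root, plus the earliest request for one of the index.* files the question says were dropped. The log lines are constructed for the example, not taken from the affected server.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of an IIS 6.0 W3C extended log (not from the affected server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-11-21 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-11-21 10:01:02 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/4.0+(compatible) 200 0 0
2008-11-21 10:01:09 10.0.0.5 GET /products.aspx id=1;DECLARE+@s+VARCHAR(4000);SET+@s=CAST(0x4445434C415245+AS+VARCHAR(4000));EXEC(@s);-- 80 - 192.0.2.10 Mozilla/4.0+(compatible) 500 0 0
2008-11-21 10:02:30 10.0.0.5 PUT /index.asp - 80 - 192.0.2.10 Microsoft-WebDAV-MiniRedir/5.1.2600 201 0 0
2008-11-21 10:02:45 10.0.0.5 GET /index.asp - 80 - 198.51.100.7 Mozilla/4.0+(compatible) 200 0 0
"""

# The "CAST(" hint from the answer above plus the other keywords the 2008
# mass-injection probes carried; matched against the URL-decoded query string.
SQLI_RE = re.compile(r"(?i)(CAST\s*\(|DECLARE\s+@|EXEC\s*\(|xp_cmdshell|UNION\s+SELECT)")
# HTTP/WebDAV methods that can create, rename or remove files on the server.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "PROPPATCH", "DELETE"}
# The files the question says were uploaded to the web root.
DEFACED = {"/index.asp", "/index.html", "/index.htm"}

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")           # W3C encodes embedded spaces as '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def triage(text):
    """Return (time, client ip, reason, detail) for every suspicious request."""
    findings = []
    for r in parse_w3c(text):
        when = f"{r['date']} {r['time']}"
        query = unquote_plus(r["cs-uri-query"]) if r["cs-uri-query"] != "-" else ""
        if SQLI_RE.search(query):
            findings.append((when, r["c-ip"], "sqli-probe", r["cs-uri-stem"] + "?" + query[:60]))
        if r["cs-method"] in WRITE_METHODS:
            findings.append((when, r["c-ip"], "write-method", f"{r['cs-method']} {r['cs-uri-stem']} -> {r['sc-status']}"))
    return findings

def first_hit(text, paths=DEFACED):
    """Earliest request for a defacement file: an upper bound on when it appeared."""
    hits = [r for r in parse_w3c(text) if r["cs-uri-stem"].lower() in paths]
    return f"{hits[0]['date']} {hits[0]['time']}" if hits else None
```

Run `triage()` and `first_hit()` over the real daily log files and pivot on the client IPs they return to see everything else those addresses requested around the same time.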
#4
2
Well, for starters:
- Have you patched your server?
- Do you have lingering remnants of things like FrontPage Server Extensions, Office extensions for web, etc.?
- Have you made sure you don't have SQL Injection vulnerabilities?
- Have you googled for that text, "Hacked by swan"? There are many hits, perhaps one of them has figured out his entrance
If you do have, or are unsure about, whether you have SQL Injection problems or not, then you can ask further here, but otherwise I would get some security experts to help you.
This is indeed a programming site, so unless your problem is programming-related, it will most likely be closed again.
#5
1
You might want to give it a try using a penetration toolkit like Metasploit to discover any obvious holes.
Also, please post your log files if they are untampered with.
#6
0
The first thing you should do is check your log files. You could paste them here, and we'll tell you if we recognize an attack.
#7
0
Set up Google Analytics and review all requests that were made to your website. If you are dealing with SQL injection through the query string you can easily find out what they did, and how they found your vulnerabilities.
#8
0
Is FTP turned on?
I once had a customer who had left their FTP turned on for some reason, and the hacker had just set a bot running, trying random/common user/password combinations. That hack was worse than yours because it didn't show on the web pages, but tried to install an ActiveX...
So, you could check your FTP log.