How Can I Find Out *HOW* My Site Was Hacked? How Do I Find Site Vulnerabilities?

Question

One of my custom developed ASP.NET sites was hacked today: "Hacked By Swan (Please Stop Wars !.. )" It is using ASP.NET and SQL Server 2005 and IIS 6.0 and Windows 2003 server. I am not using Ajax and I think I am using stored procedures everywhere I am connecting to the database so I dont think it is SQL injection. I have now removed the write permission on the folders.

How can I find out what they did to hack the site and what to do to prevent it from happening again?

The server is up to date with all Windows updates.

What they have done is uploading 6 files (index.asp, index.html, index.htm,...) to the main directory for the website.

What log files should I upload? I have log files for IIS from this folder: c:\winnt\system32\LogFiles\W3SVC1. I am willing to show it to some of you but don't think it is good to post on the Internet. Anyone willing to take a look at it?

I have already searched on Google but the only thing I find there are other sites that have been hacked - I haven't been able to see any discussion about it.

I know this is not strictly related to programming but this is still an important thing for programmers and a lot of programmers have been hacked like this.

Answer 1

Well, for starters:

• Have you patched your server?
• Do you have lingering remnants of things like FrontPage Server Extensions, Office extensions for web, etc.?
• Have you made sure you don't have SQL Injection vulnerabilities?
• Have you googled for that text, "Hacked by swan"? There are many hits, perhaps one of them has figured out his entrance

If you do have, or is unsure about, whether you have SQL Injection problems or not, then you can ask further here, but otherwise I would get some security experts to help you.

This is indeed a programming site, so unless your problem is programming-related, it will most likely be closed again.

Answer 2

The first thing you should do is check your log files. You could paste them here,and we'll tell you if we recognize an attack .

Answer 3

IIS Process

Check that your ASPNET process does not have privilage to write files on the server. If you need the process to have write permissions, allow them only to do so on a specific folder, and deny execute permissions on that folder for all User accoutns.

SQL Injection

To see people looking for SQL vunrabilities have a look in your log files for the following text, "CAST(".

Do you have any places where you build up SQL in the code behind to query the database? These can be prone to SQL injection attacks. By replacing code such as the following you will be more safe.

Dim strSQL As String = "Select * FROM USERS Where name = '" & Response.Querystring("name") "'"

then consider an alternative like the following.

Dim strSQL As String = "Select * FROM USERS Where name = @name"

and then adding the corresponding SQL PArameter to the sql command.

Answer 4

You might want to give try it using a penetration toolkit like Metasploit to discover any obvious holes.

Also, please post your log files if they are untampered with.

Answer 5

Hopefully you've had your IIS logfiles turned on and hopefully the hacker didn't erase them. By default they're located here: c:\winnt\system32\LogFiles\W3SVC1 and will generally be named after the date.

Then it's probably helpful to figure out how to use log parser (from Microsoft), which is free. Then use this guide to help you with looking forensically at your logfiles. Do you have a firewall because it's syslogs might be helpful.

Another decent tool to help you find sql injection issues is to go here and download HP's Scrawlr.

If you have any more questions about what you've found, come back and ask.

Answer 6

It appears that the attack on your website was part of a mass defacement carried out by SWAN on 21 November, 2008 against Windows 2003 and Windows 2000 boxes running IIS 6.0. Others here have suggested a number of things. I would only add that whenever you decide to bring up the website, please format the box and reinstall from scratch. Once a box is compromised, it cannot be trusted, at all, however you clean and purify it.

Answer 7

Set up Google Analytics and review all requests that were made to your website. If you are dealing with SQL injection through the query string you an easily find out what they did, and how they found your vulnerabilities.

Answer 8

Is FTP turned on?

I once had a customer's who had left their FTP turned on for some reason, and the hacker had just set a bot running, trying random/common user/password combinations. That hack was worse than yours because it didn't show on the web pages, but tried to install an ActiveX...

So, you could check your FTP log.