One of my custom developed ASP.NET sites was hacked today: "Hacked By Swan (Please Stop Wars !.. )" It is using ASP.NET and SQL Server 2005 and IIS 6.0 and Windows 2003 server. I am not using Ajax and I think I am using stored procedures everywhere I am connecting to the database so I dont think it is SQL injection. I have now removed the write permission on the folders.
How can I find out what they did to hack the site and what to do to prevent it from happening again?
The server is up to date with all Windows updates.
What they have done is uploading 6 files (index.asp, index.html, index.htm,...) to the main directory for the website.
What log files should I upload?
I have log files for IIS from this folder: c:\winnt\system32\LogFiles\W3SVC1
.
I am willing to show it to some of you but don't think it is good to post on the Internet. Anyone willing to take a look at it?
I have already searched on Google but the only thing I find there are other sites that have been hacked - I haven't been able to see any discussion about it.
I know this is not strictly related to programming but this is still an important thing for programmers and a lot of programmers have been hacked like this.
Most hackers will understand that they can be tracked down by authorities identifying their IP address, so advanced hackers will attempt to make it as difficult as possible for you to find out their identity.
Hackers usually use brute-force attacks such as guessing usernames and passwords, trying generic passwords, using password generator tools, social engineering/ phishing emails, and links, etc.
Google Search Console / Emails To look up any security issues on your Google search console, log in to your account, and go to the Security issues tab on the left side. If your website has been hacked, the malware will show up on your search console here.
It appears that the attack on your website was part of a mass defacement carried out by SWAN on 21 November, 2008 against Windows 2003 and Windows 2000 boxes running IIS 6.0. Others here have suggested a number of things. I would only add that whenever you decide to bring up the website, please format the box and reinstall from scratch. Once a box is compromised, it cannot be trusted, at all, however you clean and purify it.
IIS Process
Check that your ASPNET process does not have privilage to write files on the server. If you need the process to have write permissions, allow them only to do so on a specific folder, and deny execute permissions on that folder for all User accoutns.
SQL Injection
To see people looking for SQL vunrabilities have a look in your log files for the following text, "CAST(".
Do you have any places where you build up SQL in the code behind to query the database? These can be prone to SQL injection attacks. By replacing code such as the following you will be more safe.
Dim strSQL As String = "Select * FROM USERS Where name = '" & Response.Querystring("name") "'"
then consider an alternative like the following.
Dim strSQL As String = "Select * FROM USERS Where name = @name"
and then adding the corresponding SQL PArameter to the sql command.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With