How can I keep my site from being hacked again?
May 9, 2005 7:49 AM

Someone has been repeatedly trying to hack into my website. I'm on a Windows box, running ASP and an Access database.

I run a site where I review toys, and as an experiment in ASP, I created a whole publishing interface that uses an access database and a password protected login.

Last week, someone broke in (probably using a brute force attempt), and went in and began dumping random ASP code into my reviews. My guess is that the aim was to gain access to server information, etc. Googling came up with an application called Stationmaster ASP. Dunno what it does, but it looks like they didn't succeed.

Still, I changed all my passwords, backed up my data.

Well, this weekend I am hacked again. I forgot that I had a form that allows people to upload images for reviews. This form allows any media to be uploaded, but does not go into a database. It was accessible off of one of my logged in pages, but not publicly. The hacker uploaded EXE, BAT, ASP and even what looks like a picture of himself and his girlfriend to my server. I've since deleted the offending page, but I worry now that I am an easy target for hackers and script kiddies.

Now I am not an ASP Guru – what can I do to further protect myself? I am now working on a new site in PHP, on a completely different server. Is there any kind of known ASP exploit this hacker is using? Anything my host can do to patch my system?
posted by quibx to Computers & Internet (10 answers total)
 
The first question is: what OS (and version) is the webserver running?

Are you running it or is it being maintained by a hosting company? Is it fully patched? Has it been locked down to prevent exploits on unneeded ports? Is it running some sort of virus scanner? Is there a firewall in front of it?

There are lots and lots of Windows exploits and unless the machine is actively maintained and kept up to date you're just asking for trouble.

Linux isn't entirely trouble-free, but from my own personal experience it's much much much more secure than any Windows OS I've heard of.
posted by bshort at 8:00 AM on May 9, 2005


Also, you could always give the URL and we could "test" it to see just how secure it is.
posted by bshort at 8:01 AM on May 9, 2005


Caveat: I'm working from your description, not from looking at the code. This means I could be way off-base.

It sounds like your problem is basic security, rather than ASP, OS or server - if you recode that upload script in PHP, it will still be more-or-less vulnerable.

Here's the biggest thing you need to know about internet security: NEVER TRUST THE CLIENT.

Every single piece of data that comes from the client needs to be treated like it's an attempt to rape your server. Anything suspicious gets dumped. If you're expecting an image, make sure it's an image. Save uploaded files outside your document root. If you're expecting an integer, make sure it's an integer, and in the correct range. Be paranoid.

As to what you can do right now to protect yourself... that's tricky. I'm tempted to say wget the site and put up a static version for now. But then, any security mistakes you've made in ASP are likely to be carried over into the new PHP version... maybe a basic web security primer is what you need. I'm sure Google will find dozens for you.

Or perhaps you can find an existing codebase that does what you want? The upside there is that a lot of the security bugs will have been shaken out of it, the downside is that the more popular the codebase, the more people searching for a way to mess with it.
posted by Leon at 8:08 AM on May 9, 2005
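Leon's advice above (check that an "image" really is an image, ignore what the client claims, keep uploads out of the document root) in working form. This is an added example written for this page, not the poster's ASP code or anything from the thread; it assumes Python 3, that the review form should only ever accept JPEG, PNG or GIF, and that `upload_root` points at a directory the web server does not serve directly. The function and variable names are the example's own.

```python
"""Hardened image-upload handling (added example; not code from the original post).

Assumptions not taken from the thread: Python 3; the form should accept only
JPEG/PNG/GIF review photos; upload_root lives OUTSIDE the web server's docroot.
"""
import os
import re
import secrets

MAX_BYTES = 2 * 1024 * 1024  # assumed cap: 2 MiB is plenty for a review photo

# Leading bytes genuine files of each type start with. The client's filename
# and Content-Type header are attacker-controlled, so the body is sniffed.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Shape of the names this module generates: 32 hex chars plus one known
# extension. Anything else asked for later is refused before touching disk.
STORED_NAME = re.compile(r"^[0-9a-f]{32}\.(jpg|png|gif)$")


class UploadRejected(ValueError):
    """Raised for anything that is not plainly a small image."""


def sniff_image_type(data: bytes):
    """Return 'jpg', 'png' or 'gif' based on the file's own bytes, else None."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def validate_upload(client_filename: str, data: bytes) -> str:
    """Check an upload and return the server-chosen name to store it under.

    The client's filename is never reused on disk. It is only compared with
    what the bytes say, so 'shell.asp' holding JPEG bytes and 'pic.png'
    holding ASP source are both refused, as is 'pic.png.asp'.
    """
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized body")
    kind = sniff_image_type(data)
    if kind is None:
        raise UploadRejected("body is not a JPEG, PNG or GIF")
    claimed = os.path.splitext(os.path.basename(client_filename))[1].lower().lstrip(".")
    if claimed == "jpeg":
        claimed = "jpg"
    if claimed != kind:
        raise UploadRejected("filename extension does not match content")
    # Random name; the extension comes from the sniffed type, never the client.
    return f"{secrets.token_hex(16)}.{kind}"


def store_upload(upload_root: str, client_filename: str, data: bytes) -> str:
    """Write a validated upload under upload_root and return its stored name."""
    name = validate_upload(client_filename, data)
    with open(os.path.join(upload_root, name), "xb") as fh:  # 'x': never overwrite
        fh.write(data)
    return name


def is_safe_stored_name(name: str) -> bool:
    """True only for names this module generated; blocks '../' and friends."""
    return STORED_NAME.fullmatch(name) is not None


def read_upload(upload_root: str, name: str):
    """Hand a stored image back through the application, as (content_type, bytes).

    The file sits outside the docroot and is returned as data, so the web
    server never gets the chance to execute whatever was uploaded.
    """
    if not is_safe_stored_name(name):
        raise UploadRejected("not a stored upload name")
    ext = name.rsplit(".", 1)[1]
    content_type = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif"}[ext]
    with open(os.path.join(upload_root, name), "rb") as fh:
        return content_type, fh.read()


if __name__ == "__main__":
    # Constructed sample bodies for demonstration, not files from the thread.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    asp = b'<% Response.Write(Request.ServerVariables("ALL_RAW")) %>'
    print("accepted as", validate_upload("toy.png", png))
    for fname, body in [("shell.asp", asp), ("shell.asp", png), ("pic.png.asp", png)]:
        try:
            validate_upload(fname, body)
        except UploadRejected as why:
            print(f"rejected {fname!r}: {why}")
```

The two halves matter together: sniffing the bytes keeps scripts out, and generating the name server-side plus serving through `read_upload` means that even a file that slips past the check is only ever returned as image data, never handed to the script engine.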


Keep in mind that PHP itself is a carnival of security horrors. Make sure you keep up to date with their releases.
posted by cmonkey at 8:30 AM on May 9, 2005


Best answer: It's obvious the problem here is your upload script. Allowing an exe to be uploaded and executed means your server has been compromised. Bear in mind this is not an ASP exploit per se, any type of server is vulnerable when you give an untrusted user the ability to run code!

I'd remove the offending upload form until you find one that is secure, or at the very least turn off execute privileges on the folder that the uploads are saved in.
posted by derbs at 8:32 AM on May 9, 2005


at the very least turn off execute privileges on the folder that the uploads are saved in.

I'm not a Windows admin by any measure of the word, but my understanding of Windows is that this is impossible...
posted by shepd at 8:38 AM on May 9, 2005


at the very least turn off execute privileges on the folder that the uploads are saved in.

I'm not a Windows admin by any measure of the word, but my understanding of Windows is that this is impossible...


Surely though IIS allows you to mark directories as non-CGI. Right? As long as the webserver is told not to execute things then you're much better off.

I agree with what others have said. Your problem isn't the OS, the webserver, or the language you've written your scripts in. What you need to do is pick up a good book on how to write interpreted webpages securely. Otherwise you're going to pick up PHP and start writing the same unsecured code. You might also want to subscribe to a list like BugTraq and pay attention to what sorts of vulnerabilities people exploit. Most of the problems are with unverified input (thank god for perl and its taint system).
posted by sbutler at 8:50 AM on May 9, 2005


Right click on the folder > properties > security tab. Select the Internet Guest Account user. Check "Allow" on 'Read' and 'Write', and "Deny" for all the others (including execute).

This is for Windows Server 2003, by the way. It's slightly different for NT Server 4, but still possible.
posted by derbs at 8:50 AM on May 9, 2005


Response by poster: I don't have access to the server, my host administers it, and the machine is shared with other sites. They have said that their machine is patched and up to date in terms of security.

I've taken the form offline for now. I'm working on a new version of the site in PHP on a Unix box with a professional PHP guy, and I hate to spend a lot of dev time on the old, poorly done site.

Thanks for all your help.
posted by quibx at 9:32 AM on May 9, 2005


Response by poster: Oh, and the site is in my profile, if anyone wants to see if they see something obvious.
posted by quibx at 9:32 AM on May 9, 2005

