How do hackers use a public port to gain access to my server

cfsjohn

Programmer
Sep 1, 2016
72
US
First, If this is the wrong forum to ask this question, please direct me to the more appropriate forum.

I have a website hosted by IIS. It is accessible by the public on a particular port on my server so incoming https traffic on port xyz is routed to my website.
I have an API also hosted by IIS. It is accessible by the public on a particular port on my server so incoming https traffic on port abc is routed to my API.

I am not concerned with a hacker accessing my API. I could care less if a hacker accessed my API and pulled all the data in my database. There is nothing in my data that would be useful to anyone doing criminal activity. I AM concerned that I have a port on my server that is accessible by the whole world. I do not understand how a hacker can get into my server simply by having this open port but of course I do not want anyone gaining access to my server unless they have credentials to do so.

So, I guess I need to have a better understanding of how a hacker exploits an open port to gain access to my server or to push a dangerous file through my open port onto my server.

Can someone help me with that understanding?

Thanks,
John
 
First, the questions I would have to ask to give you a general risk assessment:
1) Where is this server located? Cloud or on prem
2) What protections do you have in front of the server?
3) What protections do you have on the server?

Articles pertinent to the situation:
BIG ONE: https://medium.com/@mudasserhussain1111/hacking-microsoft-iis-iis-vulnerabilities-4c74c82b2af8
 
DrB0b, Thanks for the reply.
1) The server is on the cloud.
2 and 3) Our CSP provides some security. For example, they do not allow IPs from outside the US. There is a lot of "sniffing" software installed on all the cloud servers in our domain. I see processes like NinjaRMMA running on our servers. They maintain the firewall. They do nightly image backups. We are supposed (never been tested) to be able to come up in a different data center within 24 hours in case of catastrophic failure. For most things to do with security, I defer to them. We are on "green cloud" servers if that means anything. If I need to open a port for https traffic, they open the port. We have a port open for https traffic for our website. The website calls an API which I developed. The API is also on a port open to https traffic.

I will read the links you provided,
John
 
Sounds like you are with Rackspace but that is just a wild guess. Most hosted solutions will lock down everything except what is needed portwise and will have some form of intrusion prevention/detection. Essentially, you will want to make sure your IIS server is up to date and patched as much as possible.

Here is a great article on some things to tighten up in regards to IIS:
 
Also, you may want to go over your API depending on how it interacts with the site. Depending on how it was coded and what functions it utilizes, it may be worth taking a look at it again. If it's an old version of python or whatever and it has known issues, upgrading to a later version might be in the cards as well.
 
I do have a couple of questions:
1) How does an intruder actually read things like the configuration files? I mean how do they download or open a file that is on my server? The website or API does not provide any ability to look at files so how do they do that?
2) My website calls my API as its backend. The website url is public. The API url is also public because the website may be running on a browser anywhere and the website calls the API from that browser. How can I make the url for the API private unless it is being called by the website?

Thanks,
John
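An added illustration, not code from this thread or from either poster, aimed at John's two questions. Question 1: an intruder normally cannot "open" a file on the server just because a port is listening; what typically exposes a configuration file is an application endpoint that takes a file name from the client and does not confine it to the intended directory. Question 2: a URL the browser calls cannot be made private, so the usual answer is to authenticate each API request instead, for example with a short-lived signed token the website issues after login. The sketch below shows both controls in Python. Everything in it is an assumption for the example: the shared secret, the token format, the download directory `FILES_ROOT`, the `/download?name=` endpoint and the `handle_request` dispatcher are all constructed here and are not part of John's API.

```python
"""Added example (not from the Tek-Tips thread or its posters): a minimal
request-handling sketch showing two controls for a public API endpoint.

Assumptions (constructed for illustration):
  * The website issues short-lived HMAC-signed tokens to its own users after
    login, and the browser sends them in an "Authorization: Bearer" header.
  * The API serves downloadable files from one directory (FILES_ROOT) and
    must never serve anything outside it, such as the server's own
    configuration files.
"""
import base64
import hashlib
import hmac
import json
import time
from pathlib import Path
from typing import Optional, Tuple

# Secret shared between the website (issuer) and the API (verifier).
# Constructed demo value; in practice it comes from protected configuration.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 900

# Assumed directory the API is allowed to serve files from.
FILES_ROOT = Path("/srv/api/public-files")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Website side: sign {user, exp} so the API can verify the caller later."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "exp": int(now + TOKEN_TTL_SECONDS)},
                         separators=(",", ":")).encode()
    sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """API side: return the user name if signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:               # reject expired tokens
        return None
    return claims.get("user")


def resolve_download(name: str) -> Optional[Path]:
    """Map a client-supplied file name onto FILES_ROOT and refuse anything that
    would land outside it (a '../' prefix, an absolute path, or the root itself)."""
    root = FILES_ROOT.resolve()
    candidate = (root / name).resolve()
    if candidate == root:
        return None
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def handle_request(headers: dict, query: dict,
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Dispatcher for GET /download?name=...; returns (status, body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing token"
    user = verify_token(auth[len("Bearer "):], now)
    if user is None:
        return 401, "invalid or expired token"
    target = resolve_download(query.get("name", ""))
    if target is None:
        return 400, "invalid file name"
    return 200, f"would send {target.name} to {user}"


if __name__ == "__main__":
    token = issue_token("alice")
    print(handle_request({"Authorization": "Bearer " + token}, {"name": "report.csv"}))
    print(handle_request({"Authorization": "Bearer " + token}, {"name": "../web.config"}))
    print(handle_request({}, {"name": "report.csv"}))
```

The token check answers the "private URL" question: the endpoint stays reachable, but only requests carrying a token the website issued are served, and the token expires on its own. Restricting CORS origins is a useful extra but not a substitute, since CORS is enforced only by browsers. The `resolve_download` check is the kind of confinement whose absence lets a request for a file name escape the intended directory; the real fix for John's API is to audit every place where client input selects a file, a query, or a command.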