Maybe a Hacking issue - help?

[bbowers]

We have recently been having an issue where unauthorized files are being written to

http://wwwroot

of our web server on a regular basis. The files are all 0k and are named like “index.html, index.htm and etc. The time stamp on all files are identical. If they were written at 8:17 every one would have that same time. It happens every few days. When it happens a _vti_cnf folder is created with the same files as written to the root. From what I have found these are the config files from FrontPage. When I view the info in these files the created by info is NA and it shows they are created from FrontPage 4. The Server logs indicate the same thing, no user available. We have really been struggling on how to determine what is happening. We are not sure if it is external or internal. Any suggestions on what we can do to track this issue down. The first time it happened IIS was set to look at index.html first so the web page would not come up. We have since now correct that issue, but still need to determine what is going on. This is a Windows 2k server.

 

[jshurst]

First, is this web server open to the public or is it just for internal use (LAN). If you can I would limit the ip address range for certain users. You might could even limit it to the local machine itself (if you can stand to have it offline for some time). You can find this under IIS. Go to the properties of the website and look under the Directory Security -> IP and Domain name restrictions.

I would also disable the Administrator account (create a new one named something else first), disable the Guest account, and change passwords to other accounts.

See if that helps.

J

 

[Serbtastic]

Also, if the

http://wwwroot

resides on an NTFS partition, you can look at the ownership of the mystery files to help you figure out how they got there.

 

[bbowers]

The owner of the files is IUSR_

http://WWW the

internet guest account.

It is an external web server, user have access to it from the inside. I have changed passwords, but have not disabled the admin account. Guest account is disabled? Not really sure what you mean by limit the server to an IP range?

 

[lhuegele]

Because it's open to the internet, limiting access by IP address won't apply to you.

What is the O/S and service pack level? Have you made sure everything is patched and up to date? Have you double-checked your NTFS permissions to make sure they don't have WRITE access or directory browsing?

Sounds like you could have several issues, and there is a wide range of causes/effects. You will need to provide more information to help us help you.

Also, turning on advanced logging would be a good way to get more information on who's doing what, but you will take a performance hit so it's only something you want to have on temporarily to see if you can gain more insight.

Good luck,

 

[Motiv]

Try to open a particular site in FrontPage - it will probably let you open the site without prompting for user credentials.

You can go to each site in IIS and remove anonymous access from _vti_cnf folder I believe (it could be _vti_pvt its been too long since I've dealt with this)

Or... you could just remove the FrontPage extensions from the server and only allow users to upload content via FTP - they might complain tho... sigh.