
Tracing source of a hack

What to look for in log files?

JonBoy

2:21 pm on Sep 3, 2005 (gmt 0)



Hi,

My site got hacked a couple of days ago. Fortunately it was a relatively benign attack, just replacing 2 images from the home page with dripping letters of blood saying "Hacked by IN07". Is there any way I can work out how it happened and so how I could prevent it?

The modified date of the image files changed to 31/8/2005 18:30, so that is presumably when the attack took place.

I'm running ASP applications on Windows 2003 server. I've got a couple of different apps (a CMS, a forum, home grown stuff, etc.) so I'm not sure which one was the vulnerable one.

What kind of thing should I be looking for in my log files?

Do Windows 2003 servers keep any kind of log, other than the normal website logs, that would give information about who changed the image files?

thanks!

Jonathan

JAB Creations

4:21 pm on Sep 4, 2005 (gmt 0)



if { The files were replaced by different named files, I'd look for the first instance of the new file names.
}

else if { I'd look for the first instance of the graph with a different size request.

bob.gif 5206 "index.html"
bob.gif 5206 "index.html"
bob.gif 5206 "index.html"
bob.gif 3211 "index.html"
bob.gif 3211 "index.html"
bob.gif 3211 "index.html"
bob.gif 3211 "index.html"

if { this is the case then look up above the first occurrence and as long as your log files are relatively small (under 200 MB a month) you should be able to spot it relatively quickly.

}

Are you running awstats with public access? If so, this is a common script that can be hacked. However you can download a newer version with a fix that won't allow this. Other scripts may be to blame but it may also NOT be a script that let this happen.

Be sure you're not CHMODing everything to 777 as well!

Dijkgraaf

4:27 am on Sep 5, 2005 (gmt 0)



You might also look in the Application log in Event Viewer for unusual events.

JAB Creations, he is running a Windows box, so CHMOD isn't an option he has :-)