Denial of Service: A "How Do the Pros Handle It" Front Line Report : Compiled by Erika L. Walker, CF Community Correspondent

Apr 30, 2001
As many of our readers are aware, an RUWebby client site was hit by a denial of service attack earlier this week. RUWebby Vice President Erika L. Walker worked valiantly to combat the attack. As usual, Michael Dinowitz, publisher of Fusion Authority, was right there to help her, and our wonderful developer community gave advice and provided support. We thank everyone who sprang to the battlements and helped Erika and RUWebby.com.

We felt that some of the emails exchanged during the crisis might be useful to our readers and have redacted them below:

Well, to those who are interested, I've combed through the log files. Found my attacker and even the commands he executed to put up those pages. (PoisonBOx..blah..blah...blah) <---not that I've caught the creep. That won't happen! :) The client is still installing patches, and we're tightening every bolt on the machine. I've also been advised to delete the default website IIS automatically sets up as well as disable all Front Page extensions, should they be running. (Front Page! EWW!).

Also, here is a compilation of all the tips and tricks people sent back to me in reply to this problem. I thank you very much for your responses! I learned a whole heck of a lot today about how insecure Microsoft products really are!! :) And that the only really safe server is an unplugged one!

Erika (with a *K*)
-----------------------------------------------------------

Compilation of Responses:

I do a security scan of my system every now and again using Whisker from RFP: (http://www.wiretrip.net/rfp/2/index.asp). I suggest everyone either do the same or ask someone you trust to do it for you. It takes little time to do and the rewards could be massive (especially with the supposed Cyberwar coming).

Also, run a few searches over your code for things like CFFILE, CFINCLUDE and other tags that can be used as attack points. A few hours of code review could save days in code rebuild.

As for how he got in, check all the logs on the box. Look for file gaps to see if he hacked them to cover his trail. If there are none, then look for things out of the ordinary, like .dll, .htx or other calls. Between the system logs, web logs, CF logs and whatever, you may find his attack route. Finally, check out SecurityFocus.com and the other security sites. They may know.

Michael Dinowitz [mdinowit@houseoffusion.com]
-----------------------------------------------------
ALL of my client sites were hacked and defaced last week - (by Evil Angelica) - and the only common thread among them was my WS-FTP.INI file. I would suggest taking a look here to find the common thread, which might give you a clue: http://defaced.alldas.de/defaced.php?attacker=PoizonB0x&p=1

Diana Nichols [nichols2000@mindspring.com]
-----------------------------------------------------
PoisonBox is a rather infamous group of hackers...if they want in, they can get in. I believe they were the group that bragged of hacking 200+ Chinese websites recently, and got mentioned in Wired...

Take a look at the time the files were altered, look in your log files around those times. See if you can find out what URLs were requested, or see if any other abnormal activity was going on.

Make sure all of the below holes are patched or taken care of, too: http://www.wittys.com/files/mab/iis-hacking.html.

Jon Hall [jonhall@ozline.net]
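The two pieces of advice above (Michael's: search the code for CFFILE/CFINCLUDE and look in the logs for out-of-the-ordinary .dll/.htx/.htr calls; Jon's: take the altered files' timestamps and look at what was requested around those times) can be turned into a small triage script. The following is an added example, not code from the thread or from RUWebby; the log lines, the ColdFusion snippet and the "altered at" timestamp are constructed for illustration, and the log layout assumed is the IIS W3C extended format with the fields named in the #Fields header.

```python
import re
from datetime import datetime, timedelta

# Constructed sample IIS W3C extended log (assumed field layout, see #Fields).
# Not taken from the compromised server.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-04-26 23:58:12 10.1.1.20 GET /index.cfm - 200
2001-04-27 02:10:41 10.1.1.77 GET /scripts/example.dll - 200
2001-04-27 02:11:05 10.1.1.77 GET /samples/example.htr - 200
2001-04-27 02:12:30 10.1.1.77 GET /index.cfm - 200
2001-04-27 09:30:00 10.1.1.20 GET /about.cfm - 200
"""

# Constructed mtime of the defaced page (hypothetical value for the example).
ALTERED_AT = datetime(2001, 4, 27, 2, 13, 0)

# Constructed ColdFusion source containing the tags Michael suggests grepping for.
SAMPLE_CFM = """\
<cfset path = url.file>
<cfinclude template="#path#">
<cfoutput>#name#</cfoutput>
<CFFILE action="upload" filefield="form.doc" destination="c:\\inetpub\\wwwroot\\">
"""

LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Extensions the thread calls out as "out of the ordinary" for a CF site.
UNUSUAL_EXT = (".dll", ".htx", ".htr")

# Tags the thread names as attack points; extend the alternation as needed.
RISKY_TAGS = re.compile(r"<\s*(cffile|cfinclude)\b", re.I)


def parse_iis_log(text):
    """Parse W3C extended log lines with the field layout above into dicts."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # directives and blank lines carry no request
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        d = m.groupdict()
        d["when"] = datetime.strptime(d["date"] + " " + d["time"], "%Y-%m-%d %H:%M:%S")
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def requests_near(entries, altered_at, window=timedelta(minutes=30)):
    """Requests logged in the `window` leading up to the altered file's mtime."""
    return [e for e in entries if altered_at - window <= e["when"] <= altered_at]


def unusual_requests(entries):
    """Requests for .dll/.htx/.htr resources, which a plain CF site rarely serves."""
    return [e for e in entries if e["uri"].lower().endswith(UNUSUAL_EXT)]


def investigate(log_text, altered_at, window=timedelta(minutes=30)):
    """Correlate file mtime with the web log and list the client IPs to look at."""
    near = requests_near(parse_iis_log(log_text), altered_at, window)
    unusual = unusual_requests(near)
    return {
        "near": near,
        "unusual": unusual,
        "suspect_ips": sorted({e["ip"] for e in unusual}),
    }


def find_risky_tags(source):
    """(line number, tag) for every CFFILE/CFINCLUDE use, for manual code review."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in RISKY_TAGS.finditer(line):
            hits.append((n, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    result = investigate(SAMPLE_IIS_LOG, ALTERED_AT)
    for e in result["unusual"]:
        print(e["when"], e["ip"], e["method"], e["uri"], e["status"])
    print("suspect IPs:", result["suspect_ips"])
    for n, tag in find_risky_tags(SAMPLE_CFM):
        print(f"review line {n}: <{tag}>")
```

On a real box, feed the script the actual W3C log files and the real mtimes from the defaced files, and widen the window if the attacker was on the box for longer. The CFFILE/CFINCLUDE hits are a review list, not findings: each one still has to be read to see whether user input reaches the path or template argument.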
-----------------------------------------------------
Websites in America and China are the trophies. It's not a 'real war', but you've got hackers and crackers from both sides hitting the other for protest points. As for your ISP, they may say that the security is your problem or they may not. Best thing to do is make sure your patches are up to date, follow the proper coding standards so as to not open any holes and keep an eye on some security lists or sites.

Michael Dinowitz [mdinowit@houseoffusion.com]
-----------------------------------------------------

Hacking Exposed is a great book to learn about network and computer security. It covers the basics of hacking and how to protect yourself. It even has a section on website hacking and uses ColdFusion as an example. I would recommend it to anyone interested in securing their server/network.

Also, [I] have a couple of script-kiddie tools I would be happy to run on your site to check the basics. Send me an email off the list if you are interested.

Dave Livingston [dave@jbandy.com]
-----------------------------------------------------
As far as IIS4/5 is concerned, a version not completely up to date (read: get mail notification of new exploits/patches) is a security hole waiting to happen, especially if the old pre-ASP .htr extensions are enabled. Heh, it's actually still a security hole waiting to happen even patched but that's just IIS. I'm not overly familiar w/ anything win32 so you might want to check these sites:

http://www.attrition.org/
http://www.securityfocus.com/
http://www.microsoft.com/technet/security/current.asp
http://www.ntbugtraq.com/

Raymond B. [raymond@lucentstudios.com]
-----------------------------------------------------
You're not going to like what I have to say, I don't think.

If your server has been compromised, you can't fix it by simply taking it offline and installing patches. Anything on the server could very well have been compromised. Ideally, you should wipe the disks, reinstall the OS and everything else, and restore your application files from a trusted backup. Otherwise, you can't be sure that other back doors haven't been set up on the box.

During the reinstall process, you might want to take a look at the following resources, in addition to everything else that's been suggested:

"Securing Windows NT/2000 Servers for the Internet", Stefan Norberg, O'Reilly. This is a very good explanation of securing IIS web servers, and contains good step-by-step instructions.

"Hardening Windows 2000 Guide", available as a PDF download: http://www.systemexperts.com/win2k/HardenWin2K.html

"Windows NT Security Guidelines", written by Trusted Systems for NSA, available as a download: http://www.trustedsystems.com/tss_nsa_guide.htm
This doesn't have too much to do with web services specifically, but provides a clear description of basic use of ACLs, which is essential for securing your web server.

Dave Watts [dwatts@figleaf.com]

