我怎样才能知道我的网站*如何*被黑客入侵? 如何查找站点漏洞?
我定制开发的一个 ASP.NET 网站今天遭到黑客攻击:“被 Swan 黑客攻击 (请停止战争!...)” 它使用 ASP.NET 和 SQL Server 2005 以及 IIS 6.0 和 Windows 2003 服务器。 我没有使用 Ajax,并且我认为我在连接到数据库的任何地方都使用存储过程,所以我不认为它是 SQL 注入。 我现在已经删除了文件夹的写入权限。
我如何才能查明他们对网站进行了哪些攻击以及如何防止此类情况再次发生?
服务器已更新所有 Windows 更新。
他们所做的是将 6 个文件(index.asp、index.html、index.htm...)上传到网站的主目录。
我应该上传哪些日志文件? 我有以下文件夹中的 IIS 日志文件:c:\winnt\system32\LogFiles\W3SVC1
。 我愿意把它展示给你们中的一些人,但我认为发布在互联网上不好。 有谁愿意看一下吗?
我已经在谷歌上进行了搜索,但我唯一发现的是其他网站已被黑客攻击 - 我还没有看到任何有关它的讨论。
我知道这与编程并不严格相关,但这对于程序员来说仍然是一件重要的事情,并且很多程序员都被这样黑过。
One of my custom developed ASP.NET sites was hacked today: "Hacked By Swan (Please Stop Wars !.. )"
It is using ASP.NET and SQL Server 2005 and IIS 6.0 and Windows 2003 server.
I am not using Ajax and I think I am using stored procedures everywhere I am connecting to the database so I dont think it is SQL injection.
I have now removed the write permission on the folders.
How can I find out what they did to hack the site and what to do to prevent it from happening again?
The server is up to date with all Windows updates.
What they have done is uploading 6 files (index.asp, index.html, index.htm,...) to the main directory for the website.
What log files should I upload?
I have log files for IIS from this folder: c:\winnt\system32\LogFiles\W3SVC1
.
I am willing to show it to some of you but don't think it is good to post on the Internet. Anyone willing to take a look at it?
I have already searched on Google but the only thing I find there are other sites that have been hacked - I haven't been able to see any discussion about it.
I know this is not strictly related to programming but this is still an important thing for programmers and a lot of programmers have been hacked like this.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(8)
对您网站的攻击似乎是 SWAN 于 2008 年 11 月 21 日针对运行 IIS 6.0 的 Windows 2003 和 Windows 2000 机器进行的大规模破坏的一部分。 这里的其他人提出了很多建议。 我只想补充一点,每当您决定打开该网站时,请格式化该框并从头开始重新安装。 一旦一个盒子被泄露,无论你如何清洁和净化它,它都根本不可信。
It appears that the attack on your website was part of a mass defacement carried out by SWAN on 21 November, 2008 against Windows 2003 and Windows 2000 boxes running IIS 6.0. Others here have suggested a number of things. I would only add that whenever you decide to bring up the website, please format the box and reinstall from scratch. Once a box is compromised, it cannot be trusted, at all, however you clean and purify it.
IIS 进程
检查您的 ASPNET 进程是否没有在服务器上写入文件的权限。 如果您需要进程具有写入权限,请仅允许他们在特定文件夹上执行此操作,并拒绝所有用户帐户对该文件夹的执行权限。
SQL 注入
要查看寻找 SQL 漏洞的人,请查看您的日志文件中是否有以下文本“CAST(”。
您是否有在代码隐藏中构建 SQL 来查询的位置数据库?这些可能容易受到 SQL 注入攻击。通过替换如下所示的代码,
然后考虑以下替代方案,
然后将相应的 SQL 参数添加到 sql 命令中。
IIS Process
Check that your ASPNET process does not have privilage to write files on the server. If you need the process to have write permissions, allow them only to do so on a specific folder, and deny execute permissions on that folder for all User accoutns.
SQL Injection
To see people looking for SQL vunrabilities have a look in your log files for the following text, "CAST(".
Do you have any places where you build up SQL in the code behind to query the database? These can be prone to SQL injection attacks. By replacing code such as the following you will be more safe.
then consider an alternative like the following.
and then adding the corresponding SQL PArameter to the sql command.
希望您已打开 IIS 日志文件,并希望黑客没有删除它们。 默认情况下,它们位于:c:\winnt\system32\LogFiles\W3SVC1,通常以日期命名。
然后了解如何使用免费的日志解析器(来自 Microsoft)可能会有所帮助。 然后使用本指南帮助您以取证方式查看日志文件。 您是否有防火墙,因为它的系统日志可能会有所帮助。
另一个可以帮助您查找 sql 注入问题的不错工具是 此处 并下载 HP 的 Scrawlr。
如果您对所发现的内容还有任何疑问,请回来询问。
Hopefully you've had your IIS logfiles turned on and hopefully the hacker didn't erase them. By default they're located here: c:\winnt\system32\LogFiles\W3SVC1 and will generally be named after the date.
Then it's probably helpful to figure out how to use log parser (from Microsoft), which is free. Then use this guide to help you with looking forensically at your logfiles. Do you have a firewall because it's syslogs might be helpful.
Another decent tool to help you find sql injection issues is to go here and download HP's Scrawlr.
If you have any more questions about what you've found, come back and ask.
好吧,首先:
如果你确实有,或者不确定你是否有SQL注入问题,那么你可以在这里进一步询问,否则我会找一些安全专家来帮助你。
这确实是一个编程站点,因此除非您的问题与编程相关,否则它很可能会再次关闭。
Well, for starters:
If you do have, or is unsure about, whether you have SQL Injection problems or not, then you can ask further here, but otherwise I would get some security experts to help you.
This is indeed a programming site, so unless your problem is programming-related, it will most likely be closed again.
您可能想尝试使用 Metasploit 等渗透工具包来发现任何明显的漏洞。
另外,请发布您的日志文件(如果它们未被篡改)。
You might want to give try it using a penetration toolkit like Metasploit to discover any obvious holes.
Also, please post your log files if they are untampered with.
您应该做的第一件事是检查日志文件。 您可以将它们粘贴到此处,如果我们识别到攻击,我们会告诉您。
The first thing you should do is check your log files. You could paste them here,and we'll tell you if we recognize an attack .
设置 Google Analytics 并查看向您的网站发出的所有请求。
如果您通过查询字符串处理 SQL 注入,您可以轻松找出他们做了什么,以及他们如何发现您的漏洞。
Set up Google Analytics and review all requests that were made to your website.
If you are dealing with SQL injection through the query string you an easily find out what they did, and how they found your vulnerabilities.
FTP 是否已打开?
我曾经遇到过一位客户,由于某种原因,他们的 FTP 处于打开状态,而黑客刚刚设置了一个机器人运行,尝试随机/通用用户/密码组合。 那个黑客比你的更糟糕,因为它没有显示在网页上,而是试图安装 ActiveX...
所以,你可以检查你的 FTP 日志。
Is FTP turned on?
I once had a customer's who had left their FTP turned on for some reason, and the hacker had just set a bot running, trying random/common user/password combinations. That hack was worse than yours because it didn't show on the web pages, but tried to install an ActiveX...
So, you could check your FTP log.