My Webpage Hacked! How???

Chris G

I was having trouble with my hit counter being stuck at one so I started a thread in this forum yesterday titled, "Hit Counter Stuck at 1." I responded to the last of the replies late last night.

This morning I awoke and found that the hit counter was now working (the good news!). But I also discovered that one of my panel's background was not blue, instead of pale yellow. Furthermore I discovered that the .htm involved was changed at 5:25AM this morning while I was very asleep. So I had a visitor that left a calling card! When I attempted to delete the .htm and replace it with a backup, I find that I am unable to do so! I get an error message: Server error. The file "index.htm" is checked out or locked for editing by IUSR_LIBRARY. [Note: LIBRARY is name of computer]. I was able to rename the file and then delete it-and I used FP to publish the file back to the webserver-but, of course, the hit counter is stuck again at 1.

So, in order of importance, (1) How do I check in or unlock these files? and (2) How did this person get in to my webpage and make unauthorized changes?

I am running Windows XP with IIS installed with extensions. The system sits behind a Linksys Router. Port 80 is, of course, forwarded to the server (LIBRARY).

Any and all help will be greatly appreciated. I thought I was protected behind a firewall- but obviously there is a hole somewhere!
 
Thomas A. Rowe

The security hole, is that Port 80 has to be open for folks to access your
web site, since someone was actually able to save changes back to your web
site, then your permissions are not set correctly, as they should have been
prompted to login, this is one of the many reason that most of the regulars
here recommend that folks use a hosting service and not try to host their
own web servers, as there is a lot that needs to be learned in order to make
a web server secure when available on the internet.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================


Chris G said:
I was having trouble with my hit counter being stuck at one so I started a
thread in this forum yesterday titled, "Hit Counter Stuck at 1." I responded
to the last of the replies late last night.
This morning I awoke and found that the hit counter was now working (the
good news!). But I also discovered that one of my panel's background was not
blue, instead of pale yellow. Furthermore I discovered that the .htm
involved was changed at 5:25AM this morning while I was very asleep. So I
had a visitor that left a calling card! When I attempted to delete the .htm
and replace it with a backup, I find that I am unable to do so! I get an
error message: Server error. The file"index.htm" is checked out or locked
for editing by IUSR_LIBRARY. [Note: LIBRARY is name of computer]. I was able
to rename the file and then delete it-and I used FP to publish the file back
to the webserver-but, of course, the hit counter is stuck again at 1.
So, in order of importance, (1) How do I check in or unlock these files?
and (2) How did this person get in to my webpage and make unauthorized
changes?
I am running Windows XP with IIS installed with extensions. The system
sits behind a Linksys Router. Port 80 is, of course, forwarded to the server
(LIBRARY).
Any and all help will be greatly appreciated. I thought I was protected
behind a firewall- but obviously there is a hole somewhere!
 
Chris G

Thanks for replying, Thomas....

Under Internet Information Services (IIS), the Properties of my web site are set for Read Only. I obviously have to allow Anonymous connection or no one would be able to see the web page without a name and password.

What else do you recommend?
 
Thomas A. Rowe

Honestly I recommend that you get a hosting services.

A web site is read-only by default, however your current problem is that FP
extensions are not configured correctly, since someone was actually able to
save changes back to your site and also check out a file. Depending on if
you are running the FP2000 or FP2002 extension, look for the option to run a
check or to check server health, then let FP tighten security under the IIS
MMC for the specific web. Also disable the default web and move your active
web to drive other than C, however you can leave IIS installed as it
currently is, with the default in C, just make sure it is disabled. Create a
folder on another drive, then under IIS MMC, make that your main web site
location.

To get the best support for configuring your server in a secure manner, I
suggest you post to the appropriate Windows newsgroup.

I do have Windows 2000 Server, however it will never be open to the internet
for any type of access, so strong security, (the type needed when hosting)
hasn't been and will not be an issue for me.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================


Chris G said:
Thanks for replying, Thomas....

Under Internet Information Services (IIS), the Properties of my web site
are set for Read Only. I obviously have to allow Anonymous connection or
no one would be able to see the web page without a name and password.
 
Chris G

Well, Mr Hacker, you are at work again-- now entire page is blue!. Tell you what...I would like to learn more about this-you've seen my webpage-I'm just an average guy. Teach me what you know--- email me at link on webpage. What do 'ya say?!!
 
Chris G

Thanks again for responding:
I want to host my own webpage because I have many pictures from my daughter's high school sport teams-I was using a third party, but the storage costs started adding up. Plus, and just perhaps as important, I would like to learn about using IIS securely.

So, I am using FP2003 (not 2000 or 2002). Secondly, I do not find an option in the IIS to "check server health"; third, I previously have disabled the default web and I have moved the active web to another drive.

I have disabled server extensions for the time being-and I will locate a more appropriate group-do you know what that might be? Maybe IIS or something?
 
Thomas A. Rowe

Extensions: Unless you are running a Windows 2003 server, you have the
FP2000 extensions by default, so you would open IIS MMC, right click on the
web, then All Task, Check Server Extensions, then you will be prompted with the
option to let FP tighten security. If you have upgraded to the FP2002
extensions, you have to access them via the Admin Pages, not the IIS MMC,
then you would choose the Check Server Health option. There are no FP2003
extensions, so to speak.

IIS Security, the best place would be the IIS newsgroup.

Keep in mind that the web server provided under Windows 2000 Pro and Windows
XP Pro are mainly for local testing, as they are limited to 10 simultaneous
connections, this is not users, but each request to the server, so if you
have 1 page with 8 images and 1 user, you have used 10 connections. Plus you
are limited to a single root web.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================


Chris G said:
Thanks again for responding:
I want to host my own webpage because I have many pictures from my
daughter's high school sport teams-I was using a third party, but the
storage costs started adding up. Plus, and just perhaps as important, I
would like to learn about using IIS securely.
So, I am using FP2003 (not 2000 or 2002). Secondly, I do not find an
option in the IIS to "check server health"; third, I previously have
disabled the default web and I have moved the active web to another drive.
I have disabled server extensions for the time being-and I will locate a
more appropriate group-do you know what that might be? Maybe IIS or
something?
 
Chris G

I tried what you suggested: open IIS MMC, right click on the web, then All Task, Check Server Extensions, then you be prompted with the option to let FP tighten security. I did this but was never prompted for FP to tighten security. Rather, the report came back No Problems Found- End Check.

You also mention that I may have to access them via the Admin Pages, not the IIS MMC. What are the Admin Pages? Do you mean Administrative Tools from the Control Panel? If so, I am not clear on where to go..
 
Thomas A. Rowe

The admin pages only apply if you have upgraded to the FP2002 extensions.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================


Chris G said:
I tried what you suggested: open IIS MMC, right click on the web, then
All Task, Check Server Extensions, then you be prompted with the option to
let FP tighten security. I did this but was never prompted for FP to tighten
security. Rather, the report came back No Problems Found- End Check.
You also mention that I may have to access them via the Admin Pages, not
the IIS MMC. What are the Admin Pages? Do you mean Administrative Tools from
the Control Panel? If so, I am not clear on where to go...
 
Chris G

Thomas, I don't mean to sound dense here, but how do I know if I upgraded to FP2002 extensions or not??!!!
 
Chris G

When uninstalling Server Extensions from the WindowsXP Control Panel, Add/Remove Windows Components, IIS, I received the following message:

The server administration programs and the server extensions on the web server are not compatible. The administration program is too old to use with this server.
 
Chris G

Thanks for replying Tom...

What do you think this message means:

"The server administration programs and the server extensions on the web server are not compatible. The administration program is too old to use with this server."

As mentioned in the thread below this thread, I received the message when uninstalling Server Extensions from the WindowsXP Control Panel, Add/Remove Windows Components, IIS.

The hacker was back in around 6:15 and changed all backgrounds to blue again. After this event, I uninstalled server extensions-and changed backgrounds back to pale yellow. I hope uninstalling the extension will stop him!!
 
Tom Gahagan

Chris G said:
Well, Mr Hacker, you are at work again-- now entire page is blue!. Tell
you what...I would like to learn more about this-you've seen my webpage-I'm
just an average guy. Teach me what you know--- email me at link on webpage.
What do 'ya say?!!

I would say that he (or SHE!)* is probably not reading this newsgroup! <vbg> But you never know! <vbg>

Sorry for your troubles

Best to you.....
Tom Gahagan

* having made a gender mistake here before I thought that I would make sure
Kathleen and all other ladies that frequent this group would be glad to see
that I've reformed my ways and recognize that women can be just as wicked as
men! <g>
 
Rob Schneider

Chris said:
Thanks again for responding:
I want to host my own webpage because I have many pictures from my daughter's high school sport teams-I was using a third party, but the storage costs started adding up. Plus, and just perhaps as important, I would like to learn about using IIS securely.

So, I am using FP2003 (not 2000 or 2002). Secondly, I do not find an option in the IIS to "check server health"; third, I previously have disabled the default web and I have moved the active web to another drive.

I have disabled server extensions for the time being-and I will locate a more appropriate group-do you know what that might be? Maybe IIS or something?


I *strongly* recommend you not serve a web server yourself. Your ISP
probably provides free web space. If not change to an ISP that provides
free space.
 
Kathleen Anderson [MVP - FP]

Tom Gahagan said:
* having made a gender mistake here before I thought that I would
make sure Kathleen and all other ladies that frequent this group
would be glad to see that I've reformed my ways and recognize that
women can be just as wicked as men! <g>

:)
 
Mark Fitzpatrick

This is usually the case if you have newer extensions installed, like the FP
2002 Server Extensions. The FP 2002 Server Extensions use an HTML based
interface and will generate this error. If you have the 2002 extensions
installed they will be listed with the regular programs and not under the
Windows Components. Even after removing the 2002 extensions, the 2000
extensions may still be there as the extensions can work side-by-side and
then you can proceed with this method.

Hope this helps,
Mark Fitzpatrick
Microsoft MVP - FrontPage

Chris G said:
When uninstalling Server Extensions from the WindowsXP Control Panel,
Add/Remove Windows Components, IIS, I received the following message:
The server administration programs and the server extensions on the web
server are not compatible. The administration program is too old to use with
this server.
 
Mark Fitzpatrick

Lock down the IUSR account. The IUSR account is the anonymous internet user
account. It should only have read access. If you're getting files pulled
from it then it could have more access. Also make sure that the everyone
group is also not listed under permissions. Also, look at your IIS log
files. You can open them and search for all accesses for that file and
narrow it down to a particular timeframe. Then, if you find there is a
consistent IP address doing it, you can use IP blocking to filter them out
and reject them.

Hope this helps,
Mark Fitzpatrick
Microsoft MVP - FrontPage

Chris G said:
Well, Mr Hacker, you are at work again-- now entire page is blue!. Tell
you what...I would like to learn more about this-you've seen my webpage-I'm
just an average guy. Teach me what you know--- email me at link on webpage.
What do 'ya say?!!
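
The log search Mark describes above, as an added example that is not code from anyone in this thread: it reads an IIS W3C Extended log, keeps requests inside a time window that either hit the changed file or use a method other than GET/HEAD, and ranks client IPs. It assumes the log has the date, time, c-ip, cs-method and cs-uri-stem fields enabled; the log lines, dates and addresses are constructed, and the author.dll path is the usual FrontPage Server Extensions authoring endpoint.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in IIS W3C Extended format (documentation-range addresses).
# W3C-format timestamps are UTC, so convert the local modification time first.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-02 10:24:58 198.51.100.7 GET /index.htm 200
2004-03-02 10:25:03 203.0.113.45 POST /_vti_bin/_vti_aut/author.dll 200
2004-03-02 10:25:04 203.0.113.45 GET /index.htm 200
2004-03-02 10:25:09 203.0.113.45 POST /_vti_bin/_vti_aut/author.dll 200
2004-03-02 14:02:11 192.0.2.10 GET /index.htm 200
"""

READ_ONLY = {"GET", "HEAD"}  # any other method can change content on the server


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def suspects(text, target, start, end):
    """Return (ip, relevant_requests, write_requests), most writes first."""
    hits, writes = Counter(), Counter()
    for row in parse_w3c(text):
        when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        if not start <= when <= end:
            continue
        is_write = row["cs-method"].upper() not in READ_ONLY
        # FrontPage saves go to the extensions' endpoint, not to the page URL,
        # so count write-capable requests as well as direct hits on the file.
        if is_write or row["cs-uri-stem"].lower() == target.lower():
            hits[row["c-ip"]] += 1
            writes[row["c-ip"]] += is_write
    return sorted(((ip, hits[ip], writes[ip]) for ip in hits),
                  key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    window = (datetime(2004, 3, 2, 10, 20), datetime(2004, 3, 2, 10, 30))
    for ip, total, wr in suspects(SAMPLE_LOG, "/index.htm", *window):
        print(f"{ip}: {total} requests in window, {wr} write-capable")
```

An address that shows write-capable requests in the window around each unexpected file change is the candidate for the IP blocking Mark mentions.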
 