GFI Software|www.gfi.com|info@gfi.com
How to detect hackers on your web server
Catch hackers red handed through real-time security event logmonitoring
A discussion of the methods used by hackers to attack IIS web servers,and how you can use event log monitoring on your web server to bealerted to successful attacks immediately.
How to detect hackerson your web server
GFI Software|www.gfi.com
2
Introduction
This white paper focuses on how administrators can set up their web servers successfully and safely. Describingthe tools used by hackers to gain backdoor access to your IIS web servers, this paper details the necessary stepsto detect successful intrusions on your network, as well as explaining how to prevent such attacks to yourweb server.Introduction...................................................................................................................................................................................................2
Hacking a web server is not difficult.....................................................................................................................................................2
Tools of the hacker trade..........................................................................................................................................................................2
Intrusion detection by monitoring key system files.......................................................................................................................5
How to detect attacks on your server..................................................................................................................................................5
About GFI LANguard Security Event Log Monitor (S.E.L.M.)......................................................................................................10
About GFI......................................................................................................................................................................................................11
Hacking a web server is not difficult
Internet Information Services (IIS) web servers are highly popular among business organizations, with morethen 6 million installations worldwide. Unfortunately, this makes IIS web servers also a popular target amongsthackers. As a result, every so often, new exploits emerge which endanger your IIS web server’s integrityand stability.Many administrators have a hard time keeping up with the various security patches released for IIS to cope witheach new exploit, making it easy for malicious users to find a vulnerable web server on the Internet. Takingadvantage of an exploit is not difficult with the appropriate hacker tools – these enable the averageteenage hacker to easily attack and even control your web server, with the possibility of penetrating yourinternal network.In other words, it is not too difficult for outsiders to access proprietary corporate information. Worse still,hackers need not be teenagers out for a thrill, as is commonly presumed: disgruntled employees andcompetitors, for instance, may have their own reasons for breaking into confidential areas of your network.Few hacker attacks are actually instantly recognizable as such, and fewer still become high profile affairsreported in the media. Most attacks are not easy to discover because many intruders prefer to remain hidden sothat they can use the IIS web server they have hacked as a launch base for attacks on far more important orpopular web servers. Apart from endangering your own web site’s integrity, such use of your server can renderyou liable should it be used to launch an attack on another organization.
Tools of the hacker trade
Many tools exist to facilitate hackers who wish to deface a web site. Such tools are so easy to use that evensomeone with no prior hacking experience can make a mess out of a web server in no time at all.
How to detect hackerson your web server
GFI Software|www.gfi.com
3
The Internet Printing Protocol (IPP) exploit
IPP exploit made easy
A program that makes use of this exploit is Internet Printing Protocol Exploit v.0.15 (see figure above). This isbased on the infamous original exploit code in a C program file named “jill.c”, made public by a hacker usingthe alias “dark spyrit”. This application uses a vulnerability in the IPP buffer overflow on an IIS web server. All the hacker needs to do istype in the name of the targeted web server (or a computer with IIS installed on it) and click on “Connect”.Upon connecting, the application will send the actual string that overflows the stack, leading to the executionof custom code (that is known as shell code) and connecting the file cmd.exe to the specified port on theattacker’s side (default being 31337). This can bypass typical firewall configurations and other similar security measures.Once that is done, the hacker is presented with a command line and SYSTEM access, from where he/she couldcarry out a number of activities that an administrator would definitely not have authorized, such as gainingaccess to databases that could contain credit card details and other such confidential data.
The UNICODE and CGI-Decode exploits
Unicode exploit using Internet Explorer
of 00
Detect Hackers on Web Server
89 Reads
Info and Rating
| Category: | Uncategorized. |
| Rating: | |
| Upload Date: | 10/16/2010 |
| Copyright: | Attribution Non-commercial |
| Tags: |
Leave a Comment