Question: Windows Server 2003 server hack issue


Recently our server was hacked by pakbugs.
I don't understand how the hacker created and replaced some home pages (default.htm, index.htm, default.asp) without logging in to the server or having FTP access.

Kindly help me to secure my server.

The following things are running on our server:

IIS 6.0
Tomcat 5
Merak mail server
ColdFusion 4.5



I have checked the following logs but am unable to understand the issue.

First website hack logs
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-07 14:48:39
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-07 14:48:39 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 123.201.132.126 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0;+GTB6.3;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.2) - delldigitalschoolathon.com 403 14 5 437
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 03:58:18
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 03:58:17 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 656
2010-01-08 03:58:17 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 281
2010-01-08 03:58:24 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 3531
2010-01-08 03:59:12 W3SVC1896362308 WTRS10138 198.65.102.164 GET /index.htm - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 200 0 0 578
2010-01-08 03:59:13 W3SVC1896362308 WTRS10138 198.65.102.164 GET /index.htm - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> http://delldigitalschoolathon.com/ delldigitalschoolathon.com 200 0 0 562
2010-01-08 04:00:03 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 406
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 04:24:28
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 04:24:28 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 121.242.204.200 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+GTB6.3;+InfoPath.2;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) - www.delldigitalschoolathon.com 403 14 5 734
2010-01-08 04:24:58 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 121.242.204.200 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;+GTB6.3;+InfoPath.2;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) - www.delldigitalschoolathon.com 403 14 5 453
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 05:50:24
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 05:50:23 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 703
2010-01-08 05:50:26 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 2640
2010-01-08 05:50:26 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 453
2010-01-08 05:50:27 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 281
2010-01-08 05:50:51 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 200 0 0 3421
2010-01-08 05:50:51 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> http://delldigitalschoolathon.com/? delldigitalschoolathon.com 200 0 0 625
2010-01-08 05:50:56 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 200 0 0 578
2010-01-08 05:50:57 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> http://delldigitalschoolathon.com/ delldigitalschoolathon.com 200 0 0 562
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 06:12:49
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 06:12:49 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 217.162.28.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0) - delldigitalschoolathon.com 200 0 0 484
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 06:37:51
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 06:37:51 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 210.212.184.236 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) http://zone-h.org/mirror/id/10095659 delldigitalschoolathon.com 200 0 0 875
2010-01-08 06:37:59 W3SVC1896362308 WTRS10138 198.65.102.164 GET /admin - 80 - 210.212.184.236 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) - delldigitalschoolathon.com 404 0 2 296

I also found a hacked-website entry on http://zone-h.org:
http://zone-h.org/mirror/id/10095659

+++++++++++++++++++++++++++++++++++++++++
+++++++++++++
Second website logs
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-07 12:01:12
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-07 12:01:11 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 208.91.115.10 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.7.5)+Gecko/20041107+Firefox/1.0 - aqr.tyroo.com 403 14 5 468
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 05:52:45
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 05:52:44 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 403 14 5 734
2010-01-08 05:52:44 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 404 0 2 281
2010-01-08 05:52:47 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 404 0 2 281
2010-01-08 05:53:08 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 200 0 0 1078
2010-01-08 05:53:09 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://aqr.tyroo.com/ aqr.tyroo.com 200 0 0 640
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 06:12:49
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 06:12:48 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 217.162.28.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0) - aqr.tyroo.com 200 0 0 250
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 07:43:17
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 07:43:17 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 213.6.216.139 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7 http://zone-h.org/mirror/id/10095660 aqr.tyroo.com 200 0 0 734
2010-01-08 07:43:17 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 213.6.216.139 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7 - aqr.tyroo.com 404 0 2 203
2010-01-08 07:43:20 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 213.6.216.139 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7 - aqr.tyroo.com 404 0 2 203
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 08:31:04
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 08:31:03 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 403 14 5 859
2010-01-08 08:31:04 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 404 0 2 343
2010-01-08 08:31:07 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 404 0 2 328
2010-01-08 08:31:09 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 403 14 5 531
++++++++++++++++

I also found an entry:
http://zone-h.org/mirror/id/10095659


Regards,
Naresh
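Added triage example (not code from the original post): a small parser for the IIS 6.0 W3C extended log format shown above that maps each entry to the names in its #Fields line, flags User-Agent values carrying code fragments such as the `<? passthru($_GET['cmd']); ?>` string in these logs, and reports per client IP which pages were served 200 and who arrived via a zone-h mirror link. It assumes the log lines have been joined back onto single lines; the sample lines are constructed, modelled on the post's second-site entries.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's second-site logs (not verbatim).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 05:52:44 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 119.153.6.41 Mozilla/5.0+(Windows)+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 403 14 5 734
2010-01-08 05:53:08 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows)+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 200 0 0 1078
2010-01-08 07:43:17 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 213.6.216.139 Mozilla/5.0+(Windows)+Firefox/3.5.7 http://zone-h.org/mirror/id/10095660 aqr.tyroo.com 200 0 0 734
"""

# Code-like fragments that have no business in a browser User-Agent string.
UA_INJECTION = re.compile(
    r"<\?|\$_(?:GET|POST|REQUEST)\[|\b(?:passthru|system|shell_exec|eval)\s*\(", re.I)


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the preceding #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # header repeats per restart
            continue
        tokens = line.split()
        if fields is None or len(tokens) != len(fields):
            continue  # wrapped or truncated line: skip rather than misalign columns
        # W3C logs write '-' for an empty value and '+' for a space inside a value.
        yield {k: (None if v == "-" else v.replace("+", " "))
               for k, v in zip(fields, tokens)}


def triage(text):
    """Per client IP: injection in UA, pages served 200, arrival via a zone-h mirror."""
    hits = defaultdict(lambda: {"ua_injection": False, "pages": set(), "via_mirror": False})
    for e in parse_w3c(text):
        ip = e["c-ip"]
        if UA_INJECTION.search(e.get("cs(User-Agent)") or ""):
            hits[ip]["ua_injection"] = True
        if e["sc-status"] == "200":
            hits[ip]["pages"].add(e["cs-uri-stem"])
        if "zone-h.org" in (e.get("cs(Referer)") or ""):
            hits[ip]["via_mirror"] = True
    return dict(hits)


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

Run it over the real log files (after joining wrapped lines) to get a short list of client IPs and pages to compare against the file modification times of default.htm and index.htm.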

Answer: Windows Server 2003 server hack issue

If you have your own server, restrict FTP access to certain IPs. That will help a lot.

Define the default document in IIS; remove unnecessary default documents for a site.

Check the program code properly for SQL injection possibilities.

By the way,
create a new folder and configure the site there when you put the site up again.

Have a good antivirus (like Symantec Endpoint Protection) that detects unauthorized entries and injections.

Hope this helps.
