|
Hacking a web server is not difficult
Internet Information Services (IIS) web servers are highly popular among business organizations, with more then 6 million installations worldwide. Unfortunately, this makes IIS web servers also a popular target amongst hackers. As a result, every so often, new exploits emerge which endanger your IIS web server's integrity and stability.
Many administrators have a hard time keeping up with the various security patches released for IIS to cope with each new exploit, making it easy for malicious users to find a vulnerable web server on the Internet. Taking advantage of an exploit is not difficult with the appropriate hacker tools ? these enable the average teenage hacker to easily attack and even control your web server, with the possibility of penetrating your internal network.
In other words, it is not too difficult for outsiders to access proprietary corporate information. Worse still, hackers need not be teenagers out for a thrill, as is commonly presumed: disgruntled employees and competitors, for instance, may have their own reasons for breaking into confidential areas of your network.
Few hacker attacks are actually instantly recognizable as such, and fewer still become high profile affairs reported in the media. Most attacks are not easy to discover because many intruders prefer to remain hidden so that they can use the IIS web server they have hacked as a launch base for attacks on far more important or popular web servers. Apart from endangering your own web site's integrity, such use of your server can render you liable should it be used to launch an attack on another organization.
Tools of the hacker trade
Many tools exist to facilitate hackers who wish to deface a web site. Such tools are so easy to use that even someone with no prior hacking experience can make a mess out of a web server in no time at all.
The Internet Printing Protocol (IPP) exploit
IPP exploit made easy
A program that makes use of this exploit is Internet Printing Protocol Exploit v.0.15 (see figure above). This is based on the infamous original exploit code in a C program file named "jill.c", made public by a hacker using the alias "dark spyrit".
This application uses a vulnerability in the IPP buffer overflow on an IIS web server. All the hacker needs to do is type in the name of the targeted web server (or a computer with IIS installed on it) and click on "Connect".
Upon connecting, the application will send the actual string that overflows the stack, leading to the execution of custom code (that is known as shell code) and connecting the file cmd.exe to the specified port on the attacker's side (default being 31337).
This can bypass typical firewall configurations and other similar security measures.
Once that is done, the hacker is presented with a command line and SYSTEM access, from where he/she could carry out a number of activities that an administrator would definitely not have authorized, such as gaining access to databases that could contain credit card details and other such confidential data.
The UNICODE and CGI-Decode exploits
Unicode exploit using Internet Explorer
Two other exploits preferred by web site defacers include the UNICODE and CGI-Decode exploits. Here, the hacker can simply use the browser itself to do anything on a target machine that is running an un-patched version of IIS. All it takes is Internet Explorer and a "magic string" to execute anything under the anonymous account of the IIS. The above screenshot shows a directory dump of C: of the IIS server in the web browser itself! This is just a simple example to demonstrate that the hacker can gain access to your web server's hard disk.
Initially, this access is limited to the user rights of the IIS anonymous user account (IUSR_computername). Once the hacker has IIS anonymous access, he can easily upload an ASP file, which can escalate his access to SYSTEM privileges. Such an action would give him full access to the hacked computer, meaning he can do anything.
Custom-made applications
Some web site cracker groups prefer to produce their own applications to automate the process of defacing a web site.
|
