We have been recently hit by the turkish hacker even though we had 7.92 installed on our server.

 

So here are the things you can do to protect yourselves.

 

a) Remove write/modify permission for the Web user on the wwwroot and other subsequent folders. Only allow it on Uploads folder.

 

b) Scan your whole wwwroot folder for files like cyberspy5.asp or hardknock.asp which is a encoded vbscript file which the hacker uses to hijack the site later. I have noticed that they also upload a .txt file with the content of the htm which they can easily copy as default.asp. They will certainly hide it somewhere in your wwwroot subfolders.

 

If you only have FTP access to the site then you would have to download the whole folder and scan it on your hard disk.

 

Look for the string "VBScript.Encode" in the asp files

 

c) If you are using iGallery as your forum's picture gallery then please do install the latest version for the same.

 

d) The have the tendency to create default pages in all the folders on which it gets the write permissions and many times we have to give write permissions to the wwwroot folder as we have scripts which downloads a JavaScript from another PHPBB site to the wwwroot folder which now I am thinking to moving it to some other folder.

 

So you may consider to change the sequence of the default page in IIS to the following order:

  - default.asp

  - default.htm

  - index.asp

  - index.asp

 

And write protect your default.asp on the wwwroot folder.

 

I hope you will find this information useful. Please feel free to comment and if you have similar tips which will help fellow WebWiz Forum owners please do post here.

 

Cheers,
Vijay Bhatter