RAVALON wrote:
Today my site was totally hacked. If you try to go to www.pcprimipassi.it you can see the web site is hacked and not accessible.
In my FTP I can see many uploaded files which redirect navigation. All the sites on the server were hacked, about 416 sites.
The system admins are studying this case of hacking.
Is it possible to obtain FTP access through some forum bugs?
There is a Turkish hacking tool that appeared on one of my hosted sites a few months ago. I now use the hacker tool to test the security of all the hosts I use. I have found that on 100% (all, every, without exception) of the hosts, the anonymous IUSR_ account has write permissions on all attached drive partitions. In some individual web site folders (like my own), the administrator of that site has restricted the IUSR account to read-only permission. But I was able to plant a test file and delete that file in C:\, C:\WINNT\ or C:\WINDOWS\, SYSTEM32, etc. I had access to every single other domain on the same physical machine as my own, simply by having that hacker utility in any readable folder on my site. So any of the 416 sites could have had anonymous FTP enabled to upload the file to a Web-accessible folder, or any other site could have had some other upload function. Once the hacker utility is on the machine ANYWHERE, all sites are at the mercy of the hacker. Hosts I've verified vulnerable and notified are: iPowerWeb, Nevidia, and VitalStream. Hosting companies assume their systems are secure because they assume the anonymous account has no means of browsing parent folders. They're wrong.
The Access version of WWF is more vulnerable to this kind of attack because the folder in which the Access MDB is placed requires the anonymous account to have create and write permission on the folder itself. Once the anonymous user has some means of uploading to that folder, they can do anything they want to the forum. Even if you password-protect the MDB, the plain-text username and password are going to be stored in your ASP.
Frequent backups of the MDB are critical. Make sure the anonymous IUSR account can write only to the folder holding the MDB (which should contain ONLY the MDB) and the forum Uploads folder. All other folders should allow ONLY read permission to the IUSR account. The hacker utility doesn't allow the hacker to elevate their identity beyond the anonymous IUSR account, so your main WWF ASP files will be safe WHEN the hacker does it again.
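The permission layout the reply above recommends (the anonymous web identity may write only to the MDB folder and the Uploads folder, read-only everywhere else) can be checked from the server itself rather than by planting a probe file. The following PowerShell script is an added example written for this page; it is not from the original thread, from Web Wiz Forums, or from any of the hosts named. It walks the given roots, reads each folder's ACL with Get-Acl, and reports every folder where the anonymous identity holds an ACE carrying a write-capable right. The account names (IUSR_<MACHINENAME> on the classic IIS 5/6 boxes the thread discusses, plus the IUSR identity and IIS_IUSRS group of later IIS versions), the roots, and the two "expected writable" paths are assumptions; adjust them to your site.

```powershell
# Added audit example (not part of the original post). Reports folders where the
# anonymous IIS identity can create, modify or delete files. Run as an administrator.
param(
    # Hypothetical roots: the system drive (the reply says IUSR could write to C:\,
    # C:\WINNT\SYSTEM32 etc.) and the web root holding all hosted sites.
    [string[]] $Roots = @('C:\', 'C:\Inetpub\wwwroot'),

    # Assumed anonymous identities. IUSR_<MACHINENAME> is the IIS 5/6 default;
    # NT AUTHORITY\IUSR and BUILTIN\IIS_IUSRS are the IIS 7+ equivalents.
    [string[]] $Identities = @(
        "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",
        'NT AUTHORITY\IUSR',
        'BUILTIN\IIS_IUSRS'
    ),

    # Hypothetical paths: the only two folders the reply says should be writable.
    [string[]] $AllowedWritable = @(
        'C:\Inetpub\wwwroot\forum\database',
        'C:\Inetpub\wwwroot\forum\uploads'
    )
)

# Atomic access-mask bits that let a principal plant or alter files. Composite
# rights such as Modify and FullControl contain these bits, so they match too.
# The two generic bits appear on inherit-only ACEs written with GENERIC_* rights.
$writeMask = 0x00000002 -bor   # FILE_WRITE_DATA        / CreateFiles
             0x00000004 -bor   # FILE_APPEND_DATA       / CreateDirectories
             0x00000010 -bor   # FILE_WRITE_EA
             0x00000040 -bor   # FILE_DELETE_CHILD      / DeleteSubdirectoriesAndFiles
             0x00000100 -bor   # FILE_WRITE_ATTRIBUTES
             0x00010000 -bor   # DELETE
             0x00040000 -bor   # WRITE_DAC              / ChangePermissions
             0x00080000 -bor   # WRITE_OWNER            / TakeOwnership
             0x10000000 -bor   # GENERIC_ALL
             0x40000000        # GENERIC_WRITE

function Test-AnonymousWrite {
    # Returns the first Allow ACE granting a write-capable right to one of the
    # anonymous identities, or $null if the folder is effectively read-only for them.
    param([Parameter(Mandatory)][string] $Path)

    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to [int] so generic (out-of-enum) rights are compared as raw bits.
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $ace }
    }
    return $null
}

foreach ($root in $Roots) {
    $dirs = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        if ($null -eq $dir) { continue }
        try   { $hit = Test-AnonymousWrite -Path $dir.FullName }
        catch { continue }                       # folder we cannot read; skip it
        if ($null -eq $hit) { continue }

        $normalized = $dir.FullName.TrimEnd('\')
        $status = if ($AllowedWritable -contains $normalized) { 'expected' } else { 'UNEXPECTED' }
        '{0,-10} {1}  ({2}: {3})' -f $status, $dir.FullName, $hit.IdentityReference, $hit.FileSystemRights
    }
}
```

Every line marked UNEXPECTED is a folder where the anonymous account could drop or overwrite a file, which is exactly what the utility in the reply exploited; on a correctly locked-down box only the two allowed folders should appear, both marked expected. Reading the ACLs is preferable to the create-and-delete probe described in the reply because a probe run from an administrator session proves nothing about what IUSR can do; it only means something when executed under the anonymous identity itself.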