Pete's random thoughts and jottings

Posts tagged iis7

Nov 9

Have we been Hacked?: An investigation

I started to get a lot of spam email from one email address, about 10 every minute: they were all going into my junk mail folder, but after a few hours I was curious as to why this was happening.

In Outlook, I opened the email and then selected 'Properties' (in Outlook 2010, click on the File menu then click the Properties button). You get to see the headers for the email; of interest was the Received: header, which identifies the source.

Unfortunately the IP address it was coming from was one of our servers... uh oh...

Perhaps we had an SMTP server sitting on there being used as our secondary mail server (in case our primary mail server went down), but no, the SMTP server option hadn't been installed. I tried telnetting to port 25 on the box but got no response, so it didn't seem to be a piece of software (rogue or otherwise) acting as an SMTP server.

Next brainwave: I used netstat on the command line to see if port 25 was currently in use. The command is:

netstat -ano

which formats the data quite nicely, and if you do the following:

netstat -ano | findstr :25

you can find only the entries that are communicating to/from port 25.

Success: netstat told me which process was being used by giving me the PID (process ID). If you then go into Resource Monitor or Task Manager you can relate the PID to a process (you might have to add PID as a column in Task Manager).
It was a w3wp.exe, one of the application pools on IIS. Luckily we have started to use application pool identities on IIS, so I knew which application pool was the culprit (in Resource Monitor, add the column 'User Name' to see the application pool name; Task Manager shows it there by default).

OK, it happens to be one of our old websites, but how is it occurring? For that particular website (we have one application pool per website, which makes things a lot easier) I then looked into its log files, stored here: %SystemDrive%\inetpub\logs\LogFiles\{id} (find the ID from IIS Manager by clicking on the Sites folder on the left-hand side; you will see all the sites with their IDs).

Most log files were 1Mb each, except for today's, which so far is 24Mb! Aha! Success. Looking into the log file told us which page was being 'hacked'. It was a tell-a-friend page where you could enter your and a friend's email addresses along with a message, and the server would send the friend an email looking like it came from your email. A classic case of forgetting to put a CAPTCHA on the page. The page has been around for 4 years and only today someone discovered its vulnerabilities. Luckily I am BCC'd on all emails sent, which is why I got a lot of emails sent to me. If I hadn't been copied in, we wouldn't have found out until our email server had been blacklisted.

I blacklisted the IP address, which put an immediate stop to the problem, but have deleted the page as well. It was very rarely used (not for months) and so won't be missed. But a good learning experience all round.

By amazing coincidence my second in command is on holiday this week. He says he is at Centre Parcs but if I found out he has gone to the Philippines (which is where the IP address of the hacker comes from), well, I hope for his sake, he brings me back a nice present.
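The netstat, PID-to-process and log-file steps above, as one PowerShell script. This is an added example and not from the original post; it assumes an elevated prompt, the default IIS log location, and a placeholder site id in $logDir that you replace with the id shown in IIS Manager.

```powershell
# Added example (not the original post's code). Assumes an elevated prompt and the
# default IIS log folder; the site id in $logDir below is a placeholder.

# Step 1: PIDs owning a TCP connection whose remote end is port 25 (parsed from netstat -ano)
$pids = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+\s+\S+:25\s+\S+\s+(\d+)\s*$') { [int]$Matches[1] }
} | Sort-Object -Unique

# Step 2: map each PID to its image name and owner; a w3wp.exe running under an
# application pool identity shows its owner as IIS APPPOOL\<pool name>
foreach ($p in $pids) {
    $proc  = Get-WmiObject Win32_Process -Filter "ProcessId = $p"
    $owner = $proc.GetOwner()
    '{0,6}  {1,-12} {2}\{3}' -f $p, $proc.Name, $owner.Domain, $owner.User
}

# Step 3: in the culprit site's newest W3C log, count requests per client IP, method
# and page, so the abused page and the sending address float to the top
$logDir = "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1"   # W3SVC<site id>; 1 is a placeholder
$newest = Get-ChildItem $logDir -Filter *.log | Sort-Object LastWriteTime | Select-Object -Last 1
$fields = @()
$hits   = @{}
foreach ($line in Get-Content $newest.FullName) {
    # W3C logs declare their column layout in a '#Fields:' line; other '#' lines are comments
    if ($line.StartsWith('#Fields:')) {
        $fields = $line.Substring(8).Trim() -split '\s+'
        $ip     = [array]::IndexOf($fields, 'c-ip')
        $method = [array]::IndexOf($fields, 'cs-method')
        $page   = [array]::IndexOf($fields, 'cs-uri-stem')
        continue
    }
    if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }
    $cols = $line -split ' '
    $key  = '{0} {1} {2}' -f $cols[$ip], $cols[$method], $cols[$page]
    $hits[$key] = [int]$hits[$key] + 1
}
$hits.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 10
```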


Aug 12

Fix: IIS 7 SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission' failed

IIS 7 recommends using ApplicationPoolIdentities for its application pools, instead of using NetworkService. One advantage of this is that when looking at processes in Task Manager, the IIS worker process has a username matching the application pool name, so it is easier to see which one is consuming more resources etc.

BUT, if you switch to ApplicationPoolIdentity as the Identity you might come across the following error:

[SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]

To fix this, in the advanced settings for the application pool, change Load User Profile to True.

For more information on ApplicationPoolIdentity see http://learn.iis.net/page.aspx/624/application-pool-identities/
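An added example (not from the original post) that applies the fix above across a server rather than one pool at a time: it lists every application pool that uses ApplicationPoolIdentity but still has Load User Profile off, and switches it on. It assumes the WebAdministration PowerShell module, which ships with IIS 7.5 on Windows Server 2008 R2 and later.

```powershell
# Added example (not the original post's code). Assumes the WebAdministration module.
Import-Module WebAdministration

foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $model = $pool.processModel
    # Only pools running as their own ApplicationPoolIdentity hit the
    # AspNetHostingPermission error when the user profile is not loaded
    if ($model.identityType -eq 'ApplicationPoolIdentity' -and -not $model.loadUserProfile) {
        Write-Host "Enabling Load User Profile for pool '$($pool.Name)'"
        Set-ItemProperty "IIS:\AppPools\$($pool.Name)" -Name processModel.loadUserProfile -Value $true
    }
}

# Re-read the setting to confirm it stuck; the affected pools should now show True
Get-ChildItem IIS:\AppPools | ForEach-Object {
    '{0,-30} {1,-25} {2}' -f $_.Name, $_.processModel.identityType, $_.processModel.loadUserProfile
}
```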


Feb 18

Mime types on IIS7

I host quite a few mp4 videos on our webserver, which runs IIS7. By default, IIS7 doesn't have the mime type set for mp4 and thus returns a 404 error if you try to access the file. This is done for security reasons (so people can't access secure files by default, e.g. .inc, .cs etc.). That's a valid point, but mp4 is quite a common format, especially these days, so why isn't that one made available?! Anyway, in IIS7 I came across quite a nice solution: you can add additional mime types to the web.config. Here is a sample:

<configuration>
  <system.webServer>
    <staticContent>
      <!-- serve these extensions instead of returning 404 for unknown types -->
      <mimeMap fileExtension=".mp4" mimeType="video/mp4" />
      <mimeMap fileExtension=".m4v" mimeType="video/m4v" />
    </staticContent>
  </system.webServer>
</configuration>

I like that: if we ever move to another server, that's one less thing to have to remember to set up.


Dec 22

IIS 7: Enabling PUT requests

I'm doing some funky RESTful services and was setting them up on a laptop. BUT PUT requests weren't working (always returning a 405 error, Method Not Allowed). The fix was to uninstall WebDAV Publishing as a feature of IIS, and then it worked straight away.

Some people were talking about WebDAV forcing you to make authorised requests for PUT, but I was and it wasn't working. The simplest solution was to remove it as I didn't need it.
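An added example, not from the original post, that goes a step further than uninstalling the feature: it unhooks the WebDAV module and handler from just the one site that serves the REST service (so WebDAV stays available to other sites on the box) and then sends a test PUT to confirm the 405 is gone. The site name and service URL are placeholders.

```powershell
# Added example (not the original post's code). Site name and URL are placeholders.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'

# Remove WebDAV from this site's configuration only (written to the site's web.config):
# the WebDAVModule is what answers PUT/DELETE with 405 before the service ever sees them
& $appcmd set config $site /section:system.webServer/modules  "/-[name='WebDAVModule']"
& $appcmd set config $site /section:system.webServer/handlers "/-[name='WebDAV']"

# Check: a PUT should now reach the service instead of being rejected by WebDAV
$client = New-Object System.Net.WebClient
$client.Headers['Content-Type'] = 'application/json'
try {
    $client.UploadString('http://localhost/service/items/1', 'PUT', '{"name":"test"}') | Out-Null
    'PUT accepted'
}
catch [System.Net.WebException] {
    'PUT failed: ' + $_.Exception.Message    # still "405" here means WebDAV is still hooked in
}
```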