jt2377
08-17-2005, 04:11 PM
Customers with a simple index.html got defaced with some anti-Iraq-war image and stuff. I have looked through the FTP log and found an anonymous login that matches the time the index file was created. I don't think my server got hacked and I don't allow anonymous login, so... does anyone know how they can get in and upload the files?
What authority do I contact about this defacing?
Amish_Geek
08-17-2005, 04:15 PM
If you have an insecure or outdated version of phpBB2 installed, that can be used to upload bad index files. Also check around some of the defacement reporting sites, to see if your server IP is listed with the defacement. Most likely the domain was hit in a mass defacement. There should be details with how it was done there too.
Unfortunately, I can't remember any of those defacement listing sites off the top of my head.
jt2377
08-17-2005, 04:15 PM
I use Windows/IIS6. As far as I know none of my customers use phpBB, but I'll check. Thank you.
thisisnoneofyourb
08-17-2005, 05:42 PM
Which version of PHP are you using? If you are using PHP 4.3.10 or older you should upgrade to 4.3.11 at least. Also make sure you update cPanel and the backend scripts regularly + have a sysadmin update your kernel etc.
Kiamori
08-17-2005, 05:57 PM
Originally posted by jt2377
I use Windows/IIS6. As far as I know none of my customers use phpBB, but I'll check. Thank you.
Run a security audit on your server; I suspect incorrect security settings. This would explain the anonymous FTP login in your logs.
Josh Stein
08-17-2005, 06:58 PM
1. Anonymous FTP enabled = security issue.
2. Unless the IP is within your country's jurisdiction, don't bother wasting your time trying to report it.
boonchuan
08-17-2005, 07:03 PM
Check your permissions. Is your WebDAV enabled? Secondly, have you patched the server?
You may want to check for any rootkit just in case:
http://www.sysinternals.com/Utilities/RootkitRevealer.html
jt2377
08-17-2005, 10:16 PM
Originally posted by boonchuan
Check your permissions. Is your WebDAV enabled? Secondly, have you patched the server?
You may want to check for any rootkit just in case:
http://www.sysinternals.com/Utilities/RootkitRevealer.html
Server is patched. No anonymous users are allowed.
Thanks for the link. I'll use it to check for a rootkit.
BTW, I've contacted theplanet and used their vulnerability tool to check the server... the only security hole that it found was SMTP, the email server. It's running MailEnable Pro 1.5.4 and the new edition is 1.6.
I'll probably upgrade it.
jt2377
08-17-2005, 10:21 PM
Originally posted by Josh Stein
1. Anonymous FTP enabled = security issue.
2. Unless the IP is within your country's jurisdiction, don't bother wasting your time trying to report it.
I've contacted theplanet; basically they say the same thing: it's hard to find out who exactly defaced my customer's website, and pretty much it was a weak account password that allowed them to load up the deface files.
After deleting the deface files, everything went back to normal. I ran an antivirus scan and found nothing except a few emails that got a virus. The system (Windows) itself is not infected or anything.
My server runs Microsoft Remote Access and Routing as a basic firewall with every port shut, and F-Prot antivirus runs in real time.
Should I tell my customers to beef up their passwords? It seems like a weak password did the trick.
I always patch up Windows whenever a patch is released.
Kiamori
08-18-2005, 12:18 AM
Like I said before, run a security audit; you can even download a basic one free from Microsoft here: http://www.microsoft.com/technet/security/tools/mbsahome.mspx. You should also turn on logging & auditing in order to find security holes in the future.
jt2377
08-18-2005, 01:58 AM
Originally posted by Kiamori
Like I said before, run a security audit; you can even download a basic one free from Microsoft here: http://www.microsoft.com/technet/security/tools/mbsahome.mspx. You should also turn on logging & auditing in order to find security holes in the future.
Did that with an older version. I'll try the new version. Thanks.
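
Added example, not written by any poster in this thread: the log check described in the first post (matching an anonymous FTP login to the time the index file was created), done per FTP session instead of by eye. It assumes the FTP log is in W3C extended format with the fields `time c-ip cs-method cs-uri-stem sc-status` and that uploads are logged as `created`; the sample lines, IPs and paths are constructed.

```python
import re

# Constructed sample in the W3C extended layout assumed for the IIS 6 FTP
# service log (documentation-range IPs, invented times and session ids).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
16:02:10 192.0.2.10 [41]USER customer1 331
16:02:11 192.0.2.10 [41]PASS - 230
16:02:15 192.0.2.10 [41]created /site1/about.html 226
16:05:01 203.0.113.7 [42]USER anonymous 331
16:05:02 203.0.113.7 [42]PASS IEUser@ 230
16:05:04 203.0.113.7 [42]created /site2/index.html 226
16:07:30 198.51.100.3 [43]USER anonymous 331
16:07:31 198.51.100.3 [43]PASS guest@ 530
"""

# time, client IP, [session id]verb, argument, FTP status code
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (\S+) (\d{3})$")

def anonymous_uploads(log_text):
    """Return (time, ip, path) for files created in sessions logged in as anonymous."""
    pending = {}    # (ip, session) -> user name offered with USER
    logged_in = {}  # (ip, session) -> user name whose PASS was answered 230
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "#" header line or a line in another layout
        time, ip, sess, verb, arg, status = m.groups()
        key = (ip, sess)
        verb = verb.upper()
        if verb == "USER":
            pending[key] = arg.lower()
            logged_in.pop(key, None)  # a new USER restarts authentication
        elif verb == "PASS" and status == "230" and key in pending:
            logged_in[key] = pending[key]
        elif verb == "CREATED" and status == "226":
            if logged_in.get(key) == "anonymous":
                hits.append((time, ip, arg))
    return hits

if __name__ == "__main__":
    for time, ip, path in anonymous_uploads(SAMPLE_LOG):
        print(f"{time} anonymous upload from {ip}: {path}")
```

Any hit means the FTP service accepted an anonymous login with write access, which is the misconfiguration several replies point at; no hits with a matching named-account upload points back to the weak-password explanation.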