Petes techie blog

A blog written for two people. Me and You.

Have We Been Hacked?: An Investigation


I started to get a lot of spam email from one email address, about 10 every minute. It was all going into my junk mail folder, but after a few hours I was curious why it was happening.

In Outlook, I opened the email and then selected 'Properties' (in Outlook 2010, click the File menu and then the Properties button). This shows the raw headers for the email. The interesting ones are the Received: lines: every mail server the message passes through adds one at the top, so read them from the bottom up. The one written by your own mail server records the IP address that handed it the message, and that is the real source.

Unfortunately the IP address it was coming from was one of our servers... uh oh.

Perhaps we had an SMTP server sitting on there that was being used as our secondary mail server (in case our primary mail server went down)? No: the SMTP server feature hadn't been installed. I tried telnetting to port 25 on the box and got no response, so nothing (rogue or otherwise) was listening as an SMTP server. That only rules out the box acting as a relay, though. A process sending spam outbound connects to port 25 on somebody else's server and needs no listener of its own.

Next brainwave: I used netstat on the command line to see whether port 25 was currently in use. netstat -ano lists every connection along with the PID of the process that owns it, and piping that through findstr keeps only the entries talking to or from port 25:

netstat -ano | findstr :25

(The -o switch is what adds the PID column. Note that :25 also matches ports such as :250 or :2525, so check the address column rather than trusting the filter blindly.)

Success: netstat told me which process was involved by giving me its PID (process ID). In Resource Monitor or Task Manager you can then relate the PID to a process (you might have to add PID as a column in Task Manager).

It was w3wp.exe, one of the application pools on IIS. Luckily we had started to use application pool identities on IIS, so the user name the process runs as (IIS APPPOOL\pool name) told me which application pool was the culprit. (In Resource Monitor, add the 'User Name' column to see it; Task Manager shows it by default.)
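The netstat, PID and user name steps above, done in one go. This is an added example and not code from the original post: it parses the same netstat -ano output, then asks WMI for the process name and the account each PID runs under, which for an IIS worker process is the application pool identity. It assumes Windows PowerShell 3.0 or later (Get-WmiObject and [pscustomobject]) and an elevated prompt.

```powershell
# Added example, not from the original post: list every TCP connection touching a
# port (25 by default), then resolve the owning PID to a process name and the
# account it runs under. An IIS worker process shows up as w3wp.exe running as
# IIS APPPOOL\<pool name> when application pool identities are in use.
# Assumes Windows PowerShell 3.0+ (Get-WmiObject) and an elevated prompt, so that
# the owners of other users' processes can be read.

function Get-PortActivity {
    param([int]$Port = 25)

    # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID.
    # UDP lines have no State column, so only TCP lines are parsed here.
    $rows = netstat -ano |
        Where-Object { $_ -match '^\s*TCP\s' } |
        ForEach-Object {
            $parts = $_.Trim() -split '\s+'
            [pscustomobject]@{
                Local     = $parts[1]
                Remote    = $parts[2]
                State     = $parts[3]
                ProcessId = [int]$parts[4]
            }
        }

    # Anchor on the end of the address so that :25 does not also match :250 or
    # :2525 (which a plain "findstr :25" would). Works for IPv6 too, e.g. [::]:25.
    $hits = $rows | Where-Object { $_.Local -match ":$Port$" -or $_.Remote -match ":$Port$" }

    # Resolve each PID once. Win32_Process.GetOwner() returns the account the
    # process runs as; a process that has already exited is simply not found.
    $owners = @{}
    foreach ($id in ($hits | Select-Object -ExpandProperty ProcessId -Unique)) {
        $proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $id"
        $name = 'exited'; $owner = 'unknown'
        if ($proc) {
            $name = $proc.Name
            $o = $proc.GetOwner()
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        }
        $owners[$id] = @{ Name = $name; Owner = $owner }
    }

    # One line per process: what it is, who it runs as, and where it is talking to.
    $hits | Group-Object ProcessId | ForEach-Object {
        $info = $owners[[int]$_.Name]
        [pscustomobject]@{
            ProcessId   = [int]$_.Name
            Process     = $info.Name
            RunsAs      = $info.Owner
            Connections = $_.Count
            Remotes     = ($_.Group | Select-Object -ExpandProperty Remote -Unique) -join ', '
        }
    }
}

Get-PortActivity -Port 25 | Format-Table -AutoSize
```

A w3wp.exe row whose RunsAs column reads IIS APPPOOL\something names the application pool directly; if the pools all ran as NetworkService the column would say NT AUTHORITY\NETWORK SERVICE for every one of them and you would be back to guessing, which is the practical argument for application pool identities.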

OK, it was one of our old websites, but how was it happening? We run one application pool per website, which makes this a lot easier: for that site I looked at its log files in C:\inetpub\logs\LogFiles\W3SVC{id} (find the id in IIS Manager by clicking the Sites folder on the left hand side; the list shows every site with its ID).

Most log files were 1 MB each, except today's, which was already 24 MB. Aha! Looking through the log file told us which page was being 'hacked'. It was a tell-a-friend page where you entered your own and a friend's email address along with a message, and the server sent the friend an email that looked as if it came from you. A classic case of forgetting to put a CAPTCHA on the page, and a page that will send a message of the caller's choosing from a sender of the caller's choosing to any address is everything a spammer needs. The page had been around for 4 years and only today did someone discover its vulnerabilities. Luckily I am BCC'd on all emails sent, which is why so many of them landed on me. If I hadn't been copied in, we wouldn't have found out until our email server had been blacklisted.
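Finding the abused page in a 24 MB log by eye is slow; counting requests per URL and per client IP makes it jump out. The script below is an added example, not code from the original post: it reads the #Fields: header that IIS writes at the top of each W3C log to name the columns, then ranks URLs, client IPs and the IP-plus-URL pairs. The log lines are constructed for illustration, and the site id, page name and addresses are placeholders rather than the real ones. Assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: parse an IIS W3C log using its
# #Fields: header and rank the URLs and client IPs with the most requests, so an
# abused page stands out from the rest of a suddenly large log file. The log
# lines below are constructed for illustration; the addresses, site id and page
# name are placeholders, not the real ones. Assumes PowerShell 3.0 or later.

function Get-IisLogSummary {
    param(
        [Parameter(Mandatory=$true)][string[]]$Lines,
        [int]$Top = 5
    )

    # The #Fields: directive names the columns. IIS writes '+' in place of spaces
    # inside a value (e.g. the user agent), so splitting on a single space is safe.
    $fields = $null
    $rows = foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }

        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
    $rows = @($rows)

    $topUrls = $rows | Group-Object 'cs-uri-stem' | Sort-Object Count -Descending |
        Select-Object -First $Top @{ n = 'Requests'; e = { $_.Count } }, @{ n = 'Url'; e = { $_.Name } }
    $topClients = $rows | Group-Object 'c-ip' | Sort-Object Count -Descending |
        Select-Object -First $Top @{ n = 'Requests'; e = { $_.Count } }, @{ n = 'ClientIp'; e = { $_.Name } }
    # Which client is hammering which page: the pair that explains the log growth.
    $topPairs = $rows | Group-Object 'c-ip', 'cs-uri-stem' | Sort-Object Count -Descending |
        Select-Object -First $Top @{ n = 'Requests'; e = { $_.Count } }, @{ n = 'ClientAndUrl'; e = { $_.Name } }

    [pscustomobject]@{
        TotalRequests = $rows.Count
        TopUrls       = $topUrls
        TopClients    = $topClients
        TopPairs      = $topPairs
    }
}

# Constructed sample in the IIS 7.x default W3C layout (not a real server log).
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-05-14 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-05-14 09:00:01 10.0.0.5 GET /default.aspx - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 31
2012-05-14 09:00:02 10.0.0.5 GET /tellafriend.aspx - 80 - 203.0.113.9 Mozilla/4.0 200 0 0 15
2012-05-14 09:00:02 10.0.0.5 POST /tellafriend.aspx - 80 - 203.0.113.9 Mozilla/4.0 200 0 0 140
2012-05-14 09:00:08 10.0.0.5 POST /tellafriend.aspx - 80 - 203.0.113.9 Mozilla/4.0 200 0 0 133
2012-05-14 09:00:14 10.0.0.5 POST /tellafriend.aspx - 80 - 203.0.113.9 Mozilla/4.0 200 0 0 128
2012-05-14 09:00:20 10.0.0.5 POST /tellafriend.aspx - 80 - 203.0.113.9 Mozilla/4.0 200 0 0 131
2012-05-14 09:00:25 10.0.0.5 GET /about.aspx - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 22
2012-05-14 09:00:26 10.0.0.5 POST /tellafriend.aspx - 80 - 203.0.113.9 Mozilla/4.0 200 0 0 129
'@

$summary = Get-IisLogSummary -Lines ($sampleLog -split "`r?`n") -Top 3
"Total requests: $($summary.TotalRequests)"
$summary.TopUrls    | Format-Table -AutoSize
$summary.TopClients | Format-Table -AutoSize
$summary.TopPairs   | Format-Table -AutoSize

# On the real box, point it at the site's own log folder (placeholder site id and date):
# Get-IisLogSummary -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC3\u_ex120514.log') -Top 10
```

The TopPairs table is the useful one: a single client IP posting to a single form page hundreds of times a minute is the signature of a form being driven by a script, and it also hands you the address to block.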

Blacklisting the IP address put an immediate stop to the problem, but I have deleted the page as well. It was very rarely used (not for months), so it won't be missed. Had it needed to stay, a CAPTCHA alone wouldn't have been enough: it would also have wanted per-IP rate limiting, a fixed From address (with the sender's own address only in Reply-To) and a fixed message body rather than free text. A good learning experience all round.
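One way to do the blacklisting on the web server itself, as an added example rather than the method the post used: deny the address for the affected site with the IIS "IP and Domain Restrictions" feature and then list the rules in effect. It assumes IIS 7 or later with that role service installed, the WebAdministration module in an elevated prompt, a site called 'OldSite' and the placeholder address 203.0.113.9, none of which come from the original post.

```powershell
# Added example, not from the original post: deny a list of client IPs for one
# site using IIS "IP and Domain Restrictions" (system.webServer/security/ipSecurity),
# then show the rules now in effect. Assumes IIS 7+ with that role service
# installed, the WebAdministration module (elevated prompt), a site named 'OldSite'
# and the placeholder address below. Writing the rule via the APPHOST path with
# -Location keeps it in applicationHost.config, which works even though the
# ipSecurity section is locked against web.config overrides by default.
Import-Module WebAdministration

function Add-SiteIpDeny {
    param(
        [Parameter(Mandatory=$true)][string]$SiteName,
        [Parameter(Mandatory=$true)][string[]]$IpAddress
    )
    $filter = 'system.webServer/security/ipSecurity'
    $root   = 'MACHINE/WEBROOT/APPHOST'

    foreach ($ip in $IpAddress) {
        # Skip addresses that already have a rule so the list stays clean.
        $existing = Get-WebConfiguration -Filter "$filter/add[@ipAddress='$ip']" -PSPath $root -Location $SiteName
        if ($existing) { continue }
        Add-WebConfigurationProperty -Filter $filter -PSPath $root -Location $SiteName -Name '.' `
            -Value @{ ipAddress = $ip; allowed = 'false' }
    }

    # Return what is now configured for the site.
    Get-WebConfiguration -Filter "$filter/add" -PSPath $root -Location $SiteName |
        Select-Object ipAddress, subnetMask, allowed
}

Add-SiteIpDeny -SiteName 'OldSite' -IpAddress '203.0.113.9' | Format-Table -AutoSize
```

A denied client gets an HTTP 403 from IIS before the page code runs, so the log for the site will show the requests continuing as 403.6 for a while and then tailing off once the script on the other end gives up, which is a quick way to confirm the rule is doing its job.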

By amazing coincidence my second in command is on holiday this week. He says he is at Centre Parcs, but if I find out he has gone to the Philippines (which is where the hacker's IP address comes from), well, I hope for his sake he brings me back a nice present.