I'm having problems with my Umbraco 6 (6.0.5) site that is running on IIS. Someone is exploiting it in some way and keeps uploading spammy html files to it. I get a lot of traffic to these files, which is not what I want and google webmaster tools have given me hacking attempt notices.
I have erased the files several times but they keep coming back. I have also followed some of umbraco's security advice and removed the Install folder, etc. I am also about to upgrade to umbraco 7, but havent had the time to do so yet. Sometimes there are completely new subfolders with files uploaded and sometimes files are added to already current folders.
This is not really my area of expertice. I need to know what can be done to prevent this and also if anyone else have had these problems.
Please advice on what can be done. Am I missing something in my web.config or is it something else?
Here is my web.config. One thing to do is the modify the customErrors flag, but surely this isnt enough
I have posted the same question on Stack owerflow, but thought this Forum might be more appropriate. My web.config is posted on the link below.
You really need to work on your security practices. For one, it appears you've pasted your web.config without removing your database credentials. You should fix this immediately.
I recommend you change your database credentials, change your login credentials, and change any other credentials you know about and move to a new machine and upgrade to the latest version of Umbraco 6 (not Umbraco 7... the latest Umbraco 6 should include all known security fixes).
There are other security practices you can do, but you should start there.
ok, what a blunder. I've changed my db-pwd, my admin pwd. I have followed the guide suggested by Jan also. Any other pointers, IIS config is not realy my area of expertice. I tried upgrading locally to a newer version of umbraco 6 but then I got problems with dll's not beeing able to locate dependencies.
Nicholas: What do you mean move to a new machine? We are moving the code to a new server if that is what you mean. I've scanned my local pc for any malware or viruses but havent found any
It would probably be a good idea to restrict Umbraco access to just those who use Umbraco.
Hopefully your web server and database server are also setup with appropriate firewall rules.
And hopefully you can figure out the upgrade issue so you can have the latest security fixes. Remember that you will want to copy your database too when performing an upgrade... the Umbraco upgrade process sometimes modifies the database.
the switch to the new server was done early this morning. I did change both the umbraco db-user password as well as the umbraco admin-password for the site. The db only allow connections from certain IPs, it has been like that fo a while. I will have a look at the folder security bits and possibly also upgrade umbraco version if I keep getting the spammy files uploaded.
You need to patch your current Umbraco installation regardless as well. As it says in the blogpost I referenced there is a security issue unless you patch the file mentioned.
I already followed this advice already, will try and upgrade version later tonight. I have also asked the hosting responsable to see where the files are coming from to know if the ftp account I use has been exploited or something else. As I myself cannot access the IIS admin tools. Is there anything else in my web.config I can do to remove the possibilities of uploading these files?
My umbraco6 site gets filled with spammy html files
I'm having problems with my Umbraco 6 (6.0.5) site that is running on IIS. Someone is exploiting it in some way and keeps uploading spammy html files to it. I get a lot of traffic to these files, which is not what I want and google webmaster tools have given me hacking attempt notices.
I have erased the files several times but they keep coming back. I have also followed some of umbraco's security advice and removed the Install folder, etc. I am also about to upgrade to umbraco 7, but havent had the time to do so yet. Sometimes there are completely new subfolders with files uploaded and sometimes files are added to already current folders.
This is not really my area of expertice. I need to know what can be done to prevent this and also if anyone else have had these problems.
Please advice on what can be done. Am I missing something in my web.config or is it something else?
Here is my web.config. One thing to do is the modify the customErrors flag, but surely this isnt enough
I have posted the same question on Stack owerflow, but thought this Forum might be more appropriate. My web.config is posted on the link below.
http://stackoverflow.com/questions/26992426/my-umbraco6-site-gets-filled-with-spammy-html-files
My webhotell is is beeing moved to another more secure server, hopefully this will stop by then
Hi Johan
Also make sure to patch your installation with this fix from earlier this year http://umbraco.com/follow-us/blog-archive/2014/7/21/security-issues-found-in-umbraco-4,-6-and-7.aspx
/Jan
You really need to work on your security practices. For one, it appears you've pasted your web.config without removing your database credentials. You should fix this immediately.
I recommend you change your database credentials, change your login credentials, and change any other credentials you know about and move to a new machine and upgrade to the latest version of Umbraco 6 (not Umbraco 7... the latest Umbraco 6 should include all known security fixes).
There are other security practices you can do, but you should start there.
ok, what a blunder. I've changed my db-pwd, my admin pwd. I have followed the guide suggested by Jan also. Any other pointers, IIS config is not realy my area of expertice. I tried upgrading locally to a newer version of umbraco 6 but then I got problems with dll's not beeing able to locate dependencies.
Nicholas: What do you mean move to a new machine? We are moving the code to a new server if that is what you mean. I've scanned my local pc for any malware or viruses but havent found any
Yep, that's what I meant by a new machine.
By the way, when you say you changed your admin password, I assume that you both changed your database user password and your Umbraco user password.
IIS also has the ability to protect certain folders based on IP address: http://serverfault.com/questions/605398/iis-access-control-by-ip-address-for-specific-files-and-folders
It would probably be a good idea to restrict Umbraco access to just those who use Umbraco.
Hopefully your web server and database server are also setup with appropriate firewall rules.
And hopefully you can figure out the upgrade issue so you can have the latest security fixes. Remember that you will want to copy your database too when performing an upgrade... the Umbraco upgrade process sometimes modifies the database.
the switch to the new server was done early this morning. I did change both the umbraco db-user password as well as the umbraco admin-password for the site. The db only allow connections from certain IPs, it has been like that fo a while. I will have a look at the folder security bits and possibly also upgrade umbraco version if I keep getting the spammy files uploaded.
To be continued...
Hi Johan
You need to patch your current Umbraco installation regardless as well. As it says in the blogpost I referenced there is a security issue unless you patch the file mentioned.
/Jan
I already followed this advice already, will try and upgrade version later tonight. I have also asked the hosting responsable to see where the files are coming from to know if the ftp account I use has been exploited or something else. As I myself cannot access the IIS admin tools. Is there anything else in my web.config I can do to remove the possibilities of uploading these files?
Havent had any more incidents the last 24 hours. Crossing my fingers
is working on a reply...