Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > site security: how can I audit what user or machine process has altered a file?

Reply
Thread Tools

site security: how can I audit what user or machine process has altered a file?

 
 
Ken Fine
Guest
Posts: n/a
 
      02-22-2008

I'm having a periodic issue on one of my sites with defacement: people are
using some process or exploit to replace/deface pages. I want to know how
exactly they are doing this, and what process or user is doing this. How can
I best audit what user or machine process has altered a particular file, or
set up a log on that file for the future? Beyond basic server security, any
pointers for common strategies to hinder this sort of defacement?

I'm using Windows Server 2003, ASP.NET, PHP, and classic ASP. I control the
server entirely.

Thanks,
-KF

 
Reply With Quote
 
 
 
 
Mark Rae [MVP]
Guest
Posts: n/a
 
      02-22-2008
"Ken Fine" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> I want to know how exactly they are doing this


What's the URL...?


--
Mark Rae
ASP.NET MVP
http://www.markrae.net

 
Reply With Quote
 
 
 
 
Steven Cheng
Guest
Posts: n/a
 
      02-25-2008
Hi KF,

Do you mean your webserver machine is suffering some attacks recently? For
file altering, it could be done from both internal network or external. For
internal, you may need to restrict more on the file access of that machine.
For external, it is more likely that some external users has gain some
level of access permissions on your machine. Normally, you may first check
the IIS webserver security(such as install all the lastest patch and apply
some good practices):

#Installing and Securing IIS Servers (Part 1)
http://www.windowsecurity.com/articl..._Servers_Part1
.html

#Tech Tip: Take these steps to secure your IIS Web server
http://articles.techrepublic.com.com...1-5287646.html

#IIS Security Checklist
http://www.washington.edu/computing/...IISsecchecklis
t.html

Sure, there are also some information about building secured ASP.NET
application:

#Building Secure ASP .NET Applications .pdf Download
http://www.microsoft.com/downloads/d...772-97FE-41B8-
A58C-BF9C6593F25E&displaylang=en

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.





--------------------
>From: "Ken Fine" <(E-Mail Removed)>
>Subject: site security: how can I audit what user or machine process has

altered a file?
>Date: Fri, 22 Feb 2008 13:27:12 -0800
>
>
>I'm having a periodic issue on one of my sites with defacement: people are
>using some process or exploit to replace/deface pages. I want to know how
>exactly they are doing this, and what process or user is doing this. How

can
>I best audit what user or machine process has altered a particular file,

or
>set up a log on that file for the future? Beyond basic server security,

any
>pointers for common strategies to hinder this sort of defacement?
>
>I'm using Windows Server 2003, ASP.NET, PHP, and classic ASP. I control

the
>server entirely.
>
>Thanks,
>-KF
>
>


 
Reply With Quote
 
Ken Fine
Guest
Posts: n/a
 
      02-25-2008
Thanks. I'm still curious if there is a way to log what process or user
altered a particular file, so I can figure out exactly where the attack is
coming from. Do you know a way to do that?

Thanks,
-KF

""Steven Cheng"" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi KF,
>
> Do you mean your webserver machine is suffering some attacks recently? For
> file altering, it could be done from both internal network or external.
> For
> internal, you may need to restrict more on the file access of that
> machine.
> For external, it is more likely that some external users has gain some
> level of access permissions on your machine. Normally, you may first check
> the IIS webserver security(such as install all the lastest patch and apply
> some good practices):
>
> #Installing and Securing IIS Servers (Part 1)
> http://www.windowsecurity.com/articl..._Servers_Part1
> html
>
> #Tech Tip: Take these steps to secure your IIS Web server
> http://articles.techrepublic.com.com...1-5287646.html
>
> #IIS Security Checklist
> http://www.washington.edu/computing/...IISsecchecklis
> t.html
>
> Sure, there are also some information about building secured ASP.NET
> application:
>
> #Building Secure ASP .NET Applications .pdf Download
> http://www.microsoft.com/downloads/d...772-97FE-41B8-
> A58C-BF9C6593F25E&displaylang=en
>
> Sincerely,
>
> Steven Cheng
>
> Microsoft MSDN Online Support Lead
>
>
>
> ==================================================
>
> Get notification to my posts through email? Please refer to
> http://msdn.microsoft.com/subscripti...ult.aspx#notif
> ications.
>
>
>
> Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
> where an initial response from the community or a Microsoft Support
> Engineer within 1 business day is acceptable. Please note that each follow
> up response may take approximately 2 business days as the support
> professional working with you may need further investigation to reach the
> most efficient resolution. The offering is not appropriate for situations
> that require urgent, real-time or phone-based interactions or complex
> project analysis and dump analysis issues. Issues of this nature are best
> handled working with a dedicated Microsoft Support Engineer by contacting
> Microsoft Customer Support Services (CSS) at
> http://msdn.microsoft.com/subscripti...t/default.aspx.
>
> ==================================================
>
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
>
>
> --------------------
>>From: "Ken Fine" <(E-Mail Removed)>
>>Subject: site security: how can I audit what user or machine process has

> altered a file?
>>Date: Fri, 22 Feb 2008 13:27:12 -0800
>>
>>
>>I'm having a periodic issue on one of my sites with defacement: people are
>>using some process or exploit to replace/deface pages. I want to know how
>>exactly they are doing this, and what process or user is doing this. How

> can
>>I best audit what user or machine process has altered a particular file,

> or
>>set up a log on that file for the future? Beyond basic server security,

> any
>>pointers for common strategies to hinder this sort of defacement?
>>
>>I'm using Windows Server 2003, ASP.NET, PHP, and classic ASP. I control

> the
>>server entirely.
>>
>>Thanks,
>>-KF
>>
>>

>


 
Reply With Quote
 
Steven Cheng
Guest
Posts: n/a
 
      02-26-2008
Hi KF,

For file system access monitor, so far I what I can get is the windows's
own system audit feature:

#Threats and Countermeasures
http://www.microsoft.com/technet/sec...ity/tcg/tcgch0
3n.mspx

However, it is not recording both the account and process, only account
info may get recorded.

You may also look for some other file system monitor tools, one is the
sysinternals filemon:

#FileMon for Windows v7.04
http://technet.microsoft.com/en-us/s.../bb896642.aspx

and some other 3rd party ones:

#Auditing File System Events
http://dl.scriptlogic.com/landing/fi...-file-system-e
vents.aspx?engine=adwords!9443&keyword=(windows%20 audit)&match_type=&gclid=C
L-U7Ybu4JECFQoXewodZiq3Sw

http://www.filedudes.com/files/File_System_Monitor.html

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
>From: "Ken Fine" <(E-Mail Removed)>
>References: <(E-Mail Removed)>

<(E-Mail Removed)>
>In-Reply-To: <(E-Mail Removed)>
>Subject: Re: site security: how can I audit what user or machine process

has altered a file?
>Date: Mon, 25 Feb 2008 08:58:01 -0800


>
>Thanks. I'm still curious if there is a way to log what process or user
>altered a particular file, so I can figure out exactly where the attack is
>coming from. Do you know a way to do that?
>
>Thanks,
>-KF
>
>""Steven Cheng"" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> Hi KF,
>>
>> Do you mean your webserver machine is suffering some attacks recently?

For
>> file altering, it could be done from both internal network or external.
>> For
>> internal, you may need to restrict more on the file access of that
>> machine.
>> For external, it is more likely that some external users has gain some
>> level of access permissions on your machine. Normally, you may first

check
>> the IIS webserver security(such as install all the lastest patch and

apply
>> some good practices):
>>
>> #Installing and Securing IIS Servers (Part 1)
>>

http://www.windowsecurity.com/articl..._Servers_Part1
>> html
>>
>> #Tech Tip: Take these steps to secure your IIS Web server
>> http://articles.techrepublic.com.com...1-5287646.html
>>
>> #IIS Security Checklist
>>

http://www.washington.edu/computing/...IISsecchecklis
>> t.html
>>
>> Sure, there are also some information about building secured ASP.NET
>> application:
>>
>> #Building Secure ASP .NET Applications .pdf Download
>>

http://www.microsoft.com/downloads/d...772-97FE-41B8-
>> A58C-BF9C6593F25E&displaylang=en
>>
>> Sincerely,
>>
>> Steven Cheng
>>
>> Microsoft MSDN Online Support Lead
>>
>>
>>
>> ==================================================
>>
>> Get notification to my posts through email? Please refer to
>>

http://msdn.microsoft.com/subscripti...ult.aspx#notif
>> ications.
>>
>>
>>
>> Note: The MSDN Managed Newsgroup support offering is for non-urgent

issues
>> where an initial response from the community or a Microsoft Support
>> Engineer within 1 business day is acceptable. Please note that each

follow
>> up response may take approximately 2 business days as the support
>> professional working with you may need further investigation to reach the
>> most efficient resolution. The offering is not appropriate for situations
>> that require urgent, real-time or phone-based interactions or complex
>> project analysis and dump analysis issues. Issues of this nature are best
>> handled working with a dedicated Microsoft Support Engineer by contacting
>> Microsoft Customer Support Services (CSS) at
>> http://msdn.microsoft.com/subscripti...t/default.aspx.
>>
>> ==================================================
>>
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>>
>>
>>
>> --------------------
>>>From: "Ken Fine" <(E-Mail Removed)>
>>>Subject: site security: how can I audit what user or machine process has

>> altered a file?
>>>Date: Fri, 22 Feb 2008 13:27:12 -0800
>>>
>>>
>>>I'm having a periodic issue on one of my sites with defacement: people

are
>>>using some process or exploit to replace/deface pages. I want to know how
>>>exactly they are doing this, and what process or user is doing this. How

>> can
>>>I best audit what user or machine process has altered a particular file,

>> or
>>>set up a log on that file for the future? Beyond basic server security,

>> any
>>>pointers for common strategies to hinder this sort of defacement?
>>>
>>>I'm using Windows Server 2003, ASP.NET, PHP, and classic ASP. I control

>> the
>>>server entirely.
>>>
>>>Thanks,
>>>-KF
>>>
>>>

>>

>
>


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Re: How include a large array? Edward A. Falk C Programming 1 04-04-2013 08:07 PM
listdir reports [Error 1006] The volume for a file has been externally altered so that the opened file is no longer valid PerOK Python 2 01-08-2009 07:58 AM
How to verify that a printed web page has not been altered leeana1@gmail.com HTML 8 08-07-2006 07:01 AM
Rumor - Lucas has "subtly" altered the original Star Wars trilogy Modemac DVD Video 213 10-09-2004 01:43 AM
Web page has altered my home page in IE 5.5 Harry the Horse Computer Support 3 07-11-2003 12:11 AM



Advertisments