Quick bite : FTP site got tagged? Here's a fix.
Script kiddies, like any other malformed adolescents, like to leave their mark around the place, sort of like toilet graffiti. IIS FTP servers can be reasonably easy for these kiddies to 'tag', but here's the fix...
Here's the situation. You're looking in your FTPRoot folder for a particular file, and you notice some weird folder that you don't remember putting there. The name is often indecipherable gibberish, and sometimes there's a complete directory tree sitting under it, also with weird names or some grammatically incorrect statement embedded. You've been tagged, and you'll need to fix it.
What's happened is that some script kiddie has gained access to your FTP server. Whether they've port scanned for anonymous-enabled servers or whether they've cracked your password, you need to do something about it. First thing you have to do is disable anonymous access (or at bare minimum make it read-only by altering the NTFS permissions on the files and folders concerned, removing write permission for the IUSR account). If your server isn't anonymous-enabled, you'll need to change your passwords so they can't be used again (try randomly generated ones this time).
Then you should look for files which shouldn't be there. Sometimes these 'hackers' upload suspicious little programs for their own use - anything that's not yours, get rid of it. If you can.
Which brings us to the problem. There's a disparity between the capabilities of the NTFS file system and the Win32 system that sits on top of it. Often if you try to delete these directories and files from Windows Explorer, it'll fail, because our little hacker friends have used characters that the Win32 system can't handle, but NTFS can. So here's how you fix it.
Get yourself a command prompt with start->run->cmd.exe
cd to the parent of the directory you're trying to delete, such as ftproot.
Now run the dir command with the /x switch. What this switch does is allow you to see the 8.3 short filenames for these folders and files. You can then use this short filename to rmdir your duff folders quickly and easily, restoring your folders to their original state.
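
To know which entries will need the short-name treatment before Explorer refuses them, a listing can be checked against the Win32 naming rules. This is an added example, not part of the original article: the rules are Microsoft's documented Win32 restrictions (the article does not list them), the listing is constructed sample data, and the function names are made up for illustration.

```javascript
// Added example: flag directory entries whose names the Win32 layer cannot
// address normally. The rules are Microsoft's documented naming restrictions,
// not something taken from the article.
const RESERVED_DEVICE = /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$/i;

function win32NameProblems(name) {
  const problems = [];
  // Win32 strips trailing dots and spaces, so such a name never matches on disk
  if (/[. ]$/.test(name)) problems.push("trailing dot or space");
  // Device names are reserved, with or without an extension
  if (RESERVED_DEVICE.test(name)) problems.push("reserved device name");
  // Characters 0-31 are not allowed in Win32 file names
  if (/[\x00-\x1f]/.test(name)) problems.push("control character");
  return problems;
}

// Return only the entries that have at least one problem
function auditListing(names) {
  return names
    .map((name) => ({ name, problems: win32NameProblems(name) }))
    .filter((entry) => entry.problems.length > 0);
}

// Constructed sample listing of an FTP root (not from a real server)
const sampleListing = [
  "incoming", "pub", "readme.txt",
  "tagged by x ", "com1", "lpt3.txt", " . ",
];

for (const entry of auditListing(sampleListing)) {
  console.log(JSON.stringify(entry.name) + ": " + entry.problems.join(", "));
}
```

Entries it reports are the ones to look up with dir /x and remove by their short names.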
The whole experience, too, should teach you the value of security. Patch your servers and lock them down as best you can, because there's always some spotty adolescent who'll screw you around if you don't.

An introduction to custom error pages
by : Atrax
IIS, like all good web servers, allows you to create your own custom error pages. Atrax runs you through a quick intro, creating a 404 error page which notifies the administrator of broken links.
Custom errors can be something of a boon. They can add a touch of professionalism to your site, and can allow you to capture traffic that would otherwise have just seen a broken link and left in disgust. They can also be useful for creating 'virtual' pages and directories - you can give out a URL like 'http://yoursite.com/someuser.asp' and get it automatically redirected to 'http://yoursite.com/users.asp?user=someuser' - making it certainly easier to remember. In this article, I'll be creating a simple 404 error page which will apologise nicely to your users and notify the administrator of the broken link, so you can fix it.
Custom error pages of the 'URL' subtype can run any type of server-side code your IIS box can handle - ASP, Perl, Tcl, Python, whatever. We'll be using ASP/JScript for this example, but there's no reason why you couldn't use something else for the purpose.
The first thing to do is create your file. I set up a 'customerrors' folder in my root folder, and added a file called '404.asp'. Then I headed off to Internet Services Manager and fired up my 'default web site properties' dialog. Just click on the obvious tab (marked 'custom errors', dummy) and scroll down to find the 404 error page.

The default here is to use the 'file' subtype pointed to IIS's default error page. We'll click on 'edit properties' and change this value.

As you can see, I changed the dropdown's value to 'URL' from 'FILE' and entered an absolute URL to my new error page. Just click OK, then get yourself out of IIS services manager and off to your favourite ASP editor. Here's the simple code I placed in my 404 page.
<%@Language="JScript"%><%
Response.Buffer = true;
Response.Expires = -1441;

// Mail the administrator the raw query string IIS passed to this page
function sendMessage() {
    var qs = Request.ServerVariables("query_string").item;
    var objMail = new ActiveXObject("CDONTS.NewMail");
    objMail.to = "administrator@infinitemonkeys.ws";
    objMail.from = 'webserver@infinitemonkeys.ws';
    objMail.subject = 'Broken Link notification';
    var body = 'A 404 error has been generated by';
    objMail.body = body + ' the infinitemonkeys site. the error is \'' + qs + '\'';
    objMail.send();
}
%><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Page Not Found</title>
<link rel="stylesheet" href="/infinitemonkeys/css/style.css" />
</head>
<body>
<!--#include virtual="/infinitemonkeys/inc/header.asp"-->
<p><b>The page you are looking for was not found.</b></p>
<p>Try again using the menu on the left. The administrator has
been notified and will rectify the error as soon as possible.</p>
<% sendMessage() %>
<!--#include virtual="/infinitemonkeys/inc/footer.asp"-->
</body>
</html>
The thing to note here is that parameters passed to the file are not in the usual key/value ASP format - they're in the format '404.asp?errorcode;pagenotfound'. This means you can't use the usual Request.Querystring("key") method to extract the missing file's name. So you use Request.ServerVariables("query_string").item
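
The handler above mails whatever arrives in the query string, and that value is chosen by whoever requested the missing page; it also sends one mail per miss. The following is an added example, not the article's code: it parses the 'errorcode;pagenotfound' form described above, strips control characters, caps the length and throttles repeat reports. The function names, the 512-character cap and the throttle window are assumptions.

```javascript
// Added example: treat the error page's query string as untrusted input.
var MAX_URL_LENGTH = 512; // assumed cap so one request cannot produce a huge mail

// Split 'errorcode;url' into its parts; return null for anything else.
function parseErrorQuery(qs) {
  var text = String(qs);
  var sep = text.indexOf(";");
  if (sep < 0) return null;
  var code = text.substring(0, sep);
  if (!/^\d{3}$/.test(code)) return null; // accept only a plain status code
  // Replace CR, LF and other control characters so the value stays on one line
  var url = text.substring(sep + 1).replace(/[\x00-\x1f\x7f]/g, " ");
  if (url.length > MAX_URL_LENGTH) {
    url = url.substring(0, MAX_URL_LENGTH) + "...";
  }
  return { code: code, url: url };
}

// Report each URL at most once per window. State is held in memory here; a
// real handler would keep it wherever the host persists data between requests.
function makeThrottle(windowMs) {
  var lastSent = {};
  return function shouldNotify(url, nowMs) {
    var key = "u:" + url;
    var seen = Object.prototype.hasOwnProperty.call(lastSent, key);
    if (seen && nowMs - lastSent[key] < windowMs) return false;
    lastSent[key] = nowMs;
    return true;
  };
}

// Build the notification text from the cleaned values only.
function buildBody(parsed) {
  return "A " + parsed.code + " error has been generated by the site. " +
    "The error is '" + parsed.url + "'";
}

// Constructed sample request, using the article's example URL
var sample = parseErrorQuery("404;http://yoursite.com/someuser.asp");
var shouldNotify = makeThrottle(10 * 60 * 1000);
if (sample && shouldNotify(sample.url, Date.now())) {
  console.log(buildBody(sample));
}
```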
From this short example it should become fairly obvious that there are many things you can do with custom errors in IIS beyond just notifying yourself of page errors - with some simple string parsing you can create any number of 'virtual' pages and nifty little tricks. It'll keep folks in your site instead of just giving them the somewhat impolite standard 404 or 500 error. You can even use it to catch script errors by trapping 500.100 errors in order to fail gracefully and rectify issues.