2085 Views | 10 Helpful | 3 Replies

webserver hacked behind ASA 5510

NAGISWAREN2
Level 1

Hi all,

Need help. I have one webserver which is open to the public via HTTP and HTTPS. The server sits behind a Cisco ASA 5510. Today our webserver was hacked by someone. The index.html has been replaced by the hacker's own index.html file. Is there any way to detect who did this (by IP)? Can my Cisco ASA give any clue about it? How do I prevent this from happening in the Cisco ASA? FYI, my ASA only allows the HTTP and HTTPS ports from outside to internal. This ASA is solely dedicated to protecting the webserver. Any idea? Please help.

Regards, Nagis
3 Replies

hobbe
Level 7

Hi

If you have not done so:

Enable logging on the webserver and send the logs somewhere.

Enable logging on the ASA and send the logs somewhere.

The ASA will be able to help you with this if it is correctly set up; however, the webserver will also help you with that.

Now to the webserver.

Do not connect it to any networks.

You have no idea if they installed any software such as rootkits or viruses and so on, so take it offline and remove the logs from the server.

Format the server and then reinstall from clean media.

The logs of the server should be able to tell you what has happened, unless they did not exist in the first place or the aggressor simply wiped them out.

The reason for the webserver being hacked is that somewhere in the installation of the software or in the setup of the webserver there is an error.

Either someone did not remove something (a file or several), or someone did not give the correct access rights, or there was simply a bad password, or an error in how the webserver handles things.

Either way, this is one of those things that the ASA should not get the blame for.

It is a good thing if you can find out how they did it so you can close that hole.

Good luck

HTH
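
One way to act on the advice above about the web server's own logs: the script below is an added example, not code from this thread or from Cisco. It parses a few constructed Apache/nginx combined-format access log lines and lists the client addresses that made write-capable or traversal-style requests, which is the starting point for answering the original "who did this (by IP)" question. The combined log format, the sample addresses and the `/index.html` path are assumptions.

```python
"""Triage of web-server access logs after a defacement.

Added example, not from the thread. Assumes the server writes the
Apache/nginx "combined" log format; all sample lines, addresses and
paths below are constructed.
"""
import re
from datetime import datetime

# Apache/nginx combined log format (assumption about the server's log config).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Write-capable HTTP methods: a successful one against the document root
# is a direct candidate for how index.html got replaced.
WRITE_METHODS = {"PUT", "POST", "DELETE", "MOVE", "COPY", "PATCH"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2012:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Mar/2012:09:15:11 +0000] "GET /admin/upload.php HTTP/1.1" 200 1340 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Mar/2012:09:15:40 +0000] "POST /admin/upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Mar/2012:09:15:55 +0000] "PUT /index.html HTTP/1.1" 201 0 "-" "curl/7.22"
198.51.100.9 - - [10/Mar/2012:09:16:30 +0000] "GET /index.html HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Mar/2012:09:17:02 +0000] "GET /../../etc/passwd HTTP/1.1" 403 0 "-" "curl/7.22"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def suspicious(rec, defaced_path="/index.html"):
    """Return the reasons (possibly none) why a request deserves a closer look."""
    reasons = []
    if rec["method"] in WRITE_METHODS and 200 <= rec["status"] < 300:
        reasons.append("successful %s" % rec["method"])
    if rec["path"] == defaced_path and rec["method"] in WRITE_METHODS:
        reasons.append("write to defaced file")
    if "../" in rec["path"]:
        reasons.append("path traversal attempt")
    return reasons


def triage(log_text, defaced_path="/index.html"):
    """Group suspicious requests by client IP.

    Returns {ip: {"first": ts, "last": ts, "hits": [(ts, method, path, status, reasons)]}}
    for every client that made at least one suspicious request.
    """
    by_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious(rec, defaced_path)
        if not reasons:
            continue
        ent = by_ip.setdefault(rec["ip"], {"first": rec["ts"], "last": rec["ts"], "hits": []})
        ent["first"] = min(ent["first"], rec["ts"])
        ent["last"] = max(ent["last"], rec["ts"])
        ent["hits"].append((rec["ts"], rec["method"], rec["path"], rec["status"], reasons))
    return by_ip


if __name__ == "__main__":
    for ip, ent in triage(SAMPLE_LOG).items():
        print(ip, ent["first"].isoformat(), "->", ent["last"].isoformat())
        for ts, method, path, status, reasons in ent["hits"]:
            print("   ", ts.time(), method, path, status, "; ".join(reasons))
```

The time window returned per address is what you then cross-check against the firewall log, which records the same source address on the outside interface. If the server log shows nothing at all around the modification time, that is itself evidence that logging was off or was wiped, as hobbe says.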

Hi Hobbe,

Thanks for the advice. BTW, I'm not handling the server. The server is handled by the server administrator and I'm on the network part. So now my management is questioning me why the expensive Cisco ASA firewall is not protecting the server. Was the server hacked because of a loophole in the ASA or in the server itself? Is opening ports 80 and 443 enough for a hacker to hack the server?

Regards, Nagis

The server has been hacked and the reason for that is that the server has an internal problem.

The firewall has most likely done its part and kept the rest of the traffic away from the server.

There are many different configuration things you can do to keep some stuff away from the server, and it is good if you do that.

However, this is a problem with the server itself.

If you look in the logs of the server you will most likely either find nothing, which means that the aggressor has wiped them or that the server administrator never enabled them, or you will find out that the aggressor used some loophole in the server software or in the way it is set up.

Why should you set up a firewall when it does not work against everything?

Well, the firewall keeps most bad traffic from the server and inspects many things to help the server do its job.

But it is not a magic box that keeps the server away from every danger. If you tell the firewall that you want people to be able to connect to the server, then the firewall will allow people to connect to the server on the ports you have specified to it, in this case 80 and 443.

But it will not allow people to connect to the server on other ports such as FTP or 445 or any other port.

This makes the server much safer since the firewall keeps that type of traffic away from it.

If there is a bug in, e.g., the FTP software, or if your server admin has not shut down these ports, then the server would be attacked not only on 80 and 443 but also on the other ports, and there would be a higher likelihood of someone finding a bug or error to be able to take control of the server.

Now, when you have the firewall, your server admin needs to do his best to make sure that ports 80 and 443 are well configured and set up on his server, but he/she does not have to put so much effort into securing every other piece of software that runs on that server.

A hacker can gain access to the server through, e.g., old example scripts, or a bad configuration that allows access to certain files or components, or just plain old bugs in the software.

This is all down to the server administrator to secure.

This is one reason why patching is important.

This is also the reason why you need good logging on both the server and also the ASA.

If you have good logging set up you can show management that the firewall has stopped X thousand attacks over a period of Y months.

And the server logs will tell you about the ones that come through on 80 and 443.

If set up right, the ASA can also help out with logging 80 and 443 and what comes there.

The ASA does have some capabilities to help the webserver, e.g., against a DoS attack or an attack that drains the resources of the server.

So it is important to know what you are doing when setting up access to the servers.

E.g., does your server need to be able to initiate traffic to the internet?

There is, e.g., a special card that can help out with IDS/IPS. Does your ASA have one of those?

Good luck

HTH
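
To put numbers behind the "firewall stopped X thousand attacks" argument and to get the list of clients that actually reached ports 80 and 443 around the time of the defacement, the script below is an added example, not code from this thread or from Cisco. It parses two standard ASA syslog message types, 106023 (connection denied by an access group) and 302013 (TCP connection built), from a few constructed lines. The timestamp prefix, interface names, access-list name and addresses in the samples are assumptions, and the ASA must already be sending syslog to a collector for these messages to exist.

```python
"""Summarize Cisco ASA syslog for an incident review.

Added example, not from the thread. ASA message IDs 106023 (deny) and
302013 (built TCP connection) are real, but every sample line, address,
interface name and access-list name below is constructed.
"""
import re
from collections import Counter
from datetime import datetime

# %ASA-4-106023: Deny tcp src outside:A.B.C.D/port dst inside:W.X.Y.Z/port by access-group "name" [..]
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# %ASA-6-302013: Built inbound TCP connection N for outside:A/p (A/p) to inside:B/p (mapped/p)
BUILT_RE = re.compile(
    r'%ASA-6-302013: Built (?P<dir>inbound|outbound) TCP connection \d+ for '
    r'(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to '
    r'(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/\d+\)'
)
# Assumed "Mon dd yyyy hh:mm:ss" prefix written by the ASA's timestamping.
TS_RE = re.compile(r'^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})')

# Constructed sample syslog (not real traffic); 10.0.0.10 is the assumed web server.
SAMPLE_SYSLOG = """\
Mar 10 2012 09:10:01: %ASA-4-106023: Deny tcp src outside:203.0.113.44/40001 dst inside:10.0.0.10/445 by access-group "outside_in" [0x0, 0x0]
Mar 10 2012 09:10:02: %ASA-4-106023: Deny tcp src outside:203.0.113.44/40002 dst inside:10.0.0.10/21 by access-group "outside_in" [0x0, 0x0]
Mar 10 2012 09:10:03: %ASA-4-106023: Deny tcp src outside:203.0.113.44/40003 dst inside:10.0.0.10/3389 by access-group "outside_in" [0x0, 0x0]
Mar 10 2012 09:14:02: %ASA-6-302013: Built inbound TCP connection 4710 for outside:198.51.100.7/51200 (198.51.100.7/51200) to inside:10.0.0.10/80 (192.0.2.10/80)
Mar 10 2012 09:15:40: %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.44/40010 (203.0.113.44/40010) to inside:10.0.0.10/80 (192.0.2.10/80)
Mar 10 2012 09:15:55: %ASA-6-302013: Built inbound TCP connection 4712 for outside:203.0.113.44/40011 (203.0.113.44/40011) to inside:10.0.0.10/443 (192.0.2.10/443)
Mar 10 2012 09:40:00: %ASA-4-106023: Deny udp src outside:192.0.2.99/5000 dst inside:10.0.0.10/161 by access-group "outside_in" [0x0, 0x0]
"""


def parse(log_text):
    """Turn raw ASA syslog text into a list of event dicts (kind, ts, src, dst, dport, ...)."""
    events = []
    for line in log_text.splitlines():
        ts_m = TS_RE.match(line)
        ts = datetime.strptime(ts_m.group("ts"), "%b %d %Y %H:%M:%S") if ts_m else None
        for kind, rx in (("deny", DENY_RE), ("built", BUILT_RE)):
            m = rx.search(line)
            if m:
                ev = m.groupdict()
                ev.update(kind=kind, ts=ts, dport=int(ev["dport"]))
                events.append(ev)
                break
    return events


def summarize(events):
    """Counts for a management report: what the firewall stopped and what it let through."""
    s = {"denied_total": 0, "denied_by_port": Counter(), "denied_by_src": Counter(),
         "permitted_by_port": Counter()}
    for ev in events:
        if ev["kind"] == "deny":
            s["denied_total"] += 1
            s["denied_by_port"][ev["dport"]] += 1
            s["denied_by_src"][ev["src"]] += 1
        elif ev["kind"] == "built" and ev["dir"] == "inbound":
            s["permitted_by_port"][ev["dport"]] += 1
    return s


def sources_to_webserver(events, webserver_ip, start, end, ports=(80, 443)):
    """Client addresses that reached the web server on the allowed ports inside [start, end].

    This is the list to cross-check against the web server's own access log.
    """
    return sorted({ev["src"] for ev in events
                   if ev["kind"] == "built" and ev["dst"] == webserver_ip
                   and ev["dport"] in ports and ev["ts"] is not None
                   and start <= ev["ts"] <= end})


if __name__ == "__main__":
    evs = parse(SAMPLE_SYSLOG)
    print(summarize(evs))
    window = (datetime(2012, 3, 10, 9, 15), datetime(2012, 3, 10, 9, 16))
    print(sources_to_webserver(evs, "10.0.0.10", *window))
```

The deny counters are the "firewall did its job" figure for management; the built-connection list is the part that matters for the investigation, because everything on 80 and 443 is, by design, permitted and only the server's own log can say what those clients did once connected.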
