How to prevent anonymous file uploads from HTML Forms
There is a major security breach in one of our company's websites. The website is built on C#, ASP.Net and IIS 7. There are some hackers who are able to upload files through the login form on the website's home page. There are no other forms on the website, and only the index page is visible to users.
When I check the server logs, there is no anonymous access from Remote Desktop or FTP. So I think the hackers are uploading files from the login form only. We have set up the firewall so that it restricts access to certain countries, but when I look at the server log, people from those restricted countries are still able to access that page, and these files are coming from those countries only.
The server which we are using is a dedicated server. The customer support could not provide sufficient help in fixing this issue.
Can someone please shed some light on what's happening here and how I can prevent it?
I presume your application isn't meant to accept anonymous file uploads, which means something is being exploited.
Without seeing your application source code and knowing how your server is configured, it isn't really possible to provide a simple solution to prevent your suspected file upload exploit. Instead I have included information about how to secure your server and your application, which I hope you will find useful.
Start Fresh: Now that your server has been compromised, you should ideally reformat the server and load the data back from the last known safe backup. It's rather difficult to salvage a server that has been compromised and bring it back to a safe state without reformatting, unless you know exactly what was compromised on the system and can be sure you can reverse the effects. I would always err on the side of caution.
Actively Protect: You should ensure that Windows Updates are enabled and applied regularly, that you have antivirus installed that runs daily, and that you have a tight firewall. And of course use strong passwords for all user accounts. Don't forget to patch 3rd party software and controls regularly as well.
FTP is Insecure: You noted that you are using FTP. FTP is insecure on its own: your credentials are sent in plain text across the internet, so you should avoid using it. If a hacker compromised any network between you and your server (and some of those networks may be out of your control), then they could have simply read your password when you logged in. There would be no authentication errors logged, because they knew the password. So replace FTP with SFTP, or better yet, only ever access your server via a VPN tunnel.
PCI Vulnerability Scan: Once you have your server in a relatively secure, fresh state, you should run a PCI scan against it. A PCI scan is a requirement for servers that handle sensitive credit card details, but it is useful for checking the security of any public-facing server, even if you don't handle credit cards.
There are many providers of PCI compliance scans, and a lot of them offer free trials, so your initial cost is low. I can recommend both Comodo Hacker Guardian and McAfee Vulnerability Scanner.
They are very simple to use: you sign up and provide the scanner with the IP address of your server; it then scans it and provides a report of all the vulnerabilities it knows of that need to be patched. It most likely won't find holes in your web app, but it is likely that the vulnerability lies in IIS or other server technology and not explicitly in your code.
I am sure you'll be surprised how much information can be returned about your server; I was when I first ran a scan.
Harden your Web Application: Once you have resolved all the issues, you can be relatively sure that your server is safe. Now you just have to check that you are following best practices and hardening your code. Not all of these will necessarily apply (I am not sure whether you are using SQL Server, for example), but you should definitely follow these tutorials for your code:
ASP.NET has a lot of built-in checks to try and prevent insecure code from being injected into your form. This one is probably the most relevant to your situation, if you are sure this is how they compromised your server: Microsoft: Protect From Injection Attacks in ASP.NET
When building your ASP.NET application it is useful to know where all the various vulnerabilities may lie. This table may be useful:
Credit to Rick G. Garibay. You should read his security presentation: Hardening Security in ASP.NET Applications & Services.
Keep Checking: It is very tempting, once your application has been deployed and is working and you have hardened your application and server, to just let it run. But keep checking periodically that the antivirus is still running and updating properly and that patches etc. are being applied. Scan through your logs before attacks happen. The longer your server runs, the more vulnerabilities are likely to be discovered over time, so keep running the PCI scans; the frequency you choose will depend on the security requirements of your data.
It's a bit of a long answer but I hope that it helps address your security concerns.
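Both the question and the answer lean on reading the IIS logs, so here is an added example (not part of the original question or answer) of the triage a practitioner would run over an IIS 7 W3C log for a site like the one described: a single public page, a login form that should never receive a file, and attackers who appear to be pushing uploads through it. Two signals are checked. A POST to the login page whose request body is far larger than a username and password can be is the footprint of a multipart/form-data body being submitted through the form. A 2xx response for any URI that is not one of the site's own pages means something that was not deployed by you is being served, which is how an uploaded script gets reached afterwards. The path `/Default.aspx`, the allowlist, the 8 KB threshold, the `cs-bytes` field (bytes received, an optional W3C field that IIS 7 can be configured to log) and the log lines themselves are all constructed for the example, not taken from the page.

```python
"""Triage an IIS 7 W3C log for a one-page site that should never accept uploads.

Added example, not code from the original question or answer. Assumes the
only public page is /Default.aspx (hypothetical) and that the W3C log has
the optional cs-bytes field (bytes received) enabled.
"""
from collections import Counter

# Constructed sample log, not real traffic. IIS writes a "#Fields:" header
# naming the columns; a user agent is logged with spaces replaced by '+',
# so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status cs-bytes
2012-03-01 10:00:01 GET /Default.aspx - 198.51.100.10 Mozilla/5.0 200 412
2012-03-01 10:00:05 POST /Default.aspx - 198.51.100.10 Mozilla/5.0 302 951
2012-03-01 10:02:17 POST /Default.aspx - 203.0.113.7 Mozilla/5.0 200 187340
2012-03-01 10:02:19 GET /images/x.aspx - 203.0.113.7 Mozilla/5.0 200 301
2012-03-01 10:02:25 POST /images/x.aspx cmd=whoami 203.0.113.7 Mozilla/5.0 200 455
2012-03-01 10:05:00 GET /favicon.ico - 198.51.100.10 Mozilla/5.0 404 233
"""

LOGIN_PATH = "/default.aspx"                 # assumption: the login form lives here
ALLOWED_PATHS = {LOGIN_PATH, "/favicon.ico"} # assumption: everything else is not ours
LOGIN_POST_MAX_BYTES = 8 * 1024              # a credential pair is far smaller than this


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.

    The #Fields header may reappear mid-file when the field set changes, so
    it is re-read whenever it occurs; other '#' lines are metadata and skipped.
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def oversized_login_posts(records, max_bytes=LOGIN_POST_MAX_BYTES):
    """POSTs to the login page whose body is too large to be a login.

    A multipart body carrying a file is the usual reason a login POST grows
    from a few hundred bytes to hundreds of kilobytes.
    """
    return [r for r in records
            if r["cs-method"] == "POST"
            and r["cs-uri-stem"].lower() == LOGIN_PATH
            and int(r.get("cs-bytes", 0)) > max_bytes]


def unexpected_served_paths(records, allowed=ALLOWED_PATHS):
    """Requests answered 2xx for a path that is not part of the site.

    On a one-page site a 200 for an unknown .aspx/.ashx/.asp is not a typo;
    it is content someone else put on the server being reached.
    """
    return [r for r in records
            if r["sc-status"].startswith("2")
            and r["cs-uri-stem"].lower() not in allowed]


def suspects(records):
    """Rank client IPs by the number of flagged events they produced."""
    hits = oversized_login_posts(records) + unexpected_served_paths(records)
    return Counter(r["c-ip"] for r in hits)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for r in oversized_login_posts(recs):
        print(f"oversized login POST  {r['date']} {r['time']} {r['c-ip']} {r['cs-bytes']} bytes")
    for r in unexpected_served_paths(recs):
        print(f"unexpected 2xx        {r['date']} {r['time']} {r['c-ip']} {r['cs-uri-stem']} {r['cs-uri-query']}")
    for ip, n in suspects(recs).most_common():
        print(f"{ip}: {n} flagged events")
```

The unexpected-path check is the one to keep running after the rebuild the answer recommends: on a site where only the index page should ever be served, any new 2xx path is worth explaining, and the timestamps on the oversized POST and the first hit on the new path tell you how long the gap between upload and use was.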