Error in non existent global.asa - security

I have a user's website giving an error in a global.asa file but it does not exist in their web root. It looks like the account has been hacked as it's giving an error about not connecting to a server, and at the same time I see the firewall block outbound connection requests.
msxml3.dll error '80072efd'
A connection with the server could not be established
/LM/W3SVC/6510/ROOT/global.asa, line 66
I've deleted the IIS instance and had the control panel recreate it, but the issue still exists. I've even created a dummy asp file which only displays some text and it happens.
I'm at a loss where this could be being picked up and looking for suggestions. Where might this be set?

I've had the same problem on a w2k3 server (iis6) with many sites, where just one had the fake global.asa;
I've not still found cause but a workaround solution, for me, has been:
open MMC Console (IIS manager)
stop IIS
double click on Web Sites (confirm reload offline configuration)
under every site delete "ghost" global.asa (that you don't find under phisical websites folder)
start IIS

Related

Windows Authentication - specific folder permissions in IIS 8.5

We have intranet website that is deployed on IIS 6 with windows authentication and ASP.Net Impersonation enabled. It works perfectly, but when we moved to IIS 8.5, logging (to a log file) seems to stopped working. When we ran Process Monitor, it shows access denied to the folder where logs are written. And it also shows that, it is impersonating logged in user to write the logs. Where we want the system to use app pool user to log. I tried everything available on internet, changing entries in applicationhost.config to adding location paths and adding web.config to that particular location, nothing seems to work.
Update:
Just executed Process Monitor on old server and below is the comparison. it is exactly same, except new server denies the access. In both the cases, impersonating user (logged in user) tries the access to folder. I think something to with OS. Old server us Windows Server Standard and new one is Windows Server 2012 R2 Standard.
Old Server
Operation:CreateFile
Result:SUCCESS
Path:XXXXX\log.txt
Desired Access:Generic Write, Read Attributes
Disposition:OpenIf
Options:Synchronous IO Non-Alert, Non-Directory File, Open No Recall
Attributes:n/a
ShareMode:Read, Delete
Impersonating:domain\username
OpenResult:Opened
New Server
Operation:CreateFile
Result:ACCESS DENIED
Path:XXXXX\log.txt
Desired Access:Generic Write, Read Attributes
Disposition:OpenIf
Options:Synchronous IO Non-Alert, Non-Directory File, Open No Recall
Attributes:n/a
ShareMode:Read, Delete
Impersonating:domain\username

Locally setting up redirect to https://

I have read a few answers to try and find a solution to a ridiculous problem.
I dont have access to a server that I can log on to access phpmyadmin,
What is supposed to happen is that the web url is supposed to be viewed via https, and in most cases this happens.
Except for a particular PC I have at home and it never seems to open in https. Why this is happening on this given machine is completely unknown.
Is there a way I can set up a rule on my local machine that will ALWAYS convert http://pathtomysite.com to https://pathtomysecuresite.com, (possibly via the 'hosts' entry (and yes it is a windows machine running win10).
I could do this on the web server itself, I know how to do this, but the problem is, I don't have, nor am I allowed to have, access to the database server to update the .htaccess or webconfig.xml on the server. (I am 99% sure its Apache, not nginx or IIS).
Any help is allows gratefully received.

IIS V6 autoblocking ip

the linux-guy here has a question about IIS v6.
The case is, that i have a site running, when i do some specific tasks on this site ( Like deleting a specific item, three times in a row) the site will break, and a completely blank page will appear. Checking the response headers, i noticed that the server sends a "403 Forbidden: IP address of the client has been rejected."
Through a proxy, i can connect just fine.
Checking the site-options in the IIS manager, shows me that my IP is not blocked globally, its something thats just happening.
Where can i check for this? It happens automatically and the block ends after about 8-12 minutes, every time?
best regards.
Jonas
do you have access to IIS?
i assume blocking occure on web site side (inside ASP code), not in IIS.
please check IIS console, and make sure that there are no blocked IP's. If it's true, you should find database/table or some config file, where stored all blocked IP's. After that, you should get able to find ASP code, which is responsable for blocking....
you also could try make quick search inside all ASP pages for text like: "REMOTE_ADDR" and ".ServerVariables"

IIS 404 Error even when file exists?

I have been working with IIS 7 for a while and it has worked fine until it just suddenly started throwing 404 errors for my multiple websites even though they actually exist. All of the configurations seems fine (path, default document) but not a single file, no matter the format or location will be loaded.
Another strange thing is that everything works when I try to access the websites via localhost or 127.0.0.1 but not through my external IP.
Does anyone know why this could happen and how I can fix it?
Edit:
It appears this 404 page is not the built in IIS error page. It is associated with nginx but I'm not sure where the file is located on my server or why my pages are being intercepted.
It turns at the server was hijacked by Morfeus F***ing Scanner, which I was not aware was even a thing until this happened. It's activity showed up in the server access logs. I basically had to reset the entire server. It was quite a chore.

Server - Windows 2K8/IIS7/ColdFusion throwing intermittent 403 errors

We've just set up a new dedicated server at hostgator, running Windows 2008 Server, IIS7 and ColdFusion 8 ENT.
On browsing the homepage, sometimes the site works, sometimes, part of the site runs and I can see a 403 error in Firebug. At other times, I only get an IIS error page saying:
"403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied."
The site is http://www.asia-buy.com. It might run first time, but if you refresh it a few times, you'll probably encounter the problem.
There is a lot of ajax and JSON stuff going on under the hood and I'm wondering if that has any bearing on the problem.
Would appreciate advice from anyone who may have solved a similar issue in the past.
Resolved: Hostgator says this is actually a security setting in IIS to attempt to prevent DDOS attacks on the website. A a developer, I use CTRL-F5 a lot. A normal user would not.
Full error:
HTTP Error 403.502 - Forbidden
The IP address from which you are browsing is not permitted to access the requested Web site because it has made too many requests over short period of time.
Open IIS Manager.
Go to your website.
Go to Features/IP Address and Domain Restrictions/Dynamic IP Restriction Settings
Uncheck the boxes, or change the values, as needed

Resources