Tips from being WWW’mugged
I would love to be as superior as Bernie Ecclestone was after being mugged, selling his battered face for a fortune and showing the abusers how to pull a brilliant volte-face on a situation, but of course I am just a nobody and the best turnaround I can aspire to is to help at least one person with some lessons learned the hard way, after being WWW’mugged myself.

The full Bernie story: http://www.youtube.com/watch?v=b7AiMoOSxlk
It is very unpleasant to have a website mugged, or “hacked”, for no reason at all other than to display the “signatures” of the abusers.
After all these years, here are some tips.
(1)
If you have a global ASP.NET web.config file, yet the system says it can NOT find a valid web.config for a particular application, it might be because of wrong permissions on the folder that contains that app.
Since I run IIS6, this page was helpful:
http://support.microsoft.com/kb/317955/
It basically says: “add the NETWORK SERVICE user to the app’s folder”.
Indeed, every .NET app folder must grant the “NETWORK SERVICE” user these permissions:
- read
- read and execute
- list folder contents
(2)
In IIS6 the user IUSR_TEMPLATE represents an anonymous web visitor, so it must have access to every resource that is to be made public on the WWW.
Generally, this user should have only the READ permission and nothing else, on all resources.
If some particular folders require writing, give this user READ and WRITE permissions, but *never* WRITE and EXECUTE together.
Ideally, the WRITE permission should only be given to folders out of reach of the web server, meaning locations that are nowhere in the tree being made public by IIS, Apache or whatever HTTP server you run. But this isn’t always possible: most Content Management Systems (CMSs) require at least one writable public folder, for example the one where bloggers upload pictures – just follow the minimal approach and the *never* WRITE and EXECUTE rule.
(3)
For read-only web presences, if you strictly follow the minimal rule, giving nothing but the READ permission to the web visitor user and no permissions at all to any other user, you’ll end up with a very secure site, but with some annoyances, e.g. uploading content by FTP will probably fail with a “450 can’t access file” error.
In Windows, you can easily fix this by giving “full control” to the SYSTEM user at some entry point of the tree.
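As an added example that is not part of the original post, here is a PowerShell audit that walks a web root and reports folders breaking the rules in tips (1) to (3): the worker identity without READ and EXECUTE, any identity holding WRITE and EXECUTE together, and the anonymous visitor holding EXECUTE or WRITE. The web root path and the account names are assumptions to adjust (in IIS6 the anonymous account is named IUSR_<machine name>, which the post writes as IUSR_TEMPLATE).

```powershell
# Added example, not from the original post: audit NTFS ACLs under an IIS web root.
# $WebRoot and the account names are assumptions; adjust them for the server checked.
# Written with PowerShell 2.0 syntax so it also runs on older IIS6-era hosts.
param(
    [string]$WebRoot       = 'C:\inetpub\wwwroot',   # assumed public tree
    [string]$AnonymousUser = 'IUSR_TEMPLATE',        # anonymous account named in the post
    [string]$AppPoolUser   = 'NETWORK SERVICE'       # IIS6 worker process identity
)

$FSR       = [System.Security.AccessControl.FileSystemRights]
$WriteExec = [int]$FSR::Write -bor [int]$FSR::ExecuteFile   # combination that must never occur
$ReadExec  = [int]$FSR::ReadAndExecute                      # what the worker identity needs
$Exec      = [int]$FSR::ExecuteFile
$Write     = [int]$FSR::Write

# The root itself plus every sub-folder (inherited ACEs are checked too, on purpose).
$folders = @(Get-Item $WebRoot) + @(Get-ChildItem $WebRoot -Recurse | Where-Object { $_.PSIsContainer })
foreach ($dir in $folders) {
    $acl = Get-Acl -Path $dir.FullName
    $appPoolOk = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        $issue  = $null
        # Rule (2): no identity may hold WRITE and EXECUTE together on a public folder.
        if (($rights -band $WriteExec) -eq $WriteExec) { $issue = 'WRITE+EXECUTE granted' }
        # Rule (2): the anonymous visitor never executes, and writes only in designated upload folders.
        elseif ($who -like "*$AnonymousUser" -and (($rights -band $Exec) -ne 0))  { $issue = 'anonymous user can execute' }
        elseif ($who -like "*$AnonymousUser" -and (($rights -band $Write) -ne 0)) { $issue = 'anonymous user can write (confirm this is an upload folder)' }
        # Rule (1): remember whether the worker identity has READ+EXECUTE here.
        if ($who -like "*$AppPoolUser" -and (($rights -band $ReadExec) -eq $ReadExec)) { $appPoolOk = $true }
        if ($issue) {
            New-Object PSObject -Property @{ Folder = $dir.FullName; Identity = $who; Rights = $ace.FileSystemRights; Issue = $issue }
        }
    }
    if (-not $appPoolOk) {
        New-Object PSObject -Property @{ Folder = $dir.FullName; Identity = $AppPoolUser; Rights = ''; Issue = 'missing READ+EXECUTE (web.config may not be found)' }
    }
}
```

Run it as `.\audit-webroot.ps1 -WebRoot D:\sites\blog` and pipe the output to `Format-Table -AutoSize`; the SYSTEM "full control" entry from tip (3) will show up as WRITE+EXECUTE, which is the one exception the post accepts.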
(4)
Some CMSs that support themes, like WordPress, might display a blank page after being moved or copied. One very simple solution is to install a new theme, activate it, then return to the original.
comments off January 30 2011 4:28 pm | am | .NET, ENG, sw, wordpress stuff