
Server hacked / exploited URGENT help required


Toepes

Guest
My Windows 2003 server was hacked last week. Some websites seem to be used for phishing.
After deleting all that stuff, it was time to format the server, but right now a new problem occurs.

Some spam script is trying to create index.php files in different domains. It already worked and SPAM was transmitted from the server :(

I use Filemon to see where index.php is trying to be created. The problem is where to look for what is initiating this process.

I can format right now, but when I restore the domains I will have the problem back.

Does this look familiar to anyone?

Where to look?


It shows lines in Filemon like this:

42645 10:41:33 AM explorer.exe:3596 IRP_MJ_CREATE C:\inetpub\vhosts\domain.ext.httpdocs\mapname\index.php\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
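As an added example (not code from any poster in this thread), a small Python triage script that reads Filemon's tab-separated export, modelled on the row above, and lists every IRP_MJ_CREATE of a .php file under the Plesk vhosts tree together with the process that issued it and whether an alternate data stream was involved. The sample rows, PIDs, the IIS process names and the tab layout are assumptions.

```python
from typing import List, Optional, Tuple

# Constructed Filemon sample, modelled on the row quoted in the post above; Filemon
# exports tab-separated columns (seq, time, process:pid, operation, path, result, detail).
# The extra rows, PIDs and the tab layout are assumptions, not data from the thread.
SAMPLE_FILEMON = (
    "42645\t10:41:33 AM\texplorer.exe:3596\tIRP_MJ_CREATE\tC:\\inetpub\\vhosts\\domain.ext"
    "\\httpdocs\\mapname\\index.php:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA\tNOT FOUND\tOptions: Open Access: All\n"
    "42646\t10:41:33 AM\tw3wp.exe:1220\tIRP_MJ_CREATE\tC:\\inetpub\\vhosts\\other.ext"
    "\\httpdocs\\index.php\tSUCCESS\tOptions: OverwriteIf Access: All\n"
    "42647\t10:41:34 AM\tsvchost.exe:880\tIRP_MJ_READ\tC:\\WINDOWS\\system32\\drivers\\etc\\hosts"
    "\tSUCCESS\tOffset: 0 Length: 512\n"
    "42648\t10:41:35 AM\tw3wp.exe:1220\tIRP_MJ_CREATE\tC:\\inetpub\\vhosts\\other.ext"
    "\\httpdocs\\images\\logo.gif\tSUCCESS\tOptions: Open Access: Read\n"
)

WEBROOT = "c:\\inetpub\\vhosts\\"               # Plesk for Windows vhost tree, as in the quoted row
IIS_PROCESSES = {"w3wp.exe", "inetinfo.exe"}  # assumed IIS 6 worker / host process names

def parse_line(line: str) -> Optional[dict]:
    """Split one Filemon row into its columns; returns None for headers or blank rows."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 6 or not parts[0].isdigit():
        return None
    proc, _, pid = parts[2].rpartition(":")
    return {"seq": int(parts[0]), "process": proc, "pid": int(pid) if pid.isdigit() else -1,
            "op": parts[3], "path": parts[4], "result": parts[5]}

def php_creates_in_webroot(text: str) -> List[Tuple[int, str, int, str, List[str]]]:
    """Return (seq, process, pid, file, reasons) for every .php create under the vhost tree."""
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["op"] != "IRP_MJ_CREATE":
            continue
        ads = ev["path"].find(":", 2)                # first colon after the drive letter = ADS
        file, stream = (ev["path"], "") if ads < 0 else (ev["path"][:ads], ev["path"][ads + 1:])
        if not (file.lower().startswith(WEBROOT) and file.lower().endswith(".php")):
            continue
        reasons = ["php file created under vhosts (result: %s)" % ev["result"]]
        if stream:
            reasons.append("alternate data stream %r" % stream)
        reasons.append("written by the web server itself: look for a script in that vhost"
                       if ev["process"].lower() in IIS_PROCESSES
                       else "written by non-IIS process %s" % ev["process"])
        findings.append((ev["seq"], ev["process"], ev["pid"], file, reasons))
    return findings

if __name__ == "__main__":
    for seq, proc, pid, file, reasons in php_creates_in_webroot(SAMPLE_FILEMON):
        print(seq, proc, pid, file, "; ".join(reasons))
```

Feed it a saved Filemon log instead of SAMPLE_FILEMON; the process column of each hit is the answer to "what is initiating this", and a hit from the IIS worker process points at a script inside that vhost rather than at a separate program.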
 
Firewall? Do you have one of these PHP files that's been created?

The IRP_MJ_CREATE function is used by ASP.NET to create files, etc., or access a Win32 executable.

This could be a trojan, this could be an open stream from FILEMON, this could be nothing...

You need to debug this problem by eliminating the possibility of an attack. Do you look at your web logs? Event log? Firewall logs?

I can help you here, but I need to know more from you.
 
I will look in all logs to see what is going on at the same time.

Will inform you a.s.a.p.
 
At the command prompt type in netstat, make sure to copy or record what it returns and post that info.

Have you tried the MBSA?
Microsoft Baseline Security Analyzer

I will be more than happy to help you figure this out. You can email me direct at [email protected]

Julian
 
I did run the program Baseline Security Analyzer and the thing it found is:

"Parent paths are enabled in some web sites and/or virtual directories."

These are sites with ASP installed.

When I disable parent paths these sites don't work. According to the maker, this is because these sites use the command Include.........
 