
Server hacked / exploited URGENT help required

Discussion in 'Plesk for Windows - 8.x and Older' started by Toepes, May 16, 2006.

  1. Toepes

    Toepes Guest

    My Windows 2003 server was hacked last week. Some websites seem to be used for phishing.
    After deleting all that stuff, it was time to format the server, but right now a new problem occurs.

    Some spam script is trying to create index.php files in different domains. It already worked and SPAM was transmitted from the server :(

    I use filemon to see where index.php is trying to be created. Problem is where to look for what is initiating this process.

    I can format right now, but when I restore the domains I will have the problem back.

    Does this look familiar to anyone?

    Where to look?

    It shows lines in filemon like this:

    42645 10:41:33 AM explorer.exe:3596 IRP_MJ_CREATE C:\inetpub\vhosts\domain.ext.httpdocs\mapname\index.php\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
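An added check over Filemon-style lines, written for this thread and not part of any post or of Plesk: it parses lines in the layout quoted above and flags creates of index.php under the Plesk vhosts root, as well as writes into NTFS alternate data streams (the `:name:$DATA` suffix on the quoted path), reporting which process and PID did it. Apart from the quoted line, the sample lines are constructed.

```python
import re
from typing import List, Optional

# Constructed Filemon-style sample: the first line is the one quoted in the post,
# the rest are made up (a clean create, a read, and a create outside the web root).
SAMPLE_LOG = r"""
42645 10:41:33 AM explorer.exe:3596 IRP_MJ_CREATE C:\inetpub\vhosts\domain.ext.httpdocs\mapname\index.php\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
42646 10:41:34 AM w3wp.exe:2211 IRP_MJ_CREATE C:\inetpub\vhosts\example.test\httpdocs\index.php SUCCESS Options: OverwriteIf Access: All
42647 10:41:35 AM svchost.exe:880 IRP_MJ_READ C:\WINDOWS\system32\drivers\etc\hosts SUCCESS Offset: 0 Length: 512
42648 10:41:36 AM notepad.exe:4100 IRP_MJ_CREATE C:\Documents and Settings\admin\notes.txt SUCCESS Options: Open Access: All
""".strip().splitlines()

# Columns: seq, time, process:pid, IRP operation, path (may contain spaces), result, details.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<proc>[^:\s]+):(?P<pid>\d+)\s+"
    r"(?P<op>\S+)\s+(?P<path>.+?)\s+(?P<result>SUCCESS|NOT FOUND|ACCESS DENIED|SHARING VIOLATION)(?:\s+(?P<details>.*))?$"
)
# NTFS alternate data stream suffix, e.g. "...\index.php:stream:$DATA".
ADS_RE = re.compile(r":([^\\:]+):\$DATA$", re.IGNORECASE)
VHOSTS_PREFIX = "c:\\inetpub\\vhosts\\"  # Plesk for Windows vhost root, as in the post


def parse_line(line: str) -> Optional[dict]:
    """Split one Filemon line into its columns; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> List[str]:
    """Reasons a create deserves a closer look (empty list = ignore)."""
    reasons = []
    if rec["op"] != "IRP_MJ_CREATE":
        return reasons
    ads = ADS_RE.search(rec["path"])
    if ads:
        reasons.append(f"alternate data stream '{ads.group(1)}'")
    # Strip the stream suffix before looking at the file name itself.
    base = ADS_RE.sub("", rec["path"]).rstrip("\\").lower()
    if base.startswith(VHOSTS_PREFIX) and base.endswith("\\index.php"):
        reasons.append(f"index.php created under vhosts by {rec['proc']}")
    return reasons


def scan(lines: List[str]) -> List[dict]:
    """One finding per suspicious line, naming the process that did it."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and (why := classify(rec)):
            findings.append({"seq": rec["seq"], "proc": rec["proc"], "pid": rec["pid"], "path": rec["path"], "result": rec["result"], "why": "; ".join(why)})
    return findings
```

Running `scan(SAMPLE_LOG)` on the sample returns two findings: the quoted line (stream write plus index.php under vhosts, by explorer.exe PID 3596) and the constructed w3wp.exe create; the process and PID columns are what to match against Task Manager and the IIS and event logs.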
  2. lordElrond

    lordElrond Guest

    Firewall? Do you have one of these PHP files that's been created?

    The IRP_MJ_CREATE function is used by ASP.NET to create files, etc., or access a win32 executable.

    This could be a trojan, this could be an open stream from FILEMON, this could be nothing...

    You need to debug this problem by eliminating the possibility of an attack. Do you look at your web logs? Event log? Firewall logs?

    I can help you here but need to know more from you.
  3. Toepes

    Toepes Guest

    I will look in all logs to see what is going on at the same time.

    Will inform you a.s.a.p.
  4. lordElrond

    lordElrond Guest

    At the command prompt type in netstat, make sure to copy or record what it returns and post that info.

    Have you tried the MSBA?
    Microsoft security baseline analyzer

    I will be more than happy to help you figure this out. You can email me direct at abuse@managementusa.com

  5. Toepes

    Toepes Guest

    I did run the program Baseline Security Analyser and the thing it found is:

    "Parent paths are enabled in some web sites and/or virtual directories."

    These are sites with ASP installed.

    When I disable parent paths these sites don't work. According to the maker, because these sites use the command Include.........