Toepes
Guest
My Windows 2003 server was hacked last week. Some websites seem to be used for phishing.
After deleting all that stuff, it was time to format the server, but right now a new problem occurs.
Some spam script is trying to create index.php files in different domains. It already worked and SPAM was transmitted from the server.
I use Filemon to see where index.php is trying to be created. The problem is where to look to see what is initiating this process.
I can format right now, but when I restore the domains I will have the problem back.
Does this look familiar to anyone?
Where to look?
It shows lines in Filemon like this:
42645 10:41:33 AM explorer.exe:3596 IRP_MJ_CREATE C:\inetpub\vhosts\domain.ext.httpdocs\mapname\index.php\ocf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All