
Server hacked / exploited, URGENT help required

Toepes (Guest)
My Windows 2003 server was hacked last week. Some websites seem to be used for phishing.
After deleting all that stuff, it was time to format the server, but right now a new problem occurs.

Some spam script is trying to create index.php files in different domains. It already worked and SPAM was transmitted from the server :(

I use Filemon to see where index.php is trying to be created. The problem is where to look for what is initiating this process.

I can format right now, but when I restore the domains I will have the problem back.

Does this look familiar to anyone?

Where to look?


It shows lines in Filemon like this:

42645 10:41:33 AM explorer.exe:3596 IRP_MJ_CREATE C:\inetpub\vhosts\domain.ext.httpdocs\mapname\index.php\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All
 
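The question in the post is which process is creating the index.php files. Filemon already records that in its process:pid column; what is missing is a way to aggregate many lines by process and separate lookups from actual file creation. The script below is an added example, not code from the thread or from Plesk. Its column layout (sequence, time, process:pid, operation, path, result, then "Options: ... Access: ...") is assumed from the single line quoted above, and the sample lines are constructed; only the first one mimics the quoted line. The `:...:$DATA` suffix on that path is an NTFS alternate data stream, which the script strips before comparing file names.

```python
"""Group Filemon IRP_MJ_CREATE events that target index.php by originating process.

Added example, not from the original thread. The column layout is assumed from the
one Filemon line quoted in the post; the sample lines below are constructed.
"""
import re
from collections import defaultdict

# seq, time, process:pid, operation, path, result, then whatever Filemon appends
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<op>\S+)\s+"
    r"(?P<path>.+?)\s+"
    r"(?P<result>SUCCESS|NOT FOUND|ACCESS DENIED|SHARING VIOLATION|END OF FILE)"
    r"(?P<rest>.*)$"
)

# Create dispositions that can produce or replace a file (assumed Filemon spellings).
CREATING_OPTIONS = {"Create", "OverwriteIf", "Overwrite", "OpenIf", "Supersede"}

SAMPLE_LINES = [  # constructed sample; process names and paths are illustrative
    r"42645 10:41:33 AM explorer.exe:3596 IRP_MJ_CREATE C:\inetpub\vhosts\domain.ext\httpdocs\mapname\index.php:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All",
    r"42702 10:41:35 AM php-cgi.exe:2212 IRP_MJ_CREATE C:\inetpub\vhosts\domain.ext\httpdocs\mapname\index.php SUCCESS Options: OverwriteIf Access: All",
    r"42703 10:41:35 AM php-cgi.exe:2212 IRP_MJ_WRITE C:\inetpub\vhosts\domain.ext\httpdocs\mapname\index.php SUCCESS Offset: 0 Length: 4096",
    r"42811 10:42:01 AM php-cgi.exe:2212 IRP_MJ_CREATE C:\inetpub\vhosts\other.example\httpdocs\index.php SUCCESS Options: OverwriteIf Access: All",
    r"42899 10:42:07 AM svchost.exe:1044 IRP_MJ_CREATE C:\WINDOWS\system32\config\software.LOG SUCCESS Options: Open Access: All",
    "garbage line that does not parse",
]


def strip_ads(path: str) -> str:
    """Drop an NTFS alternate-data-stream suffix (file:stream:$DATA), keeping the drive colon."""
    drive, rest = (path[:2], path[2:]) if len(path) > 1 and path[1] == ":" else ("", path)
    return drive + rest.split(":", 1)[0]


def parse_filemon_line(line: str):
    """Return a dict for one Filemon line, or None when the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["file"] = strip_ads(rec["path"])
    opt = re.search(r"Options:\s*(\S+)", rec["rest"])
    rec["options"] = opt.group(1) if opt else None
    return rec


def creates_of(lines, filename="index.php"):
    """Map 'proc:pid' -> [(file, result, options), ...] for IRP_MJ_CREATE events on `filename`."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_filemon_line(line)
        if rec is None or rec["op"] != "IRP_MJ_CREATE":
            continue
        if rec["file"].rsplit("\\", 1)[-1].lower() != filename.lower():
            continue
        hits[f"{rec['proc']}:{rec['pid']}"].append((rec["file"], rec["result"], rec["options"]))
    return dict(hits)


def rank_writers(lines, filename="index.php"):
    """Processes ordered by how many distinct `filename` paths they created or overwrote.

    Only SUCCESS with a creating disposition counts. A NOT FOUND with Options: Open
    (the explorer.exe line) is a lookup, here of an alternate data stream, not a write.
    """
    scores = {}
    for proc, events in creates_of(lines, filename).items():
        scores[proc] = len({f for f, r, o in events if r == "SUCCESS" and o in CREATING_OPTIONS})
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for proc, count in rank_writers(SAMPLE_LINES):
        print(f"{proc}: {count} distinct index.php file(s) created/overwritten")
```

On a real capture, replace `SAMPLE_LINES` with the lines of a Filemon log export. The process at the top of the ranking is the one to inspect next; if it is the web server's PHP worker, the originating request should then be visible in that site's web logs around the same timestamp.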
Firewall? Do you have one of these PHP files that's been created?

The IRP_MJ_CREATE function is used by ASP.NET to create files, etc. or access a win32 executable.

This could be a trojan, this could be an open stream from FILEMON, this could be nothing...

You need to debug this problem by eliminating the possibility of an attack. Do you look at your web logs? Event log? Firewall logs?

I can help you here but need to know more from you.
 
I will look in all logs to see what is going on at the same time.

Will inform you a.s.a.p.
 
At the command prompt type in netstat, make sure to copy or record what it returns and post that info.

Have you tried the MSBA?
Microsoft security baseline analyzer

I will be more than happy to help you figure this out. You can email me direct at [email protected]

Julian
 
I did run the program Baseline Security Analyzer, and the thing it found is:

"Parent paths are enabled in some web sites and/or virtual directories."

These are sites with ASP installed.

When I disable parent paths, these sites don't work. According to the maker, this is because these sites use the Include command...
 