Compatible Support Forums
bytemangler

Website hacked

Our website has just been defaced. I thought the problem was just the index.htm or default.htm being renamed. I deleted them but the offending page still pops up. This is the first time for us and I don't know how to start. Can any of the network admins help me out please... thanks in advance

mad and confused

If you are using "includes" on those pages, then you might want to check all of them. Also, make sure there aren't any EXEs running that will switch the page back if it's removed. There may even be some DLLs registered that are doing this as well. If all else fails, you could just delete and restore portions of the site or the whole thing from backup. You should also try and put on some of the IIS updates that may pertain to you ( www.microsoft.com/technet ).

I think there is some EXE service running in the background that puts the index.htm and default.htm files back at a scheduled time. I remember removing these files and rebooting the system. Any idea how to find out where the file could be?

Thanks

Generally, when you look at the process tab in Task Manager you can pick these out as hackers tend to have a sense of humor about these. Also, you could do a search on any exe files that don't look familiar, and see where they are located and what their "created" dates are.

I forgot to mention the worm. It was the Anti-PoizonBox message.

"f**k USA Government

f**k PoizonBOx

contact:sysadmcn@yahoo.com.cn "

Interesting.... I was going through my Sidewinder logs and noticed a website that said the same thing. I flagged it for later study. Thanks for the reminder!

You should format the disk and reinstall the OS.

At least in the UNIX world, it's common for hack kits to modify the kernel or 'ps' so that you can't see the evil process running. It's possible to do this on Windows, so you should consider all system binaries untrusted and blow them away.

Well guys, that Poison message was also in my Inetpub directory.

Then I deleted the files from each of the Inetpub subdirectories.

After two or three days they reappeared again. I deleted them again. Then I updated Windows from Windows Update and now it is sound.

Are there any other security measures to be taken?

Thanks

ARC
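One defender-side measure that fits the advice in this thread (check the includes, notice when the defaced pages come back), as an added example that is not code from the thread or from any of the posters: take a hash baseline of the web root, diff it later to see exactly which pages were re-created or overwritten, and scan page and include files for the defacement text. The marker bytes, the file extensions and the temporary web-root layout in `demo()` are assumptions made for this example.

```python
import hashlib
import os
import tempfile

# Constructed marker: the thread says the defaced pages carried an
# "Anti-PoizonBox" message; the exact bytes are an assumption for this example.
MARKERS = (b"PoizonBOx",)
PAGES = (".htm", ".html", ".asp", ".inc")  # assumed set of page/include types

def iter_files(root):
    """Yield (relative path with '/' separators, absolute path) for every file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full

def snapshot(root):
    """Baseline of the web root: relative path -> SHA-256 of the file content."""
    snap = {}
    for rel, full in iter_files(root):
        with open(full, "rb") as f:
            snap[rel] = hashlib.sha256(f.read()).hexdigest()
    return snap

def diff(before, after):
    """Files added, modified or removed since the baseline was taken."""
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return added, modified, removed

def marked_pages(root, markers=MARKERS):
    """Page and include files whose content contains a known defacement marker."""
    hits = []
    for rel, full in iter_files(root):
        if rel.lower().endswith(PAGES):
            with open(full, "rb") as f:
                data = f.read()
            if any(m in data for m in markers):
                hits.append(rel)
    return sorted(hits)

def demo():
    """Constructed web root: a clean baseline, then the defacement comes back."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "inc"))
    with open(os.path.join(root, "index.htm"), "wb") as f:
        f.write(b"<html>Welcome</html>")
    before = snapshot(root)
    for name in ("index.htm", "default.htm", "inc/footer.inc"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"<html>f**k PoizonBOx</html>")  # constructed defaced content
    return diff(before, snapshot(root)), marked_pages(root)
```

Run `snapshot()` against the real web root right after a clean restore and keep the result somewhere the web server cannot write; a later `diff()` then shows which files an unknown process put back, which is the evidence to chase in the process list.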
