bytemangler 0 Posted May 8, 2001 Our website has just got defaced. I thought the problem was just the index.htm or default.htm being renamed. I deleted them but the offending page still pops up. This is the first time for us and I don't know how to start. Can any of the network admins help me out please... thanks in advance.
clutch 1 Posted May 8, 2001 If you are using "includes" on those pages, then you might want to check all of them. Also, make sure there aren't any EXEs running that will switch the page back if it's removed. There may even be some DLLs registered that are doing this as well. If all else fails, you could just delete and restore portions of the site or the whole thing from backup. You should also try and put on some of the IIS updates that may pertain to you (www.microsoft.com/technet).
bytemangler 0 Posted May 9, 2001 I think there is some EXE service running in the background that puts the index.htm and default.htm files back at a scheduled time. I remember removing these files and rebooting the system. Any idea how to find out where the file could be? Thanks
clutch 1 Posted May 9, 2001 Generally, when you look at the Processes tab in Task Manager you can pick these out, as hackers tend to have a sense of humor about these. Also, you could do a search for any exe files that don't look familiar, and see where they are located and what their "created" dates are.
bytemangler 0 Posted May 9, 2001 I forgot to mention the worm. It was the Anti-PoizonBox message: "f**k USA Government f**k PoizonBOx contact:sysadmcn@yahoo.com.cn"
CrazyKillerMan 0 Posted May 10, 2001 Sorry for my ignorance... but wtf is a 'poisonbox'?
DosFreak 2 Posted May 11, 2001 Interesting... I was going through my Sidewinder logs and noticed a website that said the same thing. I flagged it for later study. Thanks for the reminder!
Intlharvester 0 Posted May 19, 2001 You should format the disk and reinstall the OS. At least in the UNIX world, it's common for hack kits to modify the kernel or 'ps' so that you can't see the evil process running. It's possible to do this on Windows, so you should consider all system binaries untrusted and blow them away.
miku 0 Posted May 19, 2001 Well guys, that Poison message was also in my Inetpub directory. Then I deleted the files from each of the Inetpub subdirectories. After two or three days they reappeared again. I deleted them again. Then I updated Windows from windowsupdate and now it is sound. Are there any other security measures to be taken? Thanks ARC
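A defender-side check along the lines clutch suggests earlier in the thread (find the reappearing index.htm/default.htm pages and list unfamiliar executables by creation date), written here as an added example and not code from anyone in this thread. It assumes Python 3 on the affected host; the sample directory tree, the `odd.exe` name and the use of the "PoizonBOx" string from the message bytemangler quoted are constructed for the demo.

```python
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

DEFACEMENT_MARKER = "PoizonBOx"  # from the defacement text quoted in the thread
PAGE_NAMES = ("index.htm", "default.htm")


def find_defaced_pages(webroot, marker=DEFACEMENT_MARKER):
    """Return each index.htm/default.htm under webroot whose body contains the marker."""
    hits = []
    for path in Path(webroot).rglob("*"):
        if path.is_file() and path.name.lower() in PAGE_NAMES:
            try:
                body = path.read_text(errors="ignore")
            except OSError:
                continue
            if marker.lower() in body.lower():
                hits.append(path)
    return sorted(hits)


def find_recent_binaries(roots, since, exts=(".exe", ".dll")):
    # st_ctime is creation time on Windows; on POSIX it is the last inode change.
    found = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if path.is_file() and path.suffix.lower() in exts:
                created = datetime.fromtimestamp(path.stat().st_ctime)
                if created >= since:
                    found.append((path, created))
    return sorted(found, key=lambda item: item[1])


def scan(webroot, binary_roots, max_age_days=7):
    since = datetime.now() - timedelta(days=max_age_days)
    return find_defaced_pages(webroot), find_recent_binaries(binary_roots, since)


def build_sample_site(base=None):
    """Constructed sample tree: two defaced pages, one non-index page, one dropped .exe."""
    base = Path(base or tempfile.mkdtemp())
    (base / "wwwroot" / "docs").mkdir(parents=True)
    (base / "wwwroot" / "index.htm").write_text("<html>f**k PoizonBOx</html>")
    (base / "wwwroot" / "docs" / "default.htm").write_text("<html>poizonbox</html>")
    (base / "wwwroot" / "docs" / "about.htm").write_text("<html>PoizonBOx</html>")
    (base / "system32").mkdir()
    (base / "system32" / "odd.exe").write_bytes(b"MZ")  # placeholder, not a real binary
    return base


if __name__ == "__main__":
    site = build_sample_site()
    pages, binaries = scan(site / "wwwroot", [site / "system32"])
    print("defaced pages:", [str(p) for p in pages], "recent binaries:", binaries)
```

On a real server point `scan` at the IIS web root and the system and Inetpub directories; anything it lists is a candidate for the restore-from-backup or rebuild that later replies recommend, not proof on its own.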