Server hacked / exploided URGENT help required

[Toepes]

My Windows 2003 server was hacked last week. Some websites seems to be used for fishing.
After deleting all that stuff, it was time to format the server, but right now a new problem occures.

Some spamscript is trying to create index.php files in different domains. It already worked and SPAM was transmitted from the server

I use filemon to see where index.php is trying te be created. Problem is where to look what is initiating this process.

I can format right now, but when i restore the domains i will have the problem back.

Does this look familiar to anyone ?

Where to look ?


it shows lines in filemon like this:

42645 10:41:33 AM explorer.exe:3596 IRP_MJ_CREATE C:\inetpub\vhosts\domain.ext.httpdocs\mapname\inde x.php\ocf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options: Open Access: All

[lordElrond]

Firewall? do you ahve one of these PHP files thats been created?

The IRP_MJ_CREATE function is used by ASP.NET to create files, etc or access a win32 executable.

This could be a trojan, this could be a open stream from FILEMON, this could be nothing...

you need to debug this problem by eliminating the possibility of an attack. do you look at your web logs? event log? firewall logs?

i can help you here but need to know more from you.

[Toepes]

I will look in all logs to see what is going on on the same time

Will inform you a.s.a.p

[lordElrond]

At the command prompt type in netstat, make sure to copy or record what it returns and post that info.

Have you tried the MSBA?
Microsoft security baseline analyzer

I will be more than happy to help you figure this out. You can email me direct at abuse@managementusa.com

Julian

[Toepes]

I did run the programm Basline Security analyser an the thing it found is:

"Parent paths are enabled in some web sites and/or virtual directories."

These are sites withs ASP installed.

when I disable parent paths these sites don't work. According to the maker because these sides use the command Include.........