Re: infected IIS



On Jan 5, 11:55 am, Kevin <Ke...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I have a Windows 2003 server running Citrix. The server has been infected
with a virus. I'm not sure what virus. I'm scanning now. What has happened is
as follows:

when I attempt to log on to the citrix server remotely, the normal login has
been replaced with a website "discount pharmacy". I have checked my DNS and A
records and the mapping is correct. If I disconnect the server from the
internet and attempt to browse, the site times out. Therefore, it is local to
my machine. I have monitored IIS and the server is connected but the "default
website manager" is STOPPED. When I try to start the "default website" it
states that it cannot start because it is being used by another process. The
problem is not Citrix but I need to find out if it would have changed a
registry key that tells Windows to use IIS or does anyone have any ideas?

Any help would be appreciated.
--
Thanks for your help.

Kevin



You can use:
NETSTAT -ano

to determine what process has a port open that IIS also wants to use
for "Default Website" and go from there.

Sounds like someone has hacked your server and is running another web
server process to serve up the "discount pharmacy" website. That would
not be an infection.

You should reformat this machine and clean install it.

You may want to do forensics to figure out how someone hacked your
server so that you don't find yourself in the same situation after
rebuilding this machine. I do not see any credible evidence that an
IIS vulnerability led to the hack, so you will have to investigate
further.

To be safe, you may also want to investigate the security of other
related machines in your organization.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
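As an added example (not part of David's reply), the following PowerShell script automates the step he describes: run `netstat -ano`, find the process that holds the port the "Default Web Site" wants, and map that PID back to an image name and on-disk path with `tasklist` and `Get-Process`. Port 80 is an assumption (the site may be bound elsewhere), as is that `netstat.exe` and `tasklist.exe` are on the PATH and that the shell is run with administrative rights so netstat can report owning PIDs.

```powershell
# Added example, not from the original post. Finds the process holding the
# TCP port IIS wants and shows which binary it is, so the foreign web server
# can be identified before the box is rebuilt.
# Assumptions: port 80 (change -Port if the site is bound elsewhere),
# netstat.exe/tasklist.exe on PATH, running as an administrator.
param([int]$Port = 80)

# netstat -ano: -a all listeners/connections, -n numeric addresses, -o owning PID.
# Only TCP rows are of interest; UDP rows have no State column.
$rows = netstat -ano | Where-Object { $_ -match '^\s*TCP' }

$listeners = foreach ($row in $rows) {
    # Columns: Proto  LocalAddress  ForeignAddress  State  PID
    $f = [regex]::Split($row.Trim(), '\s+')
    if ($f.Count -lt 5) { continue }
    # Local address ends in ":<port>"; greedy match handles 0.0.0.0:80,
    # 10.0.0.5:80 and the IPv6 form [::]:80 alike.
    $localPort = [int]($f[1] -replace '^.*:(\d+)$', '$1')
    if ($f[3] -eq 'LISTENING' -and $localPort -eq $Port) {
        @{ LocalAddress = $f[1]; OwnerPid = [int]$f[4] }
    }
}

if (-not $listeners) {
    Write-Host "Nothing is listening on TCP $Port; check the site's bindings instead."
    return
}

foreach ($l in $listeners) {
    Write-Host ("TCP {0} on {1} is held by PID {2}" -f $Port, $l.LocalAddress, $l.OwnerPid)
    if ($l.OwnerPid -eq 4) {
        # PID 4 is the System process. On IIS 6 the HTTP listener (http.sys)
        # lives in the kernel, so a port owned by PID 4 is IIS itself, not a
        # foreign web server.
        Write-Host "  -> owned by System (http.sys): this is IIS's own listener"
        continue
    }
    # Image name plus any services hosted inside that process.
    tasklist /svc /FI "PID eq $($l.OwnerPid)"
    # Full path of the binary. A web server running out of Temp, a user
    # profile, or System32 under an unfamiliar name is the lead to chase;
    # record it before the machine is wiped.
    Get-Process -Id $l.OwnerPid | Select-Object Name, Path | Format-List
}
```

Run it on the affected server, not from a workstation: the owning PID is only meaningful locally. If the port turns out to be held by a user-mode process other than IIS, note its path, hash the binary, and check the Run keys and the Services list for how it is started, since that is what the rebuild has to prevent recurring. `netstat -anob` (with `-b`) prints the owning executable name directly and saves the tasklist lookup, but it also needs administrative rights and is slower.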