Website hacked
Our website has just been defaced. I thought the problem was just the index.htm or default.htm being renamed. I deleted them but the offending page still pops up. This is the first time for us and I don't know how to start. Can any of the network admins help me out please... thanks in advance
This topic is archived. New comments cannot be posted and votes cannot be cast.
Responses to this topic
If you are using "includes" on those pages, then you might want to check all of them. Also, make sure there aren't any EXEs running that will switch the page back if it's removed. There may even be some DLLs registered that are doing this as well. If all else fails, you could just delete and restore portions of the site or the whole thing from backup. You should also try and put on some of the IIS updates that may pertain to you ( www.microsoft.com/technet ).
I think there is some EXE service running in the background that puts the index.htm and default.htm files back at a scheduled time. I remember removing these files and rebooting the system. Any idea how to find out where the file could be?
Thanks
I forgot to mention the worm. It was the Anti-PoizonBox message.
"f**k USA Government
f**k PoizonBOx
contact:sysadmcn@yahoo.com.cn "
Sorry for my ignorance... but wtf is a 'poisonbox'?
You should format the disk and reinstall the OS.
At least in the UNIX world, it's common for hack kits to modify the kernel or 'ps' so that you can't see the evil process running. It's possible to do this on Windows, so you should consider all system binaries untrusted and blow them away.
Well guys, that Poison message was also in my Inetpub directory.
Then I deleted the files from each of the Inetpub subdirectories.
After two or three days they reappeared again. I deleted them again. Then I updated Windows from Windows Update and now it is sound.
Are there any other security measures to be taken?
Thanks
ARC
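One way to check for what the posters in this thread describe (deleted pages coming back, tampered includes), as an added example that is not part of the original thread: it hashes a known-good copy of the web root, then reports files that were added, modified or removed, plus files containing strings from the defacement text quoted above. The directory layout, file names and the `snapshot`/`audit` helpers are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile

# Marker strings taken from the defacement text quoted in this thread.
MARKERS = (b"poizonbox", b"sysadmcn@yahoo.com.cn")

def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def audit(root, baseline):
    """Diff root against a known-good baseline and scan every file for markers."""
    current = snapshot(root)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
        "marker_hits": [],
    }
    for rel in sorted(current):
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read().lower()          # case-insensitive match
        if any(marker in data for marker in MARKERS):
            report["marker_hits"].append(rel)
    return report

def _write(root, rel, text):
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)

def demo():
    """Constructed web root: clean baseline, then a replanted page and an altered include."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "inc"))
        _write(root, "default.htm", "<html>Welcome</html>")
        _write(root, os.path.join("inc", "header.inc"), "<!-- site header -->")
        baseline = snapshot(root)             # in practice: hash the restored backup
        _write(root, "index.htm", "<html>PoizonBOx</html>")
        _write(root, os.path.join("inc", "header.inc"), "<!-- contact:sysadmcn@yahoo.com.cn -->")
        return audit(root, baseline)

if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

Run on a schedule against the live web root, a non-empty `added` or `modified` list shows when the files come back, which narrows down the process or task that is rewriting them.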