ASP error script and trojan

26 May 2006 4:02 PM

Eco

Our web server is found that is hacked occassionally. The server will have
the following issues.

1. webpage directory will be added some *.htm file, part of file contents
are shown as follows.
     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
     "http://www.w3.org/TR/html4/loose.dtd">
     <html>
     <head>
     <title>Hacked Mr.Trojan-Msn: Tro***@Trojan.Gen.Tr</title>
     <meta http-equiv="Content-Type" content="text/html;
     ..............

2. ASP error scripts will be popup and the the main web site cannot be
accessed. The website can be accessed again after close the error scripts
window manually.

According to our webpage designer, our server is infected with trojan. But
we've scanned and can't find anything through virus scanner.

Actually, what anti-hack or anti-virus software will install on your IIS
Server? Any comments?

Below lists the web server info.
- Windows 2000 Server w/ built in IIS 5.0
- All windows secuirty / pack is always be udpated.
- Symantec Antivirus 10.0
- Hardware firewall only open http port for this server.

27 May 2006 3:43 PM

Jeff Cochran

>According to our webpage designer, our server is infected with trojan. But
>we've scanned and can't find anything through virus scanner.
>
>Actually, what anti-hack or anti-virus software will install on your IIS
>Server? Any comments?

You have been hacked and don't know how or what might be happening.
Flatten the box. Wipe the drives, reinstall from scratch and restore
only known good files. Lock the box down this time. Use the security
checklists at Microsoft.

Jeff

27 May 2006 6:15 PM

Eco

"Jeff Cochran" <jeff.nospam@zina.com>

???????:447e7363.151700***@msnews.microsoft.com...

> >According to our webpage designer, our server is infected with trojan.
> >But
>>we've scanned and can't find anything through virus scanner.
>>
>>Actually, what anti-hack or anti-virus software will install on your IIS
>>Server? Any comments?
>
> You have been hacked and don't know how or what might be happening.
> Flatten the box. Wipe the drives, reinstall from scratch and restore
> only known good files. Lock the box down this time. Use the security
> checklists at Microsoft.
>

Thanks for your reply and I have some questions.
---- Wipe the drives, reinstall from scratch and restore only known good
files.
You mean reinstall the whole box / windows??

--- Lock the box down this time. Use the security checklists at Microsoft.
security checklists? can be found within Microsoft site??

29 May 2006 5:55 AM

Bernard Cheah [MVP]

a) Yes, as you may not know what other backdoor the hacker has installed.

b) www.microsoft.com/iis/ for start, then google MS site for "IIS Security"

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/

Show quoteHide quote

"Eco" <e**@hotmail.com> wrote in message
news:Od0LCmbgGHA.4892@TK2MSFTNGP02.phx.gbl...
>
> "Jeff Cochran" <jeff.nospam@zina.com>
> ???????:447e7363.151700***@msnews.microsoft.com...
>> >According to our webpage designer, our server is infected with trojan.
>> >But
>>>we've scanned and can't find anything through virus scanner.
>>>
>>>Actually, what anti-hack or anti-virus software will install on your IIS
>>>Server? Any comments?
>>
>> You have been hacked and don't know how or what might be happening.
>> Flatten the box. Wipe the drives, reinstall from scratch and restore
>> only known good files. Lock the box down this time. Use the security
>> checklists at Microsoft.
>>
>
> Thanks for your reply and I have some questions.
> ---- Wipe the drives, reinstall from scratch and restore only known good
> files.
> You mean reinstall the whole box / windows??
>
> --- Lock the box down this time. Use the security checklists at
> Microsoft.
> security checklists? can be found within Microsoft site??
>
>