Website hacked
#1
Posted 08 May 2001 - 04:58 PM
Our website has just been defaced. I thought the problem was just the index.htm or default.htm being renamed. I deleted them but the offending page still pops up. This is the first time for us and I don't know how to start. Can any of the network admins help me out please... Thanks in advance.
#2
Posted 08 May 2001 - 05:53 PM
If you are using "includes" on those pages, then you might want to check all of them. Also, make sure there aren't any EXEs running that will switch the page back if it's removed. There may even be some DLLs registered that are doing this as well. If all else fails, you could just delete and restore portions of the site or the whole thing from backup. You should also try and put on some of the IIS updates that may pertain to you ( www.microsoft.com/technet ).
#3
Posted 09 May 2001 - 04:30 PM
I think there is some EXE service running in the background that puts the index.htm and default.htm files back at a scheduled time. I remember removing these files and rebooting the system. Any idea how to find out where the file could be?
Thanks
#4
Posted 09 May 2001 - 05:16 PM
Generally, when you look at the process tab in Task Manager you can pick these out as hackers tend to have a sense of humor about these. Also, you could do a search on any exe files that don't look familiar, and see where they are located and what their "created" dates are.
#5
Posted 09 May 2001 - 05:51 PM
I forgot to mention the worm. It was the Anti-PoizonBox message.
"f**k USA Government
f**k PoizonBOx
contact:sysadmcn@yahoo.com.cn "
#7
Posted 11 May 2001 - 06:19 AM
Interesting.... I was going through my Sidewinder logs and noticed a website that said the same thing. I flagged it for later study. Thanks for the reminder!
#8
Posted 19 May 2001 - 09:14 PM
You should format the disk and reinstall the OS.
At least in the UNIX world, it's common for hack kits to modify the kernel or 'ps' so that you can't see the evil process running. It's possible to do this on Windows, so you should consider all system binaries untrusted and blow them away.
#9
Posted 19 May 2001 - 09:42 PM
Well guys, that Poison message was also in my Inetpub directory.
Then I deleted the files from each of the Inetpub subdirectories.
After two or three days they reappeared again. I deleted them again. Then I updated Windows from Windows Update and now it is sound.
Are there any other security measures to be taken?
Thanks
ARC
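The checks suggested in this thread (find the re-created index.htm/default.htm files under Inetpub, then look for unfamiliar EXEs and DLLs by their "created" dates) can be scripted. This is an added example, not something posted by any participant; the default paths, the marker string taken from the quoted message, and the 7-day look-back window are assumptions to adjust for the server being examined.

```powershell
# Added example: triage a defaced IIS content tree.
# All defaults below are assumptions, not values from the affected server.
param(
    [string]$WebRoot     = 'C:\Inetpub',   # assumed IIS content root
    [string]$Marker      = 'PoizonBOx',    # text quoted from the defaced page
    [string[]]$ScanRoots = @('C:\'),       # where to look for unfamiliar binaries
    [int]$WindowDays     = 7               # assumed look-back before first defacement
)

# 1. Find every default document under the web root that carries the marker text.
$defaced = Get-ChildItem -Path $WebRoot -Recurse -File -Include index.htm, default.htm `
               -ErrorAction SilentlyContinue |
    Where-Object {
        Select-String -LiteralPath $_.FullName -Pattern $Marker -SimpleMatch -Quiet
    }

if (-not $defaced) {
    Write-Output "No default documents containing '$Marker' under $WebRoot"
    return
}

# Show when each defaced file was created and last written.
$defaced | Sort-Object LastWriteTime |
    Select-Object FullName, CreationTime, LastWriteTime |
    Format-Table -AutoSize

# 2. Use the earliest defacement write time as the anchor for the search window.
$first = ($defaced | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
$since = $first.AddDays(-$WindowDays)
Write-Output "Listing EXE/DLL files created or modified since $since"

# 3. List executables and DLLs created or modified inside that window,
#    oldest first, so unfamiliar files can be reviewed by location and date.
Get-ChildItem -Path $ScanRoots -Recurse -File -Include *.exe, *.dll `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
    Sort-Object CreationTime |
    Select-Object CreationTime, LastWriteTime, Length, FullName |
    Format-Table -AutoSize
```

File timestamps can be changed, and as post #8 points out, tools on a compromised system may not show everything, so an empty listing here is inconclusive rather than a clean result.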