Re: Rogue PHP file

---

• From: "Frank" <ffarero@xxxxxxxxxx>
• Date: Sat, 28 Jun 2008 19:29:15 -0400

---

Hi once again,

Additional info: The company website is not hosted on the server. It is
hosted by a local company called tinkergraphics.com / Our DNS is managed by
RoadRunner.
"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:eXTwe2S2IHA.4912@xxxxxxxxxxxxxxxxxxxxxxx

G'day Frank,

I am neither the 'alarmist' which Susan is nor the 'routers are evil' that
you will get from Leythos.

I have the benefit of having seen your later post but, so far, I'm not
really sure whether the internet name for your SBS is _actually_
mail.xxxxxxxxxx.com. There's issues about bad/poisoned DNS that would need
to be investigated. SBS would need to be _pretty thoroughly 'owned'_
before 'anything.php' comes into play.

_IF_ the server has been compromised, and so far I'm not really sure it
has, you should be firstly looking to PCSafety, as Susan has suggested,
and then considering _HOW_ this happened and the _cost_ of addressing the
issue (on your primary DC, which you should now trust _NOTHING_ from), vs
externally hosting your public (www) domain.

Though SBS is thoroughly capable of hosting websites (I do it myself) it's
not really a good idea, particularly considering the _very cheap_
alternatives which may not only give you greater facility and bandwidth
but also less concern about 'such hacks'.

"Frank" <ffarero@xxxxxxxxxx> wrote in message
news:48658f04$0$5981$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Hi all,

SBS 2003 server, XP pro clients, WRT54GS router, Static IP from ISP using
exchange for mail.

Not sure if this is the right news group. I got a call today from a new
client stating that their mail.xxxxxxxxxx.com address was being
redirected to a Banking Phishing website.
They stated that they got a call from a security firm in Calif. staing it
looked to them like a rogue PHP file was accepting requests. Any ideas on
how to approach this to find fix it?

Thanks

.

---

• Follow-Ups:
  • Re: Rogue PHP file
    • From: Gregg Hill

• References:
  • Rogue PHP file
    • From: Frank
  • Re: Rogue PHP file
    • From: SuperGumby [SBS MVP]

• Prev by Date: Re: Rogue PHP file
• Next by Date: Re: Vista, Outlook 2007 & Profiles
• Previous by thread: Re: Rogue PHP file
• Next by thread: Re: Rogue PHP file
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Cannot Access FTP or Company Website (Externally Hosted) - HELP!!! ... Start the DNS Management console by Start> Programs> ... Enter the external IP of the website as provided by your ISP or web ... I assume that you used CEICW to configure your SBS. ... Ethernet adapter Server Local Area Connection: ... (microsoft.public.windows.server.sbs) Re: SBS2003 - Cannot restore GPO following Article 888943 ... As to the second DNS setting, the system worked quite well prior to ... forwarders on the SBS server DNS. ... >another installation of SBS 2003? ... >This newsgroup only focuses on SBS technical issues. ... (microsoft.public.windows.server.sbs) Re: Urgent! New router and big disaster ... Go back to pointing the external NIC DNS Servers to the SBS server IP ... make sure the DHCP Client Service is running on the server. ... Next I Select a local router device with an ip address. ... (microsoft.public.windows.server.sbs) Re: Internet Speed ... I think what we are trying to say is to use the DHCP from the SBS and NOT ... DNS and WINS point to the SBS. ... as the server IP address. ... it is recommend to configure all SBS client computers' IP and DNS ... (microsoft.public.windows.server.sbs) Re: Website hosting issues ... Maybe your DNS is catched. ... What did you mean by "I am getting the company website"? ... The Companyweb SBS ... server) when you put websitename.com. ... (microsoft.public.windows.server.sbs)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)