Re: Rogue PHP file
- From: "Frank" <ffarero@xxxxxxxxxx>
- Date: Sun, 29 Jun 2008 14:21:05 -0400
Update,
In IIS Manager I found I could not start the default company website. Error
msg: "The process cannot access the file because it is being used by
another program". I ran netstat -ano and found Apache on port 80. I have
disabled Apache through Services and will be on the client's site Monday morning
to further investigate.
"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in
message news:uuqgo9X2IHA.528@xxxxxxxxxxxxxxxxxxxxxxx
PMFJI, but your mail server answers on port 80. It should not. If you are
not running a public web server on your SBS (and you should NOT be), then
close port 80 to your SBS. It is not needed!
It appears to have an Apache server listening. This is the output after
quitting a Telnet session to port 80:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
?quit to /index.html not supported.<P>
Invalid method in request ?quit<P>
<HR>
<ADDRESS>Apache/1.3.23 Server at localhost Port 80</ADDRESS>
</BODY></HTML>
Connection to host lost.
But then again, I could be wrong!
Gregg Hill
"Frank" <ffarero@xxxxxxxxxx> wrote in message
news:4866c94d$0$12022$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi once again,
Additional info: The company website is not hosted on the server. It is
hosted by a local company called tinkergraphics.com / Our DNS is managed
by RoadRunner.
"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:eXTwe2S2IHA.4912@xxxxxxxxxxxxxxxxxxxxxxx
G'day Frank,
I am neither the 'alarmist' which Susan is nor the 'routers are evil'
that you will get from Leythos.
I have the benefit of having seen your later post but, so far, I'm not
really sure whether the internet name for your SBS is _actually_
mail.xxxxxxxxxx.com. There's issues about bad/poisoned DNS that would
need to be investigated. SBS would need to be _pretty thoroughly
'owned'_ before 'anything.php' comes into play.
_IF_ the server has been compromised, and so far I'm not really sure it
has, you should be firstly looking to PCSafety, as Susan has suggested,
and then considering _HOW_ this happened and the _cost_ of addressing
the issue (on your primary DC, which you should now trust _NOTHING_
from), vs externally hosting your public (www) domain.
Though SBS is thoroughly capable of hosting websites (I do it myself)
it's not really a good idea, particularly considering the _very cheap_
alternatives which may not only give you greater facility and bandwidth
but also less concern about 'such hacks'.
"Frank" <ffarero@xxxxxxxxxx> wrote in message
news:48658f04$0$5981$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi all,
SBS 2003 server, XP pro clients, WRT54GS router, Static IP from ISP
using exchange for mail.
Not sure if this is the right news group. I got a call today from a new
client stating that their mail.xxxxxxxxxx.com address was being
redirected to a Banking Phishing website.
They stated that they got a call from a security firm in Calif. stating
it looked to them like a rogue PHP file was accepting requests. Any
ideas on how to approach this to find and fix it?
Thanks
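
Added example (not part of the original thread): the check Frank describes in his update, netstat -ano to see which process owns port 80, turned into a repeatable audit that joins listener PIDs to process names and flags anything off an allow-list. The netstat and tasklist text, the PIDs and the ALLOWED table are constructed assumptions for illustration, not data from this server.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2316
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.16.2:80        203.0.113.7:51544      ESTABLISHED     2316
  TCP    [::]:3389              [::]:0                 LISTENING       1012
  UDP    0.0.0.0:53             *:*                                    1620
"""

# Constructed sample of `tasklist /FO CSV /NH` output.
TASKLIST = '''\
"System","4","Console","0","236 K"
"inetinfo.exe","1480","Console","0","9,112 K"
"svchost.exe","1012","Console","0","4,500 K"
"Apache.exe","2316","Console","0","6,044 K"
'''

# Assumed allow-list: port -> lower-case image names expected to listen there.
ALLOWED = {25: {"inetinfo.exe"}, 80: {"system"}, 443: {"system"},
           3389: {"svchost.exe"}}

def listeners(netstat_text):
    """Yield (port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            # rsplit keeps IPv6 literals such as [::]:3389 intact
            yield int(f[1].rsplit(":", 1)[1]), int(f[4])

def images(tasklist_csv):
    """Map PID -> image name from tasklist CSV output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if r}

def unexpected(netstat_text, tasklist_csv, allowed):
    """Return sorted (port, pid, image) for listeners not on the allow-list."""
    names = images(tasklist_csv)
    found = []
    for port, pid in listeners(netstat_text):
        image = names.get(pid, "<unknown>")
        if image.lower() not in allowed.get(port, set()):
            found.append((port, pid, image))
    return sorted(found)

if __name__ == "__main__":
    for port, pid, image in unexpected(NETSTAT, TASKLIST, ALLOWED):
        print(f"unexpected listener: port {port} pid {pid} image {image}")
```

A port with no entry in ALLOWED is reported as well, so a newly opened listener shows up even if nobody anticipated the port.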