Re: Rogue PHP file



Of course, you finding apache on your box negates about half of my last post. The DNS issues are still real, but are...quite obviously, not the cause.

....good luck finding out who installed apache on your box...

-Cliff

"Frank" <ffarero@xxxxxxxxxx> wrote in message news:4867d296$0$18105$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Update,

In IIS Manager I found I could not start the default company website. Error msg: "The process cannot access the file because it is being used by another program". I ran netstat -ano and found Apache on port 80. I have disabled Apache through Services and will be on client's site Monday morning to further investigate.

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:uuqgo9X2IHA.528@xxxxxxxxxxxxxxxxxxxxxxx
PMFJI, but your mail server answers on port 80. It should not. If you are not running a public web server on your SBS (and you should NOT be), then close port 80 to your SBS. It is not needed!

It appears to have an Apache server listening. This is the output after quitting a Telnet session to port 80:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
?quit to /index.html not supported.<P>
Invalid method in request ?quit<P>
<HR>
<ADDRESS>Apache/1.3.23 Server at localhost Port 80</ADDRESS>
</BODY></HTML>
Connection to host lost.

But then again, I could be wrong!

Gregg Hill


"Frank" <ffarero@xxxxxxxxxx> wrote in message news:4866c94d$0$12022$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi once again,

Additional info: The company website is not hosted on the server. It is hosted by a local company called tinkergraphics.com / Our DNS is managed by RoadRunner.

"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message news:eXTwe2S2IHA.4912@xxxxxxxxxxxxxxxxxxxxxxx
G'day Frank,

I am neither the 'alarmist' which Susan is nor the 'routers are evil' that you will get from Leythos.

I have the benefit of having seen your later post but, so far, I'm not really sure whether the internet name for your SBS is _actually_ mail.xxxxxxxxxx.com. There's issues about bad/poisoned DNS that would need to be investigated. SBS would need to be _pretty thoroughly 'owned'_ before 'anything.php' comes into play.

_IF_ the server has been compromised, and so far I'm not really sure it has, you should be firstly looking to PCSafety, as Susan has suggested, and then considering _HOW_ this happened and the _cost_ of addressing the issue (on your primary DC, which you should now trust _NOTHING_ from), vs externally hosting your public (www) domain.

Though SBS is thoroughly capable of hosting websites (I do it myself) it's not really a good idea, particularly considering the _very cheap_ alternatives which may not only give you greater facility and bandwidth but also less concern about 'such hacks'.

"Frank" <ffarero@xxxxxxxxxx> wrote in message news:48658f04$0$5981$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi all,

SBS 2003 server, XP pro clients, WRT54GS router, Static IP from ISP using exchange for mail.

Not sure if this is the right news group. I got a call today from a new client stating that their mail.xxxxxxxxxx.com address was being redirected to a Banking Phishing website.
They stated that they got a call from a security firm in Calif. stating it looked to them like a rogue PHP file was accepting requests. Any ideas on how to approach this to find and fix it?

Thanks
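
The check described in the update above (netstat -ano showing something other than IIS holding port 80) can be scripted. This is an added example, not part of the thread: it reads saved `netstat -ano` and `tasklist /svc /fo csv /nh` output and reports web-port listeners whose owning process is not on an allow-list. The sample output, the PIDs, the use of tasklist and the allow-list of image names are assumptions made for illustration.

```python
import csv

# Constructed sample of `netstat -ano` output (not captured from the thread's server).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2304
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.16.2:80        203.0.113.9:51544      ESTABLISHED     2304
"""

# Constructed sample of `tasklist /svc /fo csv /nh` output: image, PID, services.
TASKLIST = """\
"System","4","N/A"
"inetinfo.exe","1820","IISADMIN,SMTPSVC"
"Apache.exe","2304","Apache"
"""

# Assumption: image names allowed to own a web port on this host (adjust per server).
EXPECTED = {"system", "inetinfo.exe", "w3wp.exe"}


def listeners(netstat_text):
    """Yield (port, pid) for each TCP socket in the LISTENING state."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            yield int(f[1].rpartition(":")[2]), int(f[4])


def processes(tasklist_text):
    """Map PID -> (image name, services) from tasklist CSV rows."""
    rows = csv.reader(tasklist_text.splitlines())
    return {int(r[1]): (r[0], r[2]) for r in rows if len(r) == 3}


def unexpected_web_listeners(netstat_text, tasklist_text, ports=(80, 443)):
    """Return (port, pid, image, services) for web ports held by unexpected processes."""
    procs = processes(tasklist_text)
    findings = []
    for port, pid in listeners(netstat_text):
        image, services = procs.get(pid, ("<unknown>", "N/A"))
        if port in ports and image.lower() not in EXPECTED:
            findings.append((port, pid, image, services))
    return findings


if __name__ == "__main__":
    print(unexpected_web_listeners(NETSTAT, TASKLIST))
```

A PID that does not appear in the tasklist output is reported as `<unknown>` rather than skipped, since a listener with no matching process entry also deserves a look.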









