Re: Rogue PHP file
- From: "Frank" <ffarero@xxxxxxxxxx>
- Date: Sun, 29 Jun 2008 16:05:30 -0400
Thank you Cliff,
I have been on the phone with two other employees the owner wanted me to
talk to directly. Of course none of them will admit to installing Apache
server. And yes they have all sorts of DNS problems I saw right off the bat.
They were very reluctant to answer any questions I asked them.
They also stated that they could not use RWW. I discovered the Default
Company web was stopped. As soon as I disabled Apache I was able to restart
RWW.
Thanks to everyone who posted on this topic.
"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message
news:6986DDEF-53F7-436C-B3B6-0D5C0B4CF181@xxxxxxxxxxxxxxxx
Of course, you finding Apache on your box negates about half of my last
post. The DNS issues are still real, but are...quite obviously, not the
cause.
...good luck finding out who installed Apache on your box...
-Cliff
"Frank" <ffarero@xxxxxxxxxx> wrote in message
news:4867d296$0$18105$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Update,
In IIS Manager I found I could not start the default company website. Error
msg. - "The process cannot access the file because it is being used by
another program". I ran netstat -ano and found Apache on port 80. I have
disabled Apache through Services and will be on the client's site Monday
morning to further investigate.
"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote
in message news:uuqgo9X2IHA.528@xxxxxxxxxxxxxxxxxxxxxxx
PMFJI, but your mail server answers on port 80. It should not. If you
are not running a public web server on your SBS (and you should NOT be),
then close port 80 to your SBS. It is not needed!
It appears to have an Apache server listening. This is the output after
quitting a Telnet session to port 80:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
?quit to /index.html not supported.<P>
Invalid method in request ?quit<P>
<HR>
<ADDRESS>Apache/1.3.23 Server at localhost Port 80</ADDRESS>
</BODY></HTML>
Connection to host lost.
But then again, I could be wrong!
Gregg Hill
"Frank" <ffarero@xxxxxxxxxx> wrote in message
news:4866c94d$0$12022$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi once again,
Additional info: The company website is not hosted on the server. It is
hosted by a local company called tinkergraphics.com / Our DNS is
managed by RoadRunner.
"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
news:eXTwe2S2IHA.4912@xxxxxxxxxxxxxxxxxxxxxxx
G'day Frank,
I am neither the 'alarmist' which Susan is nor the 'routers are evil'
that you will get from Leythos.
I have the benefit of having seen your later post but, so far, I'm not
really sure whether the internet name for your SBS is _actually_
mail.xxxxxxxxxx.com. There's issues about bad/poisoned DNS that would
need to be investigated. SBS would need to be _pretty thoroughly
'owned'_ before 'anything.php' comes into play.
_IF_ the server has been compromised, and so far I'm not really sure
it has, you should be firstly looking to PCSafety, as Susan has
suggested, and then considering _HOW_ this happened and the _cost_ of
addressing the issue (on your primary DC, which you should now trust
_NOTHING_ from), vs externally hosting your public (www) domain.
Though SBS is thoroughly capable of hosting websites (I do it myself)
it's not really a good idea, particularly considering the _very cheap_
alternatives which may not only give you greater facility and
bandwidth but also less concern about 'such hacks'.
"Frank" <ffarero@xxxxxxxxxx> wrote in message
news:48658f04$0$5981$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi all,
SBS 2003 server, XP pro clients, WRT54GS router, Static IP from ISP
using exchange for mail.
Not sure if this is the right news group. I got a call today from a
new client stating that their mail.xxxxxxxxxx.com address was being
redirected to a Banking Phishing website.
They stated that they got a call from a security firm in Calif.
stating it looked to them like a rogue PHP file was accepting
requests. Any ideas on how to approach this to find and fix it?
Thanks