Re: Rogue PHP file



This is where the WOLF analysis comes in handy. Are there any other logs on the box that go back that far? Firewall logs? Anything?

Frank wrote:
Hi Susan,

The folder (xampplite) was created in C:\Documents and Settings on 3/17/2008 @ 10:43 AM. Nothing else was installed around that time. The Security Event logs only go back to April, 2008.
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx> wrote in message news:el8BSbi2IHA.4848@xxxxxxxxxxxxxxxxxxxxxxx
Look at the date/time that the Apache folder was installed.
Look to see what else was installed at the same/or close time.
Look to the event security logs (if they go back that far) around the same time.

If the time that this folder got on the server doesn't make sense, they may not have installed anything themselves.

Frank wrote:
Thank you Cliff,

I have been on the phone with two other employees the owner wanted me to talk to directly. Of course none of them will admit to installing Apache server. And yes they have all sorts of DNS problems I saw right off the bat. They were very reluctant to answer any questions I asked them.

They also stated that they could not use RWW. I discovered the Default Company web was stopped. As soon as I disabled Apache I was able to restart RWW.

Thanks to everyone who posted on this topic.
"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message news:6986DDEF-53F7-436C-B3B6-0D5C0B4CF181@xxxxxxxxxxxxxxxx
Of course, you finding apache on your box negates about half of my last post. The DNS issues are still real, but are...quite obviously, not the cause.

...good luck finding out who installed apache on your box...

-Cliff

"Frank" <ffarero@xxxxxxxxxx> wrote in message news:4867d296$0$18105$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Update,

In IIS Manager found I could not start the default company website. Error msg: "The process cannot access the file because it is being used by another program". I ran netstat -ano and found Apache on port 80. I have disabled Apache through Services and will be on the client's site Monday morning to further investigate.
"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:uuqgo9X2IHA.528@xxxxxxxxxxxxxxxxxxxxxxx
PMFJI, but your mail server answers on port 80. It should not. If you are not running a public web server on your SBS (and you should NOT be), then close port 80 to your SBS. It is not needed!

It appears to have an Apache server listening. This is the output after quitting a Telnet session to port 80:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>501 Method Not Implemented</TITLE>
</HEAD><BODY>
<H1>Method Not Implemented</H1>
?quit to /index.html not supported.<P>
Invalid method in request ?quit<P>
<HR>
<ADDRESS>Apache/1.3.23 Server at localhost Port 80</ADDRESS>
</BODY></HTML>
Connection to host lost.

But then again, I could be wrong!

Gregg Hill


"Frank" <ffarero@xxxxxxxxxx> wrote in message news:4866c94d$0$12022$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi once again,

Additional info: The company website is not hosted on the server. It is hosted by a local company called tinkergraphics.com / Our DNS is managed by RoadRunner.
"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message news:eXTwe2S2IHA.4912@xxxxxxxxxxxxxxxxxxxxxxx
G'day Frank,

I am neither the 'alarmist' which Susan is nor the 'routers are evil' that you will get from Leythos.

I have the benefit of having seen your later post but, so far, I'm not really sure whether the internet name for your SBS is _actually_ mail.xxxxxxxxxx.com. There's issues about bad/poisoned DNS that would need to be investigated. SBS would need to be _pretty thoroughly 'owned'_ before 'anything.php' comes into play.

_IF_ the server has been compromised, and so far I'm not really sure it has, you should be firstly looking to PCSafety, as Susan has suggested, and then considering _HOW_ this happened and the _cost_ of addressing the issue (on your primary DC, which you should now trust _NOTHING_ from), vs externally hosting your public (www) domain.

Though SBS is thoroughly capable of hosting websites (I do it myself) it's not really a good idea, particularly considering the _very cheap_ alternatives which may not only give you greater facility and bandwidth but also less concern about 'such hacks'.

"Frank" <ffarero@xxxxxxxxxx> wrote in message news:48658f04$0$5981$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi all,

SBS 2003 server, XP pro clients, WRT54GS router, Static IP from ISP using exchange for mail.

Not sure if this is the right news group. I got a call today from a new client stating that their mail.xxxxxxxxxx.com address was being redirected to a Banking Phishing website.
They stated that they got a call from a security firm in Calif. stating it looked to them like a rogue PHP file was accepting requests. Any ideas on how to approach this to find and fix it?

Thanks
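Two of the checks in this thread can be scripted so they are repeatable across a fleet rather than eyeballed once: Frank used netstat -ano to see that something other than IIS owned port 80, and Gregg read the Apache version out of the 501 error page returned to a bad request. The script below is an added example, not code from anyone in the thread. It parses the text of `netstat -ano` and `tasklist` (constructed sample output, not captured from Frank's server), attributes each port-80 listener to a process image, flags any image that is not one of the IIS 6 / http.sys owners expected on a Windows Server 2003 box, and extracts the Server banner from an Apache error page modelled on the one Gregg quoted. The PIDs, addresses and image names in the samples are made up; the set of "expected" images is an assumption about a default SBS 2003 install and should be adjusted for what a given server is known to run.

```python
"""Attribute a listening port to a process from `netstat -ano` and `tasklist`
output, and pull the Server string out of an Apache error page.
Added example for this thread; all sample output below is constructed."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed `netstat -ano` output (not captured from the server in the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    192.168.16.2:3389      192.168.16.50:1723     ESTABLISHED     1188
  UDP    0.0.0.0:53             *:*                                    1316
"""

# Constructed `tasklist` output matching the PIDs above.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
inetinfo.exe                  1532 Console                    0      14,320 K
apache.exe                    2044 Console                    0       6,812 K
dns.exe                       1316 Console                    0       5,004 K
"""

# Modelled on the 501 page quoted in the thread (Apache 1.3.23 on port 80).
BANNER_SAMPLE = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>501 Method Not Implemented</TITLE></HEAD><BODY>
<H1>Method Not Implemented</H1>
?quit to /index.html not supported.<P>
<HR>
<ADDRESS>Apache/1.3.23 Server at localhost Port 80</ADDRESS>
</BODY></HTML>"""

# Assumption: on Windows Server 2003 / IIS 6, http.sys lives in the kernel, so a
# port-80 listener shows under PID 4 ("System"); inetinfo.exe and w3wp.exe are
# the IIS service and worker processes. Anything else owning port 80 is suspect.
EXPECTED_WEB_IMAGES = {"system", "inetinfo.exe", "w3wp.exe"}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int


def parse_netstat(text: str) -> List[Listener]:
    """Return LISTENING TCP sockets and all UDP sockets from `netstat -ano` text."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or 'Active Connections' line
        if parts[0] == "TCP":
            if len(parts) != 5 or parts[3] != "LISTENING":
                continue  # established/closing sockets are not listeners
        elif len(parts) != 4:
            continue  # UDP rows have no State column
        addr, _, port = parts[1].rpartition(":")  # handles [::]:80 as well
        found.append(Listener(parts[0], addr, int(port), int(parts[-1])))
    return found


TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` text; header rows do not match."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def port_owners(netstat_text: str, tasklist_text: str, port: int) -> List[Tuple[int, str]]:
    """(pid, image) for every TCP listener on `port`; unknown PIDs are labelled."""
    procs = parse_tasklist(tasklist_text)
    return [(l.pid, procs.get(l.pid, "<unknown>"))
            for l in parse_netstat(netstat_text)
            if l.proto == "TCP" and l.port == port]


def unexpected_port_owners(netstat_text: str, tasklist_text: str, port: int = 80) -> List[Tuple[int, str]]:
    """Listeners on `port` whose image is not in EXPECTED_WEB_IMAGES."""
    return [(pid, img) for pid, img in port_owners(netstat_text, tasklist_text, port)
            if img.lower() not in EXPECTED_WEB_IMAGES]


BANNER = re.compile(r"<ADDRESS>\s*(\S+)\s+Server at\s+(\S+)\s+Port\s+(\d+)\s*</ADDRESS>", re.I)


def parse_server_banner(html: str) -> Optional[Tuple[str, str, int]]:
    """(server, host, port) from an Apache 1.x/2.x error page footer, or None."""
    m = BANNER.search(html)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


if __name__ == "__main__":
    for pid, img in unexpected_port_owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE, 80):
        print(f"port 80 owned by unexpected image {img} (PID {pid})")
    print("banner:", parse_server_banner(BANNER_SAMPLE))
```

Feed the script saved output from `netstat -ano` and `tasklist` rather than running it on the suspect box where possible, and keep the original text files: the PID-to-image mapping and the banner are the facts worth preserving alongside the folder creation time Frank recorded.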

