My server IIS IUSR has been hacked




Posted by maroc2010, 09-15-2010, 12:28 PM
Greetings - A couple of days ago, my server was hacked. I believe there is an internal process that changes the IIS IUSR password, and when that happens, all of my websites get prompted to provide a user ID and password. After I changed the IUSR password, things got back to normal. But I am still seeing attempts in the log showing that IUSR is still getting attacked. Your input/advice is greatly appreciated. Thank you. -AJ

Posted by GOT, 09-15-2010, 12:34 PM
Are they trying to do this via RDP? Do you have a firewall installed?

Posted by maroc2010, 09-15-2010, 12:48 PM
Thanks Jon for your prompt response. Yes, I do have firewall software installed. Regarding RDP, only myself and my colleague use RDP to maintain the server remotely. I am not sure whether the Virus got thru RDP, FTP, a website Form or thru other means. How do I find out how the Virus got thru? Are there any tools out there I can use to scan the box in hopes I can get an idea as to how the Virus got thru? FYI - I am able to see the Virus process called "host32", but once it is deleted, another gets created with a different name. Like I said in my previous thread, this virus is still trying to modify the IUSR password every 5 minutes. Thanks again.

Posted by GOT, 09-15-2010, 01:02 PM
What are you using as your AV? I would install AVG or NOD32.

Posted by maroc2010, 09-15-2010, 01:17 PM
Yes, I did install AVG yesterday, that's how I found the "host32" virus. But, after it gets deleted, another one gets created, this is beyond me. Do you know if there are any tools out there that would help me pinpoint how the Virus got thru to my server to begin with? This will help me find the security holes so I can prevent this from happening again. Thank you.

Posted by GOT, 09-15-2010, 01:38 PM
Once it's gotten in, it's extremely difficult to tell how it got there. If AVG can't clean it, try NOD32.


