win32/agent.jt and .asp files being maliciously amended - help!
Posted on 2009-02-20
I'm at my wit's end with this - I've taken over a server which seems to have an infection on it.
I was called in because the website, written in .asp and with a SQL back-end, had started redirecting users to other sites, such as donepoker.com.
Having checked the site, the amendments had been made to the .asp files, not the database tables.
First thing I did was get Kaspersky on the system, which found 10 viruses and promptly removed them. I then installed Windows Defender, which found the win32/agent.jt trojan and removed it (it came back a day later).
I've also changed the database username/password, changed the site's folder permissions/name, deleted any user accounts that looked remotely dodgy and rebooted.
2 hours later the site was redirecting to corrupt websites again. No infection this time, just altered code in the website folder. I promptly overwrote the bad code with a backup saved in another folder, and the site is back to normal.
So basically, what the hell do I do to keep this system safe? It's using Windows Firewall (I've since asked the data centre to get the system behind their own firewall, something that had been "overlooked" apparently).
Any ideas/suggestions would be most welcome - I feel like I've been firefighting all day.