Solved

How to fix and secure SBS 2003 IIS after being hacked by phishing site

Posted on 2009-05-15
4
681 Views
Last Modified: 2013-11-16
I have a client SBS 2003 server who had their IIS hacked.

All websites on IIS have been redirected to :

http://0xcfe190c7/ks/?http://www.commbank.com.au/personal/survey/default.aspx

Currently I've disabled ports 80 and 443 to the server via their firewall appliance, but I'm not sure where to start on re-setting it and securing it afterwords

I"ve requested all users scan their systems for viruses and we're changing all the passwords.

Thanks in advance!

Fred
0
Comment
Question by:fredimac
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 24398826
Do you have backups of these websites?  If so, your best and quickest option is to delete those websites and create new websites, and restore those websites.

Never put you websites in the default location of C:\Inetpub\wwwroot always change that location, never use the IUSR_computername account as your account for anonymous access, change it!  Never install all you websites on a single website, with the same IP address or the same IP address of the server.

Goodluck!
0
 
LVL 2

Author Comment

by:fredimac
ID: 24399021
Are you familiar with SBS server?  The sites that were hacked (really IIS was hacked) were the companywbsite and OWA, I've never had to move those before.   I almost suspect that someone's weak password was cracked.
0
 
LVL 13

Expert Comment

by:Praveen DM
ID: 24399261
Passwords are generally cracked from compromised client PCs and also specially Password sved browser like mozilla has done this manytimes....

Compell your users to use strong passwords and no easy passwords..set GP for strong pwds..ask them not to mark password remember in browsers

Use S/W firewall in server like Visneic that has saved us many many times from hackers and intruders and from DDOS attack.

Update AV scanners in server and scn for virus.

Check "cmd"  in c: driveif any user or group has access that must not have access on the same

0
 
LVL 13

Accepted Solution

by:
Praveen DM earned 500 total points
ID: 24399290
1. Use Good S/W firewall
2. Use and update Virus scanners in server and scan server compltly.
3. Update security patches of MS if left any in updates
4. Use and force your clients to change and use only strong passwords.
5. Do not give access to any IUSR or client groups on CMD in server.
6. Disable Webdev if not used in server.
7. Check sites and isolate that has scripts and executables enabled and check zip files in client drive if they have any strange exe files which are infected .
8. check if any CSS files are compromised and code injected as they are prime way to deface sites.

Block unused and unwanted ports in server.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question