SBS 2003 Hacked and IIS Completely removed, need to

It looks like a hacker got into the SBS 2003 server and completely uninstalled IIS.  All IIS sites were redirected to a phishing site with an .au extension.

Is it possible for something other than a purposeful uninstall to cause the server to appear to be missing these components?

Is there a log for the removal of components I can check to see if an uninstall was initiated by a user?

I understand that IIS is a difficult thing to remove from SBS so I might have to do a re-install as we've only got critical files backup for this server.

I'd like some assistance with both the recovery and attempting to determine what was done.

Thanks in Advance,

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Check your server logs, if there are portions of the logs missing, then you will see the window of approximate entry and activity. gives you the best option for swinging your existing AD onto a new server.

You may be better off flattening though. The folks on the other end may have full control of the domain.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
What Philip said if your box got hacked, reformat and secure it better you could have a trojan running on it now.  Please check rest of your client computers also.  Just run a sniffer on your internet connection and look for weird traffic.
Praveen DMInfra Team LeadCommented:
1. IIS can be uninstalled only by admin righst user..check if any new user has been granted access under admin rights .
2. Check the >Eventvwr --> Security audit..see if any stange logins has been loged... at the suspected time
3. Check if the IUSR are intact under the user MMC...If yes..then just install IIS and other applications and replace the metabase file from backup and try starting IIS.
4. Install FW in server to trace the culprit in future.
5. Check which users are having access over CMD under c:\ drive and remove suspected users from having rights.
6. Use Firewalls like Visnetic to spot the culprit IP address.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.