• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 293

SBS 2003 Hacked and IIS Completely removed, need to

It looks like a hacker got into the SBS 2003 server and completely uninstalled IIS. All IIS sites were redirected to a phishing site with an .au extension.

Is it possible for something other than a purposeful uninstall to cause the server to appear to be missing these components?

Is there a log for the removal of components I can check to see if an uninstall was initiated by a user?

I understand that IIS is a difficult thing to remove from SBS, so I might have to do a re-install, as we've only got a critical-files backup for this server.

I'd like some assistance with both the recovery and attempting to determine what was done.

Thanks in Advance,

3 Solutions
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Check your server logs; if there are portions of the logs missing, then you will see the approximate window of entry and activity.

www.sbsmigration.com gives you the best option for swinging your existing AD onto a new server.

You may be better off flattening though. The folks on the other end may have full control of the domain.

What Philip said. If your box got hacked, reformat and secure it better; you could have a trojan running on it now. Please check the rest of your client computers also. Just run a sniffer on your internet connection and look for weird traffic.
Praveen DM (Infra Team Lead) commented:
1. IIS can be uninstalled only by a user with admin rights. Check if any new user has been granted access under admin rights.
2. Check Eventvwr --> Security audit; see if any strange logins have been logged at the suspected time.
3. Check if the IUSR account is intact under the Users MMC. If yes, then just install IIS and the other applications, replace the metabase file from backup, and try starting IIS.
4. Install a firewall on the server to trace the culprit in future.
5. Check which users have access to CMD under the C:\ drive and remove the rights of suspected users.
6. Use firewalls like Visnetic to spot the culprit IP address.
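Two of the answers above come down to the same triage on the Security event log: Philip's advice to look for holes in the logs that bracket the intrusion window, and Praveen's steps 1 and 2 (new admin-rights users, strange logins at the suspected time). The script below is an added example of that triage, not code from any of the posters. It assumes the Windows Server 2003 Security log has been exported from Event Viewer and trimmed to pipe-delimited `timestamp|event_id|user|source` lines (a constructed format; the sample records and the 203.0.113.9 address are invented for the example). The event IDs are the Server 2003 ones: 517 audit log cleared, 528/540 successful interactive/network logon, 624 user account created, 636 member added to a security-enabled local group.

```python
from datetime import datetime, timedelta

# Constructed sample log: one record per line as "timestamp|event_id|user|source",
# resembling trimmed columns from a Security log exported by Event Viewer on
# Windows Server 2003. Every entry here is invented for the example.
SAMPLE_LOG = """\
2008-03-10 08:02:11|528|jsmith|WORKSTATION1
2008-03-10 09:15:40|540|svc_backup|SBS01
2008-03-10 11:47:03|540|administrator|203.0.113.9
2008-03-10 11:48:30|624|administrator|203.0.113.9
2008-03-10 11:49:02|636|administrator|203.0.113.9
2008-03-10 11:52:15|517|administrator|203.0.113.9
2008-03-11 07:55:20|528|jsmith|WORKSTATION1
"""

# Windows Server 2003 Security log event IDs relevant to the checks in the thread.
EVENTS_OF_INTEREST = {
    517: "audit log cleared",
    528: "successful interactive logon",
    540: "successful network logon",
    624: "user account created",
    636: "member added to security-enabled local group",
}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_records(text):
    """Parse the pipe-delimited export into dicts sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, user, source = line.split("|")
        records.append({
            "time": datetime.strptime(ts, TIME_FMT),
            "event_id": int(event_id),
            "user": user,
            "source": source,
        })
    return sorted(records, key=lambda r: r["time"])


def find_gaps(records, max_gap_hours=6):
    """Return (start, end) timestamp strings for every interval between
    consecutive records longer than max_gap_hours. On a server that normally
    logs continuously, such a hole suggests records were cleared or the
    machine was offline; tune the threshold to the server's normal activity."""
    gaps = []
    limit = timedelta(hours=max_gap_hours)
    for prev, cur in zip(records, records[1:]):
        if cur["time"] - prev["time"] > limit:
            gaps.append((prev["time"].strftime(TIME_FMT),
                         cur["time"].strftime(TIME_FMT)))
    return gaps


def suspicious_events(records, window_start, window_end, trusted_sources):
    """Within the suspected window, flag log clearing, account creation,
    group membership changes, and logons from sources not in trusted_sources."""
    start = datetime.strptime(window_start, TIME_FMT)
    end = datetime.strptime(window_end, TIME_FMT)
    findings = []
    for r in records:
        if not (start <= r["time"] <= end):
            continue
        eid = r["event_id"]
        if eid in (517, 624, 636):
            reason = EVENTS_OF_INTEREST[eid]
        elif eid in (528, 540) and r["source"] not in trusted_sources:
            reason = EVENTS_OF_INTEREST[eid] + " from untrusted source"
        else:
            continue
        findings.append({
            "time": r["time"].strftime(TIME_FMT),
            "event_id": eid,
            "user": r["user"],
            "source": r["source"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for start, end in find_gaps(recs):
        print(f"gap in log: {start} -> {end}")
    for f in suspicious_events(recs, "2008-03-10 11:00:00", "2008-03-10 12:00:00",
                               {"WORKSTATION1", "SBS01"}):
        print(f"{f['time']} id={f['event_id']} {f['user']}@{f['source']}: {f['reason']}")
```

On the constructed sample the gap finder reports the hole after the 517 "audit log cleared" record, and the window check lists the network logon from the unfamiliar address followed by the account creation and group change. A quiet server will show ordinary overnight gaps at the default threshold, so set `max_gap_hours` from what the server's normal days look like before reading anything into a single hole; a 517 record is the stronger signal, because it means whatever preceded it is gone from this copy of the log.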