Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Course Of The Month
11 days, 3 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Strange php file on my windows server
Posted on 2010-09-01
I discovered a file on my web server called wso.php in the root of the web directory. I didn't put it there and the contents contain references to milw0rm.com
Can anyone shed some light on what this is and what any hackers might have been trying to do with it? Do I need to change every password on the machine? Which would be a pain since all my scripts would then need to be edited as well.
Can anyone shed some light on what this is and what any hackers might have been trying to do with it? Do I need to change every password on the machine? Which would be a pain since all my scripts would then need to be edited as well.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
7
3
3
13 Comments
It's a web shell, with that the hacker have full access to your machine trought the user that run the apache daemon,
Maybe you have to investigate on how that file come up to your server and yes, you have to clean your system and if you can change every password.
P.S.
Upgrade your system.
Maybe you have to investigate on how that file come up to your server and yes, you have to clean your system and if you can change every password.
P.S.
Upgrade your system.
Sure looks like it, but i'll need the script to see what 'they' were trying to do.
If it's the same as:
http://de.pastebin.ca/raw/1893071
it will find a lot of rights/opendirs etc etc and send it to a server
If it's the same as:
http://de.pastebin.ca/raw/1893071
it will find a lot of rights/opendirs etc etc and send it to a server
That certainly looks like it. But milw0rm.com no longer exists, so the script still works?
I removed it from the web directory, created a new file by the same name with read only attribute and gave it minimal security rights.
I have seen this happen on a windows 2003 server too, so i am not thinking updating from 2000 server to 2003 will make a difference.
I am currently creating specific rules within the firewall to block absolutely everything that isn't needed.
For example, the rules are set in priority, top rule cancels bottom rule.
allow port 80
allow my IP to VNC
allow my IP to FTP
Block All Ports, all IP's
These rules basically say to allow me in through vnc and ftp, and allow the rest of the world to browse my web sites, and block everything else.
Shouldn't this stop anything bad from happening?
I removed it from the web directory, created a new file by the same name with read only attribute and gave it minimal security rights.
I have seen this happen on a windows 2003 server too, so i am not thinking updating from 2000 server to 2003 will make a difference.
I am currently creating specific rules within the firewall to block absolutely everything that isn't needed.
For example, the rules are set in priority, top rule cancels bottom rule.
allow port 80
allow my IP to VNC
allow my IP to FTP
Block All Ports, all IP's
These rules basically say to allow me in through vnc and ftp, and allow the rest of the world to browse my web sites, and block everything else.
Shouldn't this stop anything bad from happening?
That looks good yes.
The site is maybe down, but you can never be sure about these things.
the newly created file + no rights is also a good solution.
The site is maybe down, but you can never be sure about these things.
the newly created file + no rights is also a good solution.
What I am trying to avoid is changing all the passwords on the machine. My master password is VERY secure, and it would break all my apps and scripts if I changed it. Not to mention mysql breaking, etc. uggg
Normally the AD password are not to be copyed or read. So that's fine. But mysql is more unsecure with password saving. That could be een problem.
I have now put in a firewall rule blocking port 3306 from the outside world. So mysql should be safe right?
With the port under firewall your mysql server "should" be secure.
If the hacker "entered" in your server using that web shell and executed some privilege excalation script maybe have root access with some backdoor. You have to investigate further to know what happened on your machine.
If the hacker "entered" in your server using that web shell and executed some privilege excalation script maybe have root access with some backdoor. You have to investigate further to know what happened on your machine.
Featured Post
The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Background Information
Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month11 days, 3 hours left to enroll
628 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.