Solved

Strange php file on my windows server

Posted on 2010-09-01
13
724 Views
Last Modified: 2013-12-13
I discovered a file on my web server called wso.php in the root of the web directory. I didn't put it there and the contents contain references to milw0rm.com
Can anyone shed some light on what this is and what any hackers might have been trying to do with it? Do I need to change every password on the machine? Which would be a pain since all my scripts would then need to be edited as well.
0
Comment
Question by:TuscolaCounty
  • 7
  • 3
  • 3
13 Comments
 
LVL 8

Accepted Solution

by:
nahime earned 300 total points
ID: 33576430
It's a web shell, with that the hacker have full access to your machine trought the user that run the apache daemon,
Maybe you have to investigate on how that file come up to your server and yes, you have to clean your system and if you can change every password.
P.S.
Upgrade your system.
0
 
LVL 5

Assisted Solution

by:bernardbrink
bernardbrink earned 200 total points
ID: 33576432
Sure looks like it, but i'll need the script to see what 'they' were trying to do.
If it's the same as:
http://de.pastebin.ca/raw/1893071
it will find a lot of rights/opendirs etc etc and send it to a server
0
 

Author Comment

by:TuscolaCounty
ID: 33576701
That certainly looks like it. But milw0rm.com no longer exists, so the script still works?
I removed it from the web directory, created a new file by the same name with read only attribute and gave it minimal security rights.
I have seen this happen on a windows 2003 server too, so i am not thinking updating from 2000 server to 2003 will make a difference.
I am currently creating specific rules within the firewall to block absolutely everything that isn't needed.
For example, the rules are set in priority, top rule cancels bottom rule.
allow port 80
allow my IP to VNC
allow my IP to FTP
Block All Ports, all IP's
These rules basically say to allow me in through vnc and ftp, and allow the rest of the world to browse my web sites, and block everything else.
Shouldn't this stop anything bad from happening?
0
 

Author Comment

by:TuscolaCounty
ID: 33576730
Oh and FYI: I am not using apache
php, mysql, abyss web server, mailenable mail server
0
 
LVL 5

Expert Comment

by:bernardbrink
ID: 33576869
That looks good yes.
The site is maybe down, but you can never be sure about these things.
the newly created file + no rights is also a good solution.
0
 

Author Comment

by:TuscolaCounty
ID: 33576975
What I am trying to avoid is changing all the passwords on the machine. My master password is VERY secure, and it would break all my apps and scripts if I changed it. Not to mention mysql breaking, etc. uggg
0
Swamped with email signature updates?

Have you been given a load of changes to make to your users’ email signatures? Having to manually implement multiple signatures for every department? Let Exclaimer save you from being swamped with email signature updates!

 
LVL 5

Assisted Solution

by:bernardbrink
bernardbrink earned 200 total points
ID: 33577217
Normally the AD password are not to be copyed or read. So that's fine. But mysql is more unsecure with password saving. That could be een problem.
0
 

Author Comment

by:TuscolaCounty
ID: 33577322
I have now put in a firewall rule blocking port 3306 from the outside world. So mysql should be safe right?
0
 
LVL 8

Assisted Solution

by:nahime
nahime earned 300 total points
ID: 33577418
With the port under firewall your mysql server "should" be secure.
If the hacker "entered" in your server using that web shell and executed some privilege excalation script maybe have root access with some backdoor. You have to investigate further to know what happened on your machine.
0
 

Author Comment

by:TuscolaCounty
ID: 33577431
Yes I plan to check the web traffic logs for the date the file was placed.
0
 

Author Comment

by:TuscolaCounty
ID: 33577497
Also, I did use apache at one point, switched to abyss. Could remnants of apache be an exploit?
0
 
LVL 8

Assisted Solution

by:nahime
nahime earned 300 total points
ID: 33577843
If apache is running and accessible from the outside world yes otherwise no :)
0
 

Author Comment

by:TuscolaCounty
ID: 33578009
Ok thanks
0

Featured Post

Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now