malware attack on Windows 2008 server

Windows Server 2008, IIS 7.5

Hi friends. Your advice, please?

I have spent the past few days urgently cleaning several older web sites on my server that were compromised by malware. A couple of other clients have come to me for help regarding similar malware infection. The malware seems to have been placed on May 24 and 25 2013. On more than one server.

 The affected web sites have several points in common:

 1) they are nondynamic, using static HTML files; ColdFusion, PHP, ASP, etc are not involved.
 2) they use older (circa 2005 or 2006) javascripts
 3) they are old! I built these a long time ago
 4) .js files and .html files are changed
 5) possible common link is older Flash SWF files -- but that is not common on all sites

I have changed FTP passwords for affected sites. I have confirmed that only a couple of IP addresses can actually access the server via Remote Desktop Connection or FTP. So I am not sure how someone got in there and edited files. At least one client has been rather upset....

I am cleaning the HTML files and deleting the old .js and SWF files -- and doing what I can to replace these functions with modern HTML5, etc. Sites that I clean seem to stay clean so far.

Has anyone else heard of any recent (late May 24-25 2013) attacks that use .js or Flash as a vector?

Sites that I have cleaned have stayed clean so far. Do you have any ideas about how I can prevent further malware attacks?

 Just trying to get some context. Thank you.

Eric BourlandAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Andrej PirmanCommented:
I know, it is pain in the ass to close gaps in security, ifyour system is meant for public hosting.

First, regarding FTP, do not allow unsecure plain FTP! Force FTP server to accept only explicit FTP over TLS, and ban user aftr 5 missed passwords. That will help a lot.

Second, patch your server witl latest updates. Some gaps will close just by patching.

Third, in IIS (if you use IIS for web sites) do NOT allow "parent paths", and explicitelly do NOT allow directory browsingg. Ok, you may open parent paths for some web sites that need it, but generally no.

Then, you may use some good web vulnerability scanner, for example this great scanner from Accunetix
For some web stes it takes as much as 6 hours and more to scan, but report is good, with explanations on how to close open security holes.

I have done all these a lot of times, because it is hard to be friendly to all kind of users, but also be properly up to date with security patches and latest software versions. These servers are like bebies - need care all the time.

BTW... if you do not use generic programming languages, but only plain HTML, then most (if not all) security holes are within server security. Is WebDav enabled? Get rid of it. Any open ports, except 21,80? Take care, close everything in INBOUND direction, if not needed explicitly.
Also one VERY IMPORTANT thing I almost forgot to mention is folder permissions. Do different web sites use each its own security credentials? Or are they all under IUSR account? This might pose a huge risk.

Flash can be compromised, also JavaScript....ok, Flash is more vulnerable, but at the moment I don't have any advice on this.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Eric BourlandAuthor Commented:
Dear Lasby,

This is a great deal of very helpful advice. I am pretty sure I have covered most of what you have mentioned but I am going to doublecheck everything. I will get back to you later today.

Thank you again. I hope your day is going well.

Best from Eric
Eric BourlandAuthor Commented:
Also, apologies -- I meant Labsy, not Lasby. Eric
The Five Tenets of the Most Secure Backup

Data loss can hit a business in any number of ways. In reality, companies should expect to lose data at some point. The challenge is having a plan to recover from such an event.

Eric BourlandAuthor Commented:
Labsy, thank you very much for this very useful reply.

best from Eric
Andrej PirmanCommented:
Glad I was helpful.
BTW... at one of customers I found an infection, which was written specially to steal CuteFTP login information. Check your computer to not have one of these bad guyz!
Eric BourlandAuthor Commented:
Also, I apologize for being so tardy in closing this question. Life got really busy for a while.

I have done thorough scans of both of my work computers. I use Filezilla... I also take care to keep antimalware solutions updated.

Thanks again. Take care.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.