malware attack on Windows 2008 server
Posted on 2013-06-02
Windows Server 2008, IIS 7.5
Hi friends. Your advice, please?
I have spent the past few days urgently cleaning several older web sites on my server that were compromised by malware. A couple of other clients have come to me for help regarding similar malware infection. The malware seems to have been placed on May 24 and 25, 2013, on more than one server.
The affected web sites have several points in common:
1) they are nondynamic, using static HTML files; ColdFusion, PHP, ASP, etc. are not involved.
3) they are old! I built these a long time ago.
4) .js files and .html files are changed
5) possible common link is older Flash SWF files -- but that is not common on all sites
I have changed FTP passwords for affected sites. I have confirmed that only a couple of IP addresses can actually access the server via Remote Desktop Connection or FTP. So I am not sure how someone got in there and edited files. At least one client has been rather upset....
I am cleaning the HTML files and deleting the old .js and SWF files -- and doing what I can to replace these functions with modern HTML5, etc. Sites that I clean seem to stay clean so far.
Has anyone else heard of any recent (late May 24-25 2013) attacks that use .js or Flash as a vector?
Sites that I have cleaned have stayed clean so far. Do you have any ideas about how I can prevent further malware attacks?
Just trying to get some context. Thank you.
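One practical way to answer the "how do I know if it happens again" part of the question is a file-integrity baseline for the static web root: record a hash of every .html/.js/.swf file while the site is known clean, then re-run the check on a schedule and diff. The script below is an added example (not code from the poster), written for any OS with Python; it also flags two injection patterns typical of defaced static pages, a script block appended after the closing `</html>` tag and a zero-size or hidden iframe. The web root, file names, file contents and the `example.invalid` host in the simulated tampering are all constructed for the demonstration.

```python
"""Baseline-and-diff integrity check for a static web root.

Added example, not from the forum post. Records a SHA-256 manifest of the
.html/.js/.swf files under a web root, reports files that were added, changed
or removed since the baseline, and flags a few injection patterns that are
common in compromised static pages (script blocks appended after </html>,
zero-size or hidden iframes). All file names and contents below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
import re

WATCHED_EXT = {".html", ".htm", ".js", ".swf"}   # files worth baselining
TEXT_EXT = {".html", ".htm", ".js"}                # files worth content-scanning

# Injection heuristics: (label, regex). Kept deliberately simple and explainable.
SUSPICIOUS = [
    ("script after </html>", re.compile(r"</html>\s*<script\b", re.I | re.S)),
    ("zero-size iframe", re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?0\b", re.I)),
    ("hidden iframe", re.compile(r"<iframe\b[^>]*display\s*:\s*none", re.I)),
]


def sha256_file(path: Path) -> str:
    """Stream the file so large SWF/JS bundles do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each watched file (POSIX path relative to root) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_EXT
    }


def save_manifest(manifest: dict, out_path) -> None:
    """Store the baseline somewhere the web server account cannot write."""
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_path) -> dict:
    return json.loads(Path(in_path).read_text())


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return added / removed / modified relative paths, each sorted."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def scan_file(path: Path) -> list:
    """Labels of the injection heuristics that match this file's text."""
    text = path.read_bytes().decode("utf-8", errors="replace")
    return [label for label, rx in SUSPICIOUS if rx.search(text)]


def scan_tree(root) -> dict:
    """Only files with at least one hit are reported."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in TEXT_EXT:
            hits = scan_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a clean site, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.html").write_text("<html><body>Hello</body></html>\n")
        (root / "js" / "menu.js").write_text("function menu() {}\n")
        (root / "intro.swf").write_bytes(b"FWS\x08\x00\x00\x00\x00")  # fake SWF header
        (root / "notes.txt").write_text("not a watched extension\n")
        save_manifest(build_manifest(root), root / "baseline.json")

        # Simulated tampering (constructed): script appended after </html>,
        # a new page carrying a zero-size iframe, and a deleted SWF.
        with open(root / "index.html", "a") as fh:
            fh.write('<script src="http://example.invalid/x.js"></script>\n')
        (root / "promo.html").write_text(
            '<html><body><iframe src="http://example.invalid/" width="0" height="0">'
            "</iframe></body></html>\n"
        )
        (root / "intro.swf").unlink()

        diff = compare_manifests(load_manifest(root / "baseline.json"), build_manifest(root))
        return {"diff": diff, "findings": scan_tree(root)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production use, run `build_manifest` against the real web root right after a clean deployment, keep the JSON baseline outside the web root (and outside the FTP account's reach), and schedule the comparison; a non-empty `modified` or `added` list on a site that has not been deployed is the signal that someone wrote to it, which is also the moment to review FTP and RDP logon logs for the corresponding timestamps. The heuristics are a starting point, not a malware scanner, so treat the hash diff as the authoritative result and the pattern hits as triage hints.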