Solved

Malicious Code Being Uploaded to Windows 2003 WebServer (with classic asp and php scripts enabled)

Posted on 2014-11-07
Last Modified: 2014-11-10
We have a number of shared 2003 web servers provided through Fasthosts. A number of these have been found to have unauthorised files on them (i.e. files that we've not uploaded). Most of these appear to be simple classic ASP files that display the current date and time. However on a couple of sites there's been either a classic ASP or PHP file that creates thousands of files and folders which contain "link farms" to various fake goods websites.

We've removed the malicious content in question and reset FTP passwords on the affected domains. We've asked for assistance from FH, who at present have only advised that the files in question have been uploaded, but not uploaded using FTP. They've suggested the files have been added by exploiting either Javascript or an upload script on the server, and have suggested that we update any CMS systems we may have to remove possible vulnerabilities.

Strange thing is a couple of the sites in question don't have any files on them at all and are only used for email hosting. I've explained this to them and they've said they will investigate further.

I'm confused by their comments to be honest and I think I know the answer to this, but my question is: do any of you out there know if it's possible to post content to a server that would end up in classic ASP / PHP files (with server executable code embedded) being saved to the server without having FTP access?

We have an obvious security concern; in most cases we are the only people with FTP access to the servers in question. Like I said, we've changed the passwords and so far no further code has been found since its discovery (two days ago). Our machines have been checked for viruses and malware and they've come back clear, so it's difficult to know where to begin in trying to prevent this from happening again.

If anyone can provide any advice it will be greatly received. Thanks.
Question by:Declaro
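As an added example (not code from the question or from any of the answers), here is one defender-side check that addresses the question of how to spot unauthorised ASP/PHP files when you only have a copy of what you deployed: a SHA-256 manifest of the deployed site is compared against the current tree (for example a fresh FTP download of the web root), new, changed and removed files are listed, and any that IIS or PHP would execute server-side are flagged first. The directory layout, file names and contents below are constructed for the demonstration and are not from the affected servers.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions IIS (classic ASP) and PHP execute server-side. A new or altered file
# of one of these kinds is the first thing to inspect after a suspected upload.
SERVER_EXECUTABLE = {".asp", ".aspx", ".asa", ".php", ".php3", ".phtml"}


def sha256_of(path):
    """Hash a file in chunks so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(manifest, root):
    """Diff a stored deploy-time manifest against the tree currently on disk."""
    current = build_manifest(root)
    added = sorted(set(current) - set(manifest))
    removed = sorted(set(manifest) - set(current))
    modified = sorted(
        path for path in manifest if path in current and current[path] != manifest[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def executable_changes(diff):
    """Return the added or modified paths a web server would run as code."""
    return [
        path for path in diff["added"] + diff["modified"]
        if Path(path).suffix.lower() in SERVER_EXECUTABLE
    ]


def demo():
    """Constructed scenario: take a baseline, then simulate an incident and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Baseline: the site as deployed (constructed sample content).
        (root / "default.asp").write_text("<% Response.Write Now() %>")
        (root / "index.html").write_text("<html>hello</html>")
        baseline = build_manifest(root)

        # Incident: an unknown PHP file appears, default.asp is altered, and a tree
        # of link-farm folders shows up (all constructed for the demo).
        (root / "x.php").write_text("<?php echo 'placeholder'; ?>")
        (root / "default.asp").write_text("<% Response.Write Now() %><!-- changed -->")
        for i in range(3):
            folder = root / "cheap-goods" / f"item{i}"
            folder.mkdir(parents=True)
            (folder / "index.html").write_text("<a href='#'>placeholder link</a>")

        diff = compare(baseline, root)
        return {"diff": diff, "executable": executable_changes(diff)}


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "modified", "removed"):
        print(f"{kind}: {result['diff'][kind]}")
    print("inspect first:", result["executable"])
```

In practice the manifest is written once from the deployment source (the copy that is known good) and stored outside the web root; each run then downloads the live tree and calls `compare`. The link-farm folders show up as a burst of added HTML under one new directory, which is the pattern the question describes, while the executable list narrows attention to the files that could have created them.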
 
LVL 35

Accepted Solution

by:
Kimputer earned 500 total points
ID: 40428114
Seems you are not in full control of these Windows 2003 servers, and Fasthosts is the full admin? If so, if you have updated all you can on your side (CMS packages), you have done all you can on your side (since FTP passwords were changed, but logs already show it wasn't FTP access that transferred the files). If you have no unknown CMS packages (custom tailored), other unknown script files (php/asp), you have really done all you can (if you are NOT the administrator of the server).
If this is the case, the Windows 2003 server is compromised and it's not your fault (even if you had malicious code, the server admin would be responsible that malicious code is on your part of the webserver, not the whole system).
The admin of the server would need to do a full security sweep of the server (keep OS up to date, keep other key components up to date, like .NET, PHP, MySQL etc), but also do a full malware scan. As you can see, a lot to do, and if you're not the admin, it's just a waiting game and hope they have enough expertise to trace this, or solve this.

Author Comment

by: Declaro
ID: 40432614
Hi thanks for your response, your comments make sense and it would suggest the server(s) have been compromised. They are pushing for all the sites in question to be upgraded to 2008 server as the 2003 platform is no longer supported by Windows. They've refused to investigate sites that have any files on them (as they don't provide code support). 1 domain affected had no files uploaded to it, so they are going to look there first.

Have there been any reported OS vulnerabilities since support has stopped?

Expert Comment

by: Kimputer
ID: 40432643
Actually, you are mistaken. Windows 2003 will receive security updates until July 2015. However, you as a user cannot tell if the admin has put updates on manual install, and maybe forgot a few months. In that case, there could have been some OS vulnerabilities (probably not outright remote, most of them user-initiated (in this case, admin initiated)).

Author Comment

by: Declaro
ID: 40432675
Hi, thanks for the quick response. You're right; I've spoken to our IT dept here who have also confirmed this fact. Strange that FH have said this and are pushing so much to upgrade??

I'll wait to see what comes back from their investigation. Thanks for the response.

Expert Comment

by: Kimputer
ID: 40432717
Since they're the full admin of the servers, I would expect them to help you migrate (hell, if properly done, it will take no downtime, and you won't even notice it was changed).
Even if they don't help you with the migration, they could've at least provided you access to the new host with a temporary hostname for you to start migrating and testing.