Malicious Code Being Uploaded to Windows 2003 WebServer (with classic asp and php scripts enabled)
Posted on 2014-11-07
We have a number of shared 2003 web servers provided through Fasthosts. A number of these have been found to have unauthorised files on them (i.e. files that we've not uploaded). Most of these appear to be simple classic ASP files that display the current date and time. However on a couple of sites there's been either a classic ASP or PHP file that creates thousands of files and folders which contain "link farms" to various fake goods websites.
Strange thing is a couple of the sites in question don't have any files on them at all and are only used for email hosting. I've explained this to them and they've said they will investigate further.
I'm confused by their comments to be honest and i think I know the answer to this but, My question is do any of you out there know if it's possible to post content to a server that would end up in a classic ASP / PHP files (with server executable code embedded) being saved to the server without having FTP access?
We have an obvious security concern, in most cases we are the only people with FTP access to the servers in question. Like i said we've changed the passwords and so far no further code since it's discovery (two days ago) has been found. Our machines have been checked for virus's and malware and they've come back clear, so it's difficult to know where to begin in trying to prevent this from happening again.
If anyone can provide any advice it will be greatly recieved, Thanks.