Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: ocean10000
Anyone had such experience before?
Also, please recommend a good anti-virus program for Windows Server 2003. This is for a dedicated web server (IIS 6 on Windows 2003 Server).
Thanks in advance.
Basically changing the passwords, will only get you so far if they exploited a program on the server, more then likely they can do it again, and you will end up in the same situation.
There is always the possibility that they attackers installed a root kit on your machine, and anything you do besides a full format/reinstall might not be able to remove it.
I would reformat and reinstall to be sure, then it is essential you patch and lock down the system, and then keep up to date with patches.
AV software installed on your server won't necessarily protect against attacks where the server is compromised, you have to lockdown the box (see Securing IIS6 [microsoft.com]) and keep up-to-date with patches.
I think you should be able to check the footer setting in IIS MSC, it's in "Web site properties" -> "Documents" tab -> "Enable document footer" on IIS5. HTH.
Footer setting in IIS are not modified. Moreover the extra line is at the top. Most probably this virus is latest version of JS.Toofer
JS.Toofer used to modify the physical file on server. But in our case the HTML gets added even though it does not exist in the file.
When we start WWW services, pages work fine for few minutes, and then randomly it starts inserting the extra HTML line. So the HTML may appear sometimes and not not the other times .. certainly is not coming from the file itself, but somewhere else, at the IIS level.
Moreover, this happens for not just one but all sites hosted on the server.
Updates: we do regularly. Securing IIS link will certainly help.
The problem still exists so are having to keep our sites down ... until we find the problem.