infected IIS

am 05.01.2008 20:55:00 von Kevin

I have a Windows 2003 server running Citrix. The server has been infected
with a virus. I'm not sure what virus. I'm scanning now. What has happened is
as follows:

When I attempt to log on to the Citrix server remotely, the normal login has
been replaced with a website "discount pharmacy". I have checked my DNS and A
records and the mapping is correct. If I disconnect the server from the
internet and attempt to browse, the site times out. Therefore, it is local to
my machine. I have monitored IIS and the server is connected but the "default
website manager" is STOPPED. When I try to start the "default website" it
states that it cannot start because it is being used by another process. The
problem is not Citrix but I need to find out if it would have changed a
registry key that tells Windows to use IIS or does anyone have any ideas?

Any help would be appreciated.
--
Thanks for your help.

Kevin

Re: infected IIS

am 06.01.2008 12:37:32 von David Wang

On Jan 5, 11:55 am, Kevin wrote:
> I have a Windows 2003 server running Citrix. The server has been infected
> with a virus. I'm not sure what virus. I'm scanning now. What has happened is
> as follows:
>
> when I attempt to log on to the citrix server remotely, the normal login has
> been replaced with a website "discount pharmacy". I have checked my DNS and A
> records and the mapping is correct. If I disconnect the server from the
> internet and attempt to browse the site times out. Therefore, it is local to
> my machine. I have monitored IIS and the server is connected but the "default
> website manager" is STOPPED. When I try to start the "default website" it
> states that it cannot start because it is being used by another process. The
> problem is not Citrix but I need to find out if it would have changed a
> registry key that tells Windows to use IIS or does anyone have any ideas?
>
> Any help would be appreciated.
> --
> Thanks for your help.
>
> Kevin

You can use:
NETSTAT -ano

to determine what process has a port open that IIS also wants to use
for "Default Website" and go from there.

Sounds like someone has hacked your server and is running another web
server process to serve up the "discount pharmacy" website. That would
not be an infection.

You should reformat this machine and clean install it.

You may want to do forensics to figure out how someone hacked your
server so that you don't find yourself in the same situation after
rebuilding this machine. I do not see any credible evidence that an
IIS vulnerability led to the hack, so you will have to investigate
further.

To be safe, you may also want to investigate the security of other
related machines in your organization.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
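As an added example that is not part of the original thread: the check David describes (find which process owns the port the Default Web Site wants) can be scripted so the triage is repeatable across the other machines he suggests looking at. The Python below parses the output of `netstat -ano` and `tasklist /FO CSV /NH` and reports the PID and image name of whatever is listening on a port. The embedded netstat and tasklist text is constructed for the example; the PIDs and the `httpd.exe` image holding port 80 are invented, not observations from Kevin's server. Run with `--live` on a Windows host to use real output instead of the sample.

```python
import csv
import io
import subprocess
import sys

# Constructed sample of `netstat -ano` output. Addresses, PIDs and the
# process holding port 80 are invented for this example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2376
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.10:3389      192.168.1.50:51234     ESTABLISHED     1188
  TCP    [::]:80                [::]:0                 LISTENING       2376
  UDP    0.0.0.0:1604           *:*                                    1520
"""

# Constructed sample of `tasklist /FO CSV /NH` output for the same PIDs.
SAMPLE_TASKLIST = """\
"System","4","Services","0","236 K"
"svchost.exe","764","Services","0","5,120 K"
"ImaSrv.exe","1520","Services","0","9,876 K"
"httpd.exe","2376","Services","0","14,204 K"
"svchost.exe","1188","Services","0","7,300 K"
"""


def parse_netstat(text):
    """Turn `netstat -ano` output into a list of dicts, one per socket."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header and blank lines
        proto, local = parts[0], parts[1]
        # The PID is always the last column; only TCP rows carry a State column.
        pid = int(parts[-1])
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        # rpartition copes with both "0.0.0.0:80" and the IPv6 form "[::]:80".
        addr, _, port = local.rpartition(":")
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "state": state, "pid": pid})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    names = {}
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) >= 2 and fields[1].isdigit():
            names[int(fields[1])] = fields[0]
    return names


def listeners_on(rows, port):
    """Sockets bound to `port` that are actually listening (UDP has no state)."""
    return [r for r in rows
            if r["port"] == port and (r["proto"] == "UDP" or r["state"] == "LISTENING")]


def who_holds_port(netstat_text, tasklist_text, port=80):
    """Return sorted (pid, image name) pairs for processes listening on `port`.

    On Windows Server 2003, IIS 6 serves HTTP through the kernel driver
    http.sys, so a healthy IIS box shows PID 4 ("System") on port 80.
    A user-mode image holding the port is what stops the Default Web Site
    from starting and is the process to investigate.
    """
    names = parse_tasklist(tasklist_text)
    hits = listeners_on(parse_netstat(netstat_text), port)
    return sorted({(r["pid"], names.get(r["pid"], "<unknown>")) for r in hits})


def live_output():
    """Collect real output on a Windows host (assumes netstat and tasklist on PATH)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True, check=True).stdout
    return ns, tl


if __name__ == "__main__":
    if "--live" in sys.argv and sys.platform == "win32":
        netstat_text, tasklist_text = live_output()
    else:
        netstat_text, tasklist_text = SAMPLE_NETSTAT, SAMPLE_TASKLIST
    for port in (80, 443):
        holders = who_holds_port(netstat_text, tasklist_text, port)
        if not holders:
            print(f"port {port}: nothing listening")
        for pid, image in holders:
            print(f"port {port}: pid={pid} image={image}")
```

On the sample data the script reports `httpd.exe` (PID 2376) on port 80 and nothing on 443. When run live, the image name is only a starting point: an attacker-placed binary can be named anything, so confirm it with the full path and signing information from Task Manager or Process Explorer before drawing conclusions, and note that a `System` (PID 4) listener on port 80 is IIS's own http.sys, not a foreign process.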