Website hosted on Windows 2003 is hacked.

[Paheli]

Hello guys, I comprise a site hosted resting on windows 2003 server. Basically website is running asp.net 1.1. The site is excellent apart commencing one page. The page within question is inside an “admin area” and makes use of Forms Authentication. At what time you are logged in and struggle to go to the page you are redirected to several other pages. If you are not logged in you are in use to the sites normal "you need to login page" as regular. I don’t understand why this is happening. Is my site hacked by any other person? Please help me. Any ideas what I can do?

[Amie]

Fundamentally you been hacked. First edit the message and break that link. Drag your pages offline and establish posting safety examination and review their records of the entire of them and observe if you be able to find it. This is similar to asking "how long is a piece of string" however to attempt to assist through asking some questions. It depends on how far you want to take and what you like then do about it. If it were my company server I would look to find out how they got and if there was some form of monitoring (ie, was an inside job) Would you like to: try to track down hackers - almost impossible.? I just get the patch up and working again as soon as possible? To find out how they got there to help strengthen their defenses for the next time?

[HiSpeed]

My first advice would be to take the server down - I guess you have physical access to it and is not hosted by a third party and have a copy of the records for you to view off-line "while the server is back up and running - I guess you do not want to run a forensic work in this case. After that, patch it with all the latest MS patches. If you would like to just set up then all the MS patch, Firewall, etc. Remove the hacked page and paste it back into the web. Then take a look at the records. If you have MS records, records HTTP Security Server logs, logs of any power and see if you find any anomalies in the records.

[BiGMaCHiNe]

The way I see is that if you've been committed to success has no choice but to reformat the hard drive and reinstall everything. You never know if you've caught any and all malware installed by the attacker. I do not take any chances. Clean the disc and start over. That was one of the things I wanted to add but forgot. You may have no existence. The rootkits that are not detected in the antivirus software or anything. The top line patch that Microsoft says should have been a patch to handle * after * the reconstruction of the operating system.

[Paheli]

Hello thank you for all of your quick replies. And this all information is helpful to solve my issue within some extent. Nevertheless I would like you to ask one more question. The consequence of the hack simply appears to have an effect on one url surrounded by one of my sites, within that at what time this url is requested it redirect to peripheral site. Any ideas n what I be supposed to be looking for? How would they accomplish this? Please share all of your great knowledge with me thank you.

[Connect_Me]

You should know how to alter the code - was a SQL injection or did so by hacking your entry or IIS error? That's what you need to drive through records to see - and hopefully there is a track that - looking for strange POST or whatever should not be there in normal HTTP traffic. At what time the reconstruction of the box, make sure to patch it. In addition, if you are running 2003 SP1 run the security configuration wizard and disable anything you do not need.

[Wguy2008]

I think it's safe to assume that this person changed your log files to ensure that you cannot follow. If you have a database, as you say. My guess is you download your entire database not including your knowledge. Me personally, I would have rooted your server (s), downloaded from your database and then change / edit the log files and I never returned and went alone. Do you have a name in the public domain or are trying to access the local web server LAN? Watch your IP settings, type ipconfig / all and searching the DNS settings. This is a local network / DNS server and router are the ISP DNS ips?