I have a Windows Server 2019 VPS for hosting websites. It has all the latest updates. But somehow there is a (partial) hacking attempt. I first noticed it by the SMS I got for high CPU usage of the Microsoft Register Server (regsvr32.exe). With the help of this site and Process Explorer I found that the cause was a DLL in the ProgramData folder.

There I found a zip with the name set.zip, containing the following 5 files: comhij.dll, let.exe, rn.bat, x.mof and xg.dll. It seems that the .bat file got executed and was running the script. But it failed somehow, maybe Windows Defender or something else was blocking it, causing the high CPU. I know this because the last lines in the .bat cause it to delete itself, and I could not find any of the changes the script wanted to make.
I copied the zip to my own PC, and Norton 360 immediately identified the let.exe as Hacktool, the comhij.dll as Trojan Horse and xg.dll as Trojan.Get.MTB.
The Server has the Windows Firewall active and at the provider level TransIP there is also a Firewall active.
I was able to find out that the set.zip was created by one of the AppPools (hosting a DotNetNuke CMS, if that matters) with no FTP access.

So my question is: how do I find out how this happened, and how can I prevent it in the future? And how can an AppPool write a file to disk outside its root directory? On request I could post the entire .bat script.
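Two checks that help answer the last question, as an added example that is not part of the original post: an ACL audit that lists which folders the application pool identity (or the broad built-in groups it belongs to) is allowed to create files in, and, if process-creation auditing is enabled, a query for recent regsvr32.exe launches with their parent process. The pool name `DNNPool`, the site path `C:\inetpub\wwwroot` and the list of principals are assumptions to be replaced with the server's real values; the event 4688 property positions are taken from the usual Server 2016/2019 layout and should be verified against one event on the host.

```powershell
# Added example (not from the original post). Run as an administrator on the server.
# Placeholder pool name: replace with the real pool name shown in IIS Manager.
$PoolName = 'DNNPool'

# Principals an ApplicationPoolIdentity account normally resolves to at access-check
# time: the virtual account itself, IIS_IUSRS, and the built-in groups that every
# authenticated account is a member of. This list is an assumption; extend it if the
# pool runs under a custom service account.
$Principals = @(
    "IIS AppPool\$PoolName",
    'BUILTIN\IIS_IUSRS',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

# Any one of these rights is enough to drop a file into a folder.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]$R::CreateFiles -bor [int]$R::CreateDirectories -bor
             [int]$R::Write -bor [int]$R::Modify -bor [int]$R::FullControl

# Folders worth auditing: ProgramData (where set.zip was found), the system temp
# folder, and the site root (placeholder path, use the real one).
$Folders = @(
    $env:ProgramData,
    "$env:SystemRoot\Temp",
    'C:\inetpub\wwwroot'
)

function Get-WritableAces {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Folder    = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

# If "Audit Process Creation" (and ideally command-line logging) is enabled, event 4688
# shows who started regsvr32.exe and from which parent process. Assumed property
# positions: 5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName.
function Get-RegsvrLaunches {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -match 'regsvr32\.exe$' } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Process     = $_.Properties[5].Value
                CommandLine = $_.Properties[8].Value
                Parent      = $_.Properties[13].Value
            }
        }
}

"Folders the pool identity (or its groups) can create files in:"
$Folders | ForEach-Object { Get-WritableAces -Path $_ } | Format-Table -AutoSize

"Recent regsvr32.exe launches (empty if process auditing is off):"
Get-RegsvrLaunches | Format-Table -AutoSize -Wrap
```

If the first table shows `BUILTIN\Users` or `Authenticated Users` with `CreateFiles`/`AppendData` on the ProgramData folder, that is the answer to why a pool identity can write there even though the site root is elsewhere; the usual mitigations are running the pool under a dedicated low-privilege identity, removing those inherited write rights from folders the site does not need, and turning on process-creation auditing so the second query has data next time.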