
One of our company's servers seems to have fallen victim to a PHP backdoor attack. I've managed to locate and close several holes, but one seems to persist that is writing a PHP webshell backdoor into our C:/windows/temp.

Microsoft Security Essentials seems to do a good job of detecting this threat and removing it before it can execute, but the problem is I need to view the file's security properties to see which app pool is creating these files (we have about 16 different sites on this server).

Does anyone know of a program or a way to monitor file writes to C:/windows/temp?

NSjonas

2 Answers


First:

You should restore from a known good backup. At the very least, scan the server offline using a rescue CD of some kind. With that out of the way...

Next:

Use Process Explorer to see deeply into process and file activity. You can also use security policy to audit filesystem access. However, since the server is compromised, I wouldn't trust anything that it tells me.

Nuke it from orbit!

Wesley
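The "security policy to audit filesystem access" route above can be scripted. The following is an added example, not part of the original answer: it turns on the File System audit subcategory, puts a SACL on C:\Windows\Temp so that file creation and writes are logged as Security event 4663, and then reads those events back and groups them by the account and process that did the writing. On IIS, every site runs inside w3wp.exe, so the process name alone does not tell the pools apart; the SubjectUserName/SubjectDomainName fields do (pools running as ApplicationPoolIdentity show up as IIS APPPOOL\<pool name>). The path and the `*.php` pattern are taken from the question; the lookback window of one day is an assumption for illustration. Run it from an elevated PowerShell prompt, and keep the caveat from the answer in mind: this is evidence gathered on a box you already consider compromised.

```powershell
# Added example: audit writes to C:\Windows\Temp and attribute them to an app pool.
# Requires an elevated prompt (SeSecurityPrivilege is needed to read/write SACLs).

$watchPath = 'C:\Windows\Temp'        # path from the question
$pattern   = 'C:\Windows\Temp\*.php'  # webshell file pattern from the question
$lookback  = (Get-Date).AddDays(-1)   # assumption: how far back to read events

# 1. Enable object-access auditing for the file system (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry so that anyone creating or writing files under the folder
#    generates a 4663 event. CreateFiles and AppendData cover new files and writes.
$acl  = Get-Acl -Path $watchPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $watchPath -AclObject $acl

# 3. Later: pull the 4663 events, flatten the EventData fields, and keep only
#    the ones that touched a .php file under the watched folder.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $lookback
} -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.ObjectName -like $pattern) {
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Process = $data.ProcessName          # expect ...\inetsrv\w3wp.exe for IIS
            PID     = [int]$data.ProcessId
            Object  = $data.ObjectName
            Access  = $data.AccessMask
        }
    }
}

# 4. One row per (account, process): for IIS this is one row per app pool.
$hits | Group-Object Account, Process |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

If all pools run under one shared service account the Account column will not separate them; in that case note the PID from the event and map it to a pool with `%windir%\system32\inetsrv\appcmd list wp`, which prints each worker process ID together with its applicationPool name. Remember to remove the SACL afterwards, since auditing writes to a temp folder is noisy.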

For the one-off answer, Microsoft Sysinternals Process Monitor will watch any file activity that you desire and a bit more.

Jeff Ferland
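For the Process Monitor approach, here is an added example (not part of the answer above) that runs Procmon unattended from PowerShell, captures to a backing file for a fixed window, converts the capture to CSV, and reports which process and PID wrote `.php` files under C:\Windows\Temp. The path and file pattern come from the question; the capture duration, file locations and the assumption that procmon.exe is on the PATH are choices made for this example. The `/AcceptEula`, `/Quiet`, `/Minimized`, `/BackingFile`, `/Terminate`, `/OpenLog` and `/SaveAs` switches are Procmon's own command-line options; the CSV column names used below are Procmon's default export columns.

```powershell
# Added example: unattended Procmon capture, then attribute .php writes
# under C:\Windows\Temp to a worker process and its IIS app pool.

$pml      = 'C:\ProcmonCapture.pml'   # assumption: where the raw capture goes
$csv      = 'C:\ProcmonCapture.csv'   # assumption: where the CSV export goes
$seconds  = 600                        # assumption: capture window (10 minutes)
$pattern  = 'C:\Windows\Temp\*.php'    # file pattern from the question

# 1. Start Procmon in the background, logging straight to a backing file.
Start-Process procmon.exe -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
Start-Sleep -Seconds $seconds

# 2. Stop the capture and convert the PML to CSV.
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait
Start-Process procmon.exe -ArgumentList "/OpenLog `"$pml`" /SaveAs `"$csv`"" -Wait

# 3. Keep only file-creation and write operations that hit the webshell pattern.
#    Procmon's default export columns: Time of Day, Process Name, PID,
#    Operation, Path, Result, Detail.
$writes = Import-Csv -Path $csv | Where-Object {
    ($_.Operation -eq 'CreateFile' -or $_.Operation -eq 'WriteFile') -and
    $_.Path -like $pattern
}

# 4. Map each worker-process PID to its IIS application pool using appcmd,
#    whose output looks like:  WP "1234" (applicationPool:MyPool)
$poolByPid = @{}
& "$env:windir\system32\inetsrv\appcmd.exe" list wp 2>$null | ForEach-Object {
    if ($_ -match 'WP "(\d+)" \(applicationPool:(.+)\)') {
        $poolByPid[[int]$Matches[1]] = $Matches[2]
    }
}

# 5. One row per offending (process, PID), with the app pool when it is a w3wp.exe.
$writes | Group-Object 'Process Name', PID | ForEach-Object {
    $procPid = [int]($_.Group[0].PID)
    [pscustomobject]@{
        Process = $_.Group[0].'Process Name'
        PID     = $procPid
        AppPool = if ($poolByPid.ContainsKey($procPid)) { $poolByPid[$procPid] } else { '(not an IIS worker)' }
        Writes  = $_.Count
        Paths   = ($_.Group.Path | Sort-Object -Unique) -join '; '
    }
} | Format-Table -AutoSize
```

The PID-to-pool mapping is only valid while the worker processes captured are still running, so run the appcmd step right after the capture ends rather than after an IIS reset or recycle. If the writer turns out not to be w3wp.exe at all (for example a scheduled task or a service the attacker left behind), the Process column still names it, which is the other thing the capture tells you.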