One of my dedicated servers (Windows 2003) got hacked by Russian spammers who installed AMS mail software.
The hosting provider is slow to respond; it's been over 24 hours. That's the trouble with small companies.
So I've been trying to see if I can get it back.
The site is running PHP/MySQL/IIS. PHP has curl, zip, gd, imap and mcrypt support.
There were two admin accounts, but the passwords on them have been changed, and so have those on most of the other local accounts.
I'm able to write to any file using MySQL OUTFILE, so I used that to write files and execute PHP code. I can run basic limited-account commands such as net user, but I can't change the password using net user administrator newpassword.
The limited account I have access to is the default I_USER account for IIS.
I was able to upload some of the PHP shells such as c99, which was great for file browsing but not much more than that. I checked open ports to see if the malware had added a backdoor or anything I could jump into; I didn't see anything except a lot of email being sent out to Taiwan and IPs pointing to Russia.
Right now I am leaning towards using MySQL OUTFILE somehow to restore access, but I'm not sure what to write to. I believe MySQL runs under a system-level account, so it should be able to write to any file. I wrote a batch file to the startup folder to change the passwords for the accounts if they try to log in again. Basically I want to see if there is a file I can write to that would be executed if I reboot the server, or any other idea.