Hi, my name is Tom, I'm new to the forum and have a serious server problem.
I'm running Windows 2K3 SP2, dedicated server hosted at a data center. I've had the server for a few months, no issues. Recently I started getting hit with IIS problems. (This box is serving out pages and handling email as well.)
I ran AVG, it found 2 backdoors. I checked user accounts and found 2 user accounts that I never made. I deleted the accounts. In Event Viewer for Security I see a ton of anonymous logon successes, so I enabled BlockAnonymous under LSA in the registry. That took care of the anonymous logons. However, there is still an active connection in netstat; it shows up as a different port every time I reboot, in the range of 1025-1029, with PID 780. netstat shows:
seclogon
(svchost.exe)
Port: 1029
from an IP I do not recognize. As soon as I kill the process in Task Manager I see an event trigger in the Security portion of Event Viewer with "Anonymous User Logoff". If I reboot the server, the same process under svchost.exe starts, and if I kill the process, same thing in Event Viewer. The server is up to date as far as patches and critical updates. I've run every virus scanner known to man and found everything I could. I also found one on my own that no virus scan found, which was ys.exe, no file info or anything, running as a process. I renamed it and removed any known path in the registry.
I should also explain, when I first got the server I set up Windows Firewall to allow the normal RDP exception, port 80 for IIS and whatever else was needed. However, it seems Windows Firewall for 2K3 Server does not handle IIS with multiple sites under various IPs. Basically I am running my sites off the IP range x.x.x.226-x.x.x.229; if I enable the firewall only the default site x.x.x.226 is displayed. If I try to browse to any other site using an IP above 226 it times out as if the server is down. So long story short, somewhere along the line IIS or another process killed Windows Firewall and turned it off, so everything is wide open.
Which leads me to my next question... what is a good firewall to use that will allow multi-IP hosting through IIS?
Thank you everyone for your help!
I will stick around and contribute to as many posts as I can!
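The triage the post describes, tying an unexpected ESTABLISHED connection in netstat back to the owning PID and the service that svchost.exe instance hosts, can be scripted so it is repeatable after each reboot. The following is an added example, not code from the original thread: it parses constructed `netstat -ano` and `tasklist /svc` output (both commands exist on Windows Server 2003) and flags established connections to unrecognised peers that are not hitting a deliberately published port. The IP addresses (RFC 5737 documentation ranges), PIDs, service names, the published-port set and the trusted administrator address are all assumptions.

```python
"""Triage netstat -ano / tasklist /svc output for unexpected connections.

All sample data below is constructed for this example; it is not output
from the server in the post. PIDs, services and addresses are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Ports this box deliberately publishes (assumption: web, SMTP, RDP).
PUBLISHED_PORTS = {80, 25, 3389}

# Remote addresses the admin recognises (assumption: the admin's RDP source).
TRUSTED_REMOTES = {ipaddress.ip_address("203.0.113.10")}

# Windows Server 2003 default dynamic (ephemeral) port range.
DYNAMIC_PORT_RANGE = range(1025, 5001)

# Constructed sample in the layout of `netstat -ano` on Windows Server 2003.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    192.0.2.226:80         198.51.100.23:51022    ESTABLISHED     4
  TCP    192.0.2.226:3389       203.0.113.10:49731     ESTABLISHED     1120
  TCP    192.0.2.226:1029       198.51.100.77:4444     ESTABLISHED     780
"""

# Constructed sample in the layout of `tasklist /svc`.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    780 seclogon
svchost.exe                   1120 TermService
"""

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(.*?)\s*$")


@dataclass(frozen=True)
class Connection:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    pid: int


def parse_netstat(text):
    """Return the TCP rows of netstat -ano output as Connection objects."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conns.append(Connection(m.group(1), int(m.group(2)), m.group(3),
                                    int(m.group(4)), m.group(5), int(m.group(6))))
    return conns


def parse_tasklist(text):
    """Map PID -> (image name, hosted services) from tasklist /svc output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:  # header and '====' separator lines carry no digits and do not match
            procs[int(m.group(2))] = (m.group(1).strip(), m.group(3))
    return procs


def triage(conns, procs, published=PUBLISHED_PORTS, trusted=TRUSTED_REMOTES):
    """Return established connections that need a human look.

    A peer connected to a port we publish is ordinary client traffic, and a
    trusted admin address is ignored. Anything else that is ESTABLISHED means
    this host either initiated an outbound session (local port in the dynamic
    range) or is accepting connections on a port nobody meant to expose.
    """
    flagged = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        if ipaddress.ip_address(c.remote_ip) in trusted:
            continue
        if c.local_port in published:
            continue
        flagged.append(c)
    return flagged


def describe(c, procs):
    """Human-readable line for one flagged connection, with process context."""
    name, services = procs.get(c.pid, ("<unknown>", ""))
    direction = "outbound?" if c.local_port in DYNAMIC_PORT_RANGE else "inbound on unpublished port"
    return (f"PID {c.pid} {name} [{services}] {c.local_ip}:{c.local_port} "
            f"<-> {c.remote_ip}:{c.remote_port} ({direction})")


def run_sample():
    procs = parse_tasklist(TASKLIST_SAMPLE)
    return [describe(c, procs) for c in triage(parse_netstat(NETSTAT_SAMPLE), procs)]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On a real host, save `netstat -ano` and `tasklist /svc` output to files and feed them to `parse_netstat` and `parse_tasklist` instead of the samples. In the constructed data only the PID 780 connection survives the filter: Secondary Logon (seclogon) has no reason to hold a session with a remote address, and a local port inside the dynamic range means the server side opened that session, which is exactly the detail worth pulling out before the next reboot changes the port number again.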

Could it have been an exploit attack through IIS?
I don't know all that much about firewalls, but have you tried a hardware-based solution?
PC LOAD LETTER.

