I have an Azure VM running Windows 2008 R2 Server. I have a web site running on the server under IIS 7.5. About 1 month ago, my VM was invaded and the person managed to create a new user (junjun), and upload 2 files with malicious code.
I cleaned it, uploaded my files, created IP restrictions for RDP access, but I still have a very strange issue involving a 404 error page. It looks like something is forcing my pages to return a 404 error or 500 server error page, and once this is done, it is using my own 404 / 500 pages but rewritten with some javascript codes and spammy links.
If I type my pages directly, the pages are normal, but if I search them with "search as Google" the codes show up. One is written inside head tags, the others right before closing html tag, and all the links are rewritten (even commented ones).
Is anyone having the same issue?
the links point to Louis Vuitton, Goosenews, and the code has some page_speed related script. All info from the hacker (site, Google user name and code) show at the end of the last script, just before closing html tags.
Thanks