
Hacked - Need help asap please.


Tagsley (IS-IT--Management, US), Jun 25, 2002
Came in this morning and found none of the workstations had access to the W2K Server. Checked the server and was able to log in as several users, but unable to connect to resources.

When logged in as the administrator, I was unable to access the Active Directory, nor was I able to change the share rights on shared directories.

I checked the Security Event log and it appears that someone wiped the Audit log on Friday 7:00pm using an account that had been previously disabled. That account had only basic user access when it was active.

Please help if you know a way for me to-
1. Restore access to the Active Directory so that I can restore user rights, et al. It seems that my Exchange Server and Veritas Backup are also offline due to logon failures.
2. If there is no way for me to gain access to the Active Directory to reset privileges, do I have to do a full reinstall? I do not have a valid Rdisk /s. I am concerned about being able to bring my Exchange Server up if I have to do a reinstall.
3. Could this have been an external hack job, or is it more likely that someone did it from the server terminal? The server terminal is usually left open.

Thanks in advance for your help. I will check this thread frequently if you have any questions for me.

Mark
 
This is every admin's worst nightmare...

Obviously the AD is demolished if you can't even access it. So, have you tried restoring AD? If you have a good backup you can uninstall/reinstall AD, then restore what you have from backup. That is probably the quickest resolution. I would demote AD from all DCs and then just focus on one in particular and work outward from there once you are sure it's ready to replicate. **** I'm saying all this assuming you are VERY SURE you have a good backup of AD from before this happened. **** Cause when you go to remove AD it will say ALL USER ACCOUNTS WILL BE DELETED, and THEY WILL once you remove AD from the last DC.

If your users can handle being set back to whenever your last good backup was, I'd uninstall/reinstall AD first thing, or you can take the next who-knows-how-long to piece it all back together!!

Something you might wanna keep in mind: Find out where the attack or possible mistake came from!!!

Snooter

"'Tis better to remain silent and be thought of as a fool
than open your mouth and remove all doubt" Mark Twain

"I should have been a doctor..." Me
 
Thank you Snootalope. I don't have a good AD backup, but I can reinstall the settings quickly enough. It's just a 10 person office. Thanks for your help.

Mark
 
It would be wise, if your server has been compromised, to format and reinstall... Don't install over the current OS, format. You have no real way of telling what they planted to allow them access. And I would start by removing all accounts except admin, and then add accounts that will be used. Having an account, even disabled, that isn't used can cause problems as you now see. Also, unless you use it I would disable NetBIOS, which can cause real problems.
 
I found the following files that were new as of Friday-

Polaris.zip which contains mirc.exe and some other things
Padus.discjuggler.professional.edition.v4.01.1002.winall.regged-jazz.tar which contains a Jazz.nfo file and a bunch of other tars
Stylexpinstall_1_0_1m.rar which I have no idea about

Also the directory has a Tar.exe file that seems to have been there a while.

These things don't sound so good :( Do any of them sound familiar to you?

Mark


 
They were running an FTP server off your Server to distribute warez.

Jazz files are compressed (something like zip) as well as rar files too.
 
Wow. How did they do that? I am about to do a full reinstall, but how can I detect/stop someone from doing this?

Thanks for your help!

Mark

ps - Does this mean that they had a backdoor installed? If so, Norton Corp. Server didn't detect it :(
 
Someone most likely exploited a vulnerability that you hadn't patched/known about.

I know people who do/have done this and it's amazing how long something on a corporate server can sometimes go unnoticed by an admin. They most likely would have installed a backdoor once they were in, just in case you got their other entries blocked. By demolishing your AD, though, they more or less announced themselves to you and told you they were there. Make sure you've got all the latest security patches before you put it back up again, and check your other DCs as well now.

Check for the following list of files:

*.MPG
*.RAR
*.ZIP (You will naturally have some of these but they are also used to try and make Admins think they are sys files)
*.ASF
*.MP3
*.WMA

You may also want to enable the View Hidden folders and go into your %systemroot% directory and check for unknown directories.

Most common directories used are PUB and UPLOAD. They are usually buried in the %systemroot%\system32 directory or in your %programfiles% directory with another app somewhere. It's a pain in the ass finding it. Best to check your Task Manager and find and terminate any processes that aren't related to your Server Install.
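The file and directory checks in this reply, written up as an added Python sweep (example code, not anything posted in the thread). It walks a constructed sample tree laid out like the poster's %systemroot%, flags the listed extensions, PUB/UPLOAD directory names and anything modified after a cut-off date (the "new as of Friday" test from earlier in the thread); the sample paths and timestamps are assumptions built in a temp directory so it runs offline.

```python
import os
import tempfile
from datetime import datetime, timedelta

# File types the reply says warez droppers leave behind.
SUSPECT_EXTS = {".mpg", ".rar", ".zip", ".asf", ".mp3", ".wma"}
# Directory names the reply says get buried under system32 / Program Files.
SUSPECT_DIRS = {"pub", "upload"}


def sweep(root, modified_after):
    """Walk root; return sorted (reason, posix-style path relative to root) findings."""
    findings, cutoff = [], modified_after.timestamp()
    rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")  # same output on any OS
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in SUSPECT_DIRS:
                findings.append(("suspect-dir", rel(os.path.join(dirpath, d))))
        for f in filenames:
            path = os.path.join(dirpath, f)
            if os.path.splitext(f)[1].lower() in SUSPECT_EXTS:
                findings.append(("suspect-ext", rel(path)))
            if os.path.getmtime(path) >= cutoff:  # new since the cut-off (e.g. last Friday)
                findings.append(("recent", rel(path)))
    return sorted(findings)


def build_sample_tree():
    """Constructed tree mimicking the thread's %systemroot% layout; not a real system."""
    root = tempfile.mkdtemp(prefix="w2k_sweep_")
    now = datetime.now().timestamp()
    old = now - 30 * 86400  # a month old: the legitimate files
    files = {  # relative path -> mtime
        "winnt/system32/drivers/etc/hosts": old,
        "winnt/system32/drivers/etc/Polaris.zip": now,
        "winnt/system32/pub/jazz.nfo": now,
        "winnt/system32/tar.exe": old,
        "Program Files/app/UPLOAD/clip.mpg": now,
    }
    for relpath, mtime in files.items():
        path = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (mtime, mtime))
    return root


def run_demo(days=3):
    """Sweep the constructed tree for anything touched in the last `days` days."""
    return sweep(build_sample_tree(), datetime.now() - timedelta(days=days))
```

Calling `run_demo()` returns the findings as (reason, path) pairs; on a real box you would point `sweep()` at %systemroot% and %programfiles% with the date of the last known-good state as the cut-off.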
 
Tag, install a hardware firewall. You can use all the software ones etc. but none are as good as a standalone one. If you need to use any, try using something like Winroute Pro; this enables NAT on the network cards or modem connections and is nearly impregnable to hackers. If you can spend cash, try a small NetPilot, or I have a hardly used enterprise NetPilot here if you want a mail server and other goodies, but that's about 2k. If you need something that doesn't need any maintenance, or you're a bit rusty on the old config firewall stuff, there's a company in the UK I know of that are cheap and install a managed firewall running Linux and that's foolproof: you pay for a small server, a 400 pound Dell PC, and they install the firewall and manage it for a small fee, about 90 pound to 200 a month. What you've got to look at is the amount of money lost for the crash: does this outweigh the cost of a firewall, or can you survive being hacked? It's a bugger, I know, but I have about 16000 attacks a month here, but luckily I'm well guarded.
 
Thanks for all the info. Finally got everything reinstalled, but concerned that we might get hacked prior to installing a decent firewall.

We can spend about $1000 on a firewall solution, but the difficulty is that we have people that travel with laptops that will need access to our Exchange Server from various IPs. Any suggestions would be very welcome.

Mark
 
I would set up a router between your lan and wan using NAT.
Ensure all clients and servers are using NON INTERNET addresses (10.x.x.x or 192.168.x.x).
Then on your router map thru the relevant ports that are required to be visible on the net - i.e. if your EXTERNAL ip address was 1.2.3.4 and your 2000 server was an internal address of 10.0.0.2, I would map the relevant ports through using port address translation from 1.2.3.4 to 10.0.0.2 - The favourite ports are 25 for smtp, 80 for http web, 110 for pop3.
This would ensure that all network services that you don't want propagated to the outside world are kept local.
You can set up a firewall also, but the NAT and port translation method is cheaper and easier to configure and doesn't expose any other ports to the net -

It sounds like you were either running an FTP server or had file sharing enabled to the outside world. When you have a server that allows print and file sharing enabled for the LAN, by default, print and file sharing is enabled on the internet connection also (if your server has a real world IP address assigned to it). Print/file sharing runs on ports 137, 138, 139.
 
The Watchguard Firebox 700 is an excellent firewall to use for this situation. The Firebox will handle VPN sessions so your users can connect securely to your network.

Watchguard will almost setup the firewall for you if you dont know how and they have a good online training system.

I secured a 10 state WAN with 30 VPN branch offices and 24 dial-up users with a Firebox and never had a successful attack.

Doomhamur
Network Engineer

"Certifications? We don't need no stinking certifications."
 
Ack! F1lby! That must be what happened. The W2k Server has a public IP address, and we had no idea that all the shares would be visible from outside our LAN. That would explain why some of the uploaded files were in the c:\winnt\system32\drivers\etc directory I suppose.

How can we prevent similar access until we can get a firewall installed? The only ports that we need to share are POP, SMTP, HTTP, and Exchange. Is there something that we can do in the meantime? Can I limit shares by IP address without losing access to my Exchange Server?

I have had bad luck trying to portmap to an Exchange Server on previous attempts. I followed the MS docs, but while the external clients could resolve their names, they could never connect. Any thoughts on this?

We will probably end up going with a Watchguard box or Sonic-something. Is there much difference between the two?

Thanks again for all the help. I am deeply appreciative of all the support I have gotten here.

Mark




 
Questions:

1. What type of internet connection do you have and what device does it use?
2. How is your server connected to the internet connection device?
3. If you are using a router, what is the make and model?

Answering these questions will help me help you better.

Thanks

Doomhamur
Network Engineer

"Certifications? We don't need no stinking certifications."
 
If you do go the firewall route, the Sonicwall units ('he says from experience') are extremely good and friendly.
If you're running ADSL, a cheapy ADSL router does the job very well.
As per the previous question, how do you gain access to the net?
 
We use DSL to the Internet with fixed IPs for the LAN.
We use a Netopia R7200 SDSL Router with a Covad ensignia on the top.
There is nothing between the Server and the Router except a 10/100 switch.

Thank you for the help.

Mark
 
We use DSL to the Internet with fixed IPs for the LAN.
We use a Netopia R7200 SDSL Router with a Covad ensignia on the top.
There is nothing between the Server and the Router except a 10/100 switch.

Thank you for the help.

Mark
 
Do you have admin access to the router?
If not, you'd be advised to get a dual ethernet router / firewall.
Or as a cheapy (but VERY good alternative), find an old spare PC (P200 or better), bung in 3 well known NICs (3com 3c905 or similar would be good) and load a copy of Smoothwall on it. It's an ISO file.
I'm evaluating it at the moment and as a secure solution it works VERY well. It's based on the Linux kernel but there's no Linux shell to worry about. Burn the image onto a CD, then let it boot from CD. It will overwrite all data on the hdd and create a standalone firewall. No Linux knowledge required....
 
I have been following this conversation for a while and I believe I too was also hacked at one point. I am running Win2k Server and I had FTP enabled. At one point last month my bandwidth died down to a crawl. It took me a long while to figure this out and I lost several clients from it. I disabled the FTP and bandwidth was restored. I think this was an attack. Maybe it wasn't. I am on a fixed IP and going through a router. All the machines on my network have non-internet IPs assigned to them from the router. We are a small web hosting company and I am relatively new at Win2k and would welcome any advice and tips to keep my server up and healthy.



Thanks
David C
 
Hello,
I have some experience with Netopia routers. They can be made secure but you will need admin access to it. Tell your ISP you got hacked and they should give it to you.

the 7200 has a good firewall with NAT and MultiNAT and even includes VPN software.

You can find the FAQs on how to configure and secure your network at
Also download the Network Baseline Security Analyzer from Microsoft, install it on your workstation and run it against your server. It will make recommendations on how to secure it.

Download the IIS Lockdown tool from Microsoft and run it on your server.

If you are using Exchange, read this first:

If you will take the time to do these things you will bring the chance a hacker has to make a successful attack down to a minuscule level.

Have a nice day

Doomhamur
Network Engineer

"Certifications? We don't need no stinking certifications."
 