
HELP!! Server 2003 being hacked

Status
Not open for further replies.

Tona955 (Technical User), Oct 19, 2007, GB
Hi all,
I have a client with Windows 2003 which I recently rebuilt due to a hard drive failure. There are five XP workstations and a Netgear router for internet access through a home broadband service (Wanadoo, UK) with a dynamic IP address.
Norton Corporate 10 for antivirus and Veritas Backup Exec for backups.
For the past month since the rebuild I have noticed accounts set up in the AD that I have not set up; examples are xxx, sex, meagain, onlyme etc., coming in through RDP I think. I managed to remote onto one of his TS sessions one night and found him listing some item on eBay. I managed to write down some email addresses and IP addresses but am not sure what I can do with this information.

I keep restarting the router in order to renew IP addresses, and I have changed all passwords with no luck. I need RDP open for support, and the client also uses RDP at times.

The hacker has not done anything destructive as yet, so I am not sure what his purpose is.
The IP address that he used takes me to some company or ISP in China.

I would really appreciate some help with this as I do not trust the server.

Many thanks in advance.

Kind Regards
 
First and foremost, contact your local law enforcement. They can give you information about who else needs the information you have. You might also drop a note to the handlers at as they should have some good tips for you as well.

Second, give up on the server. At this point, there is no way you can save it. You need to take what backups you can and rebuild it from scratch. The first thing this hacker probably did was install back doors that you will not be able to find, no matter how hard you look. If you have things partitioned, your data may be okay, but you still will want to restore each item individually and make sure that it is really your information. Don't lay back down an image as it is probably corrupted too.

There are some good guides out there on the internet for securing Windows 2003, most of the best are from Microsoft. Do a search on TechNet or with Google to find them and follow their suggestions. There are secure ways to set this up, but you have to be careful any time you expose a DC to the internet. You might look into a VPN solution that would allow you to turn off RDP from non-local IP netblocks. As long as the VPN is secure, you can still remotely access it.
 
Hi
Many thanks for the prompt response, you have given some good suggestions and information. I was kinda thinking that a reformat and a rebuild would be required.

I shall also check out the relevant organisations.

Thank you once again.
 
Sounds very familiar.....

Same MO as I had with a hacker on a network I was called in on. I RDPed into the network at 5 am to catch him; the hacker was using the server to purchase items from eBay, Amazon etc. If halfway smart he has used multiple networks to get to yours to cover his tracks, has temporary email addresses, has ordered items sent to motels which he stays in only for a few days or to a large business's address at which he has access to the mail room. If smart, almost impossible to catch him.

"I keep restarting the router in order to renew IP addresses, I have changed all passwords with no luck, I need RDP open for support an the client also used RDP at times."

Sounds like the hacker has key loggers on your network or remote endpoints. The guy who hacked the network I was called in on had at least 6 individual programs, on multiple machines. He also manipulated Symantec to ignore the key loggers. As long as the key loggers are in place, passwords are useless. Consider all credit card and bank PIN numbers entered via any of the machines compromised.
Luckily I cleared the network of the key loggers, but it required scanning with multiple AV scanners and a manual search of all directories on all machines...very tedious, and as Jet042 points out, you're extremely lucky if you can find all the malware created by the hacker. In my case, the hacker logged in with an admin password and upgraded "users" to have admin powers at the beginning; later on he created new users (which was stupid on his part).

If there is any chance anyone with admin passwords has a wireless network, suspect this as an avenue for placing key loggers on machines; for that matter a key logger can install through an email attachment..all it takes is one compromised machine, either at work or home.
Agree with Jet042, RDP via VPN is more secure.

"The hacker has not done anything destructive as yet"
If he gets a mite angry, he will wipe your entire network. Kill the RDP access until the network, including remote "home" machines, is clean. In my situation, the hacker created various issues on the network to keep admins occupied...for a month, no one looked for a hacker; everyone was too busy fighting network brush fires.


........................................
Chernobyl disaster..a must see pictorial
 
Block his IP address range at the router or, better yet, only allow your IP for RDP connections at the router level.
 
Hi,

I have finally managed to carry out this job.

Formatted and rebuilt the server, formatted all XP workstations and rebuilt them, and replaced the router. I also changed the company internal IP address range, the server name, and all workstation names.

Once I had the server and workstations up and running on the network with all updates, patches and antivirus applications, I connected the internet router to the network, configured internet connectivity and also updated all systems.

After only a day I find the hacker is in again and has added users to the Active Directory.

I am so P-Off at this. It took me almost all weekend to complete this job, and I have no idea as to what to do next.

Any ideas would be appreciated.

Kind Regards
 
Call in the professionals. By formatting everything, you've lost all logs.

Crank up auditing on everything.

Stop all inbound traffic for RDP and any other remote access software.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Do not open RDP on the firewall. I used to see this problem a lot in my old job where small businesses used RDP through the firewall. Get a decent business-class router that can act as a VPN endpoint for you or, if you must, use RRAS on a W2K3 box. Once connected to the VPN you can then use RDP.

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
I agree with 58Sniper.
It's got to a point where you have spent more time trying to fix this than it would take to hire a consultant/pro.
Not to mention the fact that the hacker can steal your company data and use it for illegal purposes (you can also think of your company getting thought of as incompetent then too).

I don't want to give tips on this as I'd like you to have this fixed by a pro buuuut:
Think of how he is getting in...the internet. You could factory reset your router to clear any port forwarding. Also disable UPnP on it too. He sounds like he knows what he's doing so he'll probably have another way to remote in.

Tell users there is no remote access and physically disconnect the router from the internet.
 
Also port scan the entire network IP range and see what ports are running, especially on client machines. If he got back in that fast he's going to ensure he has more than one way in, like bTkalternate said. You might possibly find some weird port open that shouldn't be there. I had this problem and quickly squashed it, and then called our local FBI field office because of the govt data we have. Also make sure you use strong passwords for the network. Our password policy is 10 characters minimum, it has to include alphanumeric characters, and no password can be repeated more than twice. Also ensure they are changing their passwords frequently, like every 30 or 60 days, and disable any accounts that you do not need. Our enterprise has every local admin account and the actual domain admin account disabled, and I created a different admin account for the enterprise and for local machine use. This makes it a little harder because the account isn't labelled administrator.

Wm. Reynolds
Premise Communications
Texas Public Safety Solutions


- - - - - - - - - - - - -

Network Error:
Hit any user to continue
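A small triage script for the auditing step the replies above recommend (turn auditing up, then watch for the two signs the original poster saw: accounts appearing in AD and logons over RDP). It is added here as an illustration and is not code from the thread: it reads exported Windows 2003 security-log lines (event 624, user account created, and 528, successful logon, where logon type 10 is a Terminal Services session) and flags account creations by anyone other than a known admin and RDP logons from outside the allowed address ranges. The pipe-separated export layout, the admin name and the address ranges are assumptions; the log lines are constructed.

```python
"""Triage exported Windows 2003 security-log lines for account creation
(event 624) and remote-interactive logons (event 528, logon type 10)."""
import ipaddress

# Assumed: the only account that should ever create users on this domain.
KNOWN_ADMINS = {"support"}
# Assumed: where RDP sessions are legitimately allowed to come from.
ALLOWED_RANGES = [ipaddress.ip_network("192.168.1.0/24"),  # office LAN
                  ipaddress.ip_network("203.0.113.0/24")]  # support company

# Constructed export, one event per line:
# event_id|timestamp|subject (who did it)|target account|logon_type|source_ip
SAMPLE_LOG = """\
528|2007-10-18 09:02|support|support|10|203.0.113.7
624|2007-10-18 09:05|support|backup|-|-
528|2007-10-19 03:14|administrator|administrator|10|198.51.100.23
624|2007-10-19 03:16|administrator|meagain|-|-
624|2007-10-19 03:17|administrator|onlyme|-|-
528|2007-10-19 08:30|jsmith|jsmith|2|192.168.1.15
"""

def parse(line):
    """Split one exported line into a dict; returns None for blank lines."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None
    keys = ("id", "ts", "subject", "target", "logon_type", "src")
    return dict(zip(keys, parts))

def triage(log_text):
    """Return (timestamp, reason) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["id"] == "624" and ev["subject"] not in KNOWN_ADMINS:
            findings.append((ev["ts"], "account '%s' created by '%s'"
                             % (ev["target"], ev["subject"])))
        elif ev["id"] == "528" and ev["logon_type"] == "10":
            ip = ipaddress.ip_address(ev["src"])
            if not any(ip in net for net in ALLOWED_RANGES):
                findings.append((ev["ts"], "RDP logon as '%s' from %s"
                                 % (ev["target"], ip)))
    return findings

if __name__ == "__main__":
    for ts, why in triage(SAMPLE_LOG):
        print(ts, why)
```

The built-in administrator account is deliberately absent from the known-admin set, so creations made with it are flagged, matching the advice above to disable it and work from a separately named admin account.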
 