Server 2003 being Hacked


Tona955 (Technical User, GB), Oct 19, 2007
Hi All,

I have just rebuilt my client's Server 2003 system, installed all updates and service packs, and also a 5-client-licence Terminal Server.

I noticed last week that the company data folder was missing/deleted...not even in the recycle bin.

Further investigation showed that someone was hacking in through RDP. One evening, while monitoring the server through my RDP connection, I noticed another RDP session; I remote-controlled onto it and found someone listing an item on eBay. I took as many details down as I could, i.e. eBay username, email addresses, location, post code etc. This hacker then cleared his tracks by clearing cookies, removing any pics and logging out. How strange..
I checked the security log and found a login through SAM and managed to get an IP address...hmmm, traced to an IP address in China.
I immediately changed the server admin password, all users were requested to change their password on login, and I also changed the Netgear router admin password.

But this chap still managed to get in over the past few days, to the point where I have disabled RDP completely, leaving me to use VNC...so far so good.

I do need RDP to be enabled though.

My question is, how do I tackle this and secure my server? There are only 6 users on the network, with no Exchange services.

Would really appreciate some help with this one.
Many thanks in advance.
Tona955
 
So every time you enable RDP this person can log on?

Do you know what account they're using to log on?

Download a copy of the MBSA from MS and run it; it will tell you if any of your services (MS ones at least) are running with a weak or blank password.
 
Inherited a hacked 2003 network a couple of months ago. The first thing the hacker did was place keyloggers on the server and workstations. Same MO until all the keyloggers were removed.

........................................
Chernobyl disaster..a must see pictorial
 
Since you have an IP address, can you deny all connections through your firewall from that IP Address?
 
Thanks all for your quick response..

I am back on site tonight to investigate further. I can't remember the logon account he's using; I think it was (system$), as in the AD I can see newly added users such as system$, iss$ and various names. We have a workstation called Floor01 and I have also seen a new user called Fl00r01, but I do remember the security log saying something about a SAM logon account...will download MBSA as suggested and try it.

Technome...how do I check for keyloggers on the net? Are these script files...somewhere?

Yes, I do know the IP address (218.80.92.51 port 3827) but am not sure if this person could come in through another address. I blocked this port 3827 but it did not stop him; I think the router can block outgoing URLs only..will check again.

Many thanks again
 
Try this one. I am sure you have disabled or removed the accounts. You can change the RDP port, but I would imagine he runs a port scan and figures it out. Also, look for firmware updates for your Netgear. I personally would take Netscreen over anything in its class. Enable full logging on the server as well; turn all the log options on to get more details.
This is a good tool you can use to check the processes for keyloggers..
 
How I got rid of the keyloggers, etc....

Turn off system restore.

Delete contents of \prefetch

Check add/remove software for added programs

Check with msconfig for strange resident programs

The hacker manipulated the Symantec AV software, so do not trust the AV to find anything. Best to remove and reinstall AV after scanning as below.

Scan with a couple online AV scanners in safemode.

Scan with Anti malware programs, at least two in safe mode.

Scan with two downloaded root kit revealers in safe mode.

I opened Regedit and checked HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER \Software for strange additions.

The hacker hid a couple of keyloggers in directories which Symantec was manipulated into not scanning; he hid a downloader program in the Symantec directory.

My hacker created a couple of users with Administrator rights, and upgraded a couple of legitimate users to administrators. The hacker got a bit confident and created users with the $ sign following the name (bad move on his part, too obvious).

Lastly, I was lucky: it was a small network, the guy was in the system for a month and destroyed no data, so I knew whatever odd executables I found within that time were likely his. I cruised all directories, looking up any odd executables I found on Google, such as c2.exe, c8.exe, 5.exe, 88.exe.
The dumb-ass hacker should have changed the date and time attributes to match the system installation time/date, making them much harder to locate. One of the keyloggers I found was not picked up by any AV or anti-malware program; I found it by searching.

The hacker also downloaded and installed Roboform, which did not show in add/remove software.

Rename the Administrator account (be careful of services running under Administrator). In system security, create a lockout (for, say, 4 minutes) after a few bad login attempts.

Are you confident that there is no wireless access on the system?

After you're confident you're clean, change ALL passwords. Be diligent; miss one bad program and he is back, maybe with a vengeance.

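The two indicators the thread keeps returning to (the burst of failed logons that a lockout policy would stop, and newly created accounts named system$ or Fl00r01 to mimic real ones) can be checked mechanically. The script below is an added example, not code from the thread; it runs over constructed Security-log-style lines (event 529 = failed logon, 624 = user account created) with an assumed list of legitimate names.

```python
from collections import Counter
# Constructed sample lines in the shape of Windows Server 2003 Security log records
# (timestamp, event id, account, source IP); 529 = failed logon, 624 = user account created.
SAMPLE_LOG = """\
2007-10-18 22:41:03,529,Administrator,203.0.113.5
2007-10-18 22:41:05,529,Administrator,203.0.113.5
2007-10-18 22:41:07,529,Administrator,203.0.113.5
2007-10-18 22:41:09,529,Administrator,203.0.113.5
2007-10-18 22:41:11,529,Administrator,203.0.113.5
2007-10-18 22:52:40,624,system$,203.0.113.5
2007-10-18 22:53:02,624,Fl00r01,203.0.113.5
2007-10-19 09:12:00,529,jsmith,192.168.1.20
2007-10-19 10:03:11,624,newhire,192.168.1.5
"""
KNOWN_NAMES = ["Administrator", "jsmith", "Floor01"]  # legitimate users/workstations (assumed)
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digit-for-letter lookalike swaps

def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, account, ip = line.split(",")
            events.append({"ts": ts, "id": int(event_id), "account": account, "ip": ip})
    return events

def failed_logon_bursts(events, threshold=5):
    # Source IPs with at least `threshold` failed logons: the pattern a lockout policy stops.
    counts = Counter(e["ip"] for e in events if e["id"] == 529)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def normalize(name):
    # Strip the machine-style '$' suffix and undo digit substitutions before comparing.
    return name.rstrip("$").lower().translate(LEET)

def suspicious_new_accounts(events, known_names=KNOWN_NAMES):
    # Newly created user accounts that carry a '$' suffix or mimic a known name.
    known = {normalize(n): n for n in known_names}
    findings = []
    for e in events:
        if e["id"] != 624:
            continue
        name = e["account"]
        if name.endswith("$"):
            findings.append((name, "user account with machine-style $ suffix"))
        twin = known.get(normalize(name))
        if twin and twin.lower() != name.lower():
            findings.append((name, "lookalike of " + twin))
    return findings
```

On the sample, the external address trips the 5-failure threshold and both system$ and Fl00r01 are reported, while the internal single failure and the ordinary new account are left alone.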
 
Rootkit Revealer is worth running; it doesn't look for known files but instead reports anything suspicious for you to review.


It's worth remembering that MS always say you should restore a rooted server, as it's almost impossible to tell (even for them) if you have removed everything. In fact, quite often a few more common programs are installed to make you think you've found it all.
 
"It's worth remembering that MS always say you should restore a rooted server as it's almost impossible to tell (even for them) if you have removed everything."

Agree; for what I went through for 2 days (18 hours per day), rebuilding would be the practical thing to do. In my case, the new client had no passwords/licence numbers and the software was downloaded with no records. Technically I should have walked out at the beginning.
If the hacker had been just a wee bit better, I would not have found all the keyloggers and the downloader.

Interesting point: the hacker was going through multiple networks (bots) to get to the hacked network, and was purchasing tons of stuff off the Internet from the compromised server (one day he spent approx 10 hours "purchasing"). The purchased stuff was delivered to hotels; he moved on to other hotels after a few days. Called one of the hotels; they were not the least interested unless a police report was filed. I only know this as I clocked into this server via RDP at 3 AM on a Saturday and shut down the server before he was able to delete his user profile.
