
Server was hacked

Status
Not open for further replies.

smokinsarg (IS-IT--Management), US, Oct 6, 2004
I have a 2003 SBS Server here that was hacked previously, twice. The hacker disabled my IIS server, installed Apache and was hosting a phishing PayPal site off the server. I have completely removed the Apache server and any services and files associated with the hacker. I have also created a new Administrative account for the domain and disabled the default administrator account. Is there any way I can check to see if this hacker can get in again? Can someone also tell me how this server was hacked into originally?
 
Without looking through logs and configs, no one will be able to tell you how your server was compromised.

Limit who has administrative access. Install all service packs and hotfixes, as well as security updates.

Force an immediate password change on EVERY USER. EVERY USER. Including yourself.

Keep your AV software updated.

Disable all non-essential accounts.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
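The account steps in the reply above (review who has admin rights, force a password change for everyone, disable non-essential accounts) can be scripted against Active Directory. This is an added example, not code from the thread or from Tek-Tips; it assumes the ActiveDirectory PowerShell module is installed, the caller is a domain admin, and the `$KeepEnabled` list is adjusted to the environment (the names in it are placeholders).

```powershell
# Added example: post-compromise account hygiene with the ActiveDirectory module.
# Run with -WhatIf first to review every change before it is made.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts that must stay enabled even if stale (constructed example list)
    [string[]]$KeepEnabled = @('Administrator', 'krbtgt'),
    # Enabled accounts with no logon for this many days get disabled
    [int]$StaleDays = 90
)

Import-Module ActiveDirectory

# 1. Who holds administrative rights? Review this list by hand and trim it.
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
foreach ($g in $adminGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, objectClass
}

# 2. Force a password change at next logon for every enabled user.
#    Note: this flag cannot be set on accounts marked "password never expires";
#    clear that flag first or those accounts are skipped with an error.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires
foreach ($u in $users) {
    if ($u.PasswordNeverExpires) {
        Write-Warning "$($u.SamAccountName): PasswordNeverExpires is set; review manually"
        continue
    }
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Force password change at next logon')) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    }
}

# 3. Disable accounts nobody has used for $StaleDays, except the keep list.
$cutoff = (Get-Date).AddDays(-$StaleDays)
foreach ($u in $users) {
    if ($KeepEnabled -contains $u.SamAccountName) { continue }
    if ($u.LastLogonDate -and $u.LastLogonDate -gt $cutoff) { continue }
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable (last logon: $($u.LastLogonDate))")) {
        Disable-ADAccount -Identity $u
    }
}
```

Run it as `.\Reset-AfterCompromise.ps1 -WhatIf` (hypothetical file name) to get a dry run, then without `-WhatIf`. The forced change also covers the account you are logged on with, so expect to set a new password yourself immediately afterwards.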
 
And check your firewall rules to see if you have any holes there that could have been exploited.

--------------------------------------
"Insert funny comment in here!"
--------------------------------------
 
install Tripwire to alert you of any file changes.

monitor all services on that server and have it alert you if one goes offline or is disabled. you can use nagios or gfi.
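What Tripwire and a service monitor do can be approximated with a few functions: hash the web-server and system directories into a baseline, diff the live tree against it later, and check that expected services are present, running and not set to Disabled. This is an added example, not code from the thread or from Tripwire, Nagios or GFI; the paths and service names in the usage comments are constructed, and `StartType` on `Get-Service` output assumes Windows PowerShell 5 or later. Keep the baseline file somewhere the monitored server cannot write to, otherwise an intruder can simply rewrite it.

```powershell
# Added example: file-integrity baseline and expected-service check.

function New-IntegrityBaseline {
    param([string[]]$Path, [string]$OutFile)
    # Record SHA-256 of every file under the given paths
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-IntegrityBaseline {
    param([string[]]$Path, [string]$BaselineFile)
    $old = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $old[$_.Path] = $_.Hash }

    $new = @{}
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { $new[$_.Path] = $_.Hash }

    # Report added, modified and removed files relative to the baseline
    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p)) { [pscustomobject]@{ Change = 'Added';    Path = $p } }
        elseif ($old[$p] -ne $new[$p]) { [pscustomobject]@{ Change = 'Modified'; Path = $p } }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p)) { [pscustomobject]@{ Change = 'Removed';  Path = $p } }
    }
}

function Test-ExpectedServices {
    param([string[]]$Name)
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $n
            Status    = if ($svc) { $svc.Status }    else { 'Missing' }
            StartType = if ($svc) { $svc.StartType } else { 'Missing' }
            # Alert if the service is gone, stopped, or has been set to Disabled
            Alert     = (-not $svc) -or ($svc.Status -ne 'Running') -or ($svc.StartType -eq 'Disabled')
        }
    }
}

# Usage (constructed paths and service names; schedule the checks, e.g. hourly):
# New-IntegrityBaseline -Path 'C:\inetpub', 'C:\Windows\System32\inetsrv' -OutFile '\\fileserver\ro\baseline.csv'
# Compare-IntegrityBaseline -Path 'C:\inetpub', 'C:\Windows\System32\inetsrv' -BaselineFile '\\fileserver\ro\baseline.csv'
# Test-ExpectedServices -Name 'W3SVC', 'MSExchangeIS', 'wuauserv' | Where-Object Alert
```

Take the baseline right after the rebuild, before the box is reachable from the Internet, so the baseline itself cannot already contain the intruder's files.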
 
Most likely they got in through some sort of exploit. They probably also installed some sort of Trojan or backdoor program so that they could get back in if they were discovered. We recently had a server hacked, and the intruder installed several tools. One of them phoned home occasionally on port 80 (rarely blocked outbound from firewalls), and once it connected to home the hacker could issue commands to open up further holes, reinstall his programs, etc.

Once you have been hacked, the only safe course of action is to rebuild the server. You can try to clean it up, but there's no way for you to be sure that he didn't install a rootkit or something that's still hiding somewhere, waiting to let him back in. That's probably how it got hacked the second time.
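The "phones home on port 80" behaviour described above is something you can at least inventory on a host: list every process holding an outbound connection to a web port, and flag any whose binary is unsigned or lives in a user-writable directory. This is an added example, not code from the thread; it assumes a host with `Get-NetTCPConnection` (Windows 8 / Server 2012 or later; a 2003 box would need `netstat -ano` parsed instead) and an elevated session so process image paths are readable. A clean signature is not proof of innocence, and an unsigned binary is not proof of compromise; the output is a starting list for manual review, and as the reply says, a rebuild is still the only safe course.

```powershell
# Added example: inventory processes with established outbound connections
# on web ports and mark the ones worth a closer look.
function Get-OutboundWebConnections {
    param([int[]]$Port = @(80, 443))

    # Map PID -> process object once, rather than per connection
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Port -contains $_.RemotePort } |
        ForEach-Object {
            $p    = $procs[[int]$_.OwningProcess]
            $path = if ($p) { $p.Path } else { $null }        # null for protected processes
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            [pscustomobject]@{
                Pid        = $_.OwningProcess
                Process    = if ($p) { $p.ProcessName } else { '?' }
                Image      = $path
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                Signature  = $sig
                # Review first: unsigned/invalid signature, or image in a user-writable location
                Suspicious = ($sig -ne 'Valid') -or ($path -match '\\(Temp|AppData|ProgramData|Users)\\')
            }
        }
}

Get-OutboundWebConnections | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Because a beacon connects only "occasionally", a single snapshot can miss it; run the function from a scheduled task every few minutes and keep the output, or put the same logic in front of firewall logs for outbound 80/443 from the server's address.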
 
Thanks everyone for your response. You're all saying what I've been thinking. The server is only about 4 months old and we only have 5 users connected to it at this time. I'm going to backup all the data and mailboxes and reinstall the OS.
I've been having some other problems with the system as well. My profile is not being saved on the server; when I install programs, they come up with an error message because they can't add the shortcuts to the Start Menu. We run Trend Micro software and the directories are no longer present in the IIS server. The Dashboard is browser based and now I can't login to check it. I tried updating it, but it continues to fail. I even tried to install it on an Apache server, but it still failed. Not worth any more effort. I was more curious than anything else to find out how they are doing it, but F*@! it now! Thanks again everyone for all your comments.
 
IIRC, Trend uses an Apache install for its web-based dashboard. So it probably got trashed when the hacker installed his own Apache.

When you rebuild the OS, make sure that you do delete the existing partitions. You don't want any of that old stuff hanging around. Just make sure to make a backup first in case you need something.
 
The CSM Suite can run on IIS or can install its own Apache server. Both options do not work. As for backup, we are running Backup Exec 11 daily and I am checking those religiously. Thanks for the partition deletion idea, I may not have thought of that.
 