
Server Hacked


heise
29/11/2014, 10h27
No idea, but I guess 3rd party programs.
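The rule KonMil asked for (allow up to 3 failed logins, then ban the IP on every port) can be built from what Windows already ships, without third-party software. The script below is an added example for this thread, not code from heise, KonMil or the forum; it reads event 4625 ("An account failed to log on") from the Security log, counts failures per source address and adds an inbound block rule in Windows Firewall. The rule-name prefix, the thresholds, and the `$NeverBan` address (a documentation-range placeholder standing in for your own home IP) are assumptions; the NetSecurity cmdlets need Windows Server 2012 / PowerShell 3 or later.

```powershell
# Added example: Fail2Ban-style auto-ban using only the Security log and
# Windows Firewall. Run elevated, e.g. every 5 minutes from Task Scheduler.
param(
    [int]$MaxFailures     = 3,      # KonMil's rule: 3 failures, then ban
    [int]$LookbackMinutes = 60,     # window in which the failures must occur
    [string]$RulePrefix   = 'AutoBan-',
    [string[]]$NeverBan   = @('203.0.113.10')   # assumption: put YOUR home IP here
)

# Event 4625 carries the attacker's address in the IpAddress field of the
# event XML, which is more reliable to parse than the free-text message.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$since } `
            -ErrorAction SilentlyContinue

$failures = @{}     # source IP -> number of failed logons
foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    # Console/local failures show '-' or loopback; never "ban" those.
    if ([string]::IsNullOrEmpty($ip) -or $ip -in @('-', '::1', '127.0.0.1')) { continue }
    if ($ip -in $NeverBan) { continue }
    $failures[$ip] = 1 + [int]$failures[$ip]
}

foreach ($ip in $failures.Keys) {
    if ($failures[$ip] -lt $MaxFailures) { continue }
    $name = "$RulePrefix$ip"
    # Idempotent: one rule per address, skip if it already exists.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    # Block ALL inbound traffic from this address, every port, every profile:
    # the "ban to any port/hole" from the question above.
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
        -RemoteAddress $ip -Profile Any -Enabled True | Out-Null
    Write-Output "Banned $ip after $($failures[$ip]) failed logons in the last $LookbackMinutes min"
}
```

Two caveats a practitioner would want: the rules accumulate, so either accept the "forever" semantics KonMil asked for or add a second scheduled job that deletes rules older than some age (`Get-NetFirewallRule -DisplayName "$RulePrefix*"`), and on some builds with Network Level Authentication enabled the 4625 event records `-` instead of the client address; if you see that, the RDP-specific log `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational` is the place to look for the source IP instead.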

KonMil
29/11/2014, 02h53
Does Windows have this ability, or should I do this with 3rd party software? Something to suggest? Basically I think I would like to have this rule: allow up to 3 failed logins, then ban the IP forever on any port/hole! Is this possible?

heise
29/11/2014, 01h47
Sure, there is no security by obscurity, but it does reduce the amount of unwanted traffic. There are firewalls that protect against port scanning, e.g. if someone scans for port 137, 139, 445 or 3389, block their IP for 2 hours.

KonMil
29/11/2014, 01h35
I think changing the port is useless, because with a port scan sooner or later he will find it...

heise
29/11/2014, 01h24
Change the port, and yes, normal. If it is only one or a few IPs, block them in your firewall.
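For anyone who wants to follow heise's first suggestion, here is an added example of moving the RDP listener off 3389 in an order that does not lock you out: open the new port in the firewall first, then change the listener, verify, and only then close the old port. This is not code from the thread; the new port number (3390) is an assumption, and the `netsh` commands are used rather than the NetSecurity cmdlets so the same steps work on Server 2008 R2. As KonMil notes below, this only cuts down the noise; a scanner will still find the new port, so it is no substitute for strong passwords and IP blocking.

```powershell
# Added example: move RDP from 3389 to another port without locking yourself out.
# Run from an elevated PowerShell on the server.
$newPort = 3390                      # assumption: pick any free port above 1024
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1) Firewall FIRST: allow the new port before touching the listener.
netsh advfirewall firewall add rule name="RDP on $newPort" dir=in action=allow protocol=TCP localport=$newPort

# 2) Change the listener port (a DWORD in the registry).
Set-ItemProperty -Path $key -Name PortNumber -Value $newPort -Type DWord

# 3) Apply. Restarting TermService drops your current session; a reboot is the
#    safer option if the service refuses to stop.
Restart-Service TermService -Force

# 4) Verify the listener is really on the new port before closing the old one.
netstat -ano | Select-String ":$newPort\s"

# 5) From another machine, test with:  mstsc /v:<server>:3390
#    Only when that works, disable the built-in Remote Desktop rules for 3389:
#    netsh advfirewall firewall set rule group="remote desktop" new enable=no
```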

KonMil
29/11/2014, 01h19
Check this pic: (This is on my other server)

Is this normal? This is endless...
I have a clean install now, and again I can see new attempts from the same hacker...

nowwhat
29/11/2014, 00h38
Quote originally posted by KonMil
.....
Also is it normal to have so many attacks on my servers?
Well, that's why most "Linux" installations use "Fail2Ban". This utility scans log files, detects those kinds of 'tests' on our servers, and blocks the IP if too many (let's say: 3) are found.
These are the blocked scans on my server http://www.papy-team.org/munin/papy-.../fail2ban.html
So, yes, these scans are normal.

Btw: normally, on a server on the Internet, you do not use password access.
We all use public/private key access.

But: I don't know if all this is possible on a Windows server.

heise
29/11/2014, 00h34
Old RDP connections use RC4 128-bit encryption, which is not considered secure anymore. How about new RDP in Windows 7/8/2012 server??


but most of them are with Administrator username
That's why you deactivate the Administrator account and create a new account with admin rights.


Also is it normal to have so many attacks on my servers?
I had a VPS with a 1 GB HDD. SSH login attempts filled up over 500MB of log files, so that the server ran out of disk space and I had to delete log files before I could use it again. So simple answer: YES.

KonMil
28/11/2014, 23h50
I believe it's the first (dictionary), or else he could also have access to my other server, no? (The logs are difficult to understand, but I can see lots of tries with different usernames, though most of them are with the Administrator username.) I have KIS purchased on my PC, so I guess I would have known if I had some kind of virus?
Also is it normal to have so many attacks on my servers?

nowwhat
28/11/2014, 23h44
Hummm...
Then things are simpler, but you will not like what's coming next.

The hacker broke your password (by wild guessing; see your logs if that is the case; if you see a so-called dictionary attack you will recognize it)
Or ....
The big nasty one: YOUR PC at home has a trojan (this happens a lot, far more often than you think), so the hacker took the password (and other login credentials from YOU (your keyboard)), or they scanned your mails, and you never changed the initial password that KS gave you.

Btw: Microsoft claims! Install a WIN server (like 2008 R2) and throw away the initial password. Leave it alone on the Internet. DO NOT connect to it anymore.
It will be there, unhacked, for several years ...... if not more.

Intercepting the password over the remote desktop SSL connection?
Maybe the CIA (or Mossad) can handle that one if they hire the computer horsepower to break the SSL stream (still takes several years).
So, not possible.

What's left? Yep: from your hands, keyboard, into your computer, where it becomes an SSL connection.
That is the weak part in the link.

heise
28/11/2014, 23h43
You should disable the Administrator account altogether. Have an admin account for admin work, but RDP and do all your "normal" work as a restricted user account. You will have to set up RDP from the admin account for that user. And once a server has been compromised, you should reinstall it. If they infect you with a nasty rootkit, it is hard to impossible to detect.
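The account layout heise describes here (and again above: "deactivate the Administrator account and create a new account with admin rights") looks like this when typed out. This is an added example, not code from the thread: a new admin account for admin work, a restricted account that is added to "Remote Desktop Users" for everyday RDP sessions, and the built-in Administrator disabled last. The two user names are assumptions. `net.exe` is used so the same commands work on Server 2008 R2 and 2012; passwords are entered at the prompt (`*`) rather than placed on the command line where they would show up in process listings.

```powershell
# Added example: replace the built-in Administrator with a named admin account
# and a restricted RDP account. Run elevated, from a session you keep open
# until step 4 has been verified.
$adminName = 'srvadmin'     # assumption: your admin account name
$userName  = 'konmil'       # assumption: your everyday restricted account

# 1) New admin account; '*' makes net.exe prompt for the password.
net user $adminName * /add
net localgroup Administrators $adminName /add

# 2) Restricted everyday account. Membership of "Remote Desktop Users" is what
#    grants it RDP (the "setup RDP from the admin account" step).
net user $userName * /add
net localgroup "Remote Desktop Users" $userName /add
#    Note: members of Administrators can always RDP unless you also assign
#    them "Deny log on through Remote Desktop Services" in secpol.msc.

# 3) Find the built-in Administrator by its RID (-500) instead of by name, so a
#    renamed account or a look-alike created by an intruder is not mistaken
#    for it.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
           Where-Object { $_.SID -like '*-500' }

# 4) BEFORE disabling it: open a second RDP session as $adminName and confirm
#    it works. Only then:
net user $($builtin.Name) /active:no

# 5) Confirm the result.
net user $($builtin.Name) | Select-String 'Account active'
net localgroup Administrators
```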

KonMil
28/11/2014, 23h23
I don't use my server as a webserver! (so no apache, php, mysql etc.)
Also I have very few ports open, only because they are needed!
All updates had been installed as of last week!
The only issue that comes to my mind is that I didn't change the Administrator password and left it as is from the unattended.xml from here!
Also how is it possible to enable accounts again after disabling them and changing passwords? Possibly a keylogger? Who knows!

heise
28/11/2014, 23h21
And you should not run your programs (e.g. php) at admin level. Create restricted accounts and run under those credentials, so that when something gets hacked, they cannot create new users with admin rights.

And I forgot, you do have legal Windows with all updates installed?? Same for all programs you run on your server??

nowwhat
28/11/2014, 23h07
What happened is that your server has been identified as a WIN server, and all known tests for all kinds of security flaws have been run against it.
Except for a too-simple "remote desktop" password, WIN server is pretty solid.

The weak point, as always, could be the famous non-secure PHP script file that you use on one of your web sites on your server, which permits the hacker to inject (upload) his own PHP files, which then permits him to upload an EXE that takes control of the server.
He's in, you're out, the server is compromised.
This is just an example; it all depends on what you do with your server.

You're good for a re-install.
Or: if you are as smart as the hacker, find the security breach and close it down (but then your server wouldn't have been hacked in the first place ...)

KonMil
28/11/2014, 21h43
I believe the hacker left me a long time to take all necessary backups...
Here's a little info.
About 3 days ago I noticed that the server had been restarted without reason!! But I said ok, it's nothing!
Yesterday when I logged in I noticed that a program named acunetix!! appeared on the desktop, so I started to investigate what is going on??
After a while I went to Control Panel, Users, and I noticed that 2 new users had appeared!!!! (both with administrative privileges)
I went to C:/Users/ and found the new users' folders; I opened them and in the Download folder there are these files:
Acunetix.Web.Vulnerability.Scanner.Consultant.Edition.v9.0.20140115_p30download.com.rar
New folder (8).rar
Sentry MBA AIO Toolkit v2.2.rar
FLVPlayer-Chrome.exe
In the Desktop folder there are too many files...
I tried to RDP to the new accounts too, to see what's going on, but I got an error at first that RDP is disabled...
I fixed that and logged in via RDP... and I saw that some hacking programs are running on my server, like Sentry; I didn't know what this is, but I googled it...
After that I changed the passwords of all users on the server, including me, and disabled the hacker's accounts!!
After a while the hacker's user accounts had been enabled again and were running all that hacking software!!!
I checked some of the files and found over 300000 passwords, wtf? What is going on on my server?
In the log files I have something like a brute force attack on my server with over 30k entries for the last 2 days!!! The file is 20MB of logs and it's at its maximum file size.
On my other server at KS I haven't been hacked yet, but I tried to look at the log files today and again someone is trying to get access, because I get too many failed login attempts...
I have kept a full copy of the hacker's accounts and log files for further investigation.. (the problem is I can't use the log files to find out what exactly happened)

nowwhat
28/11/2014, 21h07
Easy.

Say: "Thanks to myself, I have a backup!"
Go straight to the Manager, and activate a server re-install.

Use your backup to initialize most of what was on your server.
But ...... there is a but!! Do NOT install all of it!!
Some of your settings (programs, services, whatever) permit a "second party" (also known as "the hacker") to gain access to your server.
So, SKIP that part; do not install that one.
=> In fact, this is the nasty issue: as a server admin, you should know about security issues; otherwise others will visit your server, try all "weak points" (security flaws) and use them so they get a "free server".

Special case: You do not have a backup.
=> Now you know why everybody makes these backups all the time. Because we all need them once .... we only don't know when ....
(A law from Mr. Murphy says: "When you have a backup, you will never need it. If you don't have a backup, you will need it soon".)

KonMil
28/11/2014, 20h27
Hello, my win server has been hacked, what should I do now?