Server Hacked

29/11/2014, 09h27
No idea, but I guess 3rd party programs.

29/11/2014, 01h53
Does Windows have this ability, or should I do this with 3rd party software? Anything to suggest? Basically I think I would like to have this rule: allow up to 3 failed logins, then ban the IP forever on any port/hole! Is this possible?
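
Windows can do a rough version of this with built-in tools. The script below is an added example (not from anyone in this thread): it reads failed-logon events (Event ID 4625) from the Security log, counts them per source address, and adds a persistent Windows Firewall rule blocking every port for any address over the threshold. It assumes Windows Server 2012 or later (for the NetSecurity cmdlets), an elevated PowerShell session, and that you schedule it to run every few minutes via Task Scheduler; `$AllowList` is a placeholder for your own management address.

```powershell
# Added example: emulate "3 failed logons, then block the IP" with built-in tools.
# Assumes Windows Server 2012+ (NetSecurity module) and an elevated session;
# run it from Task Scheduler every few minutes to emulate Fail2Ban on Windows.
$Threshold  = 3                          # failed logons before blocking (as asked in the post)
$Window     = (Get-Date).AddMinutes(-10) # only look at recent events
$RulePrefix = 'AutoBan-'                 # rules persist across reboots, i.e. the ban is "forever"
$AllowList  = @('203.0.113.10')          # PLACEHOLDER: put your own management IP here so you never lock yourself out

# Event ID 4625 = "An account failed to log on". The client address lives in the event's XML payload.
# -ErrorAction SilentlyContinue avoids a terminating error when no events match the filter.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Window } `
                         -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    } |
    # RDP with Network Level Authentication often logs '-' or a loopback address instead of the
    # real client; those entries cannot be attributed to a remote host, so skip them.
    Where-Object { $_ -and $_ -ne '-' -and $_ -notmatch '^(127\.|::1$|fe80:)' -and $_ -notin $AllowList }

# Group the remaining addresses and keep those at or above the threshold.
$offenders = $failures | Group-Object | Where-Object { $_.Count -ge $Threshold }

foreach ($o in $offenders) {
    $ip   = $o.Name
    $name = "$RulePrefix$ip"
    # Skip addresses that already have a ban rule from an earlier run.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    # Block all inbound traffic from this address on every port and protocol ("any port/hole").
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block -RemoteAddress $ip `
        -Profile Any -Description "Auto-banned after $($o.Count) failed logons in $Threshold-strike rule" | Out-Null
    Write-Output "Blocked $ip after $($o.Count) failed logons"
}
```

Review the `AutoBan-*` rules with `Get-NetFirewallRule -DisplayName 'AutoBan-*'` now and then; a bot behind a shared NAT or a mistyped password from your own office will end up in the same list.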

29/11/2014, 00h47
Sure, there is no security by obscurity, but it does reduce the amount of unwanted traffic. There are firewalls that protect against port scanning. E.g. if someone scans for port 137, 139, 445 or 3389, block their IP for 2 hours.

29/11/2014, 00h35
I think changing the port is useless because with a port scan sooner or later he will find it...

29/11/2014, 00h24
Change the port, and yes, normal. If it is only one or a few IPs, block them in your firewall.

29/11/2014, 00h19
Check this pic: (This is on my other server)

Is this normal? This is endless...
I have a clean install now and again I can see new attempts from the same hacker...

28/11/2014, 23h38
Also, is it normal to have so many attacks on my servers?
Well, that's why most "Linux" installations use "Fail2Ban". This utility scans log files, detects those kinds of 'tests' on our servers, and blocks the IP if too many (let's say: 3) are found.
These are the blocked scans on my server
So, yes, these scans are normal.

Btw: normally, on a server on the Internet, you do not use password access.
We all use public/private key access.

But: I don't know if all this is possible on a Windows server.

28/11/2014, 23h34
Old RDP connections use RC4 128-bit encryption, which is not considered secure anymore. How about the new RDP in Windows 7/8/2012 Server?

but most of them are with Administrator username
That's why you deactivate the Administrator account and create a new account with admin rights.

Also is it normally to have to many attacks? on my servers?
I had a VPS with a 1 GB HDD. SSH login attempts filled up over 500 MB of log files, so the server ran out of disk space and I had to delete log files before I could use it again. So the simple answer: YES.

28/11/2014, 22h50
I believe it's the first (dictionary), or else he could have had access to my other server too, or no? (Logs are difficult to understand, but I can see lots of tries with different usernames, though most of them are with the Administrator username.) I have KIS purchased on my PC, so I guess I would have known if I had some kind of virus?
Also, is it normal to have so many attacks on my servers?

28/11/2014, 22h44
Then things are simpler, but you will not like what's coming next.

The hacker broke your password (by wild guessing - see your logs if that is the case - if you see a so-called dictionary attack you will recognize it)
Or ....
The big nasty one: YOUR PC at home has a trojan (this happens a lot, far more often than you think), so the hacker took the password (and other login credentials) from YOU (your keyboard) - or they scanned your mails, and you never changed the initial password that KS gave to you.

Btw: Microsoft claims: install a WIN server (like 2008 R2) and throw away the initial password. Leave it alone on the Internet. DO NOT connect to it anymore.
It will be there, unhacked, for several years ...... if not more.

Intercepting the password over the remote desktop SSL connection?
Maybe the CIA (or Mossad) can handle that one if they hire the computer horsepower to break the SSL stream (still takes several years).
So, not possible.

What's left? Yep: from your hands, keyboard, into your computer, where it becomes an SSL connection.
That is the weak part of the link.

28/11/2014, 22h43
You should disable the Administrator account altogether. Have an admin account for admin work, but RDP in and do all your "normal" work as a restricted user account. You will have to set up RDP from the admin account for that user. And once a server has been compromised, you should reinstall it. If they infect you with a nasty rootkit, it is hard to impossible to detect.

28/11/2014, 22h23
I don't use my server as a webserver! (so no Apache, PHP, MySQL etc.)
Also, I have opened very few ports, only the ones that are needed!
All updates have been installed up to last week!
The only issue that comes to my mind is that I didn't change the Administrator password and I left it as is from the unattended.xml from here!
Also, how is it possible to enable the accounts again after I disabled them and changed the passwords.. Possibly a keylogger? Who knows!

28/11/2014, 22h21
And you should not run your programs (e.g. PHP) at admin level. Create restricted accounts and run under those credentials, so that when something gets hacked, they cannot create new users with admin rights.

And I forgot: you do have legal Windows with all updates installed? Same for all programs you run on your server?

28/11/2014, 22h07
What happened is that your server has been identified as a WIN server, and all known tests for all kinds of security flaws have been run against it.
Except for a too simple "remote desktop" password, WIN server is pretty solid.

The weak point, as always, could be the famous non-secure PHP script file that you use on one of your web sites on your server, which permits the hacker to inject (upload) his own PHP files, which then permits him to upload an EXE that takes control over the server.
He's in - you're out - the server is compromised.
This is just an example - all depends on what you do with your server.

You're good for a re-install.
Or: if you are as smart as the hacker, find the security breach and close it down (but, then, your server would not have been hacked in the first place ...)

28/11/2014, 20h43
I believe the hacker left me a long time to take all the necessary backups...
Here's a little info.
About 3 days ago I noticed that the server had been restarted without reason!! But I said ok, it's nothing!
Yesterday when I logged in I noticed that a program named acunetix!! appeared on the desktop, so I started to investigate what is going on??
After a while I went to Control Panel, Users, and I noticed that 2 new users had appeared!!!! (both with administrative privileges)
I went to C:/Users/ and I found the new users' folders, I opened them and in the Download folder there are those files:
New folder (8).rar
Sentry MBA AIO Toolkit v2.2.rar
in the Desktop folder there are too many files...
I tried to RDP to the new accounts too, to see what's going on, but at first I got an error that RDP is disabled...
I fixed that and I logged in via RDP .. and I saw that some hacking programs are running on my server like Sentry, I didn't know what this is but I googled it...
After that I changed the passwords on all users on the server including me and disabled the hacker's accounts!!
After a while the hacker's user accounts had been enabled again and were running all those hacking programs!!!
I checked some of the files and I found over 300000 passwords, wtf? What is going on on my server?
In the log files I have something like a brute force attack on my server with over 30k logs for the last 2 days!!! The file is 20MB of logs and it's at its maximum file size.
On my other server at KS I haven't been hacked yet, but I tried today to look at the log files and again someone is trying to get access, because I get too many failed login attempts...
I have kept a full copy of the hacker's accounts and log files for further investigation.. (the problem is I can't use the log files to find out what exactly happened)

28/11/2014, 20h07
Say: "Thanks to myself, I have a backup!".
Go straight to the Manager, and activate a server re-install.

Use your backup to initialize most of what was on your server.
But ...... there is a but !! Do NOT install all of it !!
Some of your settings (programs - services - whatever) permit a "second party" (also known as "the hacker") to gain access to your server.
So, SKIP that part - do not install that one.
=> In fact, this is the nasty issue: as a server admin, you should know about security issues - otherwise others will visit your server, try all "weak points" (security flaws) and use them so they get a "free server".

Special case: You do not have a backup.
=> Now you know why everybody makes these backups all the time. Because we all need them once .... we only don't know when ....
(A law from Mr. Murphy says: "When you have a backup, you will never need it. If you don't have a backup, you will need it soon".)

28/11/2014, 19h27
Hello, my win server has been hacked, what should I do now?