Server hacked - anyone recognise the pattern?
Went to my server (Win XP Pro SP2) last night and found "support" logged on. Not one of my accounts so immediately got it offline and started investigating. 
The "support" account was created about 80 minutes before I found it and all I've found so far is a program called box.exe on the desktop of that account and a boxinfo html file which has specs of my machine, basic network specs, some performance measures and information about was is installed and running. The account was a hidden account and had admin rights. Also, the first thing which happened (according to windows event log) was XP firewall being turned off.
The box is scanned for viruses every night using AVG free but I don't regularly do a spyware scan - (I rarely install stuff or change the config). I've left scans (Lavasoft Adaware, Windows Defender and another AVG scan) running overnight which I haven't looked at yet.
I've looked at what files were created and modified between account creation and my finding it and haven't seen anything suspicious.
Naturally in retrospect, I can think of ways the machine could have been slightly more secure but it was far from open.
To be fair, I've been running a home server for about ten years and this is the first successful hack.
The only thing I've changed recently was to turn off my static IP because I was concerned about sitting long-term on a single IP! But I can't see how that would have caused the problem except perhaps putting me in a different IP range which is being scanned.
Anyone recognise this pattern and can point me specifically to what else may have been done and indeed how someone got in?
Am I being stupidly complacent to believe I've caught this before any real harm was done?
My guess is I've stupidly installed a Trojan along the way and (again easy with hindsight) I've been a bit lazy about blocking outbound traffic on the network.
The "support" account was created about 80 minutes before I found it and all I've found so far is a program called box.exe on the desktop of that account and a boxinfo html file which has specs of my machine, basic network specs, some performance measures and information about was is installed and running. The account was a hidden account and had admin rights. Also, the first thing which happened (according to windows event log) was XP firewall being turned off.
The box is scanned for viruses every night using AVG free but I don't regularly do a spyware scan - (I rarely install stuff or change the config). I've left scans (Lavasoft Adaware, Windows Defender and another AVG scan) running overnight which I haven't looked at yet.
I've looked at what files were created and modified between account creation and my finding it and haven't seen anything suspicious.
Naturally in retrospect, I can think of ways the machine could have been slightly more secure but it was far from open.
To be fair, I've been running a home server for about ten years and this is the first successful hack.The only thing I've changed recently was to turn off my static IP because I was concerned about sitting long-term on a single IP! But I can't see how that would have caused the problem except perhaps putting me in a different IP range which is being scanned.
Anyone recognise this pattern and can point me specifically to what else may have been done and indeed how someone got in?
Am I being stupidly complacent to believe I've caught this before any real harm was done?
My guess is I've stupidly installed a Trojan along the way and (again easy with hindsight) I've been a bit lazy about blocking outbound traffic on the network.
Well,
I've run scans and found nothing. Nothing in logs so maybe I've just been lucky.
Have thoroughly pruned installed apps and user accounts and tightened up on firewall setup. Anything calling home now will get very well recorded.
Have installed IDS software and will see what happens - all ready to auto cut-off at the slightest sniff of another attempt!
Arthur, If I ever work it out I'll let you know.
I've run scans and found nothing. Nothing in logs so maybe I've just been lucky.
Have thoroughly pruned installed apps and user accounts and tightened up on firewall setup. Anything calling home now will get very well recorded.
Have installed IDS software and will see what happens - all ready to auto cut-off at the slightest sniff of another attempt!
Arthur, If I ever work it out I'll let you know.
I don't understand how opening a port such as 80 can cause a machine to be compromised?
Surely this can only happen if a pre-existing program (such as a web server) responds and behaves in an inappropriate way?
Surely this can only happen if a pre-existing program (such as a web server) responds and behaves in an inappropriate way?
