cancel
Showing results for 
Search instead for 
Did you mean: 

Server hacked - anyone recognise the pattern?

albany
Grafter
Posts: 81
Registered: ‎18-08-2007

Server hacked - anyone recognise the pattern?

Went to my server (Win XP Pro SP2) last night and found "support" logged on.  Not one of my accounts so immediately got it offline and started investigating. Shocked
The "support" account was created about 80 minutes before I found it and all I've found so far is a program called box.exe on the desktop of that account and a boxinfo html file which has specs of my machine, basic network specs, some performance measures and information about was is installed and running.  The account was a hidden account and had admin rights.  Also, the first thing which happened (according to windows event log) was XP firewall being turned off.
The box is scanned for viruses every night using AVG free but I don't regularly do a spyware scan - (I rarely install stuff or change the config).  I've left scans (Lavasoft Adaware, Windows Defender and another AVG scan) running overnight which I haven't looked at yet.
I've looked at what files were created and modified between account creation and my finding it and haven't seen anything suspicious.
Naturally in retrospect, I can think of ways the machine could have been slightly more secure but it was far from open. Embarrassed  To be fair, I've been running a home server for about ten years and this is the first successful hack.
The only thing I've changed recently was to turn off my static IP because I was concerned about sitting long-term on a single IP! But I can't see how that would have caused the problem except perhaps putting me in a different IP range which is being scanned.
Anyone recognise this pattern and can point me specifically to what else may have been done and indeed how someone got in?
Am I being stupidly complacent to believe I've caught this before any real harm was done?
My guess is I've stupidly installed a Trojan along the way and (again easy with hindsight) I've been a bit lazy about blocking outbound traffic on the network. Embarrassed
8 REPLIES
astarsolutions
Grafter
Posts: 393
Registered: ‎26-07-2007

Re: Server hacked - anyone recognise the pattern?

How is the machine connected to the Internet?
If its a router do you forward any ports to the machine?
And does the machine do anything connected with the Internet, web/mail server etc...?
albany
Grafter
Posts: 81
Registered: ‎18-08-2007

Re: Server hacked - anyone recognise the pattern?

Behind NAT router.  Ports 80, 25, 143, 443  and 3389 forwarded.  Running IIS, Mercury Mail with IMAP and SMTP modules, RDP and Squirrelmail. 
Ports 80, 443 and 3389 are restricted using windows firewall to only respond to LAN and single work IP (router doesn't have very flexible SPI). 
All apps. patched and up-to-date.  Haven't had a chance to check IIS log but will do so when I get home.
astarsolutions
Grafter
Posts: 393
Registered: ‎26-07-2007

Re: Server hacked - anyone recognise the pattern?

I can't offer any advice as to the cause but I run a similar setup so I would be interested to hear how it became infected (if you find out).
albany
Grafter
Posts: 81
Registered: ‎18-08-2007

Re: Server hacked - anyone recognise the pattern?

Well,
I've run scans and found nothing.  Nothing in logs so maybe I've just been lucky. Undecided
Have thoroughly pruned installed apps and user accounts and tightened up on firewall setup.  Anything calling home now will get very well recorded.
Have installed IDS software and will see what happens - all ready to auto cut-off at the slightest sniff of another attempt! Cool
Arthur, If I ever work it out I'll let you know.
Community Veteran
Posts: 1,576
Thanks: 3
Registered: ‎13-04-2007

Re: Server hacked - anyone recognise the pattern?

You can get your server hacked just by opening port 80 if its not fully patched a simple perl script will have it in seconds.
You should get a security scanner and run it against the servers
try
http://osvdb.org/
or ms basline tool from
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
albany
Grafter
Posts: 81
Registered: ‎18-08-2007

Re: Server hacked - anyone recognise the pattern?

Thanks,
Will do.  Baseline tool was happy but haven't tried osvdb.
Andy
VileReynard
All Star
Posts: 11,191
Thanks: 305
Fixes: 11
Registered: ‎01-09-2007

Re: Server hacked - anyone recognise the pattern?

I don't understand how opening a port such as 80 can cause a machine to be compromised?
Surely this can only happen if a pre-existing program (such as a web server) responds and behaves in an inappropriate way?

MikeWhitehead
Grafter
Posts: 748
Registered: ‎19-08-2007

Re: Server hacked - anyone recognise the pattern?

My start to checking the machine would be running nmap against it and see what it throws back. Then run a Nessus scan to see what that says, checking alongside OSVDB etc. The best way to get your box as secure as possible is to bombard it with lots of security tools. The more possibilities checked, the less holes for someone to get through.