Aug. 5th, 2002

02:08 am - I've been cracked...

Aargh - someone's been playing silly buggers with my server. The hazards of having a permanent connection to the internet, with a static IP address - it makes you a target for this type of thing. (No, I'm not going to refer to "hacking" in this context.)

Our internet connection tends to die periodically - I think it's because we're using a USB ADSL modem, rather than a router (a situation I intend to rectify). When this happened earlier, I went to reboot the server as usual. I then saw a message from the anti-virus software, saying it had moved two files on the C drive that were infected. They were both called "server.exe" - one was in the root, and one was in the winnt\system32 folder. After the reboot, I noticed a service running - "Serv-U FTP Server". That's not something I've installed, and it was running out of a random folder in the profiles area. Suspiciously, it was created today at the same time as the anti-virus software found the infected files. In fact, I had two copies of the folder structure (on different drives), but only one contained files.

I've got rid of that service, and tried to delete the folders. However, they've got names like AUX and COM1, which means Explorer won't handle that problem.
Q120716 had the solution, although it requires you to own a copy of the Windows 2000 Resource Kit to get the necessary file - fortunately, I do have a copy. (Bought it a while back, after I got stumped by one of Lorna's problems with her PC.)

I definitely need to get a proper copy of the anti-virus software, since it's still protecting me after the evaluation period expired. The only problem is that it isn't sold in the UK (yet), so I'll need to order it from the USA.

There were some other issues - for instance, the Guest account had wound up in the Administrators group. I've removed it, and disabled it - I suspect that someone got in a different way, then made that change as a backdoor. From my reading, it looks like the FTP business is something that warez d00dz use, as a way to hijack a server as a file-dump.

Next step is to sort out some proper logging, so that I can track down the little shits responsible for this.

Anyway, I've now locked down the server, and it seems to be running smoothly. I'll keep an eye on it, to make sure nothing else happens. And just to clarify, please do not send comments like "Windows is crap - you should use Unix"!
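A modern equivalent of the clean-up checks described in this post, added here as an example: these are not the author's own commands, and PowerShell did not exist on Windows 2000 in 2002, so this is what the same triage looks like on a current Windows host. It lists services whose binary lives under the profiles area (where the rogue Serv-U was found), shows who is in the local Administrators group so a stray Guest stands out, finds directories carrying reserved device names with cmd's own dir (which, unlike Explorer, enumerates them), and shows the \\.\ device-namespace form of rd that can remove such a directory without Resource Kit tools. The drop-location path is an assumption; the destructive lines are commented out so the script only reports until you uncomment them.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.

# 1. Services running from under a user profile are suspicious: legitimate Windows
#    services normally live under %SystemRoot% or %ProgramFiles%.
$profileRoot = Split-Path -Parent ([Environment]::GetFolderPath('UserProfile'))
Write-Host "== Services whose binary is under $profileRoot =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -like "*$profileRoot*" } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-List

# 2. Local Administrators membership: Guest, or any account you did not add, is a backdoor.
Write-Host "== Members of Administrators =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Uncomment to undo the change described in the post:
# Remove-LocalGroupMember -Group 'Administrators' -Member 'Guest'
# Disable-LocalUser -Name 'Guest'

# 3. Directories named after reserved DOS devices cannot be removed by Explorer or by a
#    plain path, because the name is parsed as the device. cmd's dir still lists them,
#    and the \\.\ prefix makes rd treat the name as a filesystem path.
$reserved = 'CON','PRN','AUX','NUL',
            'COM1','COM2','COM3','COM4','COM5','COM6','COM7','COM8','COM9',
            'LPT1','LPT2','LPT3','LPT4','LPT5','LPT6','LPT7','LPT8','LPT9'
$pattern  = '(?i)\\(' + ($reserved -join '|') + ')$'

$dropRoot = $profileRoot   # assumed: where the warez dump was found; adjust as needed
Write-Host "== Reserved-name directories under $dropRoot =="
& cmd.exe /c "dir /s /b /ad `"$dropRoot`"" 2>$null |
    Where-Object { $_ -match $pattern } |
    ForEach-Object {
        Write-Host "  $_"
        # & cmd.exe /c "rd /s /q `"\\.\$_`""   # uncomment to delete the directory
    }

# 4. Logging: make sure logon auditing is on so the next attempt leaves a trail.
Write-Host "== Logon audit policy =="
auditpol /get /category:"Logon/Logoff"
# auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```

The same rd form works by hand: `rd /s /q "\\.\C:\Documents and Settings\someuser\COM1"` deletes a directory that `rd "C:\Documents and Settings\someuser\COM1"` refuses to touch.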

Date: August 5th, 2002 04:45 am (UTC)

That's not good!
Have you any idea how they got in? IIS or Terminal Services?
Date: August 5th, 2002 05:52 am (UTC)

Re: dammit...

Not sure - some kind of buffer overrun would be my main guess, based on the security bulletins I've been getting. IIS seems like the most likely culprit, except that I haven't got it configured properly to actually serve web pages, so that should be vaguely secure... I've never done anything special with Terminal Services - I'm not actually sure whether it's installed at all. I'll have another prod when I get home tonight.

In the meantime, I've now ordered an Alcatel Speedtouch 510 router, which has some firewall support in it (e.g. port blocking), so hopefully that should improve the reliability and security.
