Re: Have I been hacked?

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 07/05/05


Date: Mon, 4 Jul 2005 17:21:59 -0500

If the server is not physically secured and others have access to it then
somebody could have possibly gained access as local administrator. One thing
to check is your security logs on that server for logon, account logon
events, and computer management events. By default Windows 2003 Server has
auditing of such enabled and should show who has logged onto that server and
when and also show failed logon events. Assuming auditing of computer
management was also enabled you would be able to see if user group
memberships have been changed unless an attacker cleared the security logs.
Terminal Services is secure in that by default TS traffic is encrypted but
it can allow others to logon depending on how you have security setup for
Remote Desktop. If there are other administrator accounts on the server and
those users do not use strong passwords then possibly one of those accounts
was compromised. Also keep in mind that you should NEVER use any account in
any administrator group in the domain to logon to a domain computer that is
not known to be secured. It is trivial for a user who has local
administrator access to a domain computer to configure scripts to take over
the domain if you do such or install a keyboard logger or screen scraper to
capture logon credentials. Hidden cameras can also capture credentials,
and any administrator in the domain that is logged in with their admin
account and leaves their computer unattended can also cause compromise of
the whole domain if a malicious user is able to access their computer
keyboard.

I would be sure to run a full malware scan on the server and check for the
existence of unexplained processes and port usage as possibly a
trojan/backdoor was installed while you were logged on. I like the free
tools Process Explorer, TCPView, and Autoruns from SysInternals for that.
At minimum I would also suggest that you verify that the membership in all
the administrator groups - administrators, domain admins, enterprise admins,
schema admins [I don't know what all exists on SBS] is what you expect and
change the passwords on all those accounts. If the server is badly
compromised the only solution is a rebuild and taking steps to prevent it
from happening again knowing what to do before the rebuild. FYI you should
NOT be browsing the internet, doing newsgroups, or reading email from your
server! Use a regular computer to do such while NOT logged on with an
account that has admin powers in the domain and ideally an account that is
not an administrator on that computer.

--- Steve

http://www.microsoft.com/technet/security/default.mspx -- TechNet Security Center
http://www.sysinternals.com/ --- SysInternals

"Hoof Hearted" <HoofHearted@discussions.microsoft.com> wrote in message
news:E1019B2A-3698-4891-AAD2-0A775613C7B7@microsoft.com...
> SBS 2003: When I came to sign into the newsgroup today from my server, there
> was a suspicious email address in the passport login dialog. I won't disclose
> the address here, but it contained the word 'kracker'. Someone has obviously
> gained access to my server. They must have been logged in under the
> Administrator account in order for the email address to be saved in this way.
> No internal user knows my credentials, I use a strong password anyway. I am
> surprised that the intruder seems to have done nothing more sinister than
> check his email.
>
> Is Terminal Services regarded as secure? My server is up to date with
> updates. Is there something I should know? Is there any other way the hacker
> could have got in?
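The log checks Steve lists (logon and account-logon events, group membership changes, a cleared audit log, and comparing admin group membership against what you expect) as a small triage script. This is an added example, not code from the original post or from Microsoft; it assumes the events were exported from Event Viewer into (time, event_id, account, detail) records and uses the pre-Vista Windows 2000/2003 Security log event IDs. The sample records and the "DOMAIN\newadmin" account are constructed.

```python
"""Triage an exported Windows 2003 Security log for the checks named in the post.
Assumption: records are (time, event_id, account, detail) tuples, e.g. parsed from
an Event Viewer CSV export; event IDs are the pre-Vista Security log numbers."""
from collections import Counter

SUCCESS_LOGON = {528, 540}       # interactive / network logon succeeded
FAILED_LOGON = 529               # logon failure: unknown user name or bad password
AUDIT_CLEARED = 517              # the audit log was cleared
GROUP_MEMBER_ADDED = {632, 636}  # member added to a global / local security group
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample export (not real data); DOMAIN\newadmin is a made-up account.
SAMPLE_EVENTS = [
    ("2005-07-03 09:02", 528, "DOMAIN\\owner", "logon type 2"),
    ("2005-07-03 23:41", 529, "DOMAIN\\Administrator", "bad password"),
    ("2005-07-03 23:41", 529, "DOMAIN\\Administrator", "bad password"),
    ("2005-07-03 23:42", 529, "DOMAIN\\Administrator", "bad password"),
    ("2005-07-03 23:44", 528, "DOMAIN\\Administrator", "logon type 10"),
    ("2005-07-03 23:50", 636, "DOMAIN\\Administrator", "Administrators += DOMAIN\\newadmin"),
    ("2005-07-04 00:05", 517, "DOMAIN\\Administrator", "audit log cleared"),
]

def triage(events, fail_threshold=3):
    """Return (severity, message) findings in log order."""
    findings, failures = [], Counter()
    for when, event_id, account, detail in events:
        if event_id == AUDIT_CLEARED:          # an attacker hiding their tracks
            findings.append(("high", f"{when}: audit log cleared by {account}"))
        elif event_id in GROUP_MEMBER_ADDED:   # who was added to which group
            group = detail.split(" += ")[0]
            sev = "high" if group in ADMIN_GROUPS else "medium"
            findings.append((sev, f"{when}: {account} changed {detail}"))
        elif event_id == FAILED_LOGON:
            failures[account] += 1
            if failures[account] == fail_threshold:
                findings.append(("medium", f"{when}: {fail_threshold} failed logons for {account}"))
        elif event_id in SUCCESS_LOGON:
            n = failures.pop(account, 0)       # reset the counter on success
            if n >= fail_threshold:            # guessing that eventually worked
                findings.append(("high", f"{when}: {account} logged on after {n} failures ({detail})"))
            elif "type 10" in detail:          # logon type 10 = Terminal Services / Remote Desktop
                findings.append(("info", f"{when}: remote desktop logon by {account}"))
    return findings

def unexpected_members(actual, expected):
    """Members of each admin group that are not on the expected list."""
    return {g: sorted(set(actual.get(g, ())) - set(expected.get(g, ()))) for g in actual}
```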
