Re: Hacked 2003 SBS Server - temp fix required



In article <upnTlUZnIHA.4684@xxxxxxxxxxxxxxxxxxxx>, me@xxxxxxxx says...
All,

I'm trying to get thoughts and ideas on how to clean an infected/hacked
server as a temp measure to delay actually formatting and rebuilding it:

A customer has had their 2003 SBS Prem SP2 server hacked into (Exch 2003
SP2, SQL 2000 SP4) - it seems someone decided it was a good idea to open up
TCP:1433 on the NAT firewall to allow incoming traffic from anywhere, so
that they could access the DB from home - and the sa password was blank!!
Less than a day later and the server was on its knees.

Stop, don't even consider trying to remove the malware and others.

The first thing you need to do is block ALL INBOUND AND OUTBOUND.

The Second thing you need to do is BACKUP DATA.

The Third thing you need to do is WIPE the system, rebuild from scratch,
meaning format and reinstall from CD.

Install a quality Server based AV solution - Symantec Corp Ed 10.1.7 or
End Point Protection would be my preference.

Backup OS/Base config

Load apps from CD/Media, not tape/backup or anywhere that was saved from
compromised computer/network.

Restore data, not apps, from backup, do not restore EXE/COM/BAT file
types.

Scan for malware using AV, Spy Bot Search and Destroy and AdAware

Enable only the following ports inbound:

SMTP (TCP 25)
RWW (TCP 4125)
HTTPS (TCP 443)

Block outbound ports tcp 135-139, 455, 1433, 1434

Shoot person that put hole for DB into NAT device.

Teach them how to use RWW to access their computers remotely.

There is nothing you can run, nothing you can do, to ensure that the
server is 100% clean. Yes, people with large EGOs will tell you that
you can clean it, that you don't need to wipe it, but anyone that would
certify, with liability included, will tell you that they won't clean
it, that they would wipe/reinstall in a CLEAN environment.

With SA access they had complete access to the OS, to browse their
network, to do anything they wanted as a domain administrator.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
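The port rules in the reply above, turned into a small audit script. This is an added example, not code from the thread: it reads a constructed rule export in a made-up "direction,proto,src,dport,action" format (not any real firewall's syntax) and flags inbound allows outside the SMTP/RWW/HTTPS list and outbound ports that lack a deny rule. The reply lists 455 in its outbound block list; SMB itself is TCP 445, so both are checked here.

```python
"""Audit a NAT/firewall rule export against the allow-list in the reply.

Added example; rule format and sample rules are constructed for illustration.
"""
from collections import namedtuple

# Inbound ports the reply permits: SMTP, RWW, HTTPS.
INBOUND_ALLOWED = {25, 4125, 443}
# Outbound ports the reply says to block (135-139, 455, 1433, 1434),
# plus 445 because SMB runs on TCP 445.
OUTBOUND_MUST_BLOCK = set(range(135, 140)) | {445, 455, 1433, 1434}

Rule = namedtuple("Rule", "direction proto src dport action")


def parse_rules(text):
    """Parse 'direction,proto,src,dport,action' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, proto, src, dport, action = [f.strip().lower() for f in line.split(",")]
        rules.append(Rule(direction, proto, src, int(dport), action))
    return rules


def audit(rules):
    """Return a list of human-readable findings (empty list means compliant)."""
    findings = []
    for r in rules:
        # Any inbound TCP allow that is not SMTP/RWW/HTTPS is a finding,
        # e.g. the TCP 1433 hole that let the SQL 'sa' account be reached.
        if r.direction == "in" and r.action == "allow" and r.proto == "tcp" \
                and r.dport not in INBOUND_ALLOWED:
            findings.append(f"inbound tcp/{r.dport} allowed from {r.src}: not in allow-list")
    blocked_out = {r.dport for r in rules
                   if r.direction == "out" and r.action == "deny" and r.proto == "tcp"}
    for port in sorted(OUTBOUND_MUST_BLOCK - blocked_out):
        findings.append(f"outbound tcp/{port} has no deny rule")
    return findings


# Constructed sample export: the three permitted inbound ports, the 1433
# hole described in the original post, and only a partial outbound block list.
SAMPLE_RULES = """\
# direction,proto,src,dport,action
in,tcp,any,25,allow
in,tcp,any,443,allow
in,tcp,any,4125,allow
in,tcp,any,1433,allow
out,tcp,any,1433,deny
out,tcp,any,1434,deny
"""

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_RULES)):
        print(finding)
```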