Re: Hacked 2003 SBS Server - temp fix required

"Leythos" <void@xxxxxxxxxxx> wrote in message
news:MPG.226cfe7fc0faaa439896cc@xxxxxxxxxxxxxxxxxxxx
In article <upnTlUZnIHA.4684@xxxxxxxxxxxxxxxxxxxx>, me@xxxxxxxx says...
All,

I'm trying to get thoughts and ideas on how to clean an infected/hacked
server as a temp measure to delay actually formatting and rebuilding it:

A customer has had their 2003 SBS Prem SP2 server hacked into (Exch 2003
SP2, SQL 2000 SP4) - it seems someone decided it was a good idea to open up
TCP:1433 on the NAT firewall to allow incoming traffic from anywhere, so
that they could access the DB from home - and the sa password was blank!!
Less than a day later and the server was on its knees.


Agreed to all of Leythos' recommendations, plus since this is Premium, use
the included edition of ISA 2004 installation if a proper firewall doesn't
exist otherwise.



Stop, don't even consider trying to remove the malware and others.

The first thing you need to do is block ALL INBOUND AND OUTBOUND.

The Second thing you need to do is BACKUP DATA.

The Third thing you need to do is WIPE the system, rebuild from scratch,
meaning format and reinstall from CD.

Install a quality Server based AV solution - Symantec Corp Ed 10.1.7 or
End Point Protection would be my preference.

Backup OS/Base config

Load apps from CD/Media, not tape/backup or anywhere that was saved from
compromised computer/network.

Restore data, not apps, from backup, do not restore EXE/COM/BAT file
types.

Scan for malware using AV, Spy Bot Search and Destroy and AdAware

Enable only the following ports inbound:

SMTP (TCP 25)
RWW (TCP 4125)
HTTPS (TCP 443)

Block outbound ports tcp 135-139, 455, 1433, 1434

Shoot person that put hole for DB into NAT device.

Teach them how to use RWW to access their computers remotely.

There is nothing you can run, nothing you can do, to ensure that the
server is 100% clean. Yes, people with large EGOs will tell you that
you can clean it, that you don't need to wipe it, but anyone that would
certify, with liability included, will tell you that they won't clean
it, that they would wipe/reinstall in a CLEAN environment.

With SA access they had complete access to the OS, to browse their
network, to do anything they wanted as a domain administrator.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
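An added example (not code from either poster) that turns the port policy in the reply above into an audit: inbound allow rules other than SMTP/25, HTTPS/443 and RWW/4125 are flagged, outbound allow rules on the ports the reply says to block are flagged, and an inbound SQL Server port open from anywhere is rated critical. The Rule format and sample rule set are constructed; 445 (SMB) is my assumption for the "455" in the post.

```python
from dataclasses import dataclass

# Inbound ports the reply says to leave open on the NAT/firewall.
ALLOWED_INBOUND = {25: "SMTP", 443: "HTTPS", 4125: "RWW"}
# Outbound ports the reply says to block; 445 assumed for the post's "455".
BLOCKED_OUTBOUND = set(range(135, 140)) | {445, 1433, 1434}
SQL_PORTS = {1433, 1434}


@dataclass(frozen=True)
class Rule:
    """Constructed, firewall-neutral rule shape for the audit."""
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    port: int
    source: str      # CIDR or "any"
    action: str      # "allow" or "deny"


def audit(rules):
    """Return (severity, message) findings for allow rules that violate the policy."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules never widen exposure
        if r.direction == "in" and r.port not in ALLOWED_INBOUND:
            # The thread's scenario: SQL Server reachable from any source address.
            sev = "critical" if r.port in SQL_PORTS and r.source == "any" else "high"
            findings.append((sev, f"inbound {r.proto}/{r.port} allowed from {r.source}"))
        elif r.direction == "out" and r.port in BLOCKED_OUTBOUND:
            findings.append(("medium", f"outbound {r.proto}/{r.port} should be blocked"))
    return findings


# Constructed sample: the expected SBS rules plus the hole described in the thread.
SAMPLE_RULES = [
    Rule("in", "tcp", 25, "any", "allow"),
    Rule("in", "tcp", 443, "any", "allow"),
    Rule("in", "tcp", 4125, "any", "allow"),
    Rule("in", "tcp", 1433, "any", "allow"),   # SQL Server opened to the world
    Rule("out", "tcp", 445, "any", "allow"),   # SMB outbound, should be blocked
    Rule("out", "tcp", 80, "any", "allow"),    # ordinary web traffic, fine
]

if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_RULES):
        print(f"[{sev}] {msg}")
```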