3 different servers have been hacked

By aplatt99
Apr 10, 2008
  1. A co-worker of mine also works as a contract IT consultant for several companies. Over the last 4 days, 3 of the companies servers have been trashed. A download manager has been installed. It was used to download Plesk, TomCat and several other installations, including Windows Live Messenger and OneCare. The application log show the installation of Plesk starting in the evening. Approximately 2 hours after it gets installed, it is also uninstalled and Windows Live software is installed. A user logs in to Live Messenger as By the time we reached the server, the NIC was set to forced Gigabit (not supported by the network switch), the server name was changed to EnverS and all user accouts were either deleted or midified in some way. The co-worked is currently working at the 3rd customer where all of the above was performed, except the Windows Live stuff. One of the sites has a isco 501 PIX and the logs are clean. Does not look like someone was port sniffing. ALL of the sites have port 3389 open to the server. Not the smartest thing now that he is looking back on this. Is it safe to assume 3389 was the vehicle used? Has anyone else seen this? Is there a way to tell HOW this was done if not 3389? THanks for your help. Boy does he have a busy weekend rebuilding servers and 2 active directories.

  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    But if he had imaged the drive, it would have taken under an hour, to get it back to normal.

    If you're asking what port and how and any other ins and outs. It may be better to answer on another angle.

    Servers are not meant to run Windows Messenger or any other sharing program (other than what is required for your network and Internet to function)
    Servers are set up to hold Data (to also allow external back ups) and house most install programs; the Active directory and all user logins (Web and network), and one last one the Internet connection.

    Not including many other lesser relevant programs. They are mainly meant to just sit there (and usually without a keyboard or monitor in most cases)

    I would suggest that you incorporate a strict policy of its usage, and incorporate some excellect security programs, even a hardware firewire (usually Linux based) for the Internet.

    Once the Server is fully operational again, have it imaged to external media.
    To avoid a similar issue next week !
  3. aplatt99

    aplatt99 TS Rookie Topic Starter

    I understand and agree with what you are saying. Perhaps I was not clear on what has happened. No one sat at the concole and loaded these applications. Live Chat was not installed by a user on the LAN or an Administrator. Plesk, Live Chat and all of that was installed by the hacker via remote. Then the installed software was used by the hacker to change the server name, erase the domain users and also install other SPAM software. After Plesk was used it was then uninstalled, as visible in the Application log. Live Chat was not uninstalled however. It was used about 2 hrs after the Plesk uninstallation was completed and the outside hacker logged in as his hotmail user. When you look at it, it really is amazing, aside from the amount of work left to do. When you say image the drive, do you just image the system drive to an external media? Is this an ongoing thing that you image it every couple of weeks, etc?
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I see, glad to hear that it wasn't normal usage of your office.


    Imaging is best described as a complete backup of the entire operating system; partition, and all system and data files into one (or more) large compressed file.

    If the computer to image (your Server) is consistantly creating backups to extrernal media (usually using Ntbackup, from Start ->Run) then it is not necessary for the image to also hold any data.

    Therefore your image will only be holding:
    Operating System
    Program Files
    All settings
    Actually it will hold everything that you see (exactly) at the time of image (that is exactly!)

    Therefore, you will only need one image, until you decide to update programs or any other large or significant change, or every 6 months or so.

    Please continue to ask for any more help in this area if required.
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...