declaim9 (United States of America)

asked on

server compromised!

For the last four days, new administrative users have been created on my W2K3 server - only I did not create them! I deleted the first two, but another was created over the weekend. Only two others in the company can log on to the server and neither is creating users, so I believe that the person creating the users is outside our local network and accessing the server through the Internet. Confirming this is the contents of the new user's profile - 40MB of photos of women's purses, with captions in Japanese (not anything that we are hosting). We are running Apache web server and host several websites on this server.

1. How can I best lock down the server to prevent unauthorized access while still keeping our web server up?

2. What are the potential holes in security that I should look at to prevent this type of access? I am running the server behind a hardware firewall that I thought was secured...

Thanks for your suggestions!

Mark
Hi,

What has happened cannot be turned back, though there are many safety mechanisms to put in place for the future. How is Apache running? As a CGI module? There also need to be brute-force attack prevention mechanisms on your server. Let me suggest a few good applications which will possibly reduce the chances of an attack on your server:

1- As in the first comment, change all the administrative passwords. Also, never make weak passwords which are easy to break, like admin, cisco etc., as these are included in dictionary attacks. Always use a combination of digits and words as passwords, like "def^$89". It is relatively harder to crack. Always make a security policy to change passwords every week.

2- There are many hardware firewalls available which are in fact UTMs (Unified Threat Management), like Juniper, SonicWall and Cisco, which have IDP (Intrusion Detection and Prevention), screening and all security features built into them. I recommend having such a UTM with a strong security policy. If you do not favor hardware-based firewalls, then have something like an Untangle or SmoothWall based software UTM.

3- There are many good applications for preventing BF attacks. You may check the site below for good applications:

http://rfxnetworks.com/proj.php

All the projects at the above site I have personally used in one of the largest hosting companies, and they proved to be very handy.
Is there a True Image Backup of this machine?

ASKER (declaim9)

Thanks for the quick replies - I am working on password changes and will be able to tell soon if that helps prevent access problems to the server.

In looking through the server log files, I just discovered that the remote user who is creating new administrator accounts on my local machine is logging in to my server using Remote Desktop. I will be checking the security settings there - if you have any ideas about securing Remote Desktop, let me know.

Mark
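One way to confirm what the asker found in the log files (a run of failed logons, then a successful Remote Desktop logon from the same address, then an account being created and added to a local group) is to scan the Security log for those events together. The following is an added Python example and not part of this thread; the log lines are constructed, the tab-separated layout is an assumption (a real Event Viewer export would need converting into this shape first), and the event IDs and logon type are the pre-Vista numbers Windows 2000/2003 use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-Vista Windows Security-log event IDs (Windows 2000/2003 numbering)
EVENT_LOGON_SUCCESS = 528         # successful logon
EVENT_LOGON_FAILURE = 529         # unknown user name or bad password
EVENT_USER_CREATED = 624          # user account created
EVENT_ADDED_TO_LOCAL_GROUP = 636  # member added to a local group
LOGON_TYPE_RDP = 10               # RemoteInteractive (Terminal Services / RDP)

# Constructed sample, not a real log: one tab-separated line per event with
# timestamp, event ID, account name, source address (or "-") and logon type
# (or "-"). The assumed layout is what a converted Event Viewer export gives.
SAMPLE_LOG = """\
2008-03-14 02:11:05\t529\tadministrator\t203.0.113.7\t10
2008-03-14 02:11:09\t529\tadministrator\t203.0.113.7\t10
2008-03-14 02:11:14\t529\tadministrator\t203.0.113.7\t10
2008-03-14 02:11:20\t529\tadministrator\t203.0.113.7\t10
2008-03-14 02:11:27\t529\tadministrator\t203.0.113.7\t10
2008-03-14 02:11:33\t529\tadministrator\t203.0.113.7\t10
2008-03-14 02:12:02\t528\tadministrator\t203.0.113.7\t10
2008-03-14 02:15:40\t624\tsupport1\t-\t-
2008-03-14 02:15:41\t636\tsupport1\t-\t-
2008-03-14 08:30:12\t528\tmark\t192.168.1.20\t10
2008-03-14 09:02:55\t529\tmark\t192.168.1.20\t10
2008-03-14 09:03:10\t528\tmark\t192.168.1.20\t10
"""


def parse_log(text):
    """Turn the tab-separated text into a list of event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, account, source, logon_type = line.split("\t")
        events.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account,
            "source": source,
            "logon_type": int(logon_type) if logon_type != "-" else None,
        })
    return sorted(events, key=lambda e: e["time"])


def rdp_logons(events):
    """Successful RDP (logon type 10) logons as (time, account, source) tuples."""
    return [(e["time"], e["account"], e["source"]) for e in events
            if e["event_id"] == EVENT_LOGON_SUCCESS
            and e["logon_type"] == LOGON_TYPE_RDP]


def account_changes(events):
    """Account creations and local-group additions; on a server with only a
    few known administrators every one of these should be explainable."""
    return [(e["time"], e["event_id"], e["account"]) for e in events
            if e["event_id"] in (EVENT_USER_CREATED, EVENT_ADDED_TO_LOCAL_GROUP)]


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Source addresses with at least `threshold` failed logons inside any
    `window`-long period (sliding window per source). Returns {source: peak}."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == EVENT_LOGON_FAILURE:
            failures[e["source"]].append(e["time"])
    flagged = {}
    for source, times in failures.items():
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[source] = peak
    return flagged


def suspicious_rdp_logons(events, window=timedelta(minutes=10)):
    """Successful RDP logons from an address that was also brute-forcing."""
    flagged = brute_force_sources(events, window=window)
    return [entry for entry in rdp_logons(events) if entry[2] in flagged]


def report(text=SAMPLE_LOG):
    """Summarise the log into the four things worth looking at first."""
    events = parse_log(text)
    return {
        "brute_force": brute_force_sources(events),
        "rdp_logons": rdp_logons(events),
        "suspicious_rdp": suspicious_rdp_logons(events),
        "account_changes": account_changes(events),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key)
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

On the constructed sample this flags 203.0.113.7 for six failures inside ten minutes, lists the administrator RDP logon from that address as suspicious, and shows the support1 account being created and added to a local group a few minutes later; Mark's own RDP logons from the LAN, including one mistyped password, are listed but not flagged.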
Oops, sorry, it was a Windows machine. :)

You can apply rules in your Windows Firewall to block Remote Desktop connections. Windows Firewall can be found in the Control Panel.
Web access and Remote Desktop access. There are lots of portholes to your Web server.

Go to this machine and deny access to RDP.

To do this:
Right-click on the "My Computer" icon
Select "Properties"
Select the "Remote" tab
Uncheck "Allow remote access to this computer"

You too will be denied remote access; you will get an error saying something like "there are currently no Terminal servers to permit this request".

Is there any PII (Personally Identifiable Information) on this PC? That would be social security numbers, names, addresses, phone numbers, bank card statements?
LOL Nyah:

Looks like your fingers type faster than mine.