Solved

windows 2003 server hacked into... please assist

Posted on 2004-11-29
259 Views
Last Modified: 2010-04-11
Hi

We have a dedicated Server 2003 OS. Recently we found that there were tons of new folders which contained some hacked stuff. I don't know how they got to the folders in the first place. There are folders in the inetpub folders and outside it as well.

If we are a self-managed server... do we need to do some settings to prevent such access to the hard disk over the net?

KC
0
Question by:chops123
15 Comments
 
LVL 8

Expert Comment

by:anil_u
ID: 12694798
The inetpub folder would suggest IIS is being used. The first thing to do is use the IIS Lockdown tool to stop everything you don't need in IIS.
http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en

The next would be to make sure that the Server 03 has been patched with the latest updates available from www.microsoft.com

Do you have a firewall? Make sure that all unnecessary ports are blocked.

0
 
LVL 2

Author Comment

by:chops123
ID: 12694838
Don't have a firewall installed. Please suggest a good and cheap one if possible.
0
 
LVL 2

Author Comment

by:chops123
ID: 12694874
IIS Lockdown isn't supported on IIS 6.0 on Windows Server 2003... doesn't work.
0

 
LVL 8

Accepted Solution

by:
anil_u earned 400 total points
ID: 12694928
Yes, sorry, should have realised it was IIS 6,

I prefer to use Sygate
http://www.sygate.com/

however most people would probably tell you to use Zone Alarm
http://www.zonelabs.com/store/content/home.jsp

Both are free for home use and relatively cheap to buy for an organisation.
0
 

Expert Comment

by:pedramxp
ID: 12696554
I think first you should use ICF in Windows 2003; if you don't like it, use Kerio. It is free and you can manage it better than ZoneAlarm or Sygate.
0
 
LVL 6

Assisted Solution

by:knoxj81
knoxj81 earned 400 total points
ID: 12698044
Chops123,  =)

I disagree with going with a software firewall only. I would suggest using a Linksys hardware firewall or D-Link. This will help protect your network a lot better than a software firewall, and cost you about 70 bucks. If you decide you really want a software firewall or just don't have the 70 bucks, check out this free version of Sygate Personal: http://smb.sygate.com/products/spf_standard.htm. I don't recommend Zone Alarm or Kerio; here's a severe security flaw found in Kerio Personal Firewall: http://eeye.com/html/research/advisories/AD20041109.html

Let's move on to see what damage has been done, so we can begin to patch and repair.

Detection / Prevention:

First, run a virus scan @ http://housecall.trendmicro.com/housecall/start_corp.asp
- Even if you already have virus protection. This will help identify any backdoors that might be in use to easily access your system. Most likely they're just accessing through a specific port via FTP or telnet and using your system to store illegal software.

Now, we want to see what ports you have open, so let's run some online port scans:
Sygate online port scan(s): http://scan.sygate.com. I'd run the Quick Scan, Trojan Scan, and TCP Scan (depending on results).

Now, I would go into the IIS snap-in and check the footer. See if anything there has been modified. There's a virus from a few months ago that took advantage of this to spread, as well as a new one released last week.

Please advise results of scan(s) & test(s) and advise for further instructions/suggestions.

Good Luck,

Jorden
0
 
LVL 9

Expert Comment

by:caball88
ID: 12700272
OK, sounds like your server is pretty open and you need to re-evaluate your security. Here is the basic guide from Microsoft on what you can do. Start off with the basics before you start to build an elaborate strategy. Microsoft has a security baseline scanner that you can run on the machine to give you an idea of potential flaws. It's not the greatest tool but it's a start. IIS 6 that comes with Windows 2003 comes in a locked-down state, so IIS Lockdown and URLScan are not needed, but some people still install URLScan as a way to prevent unauthorized URL commands. I agree with others that a firewall is a must. You can use the Windows firewall if you are strapped for cash, but I would even just shell out for a simple Linksys firewall you can configure to block all ports except 80/443. This will eliminate the potential avenues of hacking.

Microsoft IIS info:
http://www.microsoft.com/security/guidance/prodtech/IIS.mspx
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12700865
Sygate is free. Windows Firewall will be bypassed with ease.
0
 
LVL 17

Expert Comment

by:Jared Luker
ID: 12700978
Chops123,

I would recommend setting up a firewall with an old beater PC (an old Pentium would do nicely) and IPCop.  www.ipcop.org

You can use it along with 2 NICs to set up a firewall with proven, stable Linux-based utilities.  Once you have it set up, anything that you need to configure can be done through IPCop's web interface.

IPCop makes it pretty painless if you read the docs first.  If you have an old PC, this is the way to go (aka free)!  IPCop is free.

Jared
0
 
LVL 9

Expert Comment

by:rshooper76
ID: 12701183
I would put a hardware firewall in place on the network's perimeter, and I would recommend a good one like a PIX.  If you only have a DSL connection or cable connection, a Cisco 831 router with IOS Firewall would also work.  Whatever you choose, take the time to set it up correctly and log its activities.  It is more than worth your time and money to do it the right way.  Also secure the server: if you don't need IIS, don't install it.  Do your research and only run the services that you need.  Keep the server updated and keep an eye on the logs.
0
 
LVL 2

Author Comment

by:chops123
ID: 12702686
Thanks for those valuable comments... will revert back with the results of those suggestions.

KC
0
 
LVL 2

Author Comment

by:chops123
ID: 12704641
The following ports are shown open when doing a trojan scan:

21, 23, 25, 80, 6969

TCP scan: Almost all ports are open. I believe port 23 is for SSH, which is probably more vulnerable as pointed out by the system.

Please comment
0
 
LVL 8

Expert Comment

by:anil_u
ID: 12705333
Why is port 6969 open?
The rest are common ports which, if you do not use their service, you should close.
21: FTP
23: Telnet
25: SMTP
80: Internet
0
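The thread's advice boils down to "only 80/443 should be reachable, and every other listener needs an owner". As an added example (not from any poster), this script parses the output of `netstat -ano` on Windows and flags listening TCP ports outside an allowlist, together with the PID that owns each so it can be matched against `tasklist`. The netstat sample, PIDs and the 6969 listener are constructed for illustration.

```python
import re

# Constructed sample in the layout `netstat -ano` prints on Windows Server 2003;
# the PIDs and the 6969 listener are made up for this example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1456
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1604
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6969           0.0.0.0:0              LISTENING       2388
  TCP    192.0.2.10:80          198.51.100.7:50112     ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1012
"""

# Ports a public web server is expected to expose (caball88's "80/443 only");
# anything else in LISTENING state on a non-loopback address needs a reason.
ALLOWED_TCP = {80, 443}

# One netstat row: protocol, local addr:port, foreign addr, state, PID.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)

def parse_listeners(netstat_output):
    """Return (local_address, port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group("addr"), int(m.group("port")), int(m.group("pid"))))
    return listeners

def unexpected_listeners(netstat_output, allowed=ALLOWED_TCP):
    """Map each listening port outside the allowlist to its owning PID.
    Loopback-only listeners are skipped: they are not reachable from the net."""
    return {
        port: pid
        for addr, port, pid in parse_listeners(netstat_output)
        if port not in allowed and not addr.startswith("127.")
    }

if __name__ == "__main__":
    for port, pid in sorted(unexpected_listeners(SAMPLE_NETSTAT).items()):
        # tasklist /FI "PID eq N" shows which image owns the socket.
        print(f'port {port} listening, owned by PID {pid}: tasklist /FI "PID eq {pid}"')
```

On the sample this reports 21, 23, 25 and 6969; on a real box, feed it the saved output of `netstat -ano` and chase each PID before deciding whether to stop the service or block the port.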
 
LVL 6

Expert Comment

by:knoxj81
ID: 12711659
Chops, =)

Do you have an iPod? If not, port 6969 is definitely a trojan/backdoor.

Port 6969
    Netwin DSMTP v2.7q remote-root exploit by noir will leave a root shell at this port.

or could be:
http://www.sarc.com/avcenter/venc/data/backdoor.danton.html

I recommend running the Trend Micro virus scan, and also installing Sygate at least until you can buy a hardware firewall.

let me know details, I'll give more recommendations when I get off work.

good luck,

Jorden
0
 
LVL 6

Expert Comment

by:knoxj81
ID: 12711758
Also, found this at eeye.com:
http://seclists.org/lists/bugtraq/2000/Nov/0051.html  read the part on remote exploiting.

Try to telnet to your webserver's IP + port 6969, ex. telnet 64.121.121.55 6969. This is good to see what that port is being used for; sometimes you'll see a hacker's welcome screen or tag, which can help identify the exact exploit/backdoor in use.

IIS 6 is a lot more secure than IIS 5 and earlier versions. However, there are cross-site scripting exploits even for IIS6.

Regardless of how, your server is or was compromised and you have a vulnerable port open.

Please advise,

Jorden
0
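The "telnet to port 6969 and see what answers" step above, done from a script with a timeout so a silent listener does not hang the check. This is an added example, not code from the thread; the local stub server and its banner are constructed so the code runs offline, and against a real host you would call check_port() with that host's IP and the suspicious port.

```python
import socket
import threading

def grab_banner(host, port, timeout=3.0, max_bytes=256):
    """Connect, wait briefly for whatever the service volunteers, and return it
    as text. Returns "" if the service stays silent; raises if nothing listens."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(max_bytes)
        except socket.timeout:
            return ""
    return data.decode("latin-1", errors="replace").strip()

def check_port(host, port):
    """Classify the listener: the banner to research, silence, or closed."""
    try:
        banner = grab_banner(host, port)
    except OSError:            # connection refused, unreachable, timed out
        return "closed"
    return banner if banner else "open, no banner"

def start_stub_listener(banner):
    """Throwaway TCP server on 127.0.0.1 that sends `banner` once and closes.
    Exists only to make the example self-contained; returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed banner; a real unknown service sends whatever it likes, or nothing.
    port = start_stub_listener(b"220 constructed-stub service ready\r\n")
    print(f"port {port}: {check_port('127.0.0.1', port)}")
```

A banner is a starting point for research, not proof of what the service is; a listener that says nothing still needs its owning process identified on the host.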
