chops123
windows 2003 server hacked into... please assist

Hi

We have a dedicated server running the Server 2003 OS. Recently we found that there were tons of new folders which contained some hacked stuff. I don't know how they got to the folders in the first place. There are folders in the inetpub folder and outside it as well.

If we are a self-managed server, do we need to do some settings to prevent such access to the hard disk over the net?

KC
anil_u

The inetpub folder would suggest IIS is being used. The first thing to do is use the IIS Lockdown tool to stop everything you don't need in IIS.
http://www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en

The next would be to make sure that the Server 03 has been patched with the latest updates available from www.microsoft.com.

Do you have a firewall? Make sure that all unnecessary ports are blocked.

chops123 (Asker)

Don't have a firewall installed. Please suggest a good and cheap one if possible.
IIS Lockdown isn't supported on IIS 6.0 on Windows Server 2003... doesn't work.
ASKER CERTIFIED SOLUTION
anil_u

I think first you should use ICF in Windows 2003; if you don't like it, use Kerio. It is free and you can manage it better than ZoneAlarm or Sygate.
SOLUTION
OK, sounds like your server is pretty open and you need to re-evaluate your security. Here is the basic guide from Microsoft on what you can do. Start off with the basics before you start to build an elaborate strategy. Microsoft has a security baseline scanner that you can run on the machine to give you an idea of potential flaws. It's not the greatest tool but it's a start.

IIS 6, which comes with Windows 2003, comes in a locked-down state, so IIS Lockdown and URLScan are not needed, but some people still install URLScan as a way to prevent unauthorized URL commands.

I agree with others that a firewall is a must. You can use the Windows firewall if you are strapped for cash, but I would even just shell out for a simple Linksys firewall you can configure to block all ports except 80/443. This will eliminate the potential avenues of hacking.

Microsoft IIS info:
http://www.microsoft.com/security/guidance/prodtech/IIS.mspx
Sygate is free. Windows firewall will be bypassed with ease.
Chops123,

I would recommend setting up a firewall with an old beater PC (an old Pentium would do nicely) and IPCop: www.ipcop.org

You can use it along with 2 NICs to set up a firewall with proven, stable Linux-based utilities. Once you have it set up, anything that you need to configure can be done through IPCop's web interface.

IPCop makes it pretty painless if you read the docs first. If you have an old PC, this is the way to go (aka free)! IPCop is free.

Jared
I would put a hardware firewall in place on the network's perimeter, and I would recommend a good one like a PIX. If you only have a DSL connection or cable connection, a Cisco 831 router with IOS Firewall would also work. Whatever you choose, take the time to set it up correctly and log its activities. It is more than worth your time and money to do it the right way. Also secure the server: if you don't need IIS, don't install it. Do your research and only run the services that you need. Keep the server updated and keep an eye on the logs.
Thanks for those valuable comments... will revert back with the results of those suggestions.

KC
The following ports are being shown open on doing a trojan scan:

21, 23, 25, 80, 6969

TCP scan: Almost all ports are open. I believe port 23 is for SSH, which is probably more vulnerable as pointed out by the system.

Please comment.
Why is port 6969 open?
The rest are common ports which, if you do not use their service, you should close.
21: FTP
23: Telnet
25: SMTP
80: Internet
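The advice above amounts to an allowlist: decide which ports the server is meant to expose and treat every other listener as something to explain or close. The script below is an added example, not code from this thread; it parses `netstat -ano` style output and reports listening TCP ports that are not on the allowlist, with the owning PID so the process behind an unexpected port (such as 6969 here) can be looked up. The sample netstat lines and the allowlist of 80 and 443 are constructed assumptions for the demonstration.

```python
"""Flag unexpected listening TCP ports in `netstat -ano` output.

Added example (not from the thread). The netstat text below is constructed
sample data modelled on the Windows `netstat -ano` layout; the allowlist
of ports 80 and 443 is an assumption taken from the thread's advice to
block everything except the web ports.
"""
import re

# Ports a public web server is expected to expose (assumption for this example).
ALLOWED_PORTS = {80, 443}

# Constructed sample of `netstat -ano` output, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1720
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1600
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6969           0.0.0.0:0              LISTENING       2288
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1320
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return (proto, local_ip, local_port, state, pid) tuples for each socket row.

    Header and blank lines do not match the row pattern and are skipped.
    The port is split off the local address with rpartition so IPv6 forms
    like [::]:80 are handled as well.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local_ip, _, port = m.group("local").rpartition(":")
        rows.append((m.group("proto"), local_ip, int(port),
                     m.group("state") or "", int(m.group("pid"))))
    return rows


def unexpected_listeners(text, allowed=ALLOWED_PORTS):
    """Listening TCP ports not in the allowlist, as sorted (port, pid) pairs."""
    found = {}
    for proto, _ip, port, state, pid in parse_netstat(text):
        if proto == "TCP" and state == "LISTENING" and port not in allowed:
            found[port] = pid
    return sorted(found.items())


if __name__ == "__main__":
    for port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: TCP/{port} owned by PID {pid}")
```

On a live host the text would come from running `netstat -ano` and the PID column is what you feed to Task Manager or `tasklist` to identify the service; a port that maps to a process you cannot account for is the one to investigate before deciding whether the host needs rebuilding rather than just firewalling.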
Chops, =)

Do you have an iPod? If not, port 6969 is definitely a trojan/backdoor.

Port 6969
    Netwin DSMTP v2.7q remote-root exploit by noir will leave a root shell at this port.

or could be:
http://www.sarc.com/avcenter/venc/data/backdoor.danton.html

I recommend running the Trend Micro virus scan, and also installing Sygate at least until you can buy a hardware firewall.

let me know details, I'll give more recommendations when I get off work.

good luck,

Jorden
Also, found this at eeye.com:
http://seclists.org/lists/bugtraq/2000/Nov/0051.html  Read the part on remote exploiting.

Try to telnet to your webserver's IP + port 6969, e.g. telnet 64.121.121.55 6969. This is good to see what that port is being used for; sometimes you'll see a hacker's welcome screen or tag, which can help identify the exact exploit/backdoor in use.

IIS 6 is a lot more secure than IIS 5 and earlier versions. However, there are cross-site scripting exploits even for IIS 6.

Regardless of how, your server is or was compromised and you have a vulnerable port open.

Please advise,

Jorden