Have I been Hacked?
Posted on 2009-02-18
I think my SBS server has just been hacked...
Yesterday I set up Outlook Web Access and enabled Remote Administration. I also bought and installed a new router. Now, being fairly security conscious, I decided that user A could only connect to Computer A, user B to Computer B, and user C could not connect to anything. So, basically, I had disabled Outlook Web Access for some users within one group policy. Checking this, I learnt that during and after a remote login, the original user of the machine will be confronted with a Windows message box saying "Computer Locked, CTRL ALT DELETE to Login", etc.
I asked one of the 'enabled' users to check their mail last night by remotely logging in. Everyone else had checked theirs with no issue except him. This morning he reported that he could not access it because he could not get beyond the login screen: either the username or password was wrong.
Username was fine and I double checked he wasn't typing in false data i.e. bad password. Nothing.
Today the accounts department had just finished their work using the server for the day. The familiar Windows Update shield was in the far right corner. No obvious problems, except that historically the server has had around 500 meg of space, which I accept is far too little.
I suddenly noticed my Outlook losing, and then lose, its connection with the server. Checking others in the office, it all started to go very wrong indeed. Could not use Remote Access, could not bring up another Radmin service (PCAnywhere) to try and log in to it. Plugging a VGA screen into the server revealed that while everyone could still use the Internet (my SBS box is the DNS, I think), it was completely unresponsive and would not even recognise a USB keyboard plugged in.
It then went black screen and rebooted. I used the server username & password to access the desktop.
15 mins later, when all was calm again, I checked the server using the Radmin tools with a view to checking the Event log to try and work out the problem. On connecting, it told me the computer was locked. It can't be, unless someone remotely accessed it, surely!
The event viewer only gives me a slight indication of an error. One service had been attempting to 'connect'/download or other for 88000 seconds. Other than that, a few emails stored for a little too long and a POP3 mailbox playing up. Nothing else.
I want to know what you think about this and how you would have reacted given the situation.
The large number of points available suggests that changes might have to be made to the way IT integrates with the rest of the business as it continues to have more of an effect. I want to know about bandwidth, I want to know about routers, I want to know about the possibility that I've been the victim of a brute force attack, or that one of the 'higher up' users has mistakenly entered the server username and password into a false website, not our subdomain.