• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 613

Have I been Hacked?

I think my SBS server has just been hacked...

Yesterday I set up Outlook Web Access and enabled Remote Administration.  I also bought and installed a new router.  Now, being fairly security conscious, I decided that user A could only connect to Computer A, user B to Computer B, and user C could not connect to anything.  So, basically, I had disabled Outlook Web Access for some users within one group policy.  Checking this, I learnt that during and after a remote login, the original user of the machine is confronted with a Windows message box saying "Computer Locked, CTRL ALT DELETE to Login", etc.

I asked one of the 'enabled' users to check their mail last night by remotely logging in.  Everyone else had checked theirs with no issue except him.  This morning he reported that he could not get access because he could not get beyond the login screen: either the username or the password was wrong.
The username was fine, and I double-checked that he wasn't typing in false data, i.e. a bad password.  Nothing.

Today the accounts department had just finished their work using the server for the day.  The familiar Windows Update shield was in the far right corner.  No obvious problems, except that historically the server has had around 500 MB of free space, which I accept is far too little.
I suddenly noticed my Outlook losing, and then completely losing, its connection with the server.  Checking with others in the office, it all started to go very wrong indeed.  I could not use Remote Access, and could not bring up another Radmin service (PCAnywhere) to try to log in to it.  Plugging a VGA screen into the server revealed that, while everyone could still use the Internet (my SBS box is the DNS, I think), it was completely unresponsive and would not even recognise a USB keyboard plugged in.
It then went to a black screen and rebooted.  I used the server username and password to access the desktop.

15 minutes later, when all was calm again, I checked the server using the Radmin tools with a view to checking the Event log to try to work out the problem.  On connecting, it told me the computer was locked.  It can't be, unless someone remotely accessed it, surely!!

The Event Viewer only gives me a slight indication of an error.  One service had been attempting to 'connect'/download or something similar for 88000 seconds.  Other than that, a few emails stored for a little too long and a POP3 mailbox playing up.  Nothing else.

I want to know what you think about this and how you would have reacted in this situation.
The large amount of points available suggests that changes might have to be made to the way IT integrates with the rest of the business, as it continues to have more of an effect.  I want to know about bandwidth, I want to know about routers, and I want to know about the possibility that I've been the victim of a brute-force attack, or that one of the 'higher up' users has mistakenly entered the server username and password into a false website rather than our subdomain.
1 Solution
Philip Elder, Technical Architect - HA/Compute/Storage, commented:
I suggest you look at the GPO changes you made to "disable OWA" for certain users. Make sure those policy changes will not impact the server and its services too.

How could your users have the admin account name and password?!?!? No one should know that username/password combination except the one who manages the server and the owner of the business.

Are any of the "users" given domain admin rights?

chriscounter07 (Author) commented:
3 users know the admin credentials: the server owner (myself), the business owner and one chief exec.  It is a relatively small business, so trust is not an issue here.  Noted nonetheless.

AFAIK no users have been given domain admin rights.

Are there perhaps some specific things I should be looking for in the server logs?  There is one System message displaying an unexpected shutdown.  I will check for hardware issues tonight.

I would recommend that all of you use standard user rights for everything except administrative tasks, and then have a second administrative account, with a more complicated password, that each of you uses for necessary administration.
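The author asks what to look for in the server logs, and the thread leaves that open. The script below is an added example, not code from anyone in this thread, showing the first checks a defender would run on the Security and System logs: failed logons grouped by account and source (many failures against one account from one address are the signature of password guessing), account lockouts with the computer that caused them, successful Remote Desktop logons (each one should match a session somebody in the office remembers), and unexpected shutdowns. It assumes Windows Server 2008 or later event IDs (4625, 4740, 4624, 6008, 41) and `Get-WinEvent`; on an SBS 2003 box the equivalents are 529/644/528 with `Get-EventLog`, and the `$Days` and `$FailureThreshold` parameters are arbitrary defaults chosen for this example.

```powershell
# Added example: triage a Windows server's event logs for password guessing
# and unexplained remote logons. Run in an elevated PowerShell on the server.
# Assumes Server 2008+ event IDs; adjust for SBS 2003 (529/644/528).
param(
    [int]$Days = 2,                # how far back to look (assumed default)
    [int]$FailureThreshold = 10    # failures per account+source to flag (assumed default)
)

$since = (Get-Date).AddDays(-$Days)

function Get-EventFields {
    # Flatten the EventData section of an event into a name -> value hashtable,
    # so fields like TargetUserName and IpAddress can be read by name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($item in $xml.Event.EventData.Data) { $fields[$item.Name] = $item.'#text' }
    return $fields
}

function Get-SecurityEvents {
    # Wrapper that returns an empty list instead of an error when nothing matches.
    param([int[]]$Id, [string]$LogName = 'Security')
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $since } `
        -ErrorAction SilentlyContinue
}

# 4625 = failed logon. Group by target account and source address.
$failed = Get-SecurityEvents -Id 4625 | ForEach-Object {
    $d = Get-EventFields $_
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = $d['TargetUserName']
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']
        Status    = $d['Status']      # e.g. 0xC000006A = wrong password, 0xC0000234 = locked out
    }
}

"Failed logons since $since, grouped by account and source:"
$groups = $failed | Group-Object Account, Source | Sort-Object Count -Descending
$groups | Select-Object Count, Name | Format-Table -AutoSize

foreach ($g in $groups | Where-Object { $_.Count -ge $FailureThreshold }) {
    Write-Warning ("{0} failed logons for {1}: possible password guessing" -f $g.Count, $g.Name)
}

# 4740 = account locked out. TargetDomainName holds the caller computer name,
# i.e. the machine from which the bad attempts came.
"Account lockouts:"
Get-SecurityEvents -Id 4740 | ForEach-Object {
    $d = Get-EventFields $_
    [pscustomobject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']; Caller = $d['TargetDomainName'] }
} | Format-Table -AutoSize

# 4624 with LogonType 10 = RemoteInteractive (Remote Desktop) logon. A console that
# shows "Computer Locked" when nobody in the office used it should be matched by
# one of these entries; an entry from an address you do not recognise is the lead.
"Successful Remote Desktop logons:"
Get-SecurityEvents -Id 4624 | ForEach-Object {
    $d = Get-EventFields $_
    if ($d['LogonType'] -eq '10') {
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']; Source = $d['IpAddress'] }
    }
} | Format-Table -AutoSize

# System log: 6008 = previous shutdown was unexpected, 41 = Kernel-Power reboot
# without a clean shutdown. Correlate their times with the failed-logon bursts above.
"Unexpected shutdowns:"
Get-SecurityEvents -Id 6008, 41 -LogName 'System' |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

A burst of 4625 events with status 0xC000006A against a single account from one address, followed by a 4740 lockout, is what a brute-force attempt against OWA or Remote Desktop looks like from the server's side; a 4624 type-10 logon from an address that is not one of your users' is the case the author is worried about and is worth treating as a compromise until explained. If the Security log shows nothing because auditing of logon events was never enabled, that is itself the first finding: turn on success and failure auditing for logon events in the Default Domain Controllers Policy before the next incident.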
