Solved

server 2008 hacked

Posted on 2013-05-31
Last Modified: 2013-06-06
I have a Hyper-V setup and leave a VM running Server 2008 always on.  Today I tried to log in and it said that my clock and the clock on the remote computer were out of sync and I could not log in.  I logged into the Hyper-V server then connected to the VM that way.  I saw that there were three users logged in, one was mydomain\david.  I only have two or three users that I created, none of whom is David.

Is there any way to figure out how this happened?  When it happened?  What David did?  And how to stop this from happening again?

When I saw this, I just shut down the VM.
Question by:jackjohnson44
14 Comments
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39210896
Just start going through the logs.  Find what account created the account 'david' and when it was created.  Look for event ID 4720.
 
LVL 20

Expert Comment

by:netcmh
ID: 39210965
Assess your situation, offline.
- Go through your logs, especially access logs
- Check your services
- Check your startup, processes and your server directories.

Alternatively, if you can back your data out, I would say nuke it and start from scratch making sure that you have adequate protection on your server and network, opening up only the necessary and patched services that you'd like this server to host.
 

Author Comment

by:jackjohnson44
ID: 39211080
Thanks, I unplugged the network cable to the internet and went into my server and connected.  When I try to log in I get a "Please wait for the User Profile Service" message that doesn't go away.

I also disabled all accounts on my host except one and changed the password for it before turning this on.  I am not sure if that matters.
 
LVL 20

Expert Comment

by:netcmh
ID: 39211113
Could be for any of these reasons:

Is the IPv6 disabled on the host machine?

Could be DNS related.

Try disabling the WebClient service
 

Author Comment

by:jackjohnson44
ID: 39211136
After a long time, it says "applying user settings" and just hangs.
 

Author Comment

by:jackjohnson44
ID: 39211178
I finally got in.

When you say go through the logs, what do you mean?

I went in the event viewer, but don't know which area to look in, or where to find 4720.
 

Author Comment

by:jackjohnson44
ID: 39211260
I found an entry for 4720.

I have a logon with security ID "NULL SID", then they added themselves to the admin group, enabled the local admin, then created a user david and gave themselves permissions.
 

Author Comment

by:jackjohnson44
ID: 39211473
It looks like David downloaded a file called gamma28.zip to his desktop, which contains mmail.zip and mpatch.zip.

I am really scared to put this back on the network.  I deleted his account and reset the admin password.  I am not sure how he could have got into my system.
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39211489
Is this system accessible from outside your LAN?  Do you see a lot of failed logon attempts?  A lot of times hackers will go through a password dictionary until something works.  Make sure you have strong passwords and good password policy like account lockouts after failed attempts.  For now change passwords for all user accounts with admin or elevated privileges.
 

Author Comment

by:jackjohnson44
ID: 39211521
It is accessible outside my LAN.  I remote into it.  I see a ton of login attempts but I can't find the login name that they tried.  Is there any way to determine that?  I changed all passwords.

How can I set the account lockout policy?
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39211545
Either group policy or local security policy.  I'll give you more detail when I get back to my desk.
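The account lockout policy asked about above, as an added example that is not part of the original thread. It uses the built-in net accounts command from an elevated prompt on the server itself; the threshold, window and duration values are our choices, not the thread's, and on a domain-joined machine a domain GPO would override whatever is set locally.

```powershell
# Added example (not from the original thread): set a local account lockout
# policy on a standalone Server 2008 box from an elevated PowerShell/cmd prompt.
# This edits the same values as Local Security Policy (secpol.msc) >
# Account Policies > Account Lockout Policy.

# 1. Show the current policy. On a default install you will see
#    "Lockout threshold: Never", i.e. a dictionary attack over RDP can run
#    forever without any account being locked.
net accounts

# 2. Lock an account out after 5 bad passwords within a 30-minute window, and
#    keep it locked for 30 minutes. (Values are assumptions; pick what suits you.)
net accounts /lockoutthreshold:5 /lockoutwindow:30 /lockoutduration:30

# 3. While here, tighten the password policy the guessing was running against:
#    minimum length 14 characters, maximum age 90 days.
net accounts /minpwlen:14 /maxpwage:90

# 4. Re-read the policy to confirm the new values took effect.
net accounts
```

Note that lockout protects the accounts that exist; it does nothing about the RDP port itself still being reachable from the internet, so pair it with a firewall rule or VPN that limits which source addresses may reach TCP 3389.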
 

Author Comment

by:jackjohnson44
ID: 39211563
thanks, this SUCKS!!!

Is there any way to determine what account they used to login?  It says terminal services.  I assume that is remote desktop.  I really need remote desktop, but that is about it. Basically this is my desktop away from home so I can drop into it while at a client and do my dev work there.  It has Visual Studio and a lot of tools.

The network is just me at home.  Again, I am a developer and have little to no idea about any sort of security or network stuff.  This is usually setup for me at work.  I have had this system at home for years without issue.
 
LVL 10

Accepted Solution

by:bigbigpig (earned 500 total points)
ID: 39211682
To see who's logging on to your system go to the Event Viewer and create a custom view.  Filter on event 4624, those are logons.  However, it includes type 3 which is network logon (authentication) and there will be zillions in there.  But create the custom view anyway.  After you create the custom view right-click on it and click Properties.  In the Properties box click "Edit Filter".  Check the box to Edit the query manually and paste this in there.  This will make it so only type 2 and type 10 show up (console logon and remote desktop logon).  This way you can see who's logging on, where from, and how frequently.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=2 or Data=10)]]</Select>
  </Query>
</QueryList>


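The same custom-view query run from PowerShell, as an added example that is not part of the original thread. It goes a little beyond the accepted answer: besides the 4624 type 2/10 view above it also pulls the 4625 failed logons (which carry the account name that was tried and the source address, answering the question earlier in the thread), and the 4720 account-creation and 4732 group-membership events that bigbigpig pointed at. It assumes PowerShell 2.0 or later on the affected server, an elevated session, and that the Security log has not been cleared; the helper name Get-EventFields is ours.

```powershell
# Added example (not from the original thread): triage the Security log with
# Get-WinEvent. Run elevated on the server; add -Path C:\exported\Security.evtx
# to the Get-WinEvent calls instead if you are working from an exported log.

# 1. The thread's own custom-view query, unchanged: successful logons (4624) of
#    type 2 (console) and 10 (RemoteInteractive, i.e. Remote Desktop).
$logonQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=2 or Data=10)]]</Select>
  </Query>
</QueryList>
"@

function Get-EventFields {
    # Flatten one event's EventData (the "Details > XML view" in Event Viewer)
    # into an object with a property per field, e.g. TargetUserName, LogonType,
    # IpAddress, so the output can be sorted and grouped on those names.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{ Time = $Event.TimeCreated; EventId = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    New-Object PSObject -Property $fields   # works on PowerShell 2.0 as well
}

# Successful console/RDP logons: who got in, from where, and when.
"== Successful console/RDP logons (4624, type 2/10), newest first =="
Get-WinEvent -FilterXml $logonQuery -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Sort-Object Time -Descending |
    Format-Table Time, LogonType, TargetDomainName, TargetUserName, IpAddress, WorkstationName -AutoSize

# 2. Failed logons (4625). TargetUserName is the account name the attacker tried;
#    a long list of different names from one IpAddress is a dictionary attack.
"== Failed logons (4625) grouped by attempted account and source IP =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Group-Object TargetUserName, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize

# 3. Account creation (4720): which account created 'david', and when.
#    SubjectUserName/SubjectUserSid is the creator; TargetUserName the new account.
"== Accounts created (4720) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Format-Table Time, TargetUserName, SubjectUserName, SubjectUserSid -AutoSize

# 4. Members added to a local group (4732), e.g. to Administrators. TargetUserName
#    is the group; MemberSid the account that was added.
"== Local group membership changes (4732) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Format-Table Time, TargetUserName, MemberSid, SubjectUserName -AutoSize
```

Two practical caveats: copy the raw log off the machine first (wevtutil epl Security C:\exported\Security.evtx) so the evidence survives whatever you do next, and remember that on a box where an attacker had local admin the log may have been trimmed, so an absence of events proves nothing while their presence is still usable.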
 

Author Comment

by:jackjohnson44
ID: 39226851
Thanks for all your help.  I haven't been able to test this out yet, but I can over the weekend.  I didn't want to leave the question open because EE is telling me to close it.