Solved

server 2008 hacked

Posted on 2013-05-31
358 Views
Last Modified: 2013-06-06
I have a hyper-v setup and leave a vm running server 2008 always on.  Today I tried to login and it said that my clock and the clock on the remote computer were out of sync and I could not login.  I logged into the hyper-v server then connected to the vm that way.  I saw that there were three users logged in, one was mydomain\david.  I only have two or three users that I created, none of which are David.

Is there any way to figure out how this happened?  When it happened?  What David did?  And how to stop this from happening again?

When I saw this, I just shut down the vm.
Question by:jackjohnson44
14 Comments
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39210896
Just start going through the logs.  Find what account created the account 'david' and when it was created.  Look for event ID 4720.
LVL 20

Expert Comment

by:netcmh
ID: 39210965
Assess your situation, offline.
- Go through your logs, especially access logs
- Check your services
- Check your startup, processes and your server directories.

Alternatively, if you can back your data out, I would say nuke it and start from scratch making sure that you have adequate protection on your server and network, opening up only the necessary and patched services that you'd like this server to host.

Author Comment

by:jackjohnson44
ID: 39211080
Thanks, I unplugged the network cable to the internet and went into my server and connected.  When I try to login I get a "Please wait for the User Profile Service" message that doesn't go away.

I also disabled all accounts on my host except one and changed the password for it before turning this on.  I am not sure if that matters.
LVL 20

Expert Comment

by:netcmh
ID: 39211113
Could be for any of these reasons:

Is IPv6 disabled on the host machine?

Could be DNS related.

Try disabling the WebClient service

Author Comment

by:jackjohnson44
ID: 39211136
After a long time, it says "applying user settings" and just hangs.

Author Comment

by:jackjohnson44
ID: 39211178
I finally got in.

When you say go through the logs, what do you mean?

I went in the event viewer, but don't know which area to look in, or where to find 4720.

Author Comment

by:jackjohnson44
ID: 39211260
I found an entry for 4720.

I have a logon with security id "NULL SID", then they added themselves to the admin group, enabled the local admin, then created a user david and gave themselves permissions.

Author Comment

by:jackjohnson44
ID: 39211473
It looks like David downloaded a file called gamma28.zip to his desktop, which contains mmail.zip and mpatch.zip.

I am really scared to put this back on the network.  I deleted his account and reset the admin password.  I am not sure how he could have got into my system.
LVL 10

Expert Comment

by:bigbigpig
ID: 39211489
Is this system accessible from outside your LAN?  Do you see a lot of failed logon attempts?  A lot of times hackers will go through a password dictionary until something works.  Make sure you have strong passwords and good password policy like account lockouts after failed attempts.  For now change passwords for all user accounts with admin or elevated privileges.

Author Comment

by:jackjohnson44
ID: 39211521
It is accessible outside my LAN.  I remote into it.  I see a ton of login attempts but I can't find the login name that they tried.  Is there any way to determine that?  I changed all passwords.

How can I set the account lockout policy?
LVL 10

Expert Comment

by:bigbigpig
ID: 39211545
Either group policy or local security policy.  I'll give you more detail when I get back to my desk.
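The asker wants to know how to set the lockout policy and the reply only names where it lives, so here is an added example (not bigbigpig's promised detail, not code from the thread) that reads the local policy with `net accounts` and enables lockout if it is off. The threshold, duration and window values are assumptions; on a domain-joined server the domain accounts are governed by the Default Domain Policy GPO, which this does not touch.

```powershell
# Added example, not from the thread: check the local account lockout policy and
# enable it if it is off. Run from an elevated prompt; English 'net accounts' output assumed.
# Domain accounts are governed by the Default Domain Policy GPO ('net accounts /domain'
# shows those values and they must be changed in Group Policy); this covers local accounts only.
function Get-LockoutThreshold {
    # 'net accounts' prints "Lockout threshold:   Never" when lockout is disabled.
    $line = @(@(net accounts) -match '^Lockout threshold:')
    if (-not $line -or -not ($line[0] -match 'Lockout threshold:\s*(\S+)')) {
        throw 'Could not read the lockout threshold from net accounts output'
    }
    if ($Matches[1] -eq 'Never') { return 0 }
    return [int]$Matches[1]
}

$before = Get-LockoutThreshold
if ($before -eq 0) {
    # Assumed values: lock the account for 30 minutes after 5 bad passwords
    # within a 30-minute observation window.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}
"Lockout threshold before: $before, after: $(Get-LockoutThreshold)"
```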

Author Comment

by:jackjohnson44
ID: 39211563
Thanks, this SUCKS!!!

Is there any way to determine what account they used to login?  It says terminal services.  I assume that is remote desktop.  I really need remote desktop, but that is about it. Basically this is my desktop away from home so I can drop into it while at a client and do my dev work there.  It has visual studio and a lot of tools.

The network is just me at home.  Again, I am a developer and have little to no idea about any sort of security or network stuff.  This is usually set up for me at work.  I have had this system at home for years without issue.
LVL 10

Accepted Solution

by:bigbigpig (earned 500 total points)
ID: 39211682
To see who's logging on to your system go to the Event Viewer and create a custom view.  Filter on event 4624, those are logons.  However, it includes type 3 which is network logon (authentication) and there will be zillions in there.  But create the custom view anyway.  After you create the custom view right-click on it and click Properties.  In the Properties box click "Edit Filter".  Check the box to Edit the query manually and paste this in there.  This will make it so only type 2 and type 10 show up (console logon and remote desktop logon).  This way you can see who's logging on, where from, and how frequently.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=2 or Data=10)]]</Select>
  </Query>
</QueryList>

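The custom view above shows the logons in Event Viewer; as an added example (not code from the thread or from bigbigpig), the same query can be run from PowerShell to get a sortable timeline of the type 2/10 logons together with the 4720 account-creation events mentioned earlier, plus a count per account and source address. It assumes PowerShell 2.0 or later on the affected server and an elevated prompt.

```powershell
# Added example, not code from the thread: query the same 4624 logons the custom view
# filters (LogonType 2 = console, 10 = RemoteInteractive/RDP) together with 4720
# account-creation events, and summarise who logged on, from where, and how often.
# Assumes PowerShell 2.0+ on the affected server, run from an elevated prompt.
$filter = [xml]@"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=2 or Data=10)]]</Select>
    <Select Path="Security">*[System[(EventID=4720)]]</Select>
  </Query>
</QueryList>
"@

# Flatten one event record: copy each named <Data> field out of the event XML.
function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]($Event.ToXml())
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.'#text' }
    New-Object PSObject -Property @{
        Time        = $Event.TimeCreated
        EventId     = $Event.Id
        Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"   # logged-on or created account
        Actor       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])" # who created it (4720 only)
        LogonType   = $d['LogonType']
        SourceIP    = $d['IpAddress']
        Workstation = $d['WorkstationName']
    }
}

# Get-WinEvent errors out when nothing matches; treat that as an empty result.
$records = Get-WinEvent -FilterXml $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-LogonRecord $_ }

# Timeline, oldest first: answers "when did it happen" and puts each 4720 next to
# the logon that preceded it.
$records | Sort-Object Time |
    Format-Table Time, EventId, Account, Actor, LogonType, SourceIP, Workstation -AutoSize

# Frequency per account and source address for the console/RDP logons only.
$records | Where-Object { $_.EventId -eq 4624 } |
    Group-Object Account, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Failed attempts are event 4625 and carry the same TargetUserName and IpAddress fields, so swapping the EventID in the first Select answers the "which login name did they try" question from the earlier comment.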

Author Comment

by:jackjohnson44
ID: 39226851
Thanks for all your help.  I haven't been able to test this out yet, but I can over the weekend.  I didn't want to leave the question open because EE is telling me to close it.