Solved

server 2008 hacked

Posted on 2013-05-31
Last Modified: 2013-06-06
I have a Hyper-V setup and leave a VM running Server 2008 always on. Today I tried to log in and it said that my clock and the clock on the remote computer were out of sync and I could not log in. I logged into the Hyper-V server then connected to the VM that way. I saw that there were three users logged in, one was mydomain\david. I only have two or three users that I created, none of which are David.

Is there any way to figure out how this happened?  When it happened?  What David did?  And how to stop this from happening again?

When I saw this, I just shut down the vm.
Question by:jackjohnson44
14 Comments
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39210896
Just start going through the logs.  Find what account created the account 'david' and when it was created.  Look for event ID 4720.
LVL 20

Expert Comment

by:netcmh
ID: 39210965
Assess your situation, offline.
- Go through your logs, especially access logs
- Check your services
- Check your startup, processes and your server directories.

Alternatively, if you can back your data out, I would say nuke it and start from scratch making sure that you have adequate protection on your server and network, opening up only the necessary and patched services that you'd like this server to host.
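The offline checks netcmh lists (services, startup entries, processes, server directories) can be collected in one pass. The script below is an added example, not part of the original thread or anyone's posted code; it assumes an elevated PowerShell prompt inside the VM with the network still unplugged, that the system drive is C:, and that a 7-day look-back window and the output file name are reasonable choices for this case.

```powershell
# Added example (not from the original thread): snapshot the persistence points
# an intruder commonly touches, to a text file that survives a later rebuild.
# Assumptions: run elevated inside the VM, system drive is C:, 7-day window.
$out   = "C:\triage-$(Get-Date -Format yyyyMMdd-HHmm).txt"
$since = (Get-Date).AddDays(-7)

"== Services whose binary lives outside the Windows directory ==" | Out-File $out
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?(C:\\Windows|%SystemRoot%)\\' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize | Out-File $out -Append

"== Run / RunOnce autostart entries (machine and current user) ==" | Out-File $out -Append
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path $k) { "-- $k" | Out-File $out -Append; Get-ItemProperty $k | Out-File $out -Append }
}

"== Scheduled tasks (verbose) ==" | Out-File $out -Append
schtasks /query /fo LIST /v | Out-File $out -Append

"== Running processes with image path ==" | Out-File $out -Append
Get-Process | Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize | Out-File $out -Append

"== Listening ports and established connections (PID in last column) ==" | Out-File $out -Append
netstat -ano | Out-File $out -Append

"== Files written under C:\Users in the last 7 days (catches a dropped archive on a desktop) ==" | Out-File $out -Append
Get-ChildItem C:\Users -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, FullName |
    Format-Table -AutoSize | Out-File $out -Append

"Triage written to $out"
```

Copy the output file off the VM (a USB passthrough or a Hyper-V snapshot export, not the network) before deciding whether to clean or rebuild; the netstat PIDs line up with the process list above it, which is how a listening port is tied back to a binary.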

Author Comment

by:jackjohnson44
ID: 39211080
Thanks, I unplugged the network cable to the internet and went into my server and connected.  When I try to login I get a "Please wait for the User Profile Service" message that doesn't go away.

I also disabled all accounts on my host except one and changed the password for it before turning this on. I am not sure if that matters.
LVL 20

Expert Comment

by:netcmh
ID: 39211113
Could be for any of these reasons:

Is the IPv6 disabled on the host machine?

Could be DNS related.

Try disabling the WebClient service

Author Comment

by:jackjohnson44
ID: 39211136
After a long time, it says "applying user settings" and just hangs.

Author Comment

by:jackjohnson44
ID: 39211178
I finally got in.

When you say go through the logs, what do you mean?

I went into the Event Viewer, but don't know which area to look in, or where to find 4720.

Author Comment

by:jackjohnson44
ID: 39211260
I found an entry for 4720.

I have a logon with security ID "NULL SID", then they added themselves to the admin group, enabled the local admin, then created a user david and gave themselves permissions.

Author Comment

by:jackjohnson44
ID: 39211473
It looks like David downloaded a file called gamma28.zip to his desktop, which contains mmail.zip and mpatch.zip.

I am really scared to put this back on the network.  I deleted his account and reset the admin password.  I am not sure how he could have got into my system.
LVL 10

Expert Comment

by:bigbigpig
ID: 39211489
Is this system accessible from outside your LAN?  Do you see a lot of failed logon attempts?  A lot of times hackers will go through a password dictionary until something works.  Make sure you have strong passwords and good password policy like account lockouts after failed attempts.  For now change passwords for all user accounts with admin or elevated privileges.

Author Comment

by:jackjohnson44
ID: 39211521
It is accessible outside my lan.  I remote into it.  I see a ton of login attempts but I can't find the login name that they tried.  Is there any way to determine that?  I changed all passwords.

How can I set the account lockout policy?
LVL 10

Expert Comment

by:bigbigpig
ID: 39211545
Either group policy or local security policy.  I'll give you more detail when I get back to my desk.
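bigbigpig points at group policy or local security policy for the lockout setting but the thread never gets to the details. The following is an added example, not from the thread or either participant: it sets a local account lockout policy with net.exe, turns on the audit subcategories that produce the 4624/4625/4720 events discussed here, and reads the policy back to confirm it took. The threshold, duration and window values are assumptions chosen for illustration. If "david" was a domain account (the question shows mydomain\david), the lockout policy lives in the Default Domain Policy instead; adding /DOMAIN to the net accounts lines targets the domain controller.

```powershell
# Added example (not from the original thread): local lockout policy plus the
# audit settings needed to see logons and account creation in the Security log.
# Assumptions: run elevated on the VM; 5 bad passwords in 30 minutes locks the
# account for 30 minutes (values chosen for illustration, tune to taste).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Ensure the relevant audit subcategories are enabled (4624/4625, 4740, 4720 ...)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# Read the policy back and fail loudly if the threshold did not take
$threshold = ((net accounts | Select-String 'Lockout threshold') -replace '.*:\s*', '').Trim()
if ($threshold -ne '5') { throw "Lockout threshold is '$threshold', expected 5" }

# Show the effective policy
net accounts
auditpol /get /category:"Logon/Logoff","Account Management"
```

Lockout only slows a dictionary attack against accounts the attacker can name; it does nothing for a password that is already known. The stronger fix for the exposure described later in the thread (RDP open to the internet) is to not expose 3389 directly at all, for example by only allowing the remote desktop port from a VPN or a fixed source address at the router.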

Author Comment

by:jackjohnson44
ID: 39211563
thanks, this SUCKS!!!

Is there any way to determine what account they used to log in? It says terminal services. I assume that is remote desktop. I really need remote desktop, but that is about it. Basically this is my desktop away from home so I can drop into it while at a client and do my dev work there. It has Visual Studio and a lot of tools.

The network is just me at home.  Again, I am a developer and have little to no idea about any sort of security or network stuff.  This is usually setup for me at work.  I have had this system at home for years without issue.
LVL 10

Accepted Solution

by:bigbigpig (earned 500 total points)
ID: 39211682
To see who's logging on to your system go to the Event Viewer and create a custom view.  Filter on event 4624, those are logons.  However, it includes type 3 which is network logon (authentication) and there will be zillions in there.  But create the custom view anyway.  After you create the custom view right-click on it and click Properties.  In the Properties box click "Edit Filter".  Check the box to Edit the query manually and paste this in there.  This will make it so only type 2 and type 10 show up (console logon and remote desktop logon).  This way you can see who's logging on, where from, and how frequently.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=2 or Data=10)]]</Select>
  </Query>
</QueryList>

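The custom view above answers "who logged on interactively", and the same Security log also answers the two earlier questions in the thread: who created the account (event 4720, as bigbigpig noted) and which user names were tried in the failed attempts (event 4625). The script below is an added example, not the accepted answer's own code; it assumes an elevated PowerShell prompt on the VM, or an exported Security.evtx passed via -Path, and relies only on Get-WinEvent and the documented field names of events 4624, 4625 and 4720.

```powershell
# Added example (not from the original thread): pull the per-event fields out of
# the Security log XML so the account, logon type and source address are columns.
# Assumptions: run elevated on the VM, or pass -Path to an exported Security.evtx.

function Get-SecurityEventData {
    param(
        [Parameter(Mandatory=$true)][string]$XPath,
        [string]$Path = $null,          # optional exported .evtx instead of the live log
        [int]$MaxEvents = 10000
    )
    if ($Path) {
        $events = Get-WinEvent -Path $Path -FilterXPath $XPath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    } else {
        $events = Get-WinEvent -LogName Security -FilterXPath $XPath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    }
    foreach ($e in $events) {
        # Every named <Data> element in EventData becomes a property on the output object
        $xml   = [xml]$e.ToXml()
        $props = @{ TimeCreated = $e.TimeCreated; EventID = $e.Id }
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        New-Object PSObject -Property $props
    }
}

# 1. Account creations (4720): SubjectUserName created TargetUserName, and when
Get-SecurityEventData -XPath "*[System[EventID=4720]]" |
    Select-Object TimeCreated, SubjectDomainName, SubjectUserName, TargetUserName |
    Format-Table -AutoSize

# 2. Successful console (type 2) and Remote Desktop (type 10) logons.
#    This predicate is tighter than the custom-view one above: it compares only the
#    <Data> element named LogonType, not any <Data> element that happens to equal 2 or 10.
$interactive = "*[System[EventID=4624]] and *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]"
Get-SecurityEventData -XPath $interactive |
    Select-Object TimeCreated, LogonType, TargetDomainName, TargetUserName, IpAddress, WorkstationName |
    Format-Table -AutoSize

# 3. Failed logons (4625): which user names were tried, from which addresses.
#    Many different names from one address is the dictionary attack described above.
Get-SecurityEventData -XPath "*[System[EventID=4625]]" |
    Group-Object TargetUserName, IpAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 25 |
    Format-Table -AutoSize
```

Two things to keep in mind when reading the results: failed RDP attempts on a server with Network Level Authentication enabled are logged as 4625 with LogonType 3 rather than 10, so section 3 deliberately does not filter on logon type; and once the intruder is in, later actions show up under whatever account they created, so section 1 (who created it, and from which logon session via SubjectLogonId) is the pivot back to the original entry.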

Author Comment

by:jackjohnson44
ID: 39226851
Thanks for all your help.  I haven't been able to test this out yet, but I can over the weekend.  I didn't want to leave the question open because EE is telling me to close it.