Solved

2008 server hacked - how to secure?

Posted on 2014-04-07
Last Modified: 2014-05-05
Someone set up the user name and password for a server as:
administrator
letmein

Of course this is one of the most common, so it was hacked.
I found an app called DUBrute running on it and searching other servers.

However, I'm puzzled.
I created a new account under a different name, with a secure password,
and set the admin account to have 0 access to things like file/remote desktop (wasn't in the admin group any more).

However, someone still managed to get back in.
I presume they installed a backdoor account which wasn't showing up anywhere??
1. What are the usual things to check after being hacked?
2. What should I do to lock down the server?
Question by: websss
LVL 53

Expert Comment

by:McKnife
ID: 39982595
Hi.

You should return the server to a trusted state. Preferably, this is done by replaying an image backup of a date where you cannot find symptoms/folders of infection.

Author Comment

by:websss
ID: 39982599
Thanks
Yes, I'm restoring to an old image as we speak.
I figured they could have installed their own software which I would never know about!
How should I lock down the server now?
LVL 53

Expert Comment

by:McKnife
ID: 39982616
"Locking down" is a commonly used but totally empty term; a better term to use is "harden". The default state a cleanly installed server is in has (after being patched) no holes. The firewall is up, it cannot be reached from outside. So all you need to do is see what services you are using (those do open ports) and whether those are patched (if non-Windows services) and configured securely.
Nevertheless, we could also harden it by using security options and turning off unneeded options. We cannot tell you what to do because we don't know what that server is used
- for
- and by whom
- and how

Author Comment

by:websss
ID: 39982619
Sorry,
I'm new to all this.
It's a SQL DB server.
LVL 53

Accepted Solution

by: McKnife (earned 125 total points)
ID: 39982628
OK, for SQL servers there are security best practices.
https://www.google.de/search?q=sql+servers+there+are+security+best+practices#q=sql+server+security+best+practices

With no more details, this is all I can give you. But to be honest, securing SQL is not my topic.

Author Comment

by:websss
ID: 39982629
OK thanks, I'll take a look first.
LVL 35

Assisted Solution

by: Mahesh (earned 125 total points)
ID: 39982641
After the server got hacked you need to think of server locking:
It depends where your server is placed.
I mean, in a DMZ or a regular corporate LAN?

In case of a DMZ you should block all ports opening towards the server except the essential / required ports to access the server (the definition of essential ports depends on what application is installed on the server and the protocol and method required to access it, e.g. HTTP / HTTPS etc.)
Also consider installing an intrusion detection system (IDS) in the DMZ to block suspicious activities.

If the server is part of the corporate LAN, ensure that very few users are server administrators.
Rename the administrator account.
Disable the built-in administrator account.

Apart from the above, common security measures are as below:
Install proper AV security software and keep it updated.
Install Windows Defender / anti-malware software and keep it updated.
Install the latest Windows patches / security updates on a regular basis.
Disable unwanted services, block scheduled tasks, disable SMB (TCP 445) access to the server from common segments, disable direct non-interrupted internet access on the server, disable RDP from all segments except management workstations.

Mahesh.

Author Comment

by:websss
ID: 39982645
Thanks
It's a VPS in a London datacenter with a public IP address.
LVL 35

Expert Comment

by:Mahesh
ID: 39982657
VPS stands for Virtual Private Server?

Also you can block the ping protocol from the internet to this server.

I guess the public IP is there to directly RDP into the server for management?

Since this is a SQL database server, I don't see any reason to put a public IP on this server and publish it to the internet.

You can use a VPN to get into your data center through a VPN gateway, and once you get in through the VPN, then just connect to the server with RDP for management.

Once you remove the server's public IP and unpublish it from the internet, the attack surface will be minimized by 90%.

Mahesh.

Author Comment

by:websss
ID: 39982667
Thanks
We have GPS devices reporting position updates to the server.
They communicate by TCP and hit the IP directly.
Not sure if there is a way around this?
LVL 35

Expert Comment

by:Mahesh
ID: 39982765
OK
I am not aware of how GPS software works.

But according to me, software and database should be separate.
Applications are published to the internet and the database remains at the back end.

So in that case the GPS devices need to be connected to the GPS software on the server, and any data that needs to be stored in the SQL database should be read/written from the backend servers (SQL DB servers), and the SQL servers should not be published on the internet.

This is my understanding; however, if this is not the case, then you need to ensure that the GPS application will communicate with the SQL DB on the static port (1433) only and from the GPS devices only.
If you allowed dynamic ports for accessing the SQL database from the internet, you are probably opening a huge port range from the internet.

Mahesh.
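
The hardening Mahesh lists across his two replies (rename/disable the built-in administrator, restrict RDP to management workstations, block SMB 445 and ping, keep SQL on static port 1433 from the application hosts only), written out as an added PowerShell script for Windows Server 2008. This is example code, not anything posted in the thread; the addresses and the GPS listener port are placeholders you would replace with your own.

```powershell
# Added example (not from the thread): Mahesh's hardening steps as a PowerShell script for
# Windows Server 2008. That release has no NetSecurity cmdlets, so firewall changes go
# through netsh advfirewall. Run it elevated from the console or an out-of-band session:
# the RDP rule below cuts off every other source address. Addresses/ports are placeholders.
$MgmtHost        = '203.0.113.10'      # management workstation or VPN gateway (assumed)
$AppHosts        = '198.51.100.0/24'   # hosts that may reach SQL Server on 1433 (assumed)
$GpsListenerPort = 5000                # TCP port the GPS devices report to (assumed)

# 1. Rename and disable the built-in Administrator (RID 500); manage with the new named account.
wmic useraccount where "name='Administrator'" rename "legacy-admin"
net user "legacy-admin" /active:no

# 2. Lockout policy: a dictionary run like DUBrute's stalls after five wrong guesses.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3. Firewall: block inbound by default on every profile, then allow only what is served.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# RDP only from the management address, never from the whole Internet.
netsh advfirewall firewall add rule name="RDP from management only" dir=in action=allow protocol=TCP localport=3389 remoteip=$MgmtHost

# SQL Server on its static port 1433, only from the application hosts.
netsh advfirewall firewall add rule name="SQL 1433 from app hosts" dir=in action=allow protocol=TCP localport=1433 remoteip=$AppHosts

# The GPS listener is the one service that has to stay reachable from the Internet.
netsh advfirewall firewall add rule name="GPS listener" dir=in action=allow protocol=TCP localport=$GpsListenerPort

# Explicit block rules for SMB and ICMP echo: a block rule wins over any "allow" rule an
# installer adds later, so these cannot be re-exposed by accident.
netsh advfirewall firewall add rule name="Block SMB 445" dir=in action=block protocol=TCP localport=445
netsh advfirewall firewall add rule name="Block ICMPv4 echo" dir=in action=block protocol=icmpv4:8,any

# 4. Audit logons, so the next attempt is visible as events 4625/4624 in the Security log.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

# 5. Review the result: which inbound rules are enabled and from which remote addresses.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern '^(Rule Name|Enabled|RemoteIP|LocalPort|Action)'
```

Re-test the GPS devices and the management RDP session after applying it, since the default-block policy drops anything that is not covered by one of the allow rules.
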
LVL 38

Assisted Solution

by: Rich Rumble (earned 125 total points)
ID: 39982980
You need the connections to the SQL server to be secured, not only with a username and password, but so that the username and password can't be sniffed:
http://www.mssqltips.com/sqlservertip/2436/what-does-my-sql-server-data-look-like-over-the-wire/
http://www.mssqltips.com/tipImages2/2436_Wireshark5.jpg
Do not use simple authentication methods; you have to have encrypted connections. It may also be possible for someone to look at your APP and find a static username+pass, so make sure that username has very restricted rights in your DB/tables, and NO rights on the host server.
What port you run on makes no difference, it will be found; you need to acknowledge that fact and make the rest of the transaction as secure as possible.
-rich
LVL 16

Assisted Solution

by: Mike T (earned 125 total points)
ID: 39989345
Hi,

It's tricky. Restoring from a backup is sensible in that it will remove the malware DUBrute, but it does nothing to protect you. To go James Bond, you've come to work and found a bug and removed it, but unless you find out where they got in, they will just get in and put another bug somewhere harder to find.

You need to dig into the logs and find the entry point and secure that first. Consider all accounts to be compromised and change usernames and passwords. Consider adding certificates to transactions.

Audit everything - the event logs, the SQL logs - export backups for analysis elsewhere as the logs will continue to grow.
Get Security Compliance Manager (SCM) and apply the hardening for both OS and SQL.
Patch the OS.
Patch SQL.
Harden the firewall as mentioned, both the hardware firewall and the OS level.
Consider running AppLocker, which blocks unknown apps (you teach it what to trust first).
As well as AV, consider enabling Host Intrusion Protection (HIPS) - McAfee ePO has it but there's a cost and I doubt it's cheap.

There's certainly a lot of work to do. I would also tell the owners of other servers at the datacenter that they have at least been scanned, since the SQL box was used as a zombie. If they find out and you haven't told them, things could get ugly.

You need to establish when it first started too.
I don't know SQL or networking enough to suggest anything for them, but you've plenty to do already - it's sounding like a team effort - a server guy, a SQL DBA and a networking guy at the bare minimum.

Mike
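
The log work Mike T describes (dig into the event logs, find the entry point, establish when it first started), as an added PowerShell example that is not part of the thread. It flattens Security-log logon events and reports each source address that failed many logons and then succeeded over RDP; the sample events at the bottom are constructed, and the function names are my own.

```powershell
# Added example (not from the thread): find the break-in point in the Security log.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
# A source address with many 4625s followed by a 4624 from the same address is the entry.
# Written for Windows Server 2008 / PowerShell 2.0.

function ConvertFrom-LogonEvent {
    # Flatten one live Security event into just the fields the triage needs.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $field = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Id = $Event.Id; Time = $Event.TimeCreated; IpAddress = $field['IpAddress']
        LogonType = [int]$field['LogonType']; User = $field['TargetUserName']
    }
}

function Find-BruteForceEntry {
    # Per source address: count failures, then look for the first RDP success after them.
    param([object[]]$Records, [int]$Threshold = 20)
    $byIp = $Records | Where-Object { $_.Id -eq 4625 } | Group-Object IpAddress
    foreach ($g in $byIp) {
        if ($g.Count -lt $Threshold) { continue }
        $firstFail = ($g.Group | Sort-Object Time | Select-Object -First 1).Time
        $hit = $Records | Where-Object {
            $_.Id -eq 4624 -and $_.LogonType -eq 10 -and $_.IpAddress -eq $g.Name -and $_.Time -gt $firstFail
        } | Sort-Object Time | Select-Object -First 1
        $row = New-Object PSObject -Property @{ Source = $g.Name; Failures = $g.Count; FirstFail = $firstFail; BrokeInAt = $null; AsUser = $null }
        if ($hit) { $row.BrokeInAt = $hit.Time; $row.AsUser = $hit.User }
        $row
    }
}

# Live use (export the log with wevtutil first if it is large and analyse the copy elsewhere):
# $records = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625,4624} | ForEach-Object { ConvertFrom-LogonEvent $_ }

# Constructed sample: 25 guesses at "administrator" from one address, then a successful RDP
# logon from it, plus an unrelated successful logon from an operator's address.
$t0 = Get-Date '2014-04-06 02:00:00'
$records = @()
foreach ($i in 0..24) {
    $records += New-Object PSObject -Property @{ Id = 4625; Time = $t0.AddSeconds($i); IpAddress = '203.0.113.77'; LogonType = 10; User = 'administrator' }
}
$records += New-Object PSObject -Property @{ Id = 4624; Time = $t0.AddSeconds(30); IpAddress = '203.0.113.77'; LogonType = 10; User = 'administrator' }
$records += New-Object PSObject -Property @{ Id = 4624; Time = $t0.AddMinutes(5); IpAddress = '192.0.2.5'; LogonType = 10; User = 'ops' }

Find-BruteForceEntry -Records $records | Format-Table Source, Failures, FirstFail, BrokeInAt, AsUser -AutoSize
```

On the sample this reports 203.0.113.77 with 25 failures and a break-in 30 seconds after the first one; the operator's logon from 192.0.2.5 is not reported because it has no failure burst behind it.
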