websss asked:
2008 server hacked - how to secure?
Someone set up the user name and password for a server as:
administrator
letmein
Of course this is one of the most common, so it was hacked.
I found an app called DUBrute running on it and searching other servers.
However, I'm puzzled.
I created a new account under a different name, with a secure password,
and set the admin account to have 0 access to things like file/remote desktop (it wasn't in the admin group any more).
However, someone still managed to get back in.
I presume they installed a backdoor account which wasn't showing up anywhere??
1. What are the usual things to check after being hacked?
2. What should I do to lock down the server?
ASKER
Thanks
Yes, I'm restoring to an old image as we speak.
I figured they could have installed their own software which I would never know about!
How should I lock down the server now?
"Locking down" is a commonly used but totally empty term; a better term to use is "harden". The default state a cleanly installed server is in has (after being patched) no holes. The firewall is up, it cannot be reached from outside. So all you need to do is see what services you are using (those do open ports) and whether those are patched (if non-Windows services) and configured securely.
Nevertheless, we could also harden it by using security options and turning off unneeded options. We cannot tell you what to do because we don't know what that server is used
- for
- and by whom
- and how
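The answer above says to look at which services are listening and how they are configured, and the asker suspects a hidden backdoor account. The script below is an added example (not from this thread or any of its participants) of a read-only inventory that a defender would run on a Windows Server 2008 host before deciding what to rebuild: it lists every local account from the SAM via WMI (so an account hidden from the logon screen still shows), the Administrators and Remote Desktop Users groups, common persistence points, listening TCP ports mapped to their owning process, firewall profile state, and successful RDP logons from the Security log. It sticks to PowerShell 2.0 built-ins, since Get-LocalUser and Get-NetTCPConnection need Server 2012 or later. The report path and the 2000-event window are assumptions.

```powershell
# Added example, not code from the thread. Read-only post-compromise inventory for Windows Server 2008.
# Run from an elevated PowerShell prompt. Report path is an assumption; change it to suit.
$Report = "C:\triage\inventory-$(Get-Date -Format yyyyMMdd-HHmm).txt"
New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null

function Write-Section([string]$Title) {
    "`n===== $Title =====" | Out-File -FilePath $Report -Append
}

# 1. Every local account. WMI reads the SAM, so an account created and then hidden from the
#    logon screen or the User Accounts control panel still appears here.
Write-Section "Local accounts (WMI)"
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled, Lockout, PasswordRequired |
    Format-Table -AutoSize | Out-String | Out-File $Report -Append

# 2. Who can act as administrator or log in over Remote Desktop. Demoting the built-in
#    Administrator achieves nothing if a second account was added to these groups.
Write-Section "Administrators group"
net localgroup Administrators | Out-File $Report -Append
Write-Section "Remote Desktop Users group"
net localgroup "Remote Desktop Users" | Out-File $Report -Append

# 3. Persistence points: services whose binary lives outside \Windows, scheduled tasks, Run keys.
Write-Section "Services not under \Windows"
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -notlike "*\Windows\*" } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize | Out-String | Out-File $Report -Append
Write-Section "Scheduled tasks"
schtasks /query /fo LIST /v | Out-File $Report -Append
Write-Section "Run / RunOnce keys"
$runKeys = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
           "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
           "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $key | Out-File $Report -Append
        Get-ItemProperty $key | Out-String | Out-File $Report -Append
    }
}

# 4. What is actually reachable: listening TCP ports and the process behind each one.
#    Anything that is not SQL Server, RDP or the GPS listener needs an explanation.
Write-Section "Listening TCP ports and owning processes"
netstat -ano -p TCP | Select-String "LISTENING" | ForEach-Object {
    $parts = ($_.Line.Trim() -replace '\s+', ' ').Split(' ')   # proto, local, remote, state, pid
    $proc  = Get-Process -Id ([int]$parts[4]) -ErrorAction SilentlyContinue
    "{0,-24} PID {1,-6} {2}" -f $parts[1], $parts[4], $proc.ProcessName
} | Out-File $Report -Append

# 5. Firewall profile state, then successful RDP logons (event 4624, logon type 10) with the
#    account used and the source address, which is how a brute-forced login shows up.
Write-Section "Firewall profiles"
netsh advfirewall show allprofiles | Out-File $Report -Append
Write-Section "Successful RDP logons in the last 2000 Security events"
Get-WinEvent -LogName Security -MaxEvents 2000 |
    Where-Object { $_.Id -eq 4624 -and $_.Message -match 'Logon Type:\s+10\s' } |
    Select-Object TimeCreated,
        @{ n = "Account";  e = { if ($_.Message -match 'New Logon:[\s\S]*?Account Name:\s+(\S+)') { $matches[1] } } },
        @{ n = "SourceIP"; e = { if ($_.Message -match 'Source Network Address:\s+(\S+)') { $matches[1] } } } |
    Format-Table -AutoSize | Out-String | Out-File $Report -Append

Write-Host "Inventory written to $Report"
```

The point of writing everything to a file is to compare it against the same inventory taken from the clean image: any account, service, task, Run entry or listening port that exists only on the compromised copy is what the attacker left behind, and it tells you whether the old image itself predates the intrusion.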
ASKER
Sorry,
I'm new to all this.
It's a SQL DB server.
ASKER CERTIFIED SOLUTION
ASKER
Ok thanks, I'll take a look first.
SOLUTION
ASKER
Thanks
It's a VPS in a London datacenter with a public IP address.
VPS stands for Virtual Private Server?
Also, you can block the ping protocol from the internet to this server.
I guess the public IP is there to RDP directly into the server for management?
Since this is a SQL database server, I don't see any reason to place a public IP on this server and publish it to the internet.
You can use a VPN to get into your data center through a VPN gateway, and once you get in through the VPN, just connect to the server with RDP for management.
Once you remove the server's public IP and unpublish it from the internet, the attack surface will be minimized by 90%.
Mahesh.
ASKER
Thanks
We have GPS devices reporting position updates to the server.
They communicate by TCP and hit the IP directly.
Not sure if there is a way around this?
OK
I am not aware how GPS software works,
but according to me, software and database should be separate.
Applications are published to the internet and the database remains at the back end.
So in that case the GPS devices need to be connected to the GPS software on the server, and any data that needs to be stored in the SQL database should be read and written from the backend servers (SQL DB servers), and the SQL servers should not be published on the internet.
This is my understanding; however, if this is not the case, then you need to ensure that the GPS application will communicate with the SQL DB on the static port (1433) only and from the GPS devices only.
If you allowed dynamic ports for accessing the SQL database from the internet, you are probably opening a huge port range from the internet.
Mahesh.
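Mahesh's two replies above come down to concrete host settings: block ping, reach RDP only through the VPN, pin SQL Server to static port 1433 instead of a dynamic port range, and let only the GPS sources reach it. The script below is an added example, not code from the thread or from either participant, of applying those settings on Windows Server 2008 with the built-in firewall (netsh advfirewall, since the New-NetFirewallRule cmdlets need Server 2012 or later). The SQL instance registry key assumes the default SQL Server 2008 instance (MSSQL10.MSSQLSERVER); the GPS device ranges and the VPN address are constructed placeholders from the RFC 5737 documentation blocks.

```powershell
# Added example, not code from the thread. Pin SQL Server to TCP 1433 and restrict who can reach
# 1433, 3389 and ICMP on a Windows Server 2008 host. Run from an elevated PowerShell prompt.
$GpsDeviceRanges = "203.0.113.0/24,198.51.100.0/24"   # constructed placeholder: the GPS tracker sources
$ManagementVpn   = "192.0.2.10"                        # constructed placeholder: VPN gateway / jump host
# Assumed default SQL Server 2008 instance; named instances use a different MSSQL10.<name> key.
$SqlTcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"

# 1. Static port: blank TcpDynamicPorts and set TcpPort. SQL Server reads this on its next restart,
#    so schedule that restart rather than doing it in the middle of position updates.
Set-ItemProperty -Path $SqlTcpKey -Name TcpDynamicPorts -Value ""
Set-ItemProperty -Path $SqlTcpKey -Name TcpPort         -Value "1433"

# 2. SQL Browser (UDP 1434) exists to hand out dynamic port numbers; with a fixed port it is dead weight.
Stop-Service SQLBrowser -ErrorAction SilentlyContinue
Set-Service  SQLBrowser -StartupType Disabled

# 3. Default-deny inbound on every profile, then narrow allow rules scoped by remote address.
#    The delete before each add makes the script safe to re-run.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall delete rule name="SQL 1433 from GPS devices" | Out-Null
netsh advfirewall firewall add rule name="SQL 1433 from GPS devices" dir=in action=allow protocol=TCP localport=1433 "remoteip=$GpsDeviceRanges"
netsh advfirewall firewall delete rule name="RDP from management VPN" | Out-Null
netsh advfirewall firewall add rule name="RDP from management VPN" dir=in action=allow protocol=TCP localport=3389 "remoteip=$ManagementVpn"

# 4. Stop answering ICMP echo requests from anywhere. This only reduces casual discovery;
#    the address-scoped rules above are the actual control.
netsh advfirewall firewall delete rule name="Block inbound ICMPv4 echo" | Out-Null
netsh advfirewall firewall add rule name="Block inbound ICMPv4 echo" dir=in action=block protocol=icmpv4:8,any

# 5. Show what is now allowed in, so the result can be checked against the intended three rules.
netsh advfirewall firewall show rule name=all dir=in | Select-String "Rule Name|Enabled|RemoteIP|LocalPort|Action"
```

The remote-address scoping in step 3 only works if the GPS devices come from fixed, known address ranges. Trackers on mobile data usually do not, and in that case the firewall cannot tell a device from an attacker; the fix is then the split Mahesh describes, with a small listener service facing the internet and SQL Server reachable only from that service's address, never on a public IP.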
SOLUTION
SOLUTION
You should return the server to a trusted state. Preferably, this is done by replaying an image backup from a date where you cannot find symptoms/folders of infection.