A Hack attempt on our small business server.

Hello experts, one of my clients got a hack attempt on their Windows Small Business Server 2008. The hacker created a folder on all PCs which includes a bitcoin mining utility and some trojans. Looking at the firewall logs, it appears that the server is configured with two public IPs: there is a main public IP 67.7.XXX.XXX and then another public IP 67.42.XXX.XXX; this is part of the DMZ VLAN. All ports are exposed to the public on this, including 3389. The logs show quite a bit of activity on port 3389 during the hack attempt time frame. Can you please help me fix this issue to prevent further hacks?

Thanks,
Yasir Arfat, Junior System Administrator, Asked:
Keelyn Henning, IT System Administrator, Commented:
What PCs are in their DMZ? And why would they have all ports open?
Cyclops3590 Commented:
Not going to like it.  What I would do is shut down the network (internet access in and out), back up all data, redo all compromised hosts/servers.  If you're 100% confident you can just delete the folder and be good (meaning there is no rootkit, or app to reinstall and restarting removes it), then you can just do that instead of a reinstall.  If you're not 100% confident, then only full reinstalls will guarantee the hacker's stuff is gone.

If you know what is being communicated to from the mining utility, then you can monitor for that after you clean all the systems.

When you're ready to bring the internet access back, firewall ALL inbound to start.  Look for the mining utility sending data out (this should actually be getting denied, but logged).  Once you're comfortable that outbound is reasonably secure, then open up ONLY the necessary ports.  Personally, I even firewalled outbound ports to only what a client should be accessing (port 80, 443, etc.; if you run local email, then firewall 25 even, or only allow 25 to your real email server, otherwise hosts can potentially become open relays).

On another note.  Dual-vlanning a server is not a good idea.  At the very least they should be different VMs to provide better segmentation.  Having an exposed host (even limited ports) attached to your internal network provides a perfect pivot point for hackers making their job VERY easy.  In effect, you don't have a DMZ.
Cliff Galiher Commented:
SBS 2008 is a domain controller.  Once a DC is compromised, the whole network is compromised. The *only* prudent action is to rebuild from scratch.  Migrate known safe files and data (*ONLY DATA!!!*) but that's about it.  A bad network design is a bad network design and trying to fix the problem after the fact is costly and never easy.  Just ask Experian.
Yasir Arfat, Junior System Administrator, Author Commented:
We have scanned the SBS server as well as all workstations with multiple virus and malware suites and cleaned up all suspicious applications. We have also deleted the folder which was created by the hackers, so hopefully it will work out; so far so good, no issues again since then. But the hacker made it through the second public IP, which has most of the ports opened. I am not sure why they were left open by the previous network support guys; maybe they configured it as a DMZ to access the Intranet site, which is accessible via the FTP port and is password protected. I think the hacker made it through port 3389 as per the firewall logs activity, but I just checked and the RDP port is closed. Any suggestions, please?
Cliff Galiher Commented:
They clearly had unrestricted access to the system.  They could have done MANY things not file related.  Added accounts to AD.  Added service account.  Adjusted existing service account passwords and granted them permissions that you'd rarely if ever know where to look or find.  Thus my suggestion to rebuild.  They can easily have left many back doors to regain access, and SBS is...by design...exposed to the internet via Exchange, RWA, etc...so you can't really stop them from using those backdoors whenever they like.

Rebuild.  Rebuild.  Rebuild.
Yasir Arfat, Junior System Administrator, Author Commented:
What if I restore to the previous restore point, would that help? Or restore the server from a bare-metal backup?
Keelyn Henning, IT System Administrator, Commented:
They might have gotten into your restore point, so I say bare metal.
Cyclops3590 Commented:
Agree. It sucks. But a total wipe and reinstall is the only sure-fire way you're good again. But I'd still follow the other items I mentioned above.
Cliff Galiher Commented:
Definitely not a restore point.  Only from bare metal after you've determined when the intrusion first happened (don't guess!) and from before that point.

Usually when a small business is targeted, the hackers will take a few weeks to poke around, see if they can scrape some passwords, do other nefarious but hidden things, then only start mining bitcoins after they've done their business.  If you see the bitcoin stuff, they don't care.  They've already done much worse.  Getting some bitcoins is just icing on a rich cake.

Restoring a compromised backup wouldn't make you more secure, and they can just jump back in and redo what they've done before.  You either need to rebuild (FROM SCRATCH) or do a thorough forensic analysis and only restore a backup you *KNOW* you can trust.
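
Added example, not part of the original thread: one way to start on the "don't guess" timeline is to pull the earliest allowed external connection to port 3389 out of the firewall log. The log lines below are constructed, the field order follows the Windows Firewall pfirewall.log header (an assumption, since the thread does not name the firewall), and the function names and internal ranges are hypothetical.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Internal ranges to ignore (assumption; adjust to the site's addressing).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in the assumed pfirewall.log field order.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-03-02 01:14:07 DROP TCP 203.0.113.50 192.168.16.2 51001 3389 52 S 0 0 8192 - - - RECEIVE
2018-03-04 23:41:19 ALLOW TCP 198.51.100.23 192.168.16.2 49822 3389 0 - 0 0 0 - - - RECEIVE
2018-03-05 08:30:00 ALLOW TCP 192.168.16.40 192.168.16.2 50110 3389 0 - 0 0 0 - - - RECEIVE
2018-03-06 02:10:44 ALLOW TCP 198.51.100.23 192.168.16.2 50333 3389 0 - 0 0 0 - - - RECEIVE
2018-03-06 02:15:12 ALLOW TCP 198.51.100.23 192.168.16.2 50340 445 0 - 0 0 0 - - - RECEIVE
2018-03-07 11:02:00 ALLOW TCP 203.0.113.77 192.168.16.2 40100 3389 0 - 0 0 0 - - - RECEIVE
"""

def external_rdp_sessions(log_text, port=3389):
    """Map each external source IP to (first_seen, last_seen, count) for
    ALLOWed TCP connections to `port`."""
    seen = {}
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 8:
            continue  # header, blank or truncated line
        date, time, action, proto, src, _dst, _sport, dport = fields[:8]
        if (action, proto, dport) != ("ALLOW", "TCP", str(port)):
            continue  # dropped packets and other ports are out of scope
        try:
            addr = ip_address(src)
        except ValueError:
            continue  # malformed source address
        if any(addr in net for net in INTERNAL):
            continue  # sessions from the LAN are expected
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        first, last, count = seen.get(src, (ts, ts, 0))
        seen[src] = (min(first, ts), max(last, ts), count + 1)
    return seen

def earliest_external_rdp(log_text, port=3389):
    """Earliest allowed external connection: a starting point for the
    intrusion timeline, not proof of when the compromise happened."""
    sessions = external_rdp_sessions(log_text, port)
    return min((first for first, _, _ in sessions.values()), default=None)

if __name__ == "__main__":
    for ip, (first, last, n) in sorted(external_rdp_sessions(SAMPLE_LOG).items()):
        print(f"{ip}: {n} allowed connection(s), {first} to {last}")
    print("Earliest external RDP:", earliest_external_rdp(SAMPLE_LOG))
```

An allowed connection is not a successful logon, so cross-check the timestamps against the server's Security log (event ID 4624 with logon type 10 for RDP) before deciding which backup predates the intrusion.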
David Johnson, CD, MVP, Owner, Commented:
Once a computer or network is compromised you cannot trust that machine ever again without a wipe and reload. Restoring from a backup prior to your guess as to when the hacker gained access is not guaranteed to succeed.
Shaun Vermaak, Technical Specialist, Commented:
Why do you call it a hack attempt? They were hacked.

In addition to the other comments, inform all users to change passwords that are similar to passwords used in this environment and to treat all documents as compromised.
Life1430 Commented:
Block 3389 port on firewall and if they want to use RDP from external then change the RDP listening port from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber and update the same on firewall.

Have scanning on systems in safe mode
Shaun Vermaak, Technical Specialist, Commented:
Changing port won't help, unfortunately.

Apply firewall and only allow the appropriate IPs, users and/or computers
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html
Yasir Arfat, Junior System Administrator, Author Commented:
Thanks, guys. I am going to advise them on bare-metal recovery. I have also closed RDP and applied a geo-IP solution for FTP access; hope this will help. I will keep you guys posted here.
Seth Simmons, Sr. Systems Administrator, Commented:
"I have also closed RDP and applied geo-IP solution for FTP access"

Why are you not just blocking everything in and opening the ports you absolutely need?
I can only see port 21 for FTP and 25 for SMTP... what else do you really need to allow in?
Yasir Arfat, Junior System Administrator, Author Commented:
Thanks to everyone who has contributed their valued time and expertise.