Yasir Arfat (Canada)

asked on
A Hack attempt on our small business server.

Hello experts, one of my clients got a hack attempt on their Windows Small Business Server 2008. The hacker created a folder on all PCs which includes a bitcoin mining utility and some trojans. Looking at the firewall logs, it appears that the server is configured with two public IPs: there is a main public IP 67.7.XXX.XXX and then another public IP 67.42.XXX.XXX, which is part of the DMZ VLAN. All ports are exposed to the public on this, including 3389. The logs show quite a bit of activity on port 3389 during the hack attempt time frame. Can you please help me fix this issue to prevent further hacks?

Thanks,
Keelyn Henning (United States):
What PCs are in their DMZ? And why would they have all ports open?
SOLUTION by Cyclops3590 (United States): content available to members only.
SOLUTION: content available to members only.
Yasir Arfat (ASKER):
We have scanned the SBS server as well as all workstations with multiple virus and malware suites and cleaned up all suspicious applications. We have also deleted the folder which was created by the hackers, so hopefully it will work out the way it did; so far so good, no issues again since then. But the hacker made it through the second public IP, which has most of the ports opened. I am not sure why they were left open by the previous network support guys; maybe they configured it as a DMZ to access the intranet site, which is accessible via the FTP port and is password protected. I think the hacker made it through port 3389 as per the firewall log activity, but I just checked and the RDP port is closed. Any suggestions please?
SOLUTION: content available to members only.
What if I restore to the previous restore point? Would that help, or should I restore the server from the bare-metal backup?
They might have gotten into your restore point, so I say bare metal.
Agree. It sucks. But a total wipe and reinstall is the only sure-fire way you're good again. But I'd still follow the other items I mentioned above.
ASKER CERTIFIED SOLUTION: content available to members only.
Once a computer or network is compromised you cannot trust that machine ever again without a wipe and reload. Restoring from a backup taken prior to your guess of when the hacker gained access is not guaranteed to succeed.
Why do you call it a hack attempt? They were hacked.

In addition to the other comments, inform all users to change passwords that are similar to passwords used in this environment and to treat all documents as compromised.
Block port 3389 on the firewall, and if they want to use RDP from outside then change the RDP listening port at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber and update the same on the firewall.

Have scanning on systems in safe mode
Changing port won't help, unfortunately.

Apply firewall and only allow the appropriate IPs, users and/or computers
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html
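To put the advice in this thread (block 3389, allow RDP only from specific sources, and look at the failed logons that the firewall logs hinted at) into a repeatable form, here is an added PowerShell example; it is not code from the thread or from the linked article. It assumes Windows Server 2008 with PowerShell 2.0 and netsh advfirewall, that the built-in inbound rule is named "Remote Desktop (TCP-In)", and that $AdminSources is replaced with the real admin range.

```powershell
# Added example: scope RDP to an admin source range and summarise failed RDP logons.
# Run in an elevated PowerShell prompt on the SBS server.
$AdminSources = '203.0.113.0/24'   # constructed placeholder: replace with your admin VPN/office range

# 1. Read the actual RDP listening port from the registry key quoted in the thread,
#    in case a previous admin moved it away from 3389.
$rdpKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "RDP listens on TCP $rdpPort"

# 2. Make the firewall default-deny inbound, then scope the RDP allow rules to the admin range.
#    Caveat: in Windows Firewall an explicit block rule wins over an allow rule, so do NOT add a
#    "block 3389 from any" rule next to the allow; rely on the default inbound block instead.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=$AdminSources
netsh advfirewall firewall delete rule name="RDP admin only" | Out-Null   # idempotent re-run
netsh advfirewall firewall add rule name="RDP admin only" dir=in action=allow `
    protocol=TCP localport=$rdpPort remoteip=$AdminSources

# 3. Detection: count failed logons (event 4625) by source address. RDP without NLA logs
#    logon type 10; with NLA enabled the failure is recorded as a network logon, type 3.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        New-Object PSObject -Property @{
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
            User      = $data['TargetUserName']
        }
    } |
    Where-Object { $_.LogonType -eq '10' -or $_.LogonType -eq '3' } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object -Property Count, Name -First 10
```

A source address with hundreds of failures against many different user names is the password-spraying pattern the 3389 activity in the firewall logs most likely represents; on a host that is being rebuilt, this is evidence to collect before the wipe, not a reason to skip it.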
Thanks, guys. I am going to advise them on bare-metal recovery. I have also closed RDP and applied a geo-IP solution for FTP access; hope this would help. I will keep you guys posted here.
I have also closed RDP and applied geo-IP solution for FTP access

Why are you not just blocking everything in and opening the ports you absolutely need?
I can only see port 21 for FTP and 25 for SMTP... what else do you really need to allow in?
Thanks to everyone who contributed their valued time and expertise.