Security Forums

server hacked -- need some advice

Networking/Security Forums Index -> Computer Forensics and Incident Response
moondoggie (Lurker; joined 27 May 2005; 19 posts)
Posted: Thu Apr 07, 2011 7:15 am    Post subject: server hacked -- need some advice

One of my clients noticed that their bandwidth was extremely slow, and in the process of investigating this, I found a rogue svchost.exe process. When I traced it back to its source, it was running from the desktop of a user whose account I don't recall creating, but I'm not the only one with admin rights to the server, so it could have been done by anyone. As a precautionary measure, I disabled the account, changed the admin password and renamed the offending profile. I looked into a couple of the text files from the rogue account and found what looks like a brute-force dictionary attack against the admin password. The file had a structure like this:

Code:

[login]
Administrator
[password]
apple
aardvark
barney
...
...


My questions are:
1. Is there any benefit in having a forensic image taken of the server hard drive and having it analyzed?
2. If so, how would I accomplish this?
3. What can I do to detect if another rogue account gets created?
4. Is there a way to audit if/when files are accessed and by what account in SBS2003?
5. Is there any way of determining who created the account, or what date the account became active? I have a set of dates where it was obvious the account logged into the server, and a set of dates when the rogue svchost.exe was installed, but I'm not sure who gave this account domain admin rights or when.
ryansutton (Trusted SF Member; joined 25 Aug 2004; 67 posts; San Francisco, California)
Posted: Thu Apr 07, 2011 8:37 am

I would treat it the same as if a fellow IT admin was fired. Change *all* privileged account passwords. Audit your network for security holes, or hire someone to do this for you. That last sentence is short, but encompasses a lot of things. The only thing worse than getting hacked, is getting hacked twice.

In response to your questions:
1) I do not see any benefit justifying the cost
2) n/a
3) Set up account auditing in AD. It also wouldn't hurt to set up auditing of sensitive files/directories/shares.
4) You need to set up an auditing policy and then specify what you want audited. Make sure you audit both directory objects as well as files. This is well documented; take a look at Tech Center for info.
5) Unlikely, unless you already had auditing enabled.
moondoggie (Lurker; joined 27 May 2005; 19 posts)
Posted: Thu Apr 07, 2011 8:01 pm

I'll be heading back onsite there later today to set up the auditing. Is there a good intrusion detection program I can also use to make sure this is not going to be a repeat offense?
moondoggie (Lurker; joined 27 May 2005; 19 posts)
Posted: Fri Apr 08, 2011 6:16 pm

OK, I turned on the auditing as shown via group policy, but when I went to create a test account it only showed that I had used MMC, and not which module, and not for what purpose. How do I set up an auditing scheme to tell me if/when an account is created?
ryansutton (Trusted SF Member; joined 25 Aug 2004; 67 posts; San Francisco, California)
Posted: Fri Apr 08, 2011 8:35 pm

To set up auditing, it's a multi-step process:
1. Enable the auditing policy via the local DC policy
2. Enable auditing of the specific OUs that you want audited
3. Test by creating a new account
4. Check the security event log to see if you are getting events. I recommend filtering by event ID, as the security log is huge. For example, you should be able to filter by event 624 to show account creation events.

Did you complete all 4 steps?
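Step 4 above filters the Security log for the account-creation event; the original question 5 also asked who gave the rogue account domain admin rights. The following is an added example, not code from this thread or from any of its posters, that takes the same check one step further in Python: it parses a constructed CSV export of a Windows Server 2003 Security log and joins each account-creation event (624) with later additions of that account to a privileged group (632 for a security-enabled global group such as Domain Admins, 636 for a local group such as Administrators), reporting who performed each step. The column layout of the export, the sample rows, and the PRIVILEGED_GROUPS set are assumptions made for this example.

```python
import csv
import io
from dataclasses import dataclass

# Pre-Vista (Windows 2000/2003) Security log event IDs relevant here.
ACCOUNT_CREATED = 624            # user account created
GLOBAL_GROUP_MEMBER_ADDED = 632  # member added to a security-enabled global group
LOCAL_GROUP_MEMBER_ADDED = 636   # member added to a security-enabled local group

# Assumption for this example: groups whose membership changes always merit review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample export (not real log data). The columns are an assumed layout
# for a CSV saved from Event Viewer: time, event id, affected account, group name
# (empty for 624), and the subject account that performed the action.
SAMPLE_LOG = """\
time,event_id,target,group,subject
2011-03-28 22:14:03,624,svc_backup2,,DOMAIN\\jsmith
2011-03-28 22:14:40,632,svc_backup2,Domain Admins,DOMAIN\\jsmith
2011-03-29 09:02:11,624,tempuser,,DOMAIN\\helpdesk
2011-03-29 09:03:00,636,tempuser,Remote Desktop Users,DOMAIN\\helpdesk
2011-04-01 03:17:55,636,svc_backup2,Administrators,DOMAIN\\svc_backup2
"""


@dataclass
class Event:
    time: str
    event_id: int
    target: str   # account the event is about
    group: str    # group name for 632/636, empty otherwise
    subject: str  # account that performed the action


def parse_events(text):
    """Parse the CSV export into Event records."""
    reader = csv.DictReader(io.StringIO(text))
    return [Event(row["time"], int(row["event_id"]), row["target"],
                  row["group"], row["subject"]) for row in reader]


def account_creations(events):
    """Map each created account to (time, creating subject) from 624 events."""
    return {e.target: (e.time, e.subject)
            for e in events if e.event_id == ACCOUNT_CREATED}


def privileged_additions(events):
    """Return (time, target, group, subject) for each addition to a privileged group."""
    return [(e.time, e.target, e.group, e.subject)
            for e in events
            if e.event_id in (GLOBAL_GROUP_MEMBER_ADDED, LOCAL_GROUP_MEMBER_ADDED)
            and e.group in PRIVILEGED_GROUPS]


def report(events):
    """One finding per privileged-group addition, joined with who created the account."""
    created = account_creations(events)
    findings = []
    for time, target, group, subject in privileged_additions(events):
        created_at, created_by = created.get(target, (None, None))
        findings.append({
            "account": target,
            "group": group,
            "elevated_at": time,
            "elevated_by": subject,
            "created_at": created_at,
            "created_by": created_by,
            # A new account adding itself to an admin group is a strong signal.
            "self_elevation": subject.split("\\")[-1].lower() == target.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in report(parse_events(SAMPLE_LOG)):
        print(f"{f['elevated_at']}  {f['account']} -> {f['group']} by {f['elevated_by']}"
              f" (account created {f['created_at']} by {f['created_by']},"
              f" self-elevation={f['self_elevation']})")
```

The correlation can only report what the log recorded, so it is useful on a real export only once account-management auditing has been enabled in steps 1 and 2; the `self_elevation` flag marks the case where the subject adding the member is the new account itself, which is the pattern worth reviewing first in an incident like the one described.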
moondoggie (Lurker; joined 27 May 2005; 19 posts)
Posted: Fri Apr 08, 2011 9:02 pm

Apparently I had the wrong permissions set for auditing, and it was only auditing permission changes instead of creation/deletion of objects. All fixed now. Thanks for the help!
jemesright (Link Spammer; joined 28 Apr 2011; 0 posts)
Posted: Thu Apr 28, 2011 7:07 am

I wholeheartedly agree with what Datacenter1.com said about finding a new provider, as you definitely need 24-hour, around-the-clock support for issues such as hardware failures or other matters where you need critical support right away, and if they are not providing that then I would definitely be looking elsewhere.

Now, in regard to the matter of your security, if your data center did not say what they did or what the problem was, I would be seriously concerned with their handling of the matter or their competence, particularly given that you now say that you have been "hacked again".

Did they run scans for exploits? Rootkits? Etc?

What exactly was done after the first attack?

Now granted that most data center technicians are not security experts but they should have at least told you what they did do towards trying to resolve your situation or what they found out about your server.

Fortunately, you do not have to wait for them to open, and I am sorry I did not see your post 2 hours ago, because I certainly would have responded then, as I can get to the bottom of how your server was hacked and what problems you have, and help you take the necessary steps to make sure you don't go through this all over again a third time.

At this point, you need a detailed, intensive assessment of your server, because if it's been compromised twice now, there is a very high probability that your server has already been rooted, and that is something that you most certainly need to know ASAP. Depending on your server's current situation, you may or may not look at reloading things, and you definitely want to do a full security review and closely examine all your activity logs everywhere.