  1. #1

    Angry Dedicated Server Compromised Before its Even Set Up??

    After a fresh OS install on my dedicated server - and before I had even logged onto the server and reset it up - I noticed extremely high bandwidth consumption.

    The first two techs I spoke with at the hosting company (which for now, will remain nameless), didn't know how such activity could be occurring, and bumped me up to their level 2 guys.

    Level 2 says that the server was compromised immediately after the fresh OS install, and recommended another OS install, OS hardening, and a firewall.

    My question: Is it likely that the server could be compromised, immediately after a fresh OS install; compromised, in fact, even before I had logged into it? Or is there an alternative explanation for what's happening?

  2. #2
    Join Date
    Jul 2002
    Posts
    3,734
    If they are throwing vulnerable machines online in a predictable manner, then yes, it is more than likely.

    Servers need to be hardened, yes. But if they're getting root compromised minutes after the server company puts them online, then the server company is doing something wrong, not you. They should be using the latest kernel, as well as patching their images for the latest vulnerabilities.

  3. #3
    Join Date
    Mar 2004
    Location
    Odessa, Ukraine
    Posts
    610
    What OS did you install? Windows?

  4. #4
    Originally posted by andreyka
    What OS did you install? Windows?
    Yep, Windows Server 2003.

  5. #5
    Join Date
    Mar 2004
    Location
    Odessa, Ukraine
    Posts
    610
    I recommend that immediately after setting up the OS you set up an antivirus and a firewall.
    Don't use the built-in firewall; it is too poor.

    I prefer Symantec Antivirus and Personal Firewall.

  6. #6
    Join Date
    Apr 2003
    Location
    UK
    Posts
    2,569
    There was a report that said a new unpatched Windows (I think 2k) machine could/would be hacked in 15 minutes (on average) after being put online.

  7. #7
    Greetings:

    We've seen this happen over the past nine years a number of times.

    http://www.dshield.org/ keeps track of the "average" survival time of an unprotected computer on the Internet.

    It typically varies from 13 to 17 minutes.

    Thank you.
    ---
    Peter M. Abraham

  8. #8
    Join Date
    Mar 2004
    Location
    Nottingham UK
    Posts
    176
    As soon as I read the first line of this post I knew this could only be a Windows machine.

    I once accidentally left the net connection in a Windows server I was reinstalling, and by the time it had booted and I had installed AV, no longer than 2 mins, it already had 16 viruses and more coming in.

    Had to start all over again... will never make that mistake again.

    They should at least be installing the latest version of any OS on a server, not just throwing up base installs. You do need to ask yourself if you have chosen the right company, as I bet they will want to charge you extra for the upgrades.

    In the case of a Windows install, the server will not be attached to the Internet until it has been installed and updated, with firewall and AV installed and all the latest builds installed off a CD that's actually burnt on a Linux box.
    HostedUK - All servers owned by us and based in the UK.
    Hosting since June 2002

  9. #9
    Join Date
    Dec 2004
    Location
    Cedar Rapids, IA
    Posts
    17
    Yes, I totally agree in that it should have been patched before being allowed online alone. On my home machine I put it behind a router, DMZ the router to a non-used IP on my subnet, then get the updates/SPs before tossing the box online. DCOM can be exploited by a cable modem within 5 minutes of finding the ports (139, 1024, 1025) open. Definitely bad operating practices by your host.
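As an added illustration of the gate that #8 and #9 both describe (patched, firewall on, no RPC/NetBIOS listeners exposed before the box faces the Internet), here is a check script that is not from this thread. It assumes a current Windows with PowerShell 3 or later rather than the Server 2003 of the original post, and ports 135 and 445 are my addition to the thread's list of 139, 1024 and 1025.

```powershell
# Added example, not from the thread: pre-exposure gate check for a freshly built Windows host.
# Assumes a modern Windows (Server 2012+ / PowerShell 3+) with the NetSecurity and NetTCPIP
# modules; Server 2003 had neither, so carry over the idea, not the cmdlets, for older builds.
# 139/1024/1025 are the ports post #9 names; 135 (RPC endpoint mapper) and 445 (SMB) are an
# assumption added here because the same DCOM/RPC attack surface listens on them.
$RiskyPorts = @(135, 139, 445, 1024, 1025)
$Problems = @()

# 1. Every firewall profile (Domain, Private, Public) must be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $Problems += "Firewall profile '$($p.Name)' is disabled" }
}

# 2. Nothing should be listening on a risky port on a non-loopback address.
$Listeners = Get-NetTCPConnection -State Listen | Where-Object {
    ($RiskyPorts -contains $_.LocalPort) -and
    ($_.LocalAddress -ne '127.0.0.1') -and ($_.LocalAddress -ne '::1')
}
foreach ($l in $Listeners) {
    $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $Problems += "Port $($l.LocalPort) listening on $($l.LocalAddress) (process: $proc)"
}

# 3. No applicable updates may still be pending (Windows Update Agent COM API).
# This needs outbound access to the update source, i.e. the NATed/DMZ setup post #9
# describes, not inbound exposure of the host itself.
$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$Pending  = $Searcher.Search("IsInstalled=0 and IsHidden=0").Updates
if ($Pending.Count -gt 0) {
    $Problems += "$($Pending.Count) update(s) pending, e.g. '$($Pending.Item(0).Title)'"
}

# Verdict: only a clean run means the box may be put behind a public address.
if ($Problems.Count -eq 0) {
    Write-Output "PASS: host is ready to be exposed"
    exit 0
} else {
    Write-Output "FAIL: do not expose this host yet"
    $Problems | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Run it from an elevated prompt while the host still sits behind the router; a non-zero exit code is the signal to keep it there.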
