We have a dedicated server with a well known company here in the UK; it's running Windows 2003 Server Std. This runs an application that was developed by our company and is accessed by a maximum of around 50 users per day.
Over the last few months the server has got slower and slower, although we do have periods when it's really fast. There seems to be nothing we can point our finger at as to why it speeds up and slows down; we checked the number of users accessing etc. and it does not seem to affect speed (users access by a secure logon).
This week the server was nearly at a standstill. I rang the hosting company, who informed me that they thought our server had been hacked. They said they could see exe files running that they had not installed, and mentioned the following -
They said these exe files were listening on a TCP port (excuse my ignorance, I'm not that technically minded).
They also said two users were accessing our server from Canada and California.
They also said that because we had loaded our own software on the server it was not their responsibility if our server was hacked, and that we were also running PCAnywhere, which is notorious for allowing a server to be hacked.
I pointed out that we paid them to host the server and it was behind their firewall; would that not stop unauthorised access? The response was no.
I have a few questions; I wonder if somebody might help me with the answers.
1. Does it appear our server was hacked? Do the exe files look suspicious?
2. What is our hosting company's responsibility?
3. Is PCA secure?
4. How can we stop this in future?
I am also told by our guys that there is evidence of someone using our server to surf the web. Could this be internal, i.e. our hosting company, or maybe a hacker?
We can see when users are logged into our application, but nothing else. Is there some reporting software we can install to let us view who is accessing our server?
What can we do to make the server more secure?
We are currently scanning it with spyware software, and although we have anti-virus we are scanning again; this new scan picked up 7 viruses. I'm not sure yet what these were.
Any comments / feedback would be much appreciated.
1. Does it appear our server was hacked? Do the exe files look suspicious?
Might be, but I cannot say until the real situation is viewed. Mainly it has got into your server without your attention or that of your team members (through any uploads). This is one of the possibilities.
A hacker might have accessed your server through the software itself (there are also chances of that).
2. What is our hosting company's responsibility?
They cannot do much on this, as they stated clearly: if your server has been hacked through your ignorance in using it, then they are not responsible for it.
First of all, nothing is secure in this world; whatever you try to do, there are ways to get in easily. There are many software packages which produce reports (logs) on access; have a search on Google, or try a freelancer to develop it according to your needs (this might be good, as it depends upon what your request may be).
By going to Start -> Control Panel -> Administrative Tools -> Event Viewer you can see all the logs that your copy of Windows has been set up to record (to see security logs you will need to be logged in as an administrator). To change what your system logs you need to use the Group Policy Object Editor; however, you should ask a sysadmin to explain this to you properly.
http://www.hping.org/visitors/ offers a digested version of your server logs, and can even display it in real time - I have not used it but if all your authorised users are in the UK it should help you track down who the unauthorised users are.
In regards to server security, you really need to get an experienced sysadmin to secure your server, as it's not the kind of job you can do without experience. Any software such as PCAnywhere which allows remote, privileged access to your server clearly presents an opportunity for hackers and can never be 100% secure; however, a good guide to putting in some safeguards can be found here: http://www.nyu.edu/its/security/pcanywhere.html (obviously change nyu.edu to your own ISP).
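As an added example (not code from any of the replies above), here is one way to do what the Event Viewer and log-digest suggestions describe: summarise logon events from an exported Windows 2003 Security log by source address and flag any address outside the ranges your UK users come from. It assumes the log was saved from Event Viewer as CSV with the column layout shown and that each Description carries the "Logon Type:" and "Source Network Address:" fields; the sample rows are constructed and use documentation IP ranges.

```python
import csv
import io
import ipaddress
import re

# Windows 2003 Security event IDs: 528 successful logon, 540 successful
# network logon, 529 logon failure (unknown user name or bad password).
# Logon type 10 is a Terminal Services session, 3 a network logon, 2 console.
SUCCESS_IDS = {"528", "540"}
FAILURE_IDS = {"529"}

# Constructed sample of an Event Viewer CSV export (column layout assumed).
# 203.0.113.0/24 stands in for the UK office range and 198.51.100.77 for an
# address nobody in the company recognises; both are documentation ranges.
SAMPLE_CSV = """\
Type,Date,Time,Source,Category,Event,User,Computer,Description
Success Audit,01/06/2008,09:02:11,Security,Logon/Logoff,540,APP\\jsmith,SRV01,Logon Type: 3 Source Network Address: 203.0.113.10
Failure Audit,01/06/2008,09:05:02,Security,Logon/Logoff,529,SRV01\\Administrator,SRV01,Logon Type: 10 Source Network Address: 198.51.100.77
Success Audit,01/06/2008,09:05:47,Security,Logon/Logoff,528,SRV01\\Administrator,SRV01,Logon Type: 10 Source Network Address: 198.51.100.77
Success Audit,01/06/2008,09:06:00,Security,Logon/Logoff,528,SRV01\\Administrator,SRV01,Logon Type: 2 Source Network Address: -
"""

# Pull the logon type and source address out of the free-text Description.
FIELD_RE = re.compile(r"Logon Type:\s*(\d+).*?Source Network Address:\s*(\S+)")


def summarise_logons(csv_text, trusted_networks):
    """Group logon events by source address; console logons (no address)
    are keyed "console" with trusted=None."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = FIELD_RE.search(row["Description"])
        if row["Event"] not in SUCCESS_IDS | FAILURE_IDS or not match:
            continue
        logon_type, src = match.groups()
        src = "console" if src == "-" else src
        entry = summary.setdefault(src, {"ok": 0, "failed": 0, "types": set(),
                                         "users": set(), "trusted": None})
        entry["ok" if row["Event"] in SUCCESS_IDS else "failed"] += 1
        entry["types"].add(int(logon_type))
        entry["users"].add(row["User"])
        if src != "console":
            entry["trusted"] = any(ipaddress.ip_address(src) in n for n in trusted)
    return summary


def untrusted_sources(summary):
    """Addresses with logons or attempts from outside every trusted range."""
    return sorted(s for s, e in summary.items() if e["trusted"] is False)
```

On the sample data, untrusted_sources(summarise_logons(SAMPLE_CSV, ["203.0.113.0/24"])) returns the one unrecognised address, which had a failed and then a successful Terminal Services logon as Administrator; a real export is read the same way, with your own office ranges in place of the placeholder.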