My server has been hacked, desperately need help

#1
09-01-2007, 02:11 AM
jerry2
Newbie
Join Date: Mar 2006
Posts: 20

Hi there all...

I don't think I am a web administrator professional, but I have had a dedicated server with a web site for a year. Until the attacker got in... Let me explain.

I have Windows 2003 with all security patches, I run Plesk 8.2 and not much else. I use MySQL as a database with port 3306 open so I can connect from the outside (password protected also). I do use strong passwords on my Plesk, administrator, etc. I use the standard Microsoft FTP and the Windows 2003 Firewall, and connect through Plesk or remote connection.

Somebody has been able to penetrate my Admin remote desktop :-( I found strange windows open when I connected, and in the log there was an indication of a printer driver load. The printer name was one I don't have, and my Remote connection has Printers off. The attacker, although smart, did connect with his printer and that was visible in the log. When he terminated the session I found his IP.

I have since changed my administrator password but it doesn't help; he was in again today. He didn't do any harm up to now, I think; I checked for viruses and spyware.

I don't know what to do any more. He can do whatever he wants, and if I don't know how he is getting access to my admin account I cannot stop him. Today I blocked the whole IP range of his provider with IPSec, but as he is smart he can hack another computer and connect to me from it (maybe he has already done that and the IP was from a hacked server). This is no solution. I need to patch the hole.

I use ASP scripts, but I don't think one can gain access to the whole admin through them, maybe only get access to my database (if I made a mistake and didn't protect against injections or some other things).

I am desperate. Please, if anybody has some ideas what I can do, how I "catch" him, I mean patch the hole, please let me know.

Thank you

Jerry

PS - I had an idea to block all IPs to port 3389 (Remote Desktop) except my IP. But I am a little scared to do that, in case I lock myself out. And even in that case, if he knows the admin password he can get in some other way than using Remote Desktop, can't he?

#2
09-01-2007, 09:13 AM
jerry2
Newbie
Join Date: Mar 2006
Posts: 20

OK, I found out the hacker planted a NetMonInstaller service and WinPcap. Can anybody tell me what info he can get with this sniffer?

But how did he get in in the first place?

Jerry

#3
09-01-2007, 11:23 AM
ximi
WHT Addict
Join Date: Aug 2007
Location: Minneapolis
Posts: 109

With the sniffer, he can log all of your traffic, so he has access to quite a lot with it.

Make an image of the OS and analyze it later. Do a full reinstall now.

#4
09-01-2007, 11:38 AM
jerry2
Newbie
Join Date: Mar 2006
Posts: 20

It won't help, as I don't know how he got in in the first place. He used Abel & Cain.

#5
09-01-2007, 12:00 PM
Tom P
Web Hosting Guru
Join Date: Dec 2004
Location: United Kingdom
Posts: 301

Your best option is what ximi said to do.

Create a backup of everything and then get the datacenter to format and reinstall (or do it over KVM if the DC has it). When it's re-installed I would then consider paying a company to secure the system for you; if this is for business use then I would definitely recommend getting a consultant to run things by (such as leaving MySQL open: although needed, you need to lock it down).

Consider getting them to install an intrusion detection system and monitor failed logins on everything; it could be that he is brute forcing (you've said you have strong passwords, but you never know).

Also ensure that there is nothing on the PC you are connecting from, as if you have a keylogger on your system then you are always going to have the same problem.

> Backup
> Format
> Consult

Good luck!

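An added example, not from any post in this thread, covering Tom P's advice to monitor failed logins for brute forcing and Jerry's idea of allowing Remote Desktop only from his own IP: it runs over constructed Windows Server 2003 Security-log records (event 529 = logon failure, 528 = successful logon, logon type 10 = Terminal Services/RDP, written here as one-line summaries) and flags repeated RDP failures from one address as well as successful RDP logons from addresses outside an assumed allow list.

```python
"""Flag suspicious Remote Desktop activity in Windows Server 2003 Security-log data.
Added example for this thread, not from any post. Records are a constructed one-line
form of event 529 (logon failure) / 528 (successful logon), logon type 10 = Terminal Services."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <event id> type=<logon type> user=<name> src=<ip>"
SAMPLE_LOG = """\
2007-09-01 01:40:02 529 type=10 user=administrator src=203.0.113.45
2007-09-01 01:40:05 529 type=10 user=administrator src=203.0.113.45
2007-09-01 01:40:09 529 type=10 user=administrator src=203.0.113.45
2007-09-01 01:40:12 529 type=10 user=administrator src=203.0.113.45
2007-09-01 01:40:15 529 type=10 user=administrator src=203.0.113.45
2007-09-01 01:41:00 528 type=10 user=administrator src=203.0.113.45
2007-09-01 02:11:30 528 type=10 user=administrator src=198.51.100.7
2007-09-01 03:00:00 529 type=3 user=sa src=192.0.2.9
"""
# Placeholder for the owner's own workstation, the only address expected to use RDP.
ALLOWED_RDP_SOURCES = {"198.51.100.7"}
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) type=(\d+) user=(\S+) src=(\S+)$")

def parse(log):
    """Yield (timestamp, event_id, logon_type, user, source_ip) per well-formed record."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)

def brute_force_sources(log, threshold=5, window=timedelta(minutes=5)):
    """Addresses with at least `threshold` RDP logon failures inside one `window`."""
    failures = defaultdict(list)
    for ts, event, ltype, _user, src in parse(log):
        if event == 529 and ltype == 10:   # failed Terminal Services logon only
            failures[src].append(ts)
    flagged = set()
    for src, times in failures.items():
        times.sort()  # sliding window over the sorted failure times
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.add(src)
    return flagged

def unexpected_rdp_logons(log, allowed=ALLOWED_RDP_SOURCES):
    """Successful RDP logons (528, type 10) from addresses not on the allow list."""
    return sorted({src for _ts, event, ltype, _user, src in parse(log)
                   if event == 528 and ltype == 10 and src not in allowed})
```

On a real host the records would be exported from the Security log (the event IDs and logon type are the 2003-era values; later Windows versions use 4624/4625) before being fed to these functions.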
#6
09-01-2007, 12:13 PM
jerry2
Newbie
Join Date: Mar 2006
Posts: 20

Thanks for the tips. I do have some knowledge of how things work, but I guess something was still open.

#7
09-02-2007, 12:56 AM
Fernis
Junior Guru Wannabe
Join Date: Dec 2005
Location: Houma, LA
Posts: 66

You might want to consider scanning your system for rootkits using Rootkit Revealer.

Here is a link to download a copy of the utility.

http://filehippo.com/download_rootkit_revealer/

#8
09-02-2007, 01:23 AM
oneavenue
WHT Addict
Join Date: Feb 2002
Location: Tampa, Florida
Posts: 153

1. Back up all your files
2. Format the server drive(s)
3. Re-install Windows Server
4. Install anti-virus
5. Secure the server (hire a specialist if you have to)
6. Patch/update the server
7. Scan your backup files carefully
8. Restore your files to the new server install
9. Be very careful of what FREE scripts you install on your server (FREE scripts can cost a lot of money sometimes!)
10. Ask your provider if they provide a managed firewall service, or get a hardware firewall.

Good luck
