Server Hacked, What is Bitcoin?



An exciting Monday morning:

I got into work today and logged into one of our client servers to check on it proactively, and found that I could not open another RDP connection to it; there were already three sessions and it's just an SBS box. Went to the console and logged in (very slow). Found a "test" account logged in twice, disconnected, and one administrator (probably mine). Went to make a few calls to some people to make sure no one was doing any work on it. Came back and one test account was logged in... Changed its password, logged one session off so I could log on remotely and try to shadow, but without success. Disconnected the user, now they can't log in again. I see many processes I had never seen before: rpcminer-cpu.exe, VxTaskMgr.exe, guiminer.exe, uiSeAgent.exe, safesurf.exe, surfguard.exe, etc.

Where I am at now is some mining of my own... both on the internet for anything related, and on the server for anything on how this was done, so I can get rid of everything. That means you, Neowin! Anyone encountered such malicious offenses on their server?

One thing I have found is a website listed in a utility. I won't post it here, but it talks about Bitcoin and CPU/GPU mining (to make money?). I'd like to know what kind of "mining" is going on though!

Any insight at all is appreciated!


Bitcoin 'mining' is basically computing various mathematical problems in order to generate bitcoins, which can be used as currency in certain places.


So this server is open to the internet via RDP? There is currently a worm going around via RDP sessions. But from my understanding it's not doing any sort of exploit, only brute-force password access. So your server was open to the internet for remote desktop, and had a crappy password on it?

For starters, RDP should not really be open to the public net; you should have to VPN into the network to access services like that. At a very minimum, if you have no VPN set up, you should only allow RDP from known IPs, etc. Or otherwise secure the connection with more than just a username and password.

Or maybe that is the case, and some box either on your local network or via VPN is infected?

Here is some info on the Morto worm:

http://www.theregister.co.uk/2011/08/28/morto_worm_spreading/

http://blogs.computerworld.com/18870/morto_worm_spreading_fast_via_rdp?af


I said this would happen eventually on a post about Bitcoin on the main page of Neowin. I predicted back then that hackers would eventually install it on compromised servers as a way to make money, alongside turning servers into email-based spam bots.

Find out how they compromised your server, hopefully not an unknown exploit.


So this server is open to the internet via RDP? There is currently a worm going around via RDP sessions. But from my understanding it's not doing any sort of exploit, only brute-force password access. So your server was open to the internet for remote desktop, and had a crappy password on it?

For starters, RDP should not really be open to the public net; you should have to VPN into the network to access services like that. At a very minimum, if you have no VPN set up, you should only allow RDP from known IPs, etc. Or otherwise secure the connection with more than just a username and password.

Or maybe that is the case, and some box either on your local network or via VPN is infected?

The server sits in our offices alone and merely hosts Exchange and VPN tunnels for the clients around the world. The password wasn't the strongest, but it was what the client had set up... I knew having RDP open is conceptually a bad idea, but I had never had, or heard of, it being the cause of a hack...

Thanks for the worm info.


Common services secured only by username/password are always a target; turn on an SSH server and see how many attempts you get ;) Same goes for FTP.

My SSH server is locked to public key auth only, and it blocks at least an IP a day because of attempted logins, even though they could bang their heads against it forever -- I ban the IPs to keep the logs readable -- if not, they would just be full of attempts.

If for some crazy reason you have to allow such servers open to the public net, the usernames and passwords need to be SECURE!! i.e. don't use standard usernames like admin or administrator, and use a VERY secure password!!
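The log-tallying this post describes (counting failed logins per source IP and banning the noisy ones) is easy to script. The following is an added example, not code from anyone in the thread: it runs over a handful of constructed auth-log lines in the usual OpenSSH "Failed password for ..." format, tallies failures per IP, and lists the addresses over a threshold. The addresses, hostnames and timestamps in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the thread): count failed SSH password attempts per
# source IP from auth-log lines and list the IPs that exceed a ban threshold.
# The log lines below are constructed for this example; the format follows the
# usual OpenSSH "Failed password for ..." syslog line.

SAMPLE_AUTH_LOG='Sep  5 08:01:12 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Sep  5 08:01:15 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Sep  5 08:01:19 host sshd[4101]: Failed password for root from 203.0.113.5 port 51023 ssh2
Sep  5 08:01:25 host sshd[4101]: Failed password for root from 203.0.113.5 port 51024 ssh2
Sep  5 08:03:40 host sshd[4120]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Sep  5 08:03:58 host sshd[4120]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Sep  5 08:05:02 host sshd[4133]: Failed password for invalid user test from 192.0.2.9 port 33211 ssh2'

# Print "count ip" for every source address with at least one failed password
# attempt, most failures first. Reads log lines from stdin; successful
# public-key logins ("Accepted publickey") are ignored.
failed_attempts_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for ' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print the IPs whose failure count is >= the threshold given as $1.
# Feed this list to your firewall (hosts.deny, iptables, a fail2ban jail).
ban_candidates() {
    threshold="$1"
    failed_attempts_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Convenience wrappers that run the two functions over the constructed log.
sample_failures() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_attempts_by_ip
}

sample_ban_candidates() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates "$1"
}

# Stand-alone run: show the per-IP tally and who would be banned at 3 failures.
sample_failures
echo "--- ban candidates (>= 3 failures) ---"
sample_ban_candidates 3
```

On a real box you would pipe `/var/log/auth.log` (or `journalctl -u sshd`) into `ban_candidates` instead of the sample; the single noisy address in the sample (four failures against `admin` and `root`) is the one that crosses the threshold, while the user who fails once and then logs in with a key is left alone.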


There is nothing wrong with opening a server to the internet that is running RDP; proper security is needed. Change the Admin ID, strong password, lockout policies, separate accounts for services with strong passwords. I have had servers on the internet and running without any issues from my home network. Never had any issues.

I've built several dozen servers for various corporations, including a State Government (local). A good firewall and good configuration with a strong security base handles the issues.


With opening RDP to the public internet I agree "proper security is needed" - the problem is that quite often this is not the case.

Which clearly, since it was hacked, means the security procedure(s) in place failed. Generally speaking, services that provide remote admin access to any of your servers are not a good idea to open to the public, unless you are damn sure your security practices are SECURE and above reproach.

There are plenty of ways to allow your admins and even users to remotely access your services -- generally speaking, services that are only secured by a password are not a good idea. Unless the service is minor and isolated from possible increased access due to exploitation.

As to remote desktop, should it or shouldn't it:

http://csrc.nist.gov/publications/nistpubs/800-46-rev1/sp800-46r1.pdf

Guide to Enterprise Telework and Remote Access Security

Generally, remote desktop access solutions should only be used for exceptional cases after a careful analysis of the security risks. The other types of remote access solutions described in this section offer superior security capabilities.

I stand by my statement: generally speaking, I would not suggest you directly allow access via remote desktop from the internet. I would suggest that remote access be secured with the use of other methods, be it VPN, be it other verification methods to allow access, be it cert or other multi-factor auth methods, locked to specific known IPs, etc.


Common services secured only by username/password are always a target; turn on an SSH server and see how many attempts you get ;) Same goes for FTP.

My SSH server is locked to public key auth only, and it blocks at least an IP a day because of attempted logins, even though they could bang their heads against it forever -- I ban the IPs to keep the logs readable -- if not, they would just be full of attempts.

If for some crazy reason you have to allow such servers open to the public net, the usernames and passwords need to be SECURE!! i.e. don't use standard usernames like admin or administrator, and use a VERY secure password!!

A million times this.

I get a ton of login attempts on all my FTP servers across all my servers :\

My SSH doesn't get hit as often (perhaps once a month, sometimes not even that), but I wonder how much that has to do with living in Australia as opposed to the US. 98% of the time the connection attempts are from China (for me).

Regarding passwords, you should have a schema set out for generating passwords, even if just for home stuff. Make it as complex as necessary, then learn how to memorise strings of random digits >.<

The Admin/Administrator thing is pretty huge also..

Server was also sending out 400,000 emails as the FBI. *sigh*

Joy. Looking forward to seeing your server on the blacklists for a week or two :p

That NIST document is a little full on, but it does set out best practices.

As much as I am sure Budman is going to hate me saying this, pick what you feel you need from the document and apply it. A lot of the time those measures are overkill (not sure about this specific document, I mean with NIST things in general).

Inb4budmanmurderingmewithasharpenedfloppydisk.


http://www.weusecoins.com/

That should give you a brief overview of Bitcoin. Miners exchange CPU and GPU cycles for coins. The profit between the power bill and the amount of coin generated is negligible, so I guess most miners resort to using "free" energy.

http://www.bitcoin.it/

This is the wiki for bitcoin. You can find information on how the miners support the framework of the currency through mining for hashes. Bitcoins are just a reward for finding a hash with the distributed computing power. The network awards the worker that finds the hash with 50 Bitcoins to keep the incentive high. Block hashes are found at an average 4 blocks an hour.

But of course, your main concern is security. Excuse me please, I'm just an enthusiast :)


Hello,

A nice write-up here in ESET's Threat Blog on the trojan. What it does, files dropped, ports it operates on, and so forth (the author is a friend of mine).

Regards,

Aryeh Goretsky


"pick what you feel you need from the document and apply it. "

I agree with this completely, to be honest -- most of the document would be overkill for many setups. Take the best of it and apply it as best you can!! This is all you can ask. You need to weigh the risks vs the costs; not every setup requires a DOD-type security setup ;)

But please, please keep some common, low-cost, sensible things in mind when allowing connections from the public net -- it's crazy out there ;)

It costs NOTHING to use a SECURE password ;) It costs nothing to use a non-common, unique username as your admin account. This serves little purpose if users have local access to the machine; you can always tell what the admin accounts are from the RID in Windows, for example. Security for local access and network access are two completely different things.

If you feel your best option is allowing direct access to your remote desktop from the public net -- take as many precautions as you can. I personally would not do it, I just don't like the risk. I would get them in via VPN. For SOHO there are plenty of options for FREE or very low-cost VPN solutions. **** your fav Linux box, or even a router running dd-wrt, can run OpenVPN; or, even less complicated, an SSH server, which both of them have out of the box, plus PuTTY, and you have yourself a poor man's VPN ;) Tunnel your RDP traffic through your secure, public-key-auth-only SSH connection.

As to the LogMeIn question - I don't have a problem with it; it's not a direct connection into your box from the public net. There is a go-between there -- if you trust the go-between, I don't see an issue with it in general. Not sure I would open it up so every user could set it up on their own workstation, sort of thing. But sure, if you want to use it as your admins' way into a box on your network so they can remote to the rest of your network from that box, I don't see a real problem with it. Not sure I would allow it access to every server on your network with 1 single login or anything like that ;) But as a method into your network, sure, it can be secure.
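The "poor man's VPN" described above only helps if the SSH box really is public-key-only; a tunnel through an SSH server that still accepts passwords just moves the brute-force target. The following added example (not code from anyone in the thread) audits an sshd_config fragment for the directives that matter, showing a weak fragment beside a hardened one, and builds the client-side command that forwards a local port to the RDP port of an internal host through the SSH box. Both config fragments are constructed, and the hostnames and user name passed to the tunnel helper are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# that make an SSH-tunnelled RDP session safe (public-key auth only, no root
# login, no empty passwords), and build the ssh command that tunnels RDP
# through it. Both config fragments below are constructed for this example.

WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3'

# Print the effective value of one directive from the config on stdin
# (first match wins, as sshd itself does); no output means "not set".
directive_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# Print one finding per line for each directive that is missing or set
# unsafely; return 1 if there were any findings, 0 if the config passes.
audit_sshd_config() {
    cfg="$1"
    findings=0
    for pair in \
        'PasswordAuthentication=no' \
        'PermitRootLogin=no' \
        'PubkeyAuthentication=yes' \
        'PermitEmptyPasswords=no'; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(printf '%s\n' "$cfg" | directive_value "$key")"
        if [ -z "$got" ]; then
            echo "MISSING: $key (want $want)"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "WEAK: $key is $got (want $want)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Build the command an admin runs on their workstation: forward a local port
# to TCP 3389 on an internal host, via the SSH box. -N means "no remote shell,
# just the forward". All hostnames/user names are placeholders, not from the thread.
rdp_tunnel_command() {
    local_port="$1"; rdp_host="$2"; ssh_user="$3"; ssh_host="$4"
    printf 'ssh -N -L %s:%s:3389 %s@%s\n' "$local_port" "$rdp_host" "$ssh_user" "$ssh_host"
}

# Stand-alone run: audit both fragments, then print the tunnel command.
echo "--- weak config ---"
audit_sshd_config "$WEAK_SSHD_CONFIG" || echo "result: FAIL"
echo "--- hardened config ---"
audit_sshd_config "$HARDENED_SSHD_CONFIG" && echo "result: PASS"
echo "--- tunnel ---"
rdp_tunnel_command 3389 sbs.internal.example admin ssh-gw.example.com
# With the tunnel up, point the RDP client at the local end, e.g. mstsc /v:localhost:3389
```

The weak fragment fails on three counts (password auth on, root login on, `PermitEmptyPasswords` never set); the hardened one passes. The audit reads a fragment from a variable so it runs offline; on a real host, pass it `"$(cat /etc/ssh/sshd_config)"`, and remember that an `Include` or a `Match` block can override what the top-level directives say.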


Hello,

A nice write-up here in ESET's Threat Blog on the trojan. What it does, files dropped, ports it operates on, and so forth (the author is a friend of mine).

Regards,

Aryeh Goretsky

I'm not sure how you come to the conclusion that what you posted is at all related.


So this server is open to the internet via RDP? There is currently a worm going around via RDP sessions. But from my understanding it's not doing any sort of exploit, only brute-force password access. So your server was open to the internet for remote desktop, and had a crappy password on it?

For starters, RDP should not really be open to the public net; you should have to VPN into the network to access services like that. At a very minimum, if you have no VPN set up, you should only allow RDP from known IPs, etc. Or otherwise secure the connection with more than just a username and password.

Or maybe that is the case, and some box either on your local network or via VPN is infected?

Here is some info on the Morto worm:

http://www.theregist...worm_spreading/

http://blogs.compute...fast_via_rdp?af

The worm only affects machines with weak passwords. So, unless your admin account was something like Login: Administrator, Password: password - you don't have to worry.

See here for more information.
