dabossuk Posted October 4, 2004 Share Posted October 4, 2004 Hi Well it had to happen, finally been hacked. I have a couple of Win2003 servers in a server farm - the little sh*t installed Cain / Able a password cracking program. He somehow managed to create a user account, with admin rights - and then installed the app and has been grabbing passwords for the last 3 days. yeh I know, should have firewall etc - but only had the servers a few weeks and was on my todo list. So sorting that side out now - however ... do you know how I can do the following. - Log remote IP address in event log for failure / success logins ? I remember something in local policy but cannot find it anywhere. - a freeware / shareware tool for reading / monitoring / generating reports from Event logs. By the way it was totally patched, I had used IIS lockdown, and baseline security analyser - just no firewall - but have no idea how he managed to create the account in the first place with admin rights! If these are not the best forums for asking Win2003 stuff where should I be posting this stuff ? Dabossuk Link to comment Share on other sites More sharing options...
red8Rain Posted October 4, 2004 Share Posted October 4, 2004 ahh the shock of being hacked for the first time. People take security for granted these days and thus Microsoft now enables the Windows Firewall by default upon installation of XP Service Pack 2. First off, your firewall should of been the first thing that goes up ... unless you are using Windows Firewall, then it would be the first thing you install after install Windows 2003. - Remote IP loggin ... that isn't one of the options in Win03 GPO. You can log failed and successful login attempts. - I use 'eventCombMT.exe' to track all my event logs. I have an article by Roberta Bragg somewhere in my email that tells you what eventID to look out for. Can't seem to find it on my desktop ... might be on my laptop at home. Might the hack come internally? Some users with local admin rights can run a password crack against your local administrator account and tried that gain domain access ... thus my domain admin and local admin account password is different and contains 14 characters UNICODE. Link to comment Share on other sites More sharing options...
dabossuk Posted October 4, 2004 Author Share Posted October 4, 2004 Hi The reason I did not install the firewall is that my servers are in a farm, however they do not provide remote hands, and if you screw up the box at all they just reimage! ... I would sygate etc - however what ever firewall you install, you cut yourself off! ... and can not get into box - unless someone knows how to install sygate without locking yourself out ? Using PCDuo as my remote control utul - so need to make sure that still open! >Remote IP loggin ... that isn't one of the options in Win03 GPO. You can log failed and successful login attempts. Yeh i am logging successful and failed attempts - but cannot find the option to add IP address to the event log. >- I use 'eventCombMT.exe' to track all my event logs. I have an article by Roberta Bragg somewhere in my email >that tells you what eventID to look out for. Can't seem to find it on my desktop ... might be on my laptop at home. cool will Google, and have a look. >Might the hack come internally? Some users with local admin rights can run a password crack against your local >administrator account and tried that gain domain access ... thus my domain admin and local admin account >password is different and contains 14 characters UNICODE. I don't think so, the machines are locked down from each other - cannot even talk to my other box! - which is annoying at times. I assume its some MS bug, but scary that i am patched up and still got though. Need to work out this firewall issue or go and buy a dedicated on - have used gnatbox.com before which is v good. Thank god he did not delete anything, he could have done a lot more damage if he wanted to. Also he was very silly as lots of logs lying around and on one box was connected at the time, did a netstat and found his IP and port connection - so have reported to his ISP! Link to comment Share on other sites More sharing options...
Eversurf Posted October 4, 2004 Share Posted October 4, 2004 Dude there is nothing more important than a firewall. The Firewall should be where your internet connection comes in. you say "Thank god he did not delete anything". How much does your data worth? A linksys or any low level entry firewall are less than 75$. If you want to go crazy spend a 1000$ get a Sonicwall tz170. That will have an 30 eval for their IDS system and you will be able to block who ever is doing that. As far as your server not being able to communicate when the firewall is up....I think you are just having a port issue. find out from your Software vendor which port you need to open to the outside world for your apps to work Have fun!!! Link to comment Share on other sites More sharing options...
Sub Posted October 5, 2004 Share Posted October 5, 2004 First of all you're using Windows 2003. Server 2003 has a built in NAt firewall that will help you out a great deal. You probley have all your servers on Live Interent IP address ( WRONG!) and weak passwords. You probley also have NetBios enabled on the WAN card...Antoher Big no no....any brute force program can hack your server like that... I suggest Microsoft ISA 2004...Its a true Packet State Filter, not some Sonic NAT Firwall box... Link to comment Share on other sites More sharing options...
dabossuk Posted October 6, 2004 Author Share Posted October 6, 2004 Hi I now have a firewall installed - sygate - but after a lot of messing around. OK, please understand WHY there was no firewall solution. 1. I have 2 servers in a colocation centre where I have no access. 2. The company does not offer hands on support - all they will do is reimage, reboot. 3. If you install a firewall be it MS or any other - once its installed and you reboot - you are locked out of Terminal Services / PCDUo.com ... So how can you install a firewall when you can;t get back in!!! In sygate I installed a machine in the office with the same OS, apps etc as in the colocation centre. I then copied the configuration files form that machine. I install sygate on the remote server, but before reboot I copied the configuration files over the top of the default ones. I crossed my fingers and rebooted - and it worked!!! .... The moral of the story is ? in hind site I should never have picked the collocation company I did ? but it was cheap and they told me they offered a firewall service. I found out soon after that in fact they stopped offering it because too many customers were asking for changes and even they though were paying ? the company could not support the numbers of requests so they removed the firewall ? this came from the security officer of the company! ?crazy crazy crazy ? Link to comment Share on other sites More sharing options...
Mattimeo Posted October 6, 2004 Share Posted October 6, 2004 So why cant you tell the firewall to allow you access and not anyone else? I do it all the time with clients. And yes, disable NETBios on your WAN adapters...very important here. Link to comment Share on other sites More sharing options...
markwolfe Veteran Posted October 6, 2004 Veteran Share Posted October 6, 2004 Strange to be hacked on an up-to-date system (and, yes, Windows and Linux can be equally very secure - or insecure - depending on configuration). Did you have a strong password? It sounds like the problem could have been local access, 'social engineering', or brute force on a weak password. I suppose if they cracked a weaker box, and somehow harvested your password for the stronger box off of it, that could have been what happened, too. It sounds like you did most of the basics right, with the exception of lack of firewall. Could you also have had services running that you didn't need on that box? Link to comment Share on other sites More sharing options...
Marsden Posted October 7, 2004 Share Posted October 7, 2004 How could you not be able to telnet into a remote firewall? Insane! Get a hardware firewall. Any software firewall can be uninstalled just as easily as it is installed. Hell a cheap NAT firewall has kept my home Win2K3 servers hack proof for years back to NT4. My servers don't exist beyond the firewall. If I do connect from a remote location it is through SSL... I'll bet your passwords were very weak as well. Let a hacker crack this cdjfy5WR%1bz0U72$hyP61g That is a strong password! Don't fret... I've seen secure server rooms breached with 10 cent ballons.... Slipped under the door and blown up with air and let go to trip motion detectors to auto open the door... Link to comment Share on other sites More sharing options...
dabossuk Posted October 7, 2004 Author Share Posted October 7, 2004 Hi All logins were strong, only one admin user - as I mentioned baseline security had been run - anyway ... now found that sygate latest firewall does not support win2003 that well and cuases random stop errors! grrr. i tihnk its time to find a way to break my contract with colo and find a new host ... anyone recommend a good dedicated server host that offers loads of services and good support ? I hear serverbeach.com is good ? Thanks for everyones comments by the way .. Link to comment Share on other sites More sharing options...
astrokat Posted October 7, 2004 Share Posted October 7, 2004 Don't fret... I've seen secure server rooms breached with 10 cent ballons.... Slipped under the door and blown up with air and let go to trip motion detectors to auto open the door... That is Genuis! :laugh: Link to comment Share on other sites More sharing options...
Sub Posted October 7, 2004 Share Posted October 7, 2004 How strong is strong....Is it over 9 characters in length? My passwords are 15-20 characters, and have letters, numbers, and symbols... Link to comment Share on other sites More sharing options...
Ficman Posted October 7, 2004 Share Posted October 7, 2004 Been there, always a drag... :cry: Link to comment Share on other sites More sharing options...
Recommended Posts