Server hacked, phishing and other horrible issues ensue

Viruses, hackers and crackers
Jonboy
Registered User
Posts: 1606
Joined: 20 Apr 2005, 02:00
Location: The Powerhouse!

Server hacked, phishing and other horrible issues ensue

Post by Jonboy »

Help me please,

Got a call this morning from MWeb to say that our server has been hacked and is being used for phishing etc. They've gotten through the firewall and NOD. When I logged on after seeing this, I noticed a bunch of suspect services running that weren't there before, and a 216Mb "williams poker" entry in the add / delete programmes, but the uninstall file is suspect.

Busy running a full scan with NOD, but what should I do to eradicate this from the system? This is a bit beyond what I've done before, but I'm at a loss.

We have a fixed IP if that's any help.

Any software you suggest to clear this?

Thanks,
J
[Intel Core i3 2100 {Sandybridge}]
[Asus P8P67 Pro LE Socket 155 Mobo]
[HIS AMD Radeon 6850 1GB Gfx]
[4Gb Mushkin Silverline DDR3 1333 RAM]
[500Gb Seagate SATAII 6G HDD]
[Coolermaster Elite 430 Chasis]
[Windows 7 Home Premium 64 Bit]
[LG W2234S 22" Display]
Tribble
Registered User
Posts: 88465
Joined: 08 Feb 2007, 02:00
Processor: Intel Core i7-4770K CPU@3.50GHz
Motherboard: ACPI x64-based PC
Graphics card: GeForce GTX 780 Ti
Memory: 16GB
Location: Not here

Re: Server hacked, phishing and other horrible issues ensue

Post by Tribble »

Find the application and remove it manually.

As for the services - Google them to see if they are actual services. Symantec's site generally has very good removal tools if a virus or suspect code is involved. You may just find that some person installed a poker program without permission (they do stupid things on servers). Also check your ports and see how they are getting in. The guys who work with networks will be able to tell you which tools to use to find this out.

Otherwise - good luck. Glad I am not you.
JollyJamma
Registered User
Posts: 446
Joined: 21 Dec 2010, 09:02

Re: Server hacked, phishing and other horrible issues ensue

Post by JollyJamma »

Take out the LAN cable, shut down, reboot in safe mode, delete the software. If you can't fix it, reinstall. Back up data to online storage first, though.
I no longer think of myself as Atheist however I reject religion as a concept where you must do x because someone says so. May contain nuts.
Jonboy
Registered User
Posts: 1606
Joined: 20 Apr 2005, 02:00
Location: The Powerhouse!

Re: Server hacked, phishing and other horrible issues ensue

Post by Jonboy »

JollyJamma wrote: Take out the LAN cable, shut down, reboot in safe mode, delete the software. If you can't fix it, reinstall. Back up data to online storage first, though.

Thanks for the help guys. I shut the router down, ran a full anti-rootkit, NOD antivirus / anti-spyware, bot search, all turned up empty. Did find a bulk mailer (with no uninstall), phpnuke, poker bots and similar nasties. Have taken off what I can and have changed all the passwords. MWeb have shut down our SMTP for now, allowing regular web use.

After chatting with the guy, it seems we had a vulnerable STTP port on the router / IP even though our website is hosted externally; they probably gained access and cracked the password (which wasn't any great shakes to start with).

Now trying to eliminate any and all traces of any malware installed.

What a pain.
JollyJamma
Registered User
Posts: 446
Joined: 21 Dec 2010, 09:02

Re: Server hacked, phishing and other horrible issues ensue

Post by JollyJamma »

Everyone seems to be getting hacked now.

Word of advice. Implement strict and complicated security measures and document it all.

Passwords should be 50 characters long, encryption of the hard drive, SSL, certificates, etc. It's a biatch but it's not hard or expensive to implement and can save you a ton of trouble.
Jonboy
Registered User
Posts: 1606
Joined: 20 Apr 2005, 02:00
Location: The Powerhouse!

Re: Server hacked, phishing and other horrible issues ensue

Post by Jonboy »

Thanks to all for the advice. These guys have totally borked things. We thought we had eradicated most of the problem last week, but I came in on Monday and the server was stuck in a loop because they nuked Active Directory. Booted into Directory Services Repair Mode and reinstated the last system state backup and wham, endless reboot loop because of a Winlogon error. Can only assume they associated a process / service with Winlogon.exe that caused hassles, so the end result is that we're sitting re-installing SBS and setting up the domain from scratch. What a pain.
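A defender's triage script for the two checks raised in the thread, Tribble's "are these actual services?" and the Winlogon hijack Jonboy suspects, added here as an example; it is not code posted by anyone in the thread. It assumes Windows PowerShell run as administrator on the suspect host, and the baseline file path is an assumption.

```powershell
# Added triage example: list every service with its real binary path and
# Authenticode status, diff the list against a baseline taken on a clean
# build, then show the Winlogon values that control what runs at logon.
# The baseline path is an assumption; change it to suit.
param([string]$BaselinePath = "C:\triage\services-baseline.xml")

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and carry arguments, e.g.
    #   "C:\Program Files\Foo\foo.exe" -service   or   C:\x\svchost.exe -k netsvcs
    if (-not $PathName) { return '' }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' -| /')[0]
}

$services = Get-WmiObject Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinaryPath $_.PathName
    $sig = if ($exe -and (Test-Path $exe)) { (Get-AuthenticodeSignature $exe).Status } else { 'MissingFile' }
    New-Object PSObject -Property @{
        Name      = $_.Name
        State     = $_.State
        StartMode = $_.StartMode
        Path      = $exe
        Signature = $sig
        InWinDir  = ($exe -like "$env:SystemRoot\*")
    }
}

# Services that appeared since the baseline are the first thing to look at.
if (Test-Path $BaselinePath) {
    $baseline = Import-Clixml $BaselinePath
    "Services not present in baseline:"
    Compare-Object $baseline $services -Property Name |
        Where-Object { $_.SideIndicator -eq '=>' } | Select-Object Name
} else {
    "No baseline at $BaselinePath; saving the current list as one."
    $services | Export-Clixml $BaselinePath
}

# Unsigned, missing, or outside the Windows directory: worth a closer look.
"Services that are unsigned, missing, or outside ${env:SystemRoot}:"
$services | Where-Object { $_.Signature -ne 'Valid' -or -not $_.InWinDir } |
    Format-Table Name, State, Signature, Path -AutoSize

# Winlogon Shell and Userinit normally point at explorer.exe and
# <SystemRoot>\system32\userinit.exe; anything else runs at every logon.
"Winlogon Shell / Userinit values:"
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' |
    Select-Object Shell, Userinit
```

Run it once on a known-clean machine of the same build to create the baseline, then on the suspect server; the Format-Table output is what you hand to whoever is doing the cleanup.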