Help me please,
Got a call this morning from MWeb to say that our server has been hacked and is being used for phishing etc. They've gotten through the firewall and NOD. When I logged on after seeing this, I noticed a bunch of suspect services running that weren't there before and a 216Mb "williams poker" entry in the add / delete programmes, but the uninstall file is suspect.
Busy running a full scan with NOD, but what should I do to eradicate this system? This is a bit beyond what I've done before and I'm at a loss.
We have a fixed IP if that's any help.
Any software you suggest to clear this?
Thanks,
J
Server hacked, phishing and other horrible issues ensue
[Intel Core i3 2100 {Sandybridge}]
[Asus P8P67 Pro LE Socket 155 Mobo]
[HIS AMD Radeon 6850 1GB Gfx]
[4Gb Mushkin Silverline DDR3 1333 RAM]
[500Gb Seagate SATAII 6G HDD]
[Coolermaster Elite 430 Chasis]
[Windows 7 Home Premium 64 Bit]
[LG W2234S 22" Display]
- Tribble
- Registered User
- Posts: 88471
- Joined: 08 Feb 2007, 02:00
- Processor: Intel Core i7-4770K CPU@3.50GHz
- Motherboard: ACPI x64-based PC
- Graphics card: GeForce GTX 780 Ti
- Memory: 16GB
- Location: Not here
- Contact:
Re: Server hacked, phishing and other horrible issues ensue
Find the application and remove it manually.
As for the services - google them to see if they are actual services. Symantec's site generally has very good removal tools if a virus or suspect code is involved. You may just find that some person installed a poker program without permission (they do stupid things on servers). Also check your ports and see how they are getting in. The guys who work with networks will be able to tell you which tools to use to find this out.
Otherwise - good luck. Glad I am not you.
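The two checks suggested above (verify that each running service is genuine, and find out what is listening for connections) can be done in one pass from an elevated PowerShell prompt. The script below is an added example for this thread, not something posted by Tribble or the original poster. It assumes Windows with PowerShell 3.0 or later (for Get-CimInstance and [pscustomobject]); Get-NetTCPConnection exists only on Windows 8 / Server 2012 and newer, so on an older SBS box replace that section with `netstat -ano` and match the PID column by hand. It flags services whose executable lives outside the Windows or Program Files directories, or whose file carries no valid Authenticode signature, and then maps every listening TCP port to the process that owns it.

```powershell
# Added triage example (not from the thread). Run as Administrator.
# Assumes PowerShell 3.0+; Get-NetTCPConnection needs Windows 8 / Server 2012+.

# Directories where legitimate service binaries normally live.
$trustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ }

function Get-ServiceBinaryPath {
    # Win32_Service.PathName may be quoted and carry arguments,
    # e.g. "C:\some dir\svc.exe" -k netsvcs ; return just the executable.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return '' }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-SuspectService {
    # One object per service that is either outside a trusted directory or unsigned/missing.
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        $inTrustedDir = $false
        foreach ($root in $trustedRoots) {
            if ($exe -like "$root\*") { $inTrustedDir = $true }
        }
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $exe
            Signature = $sig
            Suspect   = (-not $inTrustedDir) -or ($sig -ne 'Valid')
        }
    } | Where-Object { $_.Suspect }
}

function Get-ListeningProcess {
    # Every listening TCP socket with the PID, name and image path of its owner,
    # so an unexpected mailer or bot control port stands out next to the known ones.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path
        }
    } | Sort-Object LocalPort
}

Get-SuspectService  | Format-Table Name, State, StartMode, Signature, Path -AutoSize
Get-ListeningProcess | Format-Table -AutoSize
```

Anything in the first table is a candidate for the "google the service name" step; a valid Microsoft signature on a file under System32 is a reasonable reason to move on, while an unsigned binary in a user profile or temp directory is not. In the second table, compare each listener against what the box is supposed to do (SBS serves mail, web and file shares, so ports 25, 80/443 and 445 are expected) and treat anything owned by a process you cannot account for as part of the compromise. Note that a rootkit can hide from both queries, which is why the thread's later advice to rebuild rather than clean is the safer end state.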
-
- Registered User
- Posts: 446
- Joined: 21 Dec 2010, 09:02
Re: Server hacked, phishing and other horrible issues ensue
Take out the LAN cable, shut down, reboot in safe mode, delete software. If you can't fix it, reinstall. Back up data to online storage first though.
I no longer think of myself as Atheist however I reject religion as a concept where you must do x because someone says so. May contain nuts.
Re: Server hacked, phishing and other horrible issues ensue
JollyJamma wrote:
Take out the LAN cable, shut down, reboot in safe mode, delete software. If you can't fix it, reinstall. Back up data to online storage first though.

Thanks for the help guys. I shut the router down, ran a full anti-rootkit, NOD antivirus / anti-spyware, bot search, all turned up empty? Did find a bulk mailer (with no uninstall), phpnuke, poker bots and similar nasties. Have taken off what I can and have changed all the passwords. Mweb have shut down our smtp for now, allowing regular web use.
After chatting with the guy, it seems we had a vulnerable STTP port on the router / IP even though our website is hosted externally; they probably gained access and cracked the password (which wasn't any great shakes to start with).
Now trying to eliminate any and all traces of any malware installed.
What a pain.
-
- Registered User
- Posts: 446
- Joined: 21 Dec 2010, 09:02
Re: Server hacked, phishing and other horrible issues ensue
Everyone seems to be getting hacked now.
Word of advice. Implement strict and complicated security measures and document it all.
Passwords should be 50 characters long, encryption of the hard drive, SSL, certificates, etc. It's a biatch but it's not hard or expensive to implement and can save you a ton of trouble.
Re: Server hacked, phishing and other horrible issues ensue
Thanks to all for the advice. These guys have totally borked things. We thought we had eradicated most of the problem last week, but I came in on Monday and the server was stuck in a loop because they nuked Active Directory. Booted in Directory Services repair mode and reinstated the last system state backup and wham, endless reboot loop because of a Winlogon error. I can only assume they associated a process / service with Winlogon.exe that caused hassles, so the end result is that we're sitting re-installing SBS and setting up the domain from scratch. What a pain.
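The Winlogon error described in the post above is worth checking for on any other machine in the domain before trusting it, because a process hooked into logon is a common way for malware to survive a clean-up and to break the logon sequence when its file is removed. The script below is an added example and is not part of the thread. It assumes PowerShell 3.0 or later and the documented Winlogon registry location; it compares the Shell and Userinit values with their stock defaults (`explorer.exe` and `<SystemRoot>\system32\userinit.exe,` including the trailing comma) and, on Server 2003 / XP era systems, lists each Winlogon\Notify package with the signature status of the DLL winlogon.exe would load. Run it against an offline copy of the SOFTWARE hive (loaded under a different key name) if the box no longer boots.

```powershell
# Added example (not from the thread). Run as Administrator.
# Assumes PowerShell 3.0+ and the standard Winlogon key path below.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock values on a clean install; anything else deserves a look.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

function Test-WinlogonValues {
    # Compare each named Winlogon value with its expected default (case-insensitive).
    param([string]$KeyPath, [hashtable]$Expected)
    $props = Get-ItemProperty -Path $KeyPath
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        [pscustomobject]@{
            Value    = $name
            Actual   = $actual
            Expected = $Expected[$name]
            Matches  = ($actual -ieq $Expected[$name])
        }
    }
}

function Get-WinlogonNotifyPackage {
    # Legacy Winlogon\Notify subkeys (Server 2003 / XP) each name a DLL loaded into winlogon.exe.
    param([string]$KeyPath)
    $notify = Join-Path $KeyPath 'Notify'
    if (-not (Test-Path $notify)) { return }
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
        # A bare file name resolves relative to System32.
        $full = if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            Join-Path "$env:SystemRoot\System32" $dll
        } else { $dll }
        $sig = if ($full -and (Test-Path -LiteralPath $full)) {
            (Get-AuthenticodeSignature -FilePath $full).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Package   = $_.PSChildName
            DLL       = $full
            Signature = $sig
        }
    }
}

Test-WinlogonValues -KeyPath $winlogon -Expected $expected | Format-Table -AutoSize
Get-WinlogonNotifyPackage -KeyPath $winlogon | Format-Table -AutoSize
```

A Userinit value with an extra entry after the comma, a Shell value that is not `explorer.exe`, or a Notify package whose DLL is unsigned or missing is exactly the kind of change that leaves the system in a reboot loop once the associated file is deleted by a scanner. On a server that still boots, record these values before removing anything so that the original settings can be put back.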