File server's been hacked.

boomerang

Lifer
Jun 19, 2000
I know what I need to do to reset the password. What I'm wondering is what else I should do and/or look for.

Format and reinstall? If a backdoor or whatever has been placed in the machine, how would I find it or eliminate it? AV software was running, but no software firewall.

This is a small business. Three workstations and the file server. I'm going to have to spring for a newer router as this one is incapable of emailing logs. It has provisions for it, but I have never been able to get it to work. I had not gotten around to locking down the router either. Feel like a real dipsh!t right now.

It's my fault because I had the file server running on an admin account to simplify my life. Big mistake. I'm really quite upset and am probably not thinking clearly.

Any knowledgeable advice appreciated.
 

dphantom

Diamond Member
Jan 14, 2005
Run a hijack log and post results here. Someone should be able to look it over and see if anything is running that shouldn't be there.

Update the server with the latest OS patches (MS??). Get spyware removal, the MS anti-malicious software tool, etc., to clean up before you go to the format stage. At least that is what I'd do first.
 

boomerang

Lifer
Jun 19, 2000
Alright. I'm familiar with all of those. I can probably catch obvious things in Hijack This. I had MS antispyware running and uninstalled it last week. The server runs basically unattended and it wasn't updating the software itself as it should. Another mistake.

I'm going to spend the day over there tomorrow. I don't work there and it's too disruptive to be there during business hours. I've got them disconnected from the net for now and they're unhappy about it.

Patches are, and have been, updated all along.

Never did say: it's running XP Pro.

No logs until tomorrow.

Thanks for the advice.
 

ValuedCustomer

Senior member
May 5, 2004
Originally posted by: boomerang
AV software was running, but no software firewall.

I had the file server running on an admin account

d'Ang.. don't 'cha hate the problems that can't be blamed on anyone else? :frown:
First off, don't be too hard on yourself; even monkeys fall out of trees sometimes. That said, I'd reformat the drive(s) at least a couple of times and rebuild. And, of course, avoid at all costs your previous brain-fart configuration.
 

dphantom

Diamond Member
Jan 14, 2005
Originally posted by: boomerang
Alright. I'm familiar with all of those. I can probably catch obvious things in Hijack This. I had MS antispyware running and uninstalled it last week. The server runs basically unattended and it wasn't updating the software itself as it should. Another mistake.

I'm going to spend the day over there tomorrow. I don't work there and it's too disruptive to be there during business hours. I've got them disconnected from the net for now and they're unhappy about it.

Patches are, and have been, updated all along.

Never did say: it's running XP Pro.

No logs until tomorrow.

Thanks for the advice.

Good luck and, like VC said, don't beat yourself up. Happens eventually to all of us.
 

nweaver

Diamond Member
Jan 21, 2001
I would back up, reformat, replace the backup and compare it to a previous backup to make sure there isn't a backdoor in the backup files.

When you say "I had the fileserver running as admin" I am not understanding. You had the services running as admin? You had the box logged in as admin? Remote access to admin?

I would suggest a samba box with lots of security applied to the filesystem as an alternative. You can use iptables (which is a good s/w firewall) and you can really lock down security easily. If you keep it as XP, then I would make sure to disable ALL services and get an outbound/inbound S/W firewall on the machine, to ensure that only local traffic is hitting the machine.
 

boomerang

Lifer
Jun 19, 2000
I had thought of something hiding in the backup. All shared files are on a separate partition and that all has to be restored. Great place for someone savvy to hide the nasties.

I had the box set up to automatically login as admin. No login screen and no password entry. So it was sitting there wide open.

I'd really like to find someone local to hire and let me help them set this up securely. I built all the boxes, set up the network, installed all the software, etc., etc. But I am overwhelmed by all the security aspects. I don't know my way around all the setup, and options, etc.

It's going to have to be XP as I don't have time to learn to set up a samba box. I have a full time job. This is at my wife's office.

Thanks for the advice.
 

nweaver

Diamond Member
Jan 21, 2001
The logged-in user shouldn't be a problem, unless it was a local person, in which case you need to find/fire that person. As long as I have physical access to a machine, it's never really secure. Secure access to the machine, and don't autologin, although I doubt that someone did this remotely because it was locally logged in as admin.

One important thing is to use NTFS permissions. The biggest problem with a workgroup type setup is syncing of passwords for network security. You have to either open stuff wide open, or have each user's login on the local machine. This leads to passwords getting fubared/out of sync.
 

boomerang

Lifer
Jun 19, 2000
Their accountant gets in remotely through Ultr@VNC. I can also. The box is left on those evenings or weekends when she wants access. I took a look at the computer she was using (I've built her a new one) and their surfing habits, although not extreme, were not what I wanted to see. I informed my wife, but she felt this was necessary. I counseled the accountant and her husband, but who knows what good it did.

There's only my wife and a co-worker there and one part time person. None of them are even close to being computer literate. I field lots of dumb questions very regularly. I can't believe they would have done it.

So, you're saying that the password could not have been changed except from within the office? Physically sitting in front of it?

As far as password syncing I believe I understand what you're saying. I considered going with a true server OS, but the cost I felt was prohibitive. I can see where a domain would have made all of this much easier to accomplish.

The workstations all have a login with password and they're running as limited accounts. If I start forcing them to change the password on a regular basis, they will be locked out from the shared drive on the server. If I'm thinking correctly.

I've deviated from what I'm most concerned about. Whether the password could have been changed remotely.
 

nweaver

Diamond Member
Jan 21, 2001
You didn't mention it was running ultraVNC. Were you using an encryption plugin? Why not use Remote Desktop, and make her (limited) account a remote user?

If someone got on via ultravnc then they could change the P/W, upload files, execute code, etc.

Linux can be used as a domain controller, but it's somewhat difficult, and you already said no linux due to experience (understood).

I WOULD enforce secure passwords, and I would stop using ultravnc. If this is XP home (no remote) then pay the money for an upgrade to Pro so you get the features. XP Pro also allows normal filesharing (instead of simple).

 

boomerang

Lifer
Jun 19, 2000
Yes, with the encryption plugin. And that's why I used it. I could never find anything definitive stating that Remote Desktop was secure. If it is, well, that would be the way to go.

However, with the purchase of a new router, I was thinking of going VPN. I will give the accountant the current router and will have one on each end that is VPN capable. Ours here at home is capable also.

VPN will be a new experience for me. It was my original plan, but the setup and implementation scared me off. Honestly, I'm ashamed to admit that I've reached an age where learning new things on a grand scale is not as appealing as it used to be. About two years ago, I took on a new job at my work and drastically changed what I did for a living. I have to deal with complex problems every day and I'm just tired of having to think so hard. I've throttled down the learning curve in my non-work hours. But I'll get it done.

The OS is XP Pro. All of them are running Pro.

I've messed with Linux here at home several times over the years. The latest distros are an enormous improvement over the old for a newb. I've even got a post here in the archives somewhere of me posting using Linux. But, I don't want to take that on and I appreciate your understanding that, I really do.

And I appreciate your patience and suggestions. I'm totally self taught and there's lots I don't know.
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
Originally posted by: boomerang
None of them are even close to being computer literate. I field lots of dumb questions very regularly.

Ouch, I feel for ya man.... I had a file server get hacked... damn SSH wasn't secure enough :(

The advice to run anti-virus/anti-spyware first is good, to make sure you don't get an infested share...
 

ND40oz

Golden Member
Jul 31, 2004
If I were you, I'd get on eBay and buy a copy of Win 2k or 2k3 server with five CALs and install it. You can bring up AD and a file server on the same box and not have this problem again for a few hundred bucks. Once you have it up and running, rename the admin account, so you don't even have an account called administrator.
 

nweaver

Diamond Member
Jan 21, 2001
RDP is encrypted. You don't need a VPN router at each end (unless you are making a pptp tunnel for everyone on both sides) to setup VPN. The server side has a VPN capable router, client has S/W to connect/Encrypt/setup the VPN connection.

I would think VPN+RDP would work fine for this. I would also use either A) port translation for RDP or B) don't forward RDP (require VPN to access).

Port translation means you change the port your router uses to forward the traffic. Instead of connecting to IP.Address.X.X you would add a port statement, such as 338900 (adding 2 zeros, just an example). If someone scans ports, they are less likely to find an open port, and if it's a random port, they don't always know what service is on the other end. If I am a script kiddie, I will scan your router for 3389 and start an automated script to try and login via that port.

Restrict the user you connect as, and don't allow admin access via RDP. You can still right click and "run as" to do some admin stuff.
 

boomerang

Lifer
Jun 19, 2000
Originally posted by: nweaver
RDP is encrypted. You don't need a VPN router at each end (unless you are making a pptp tunnel for everyone on both sides) to setup VPN. The server side has a VPN capable router, client has S/W to connect/Encrypt/setup the VPN connection.

I would think VPN+RDP would work fine for this. I would also use either A) port translation for RDP or B) don't forward RDP (require VPN to access).

Port translation means you change the port your router uses to forward the traffic. Instead of connecting to IP.Address.X.X you would add a port statement, such as 338900 (adding 2 zeros, just an example). If someone scans ports, they are less likely to find an open port, and if it's a random port, they don't always know what service is on the other end. If I am a script kiddie, I will scan your router for 3389 and start an automated script to try and login via that port.

Restrict the user you connect as, and don't allow admin access via RDP. You can still right click and "run as" to do some admin stuff.

Great information. You answered questions I didn't know I even had! Thanks!

 

dclive

Elite Member
Oct 23, 2003
Originally posted by: boomerang
I know what I need to do to reset the password. What I'm wondering is what else I should do and/or look for.

Format and reinstall? If a backdoor or whatever has been placed in the machine, how would I find it or eliminate it? AV software was running, but no software firewall.

This is a small business. Three workstations and the file server. I'm going to have to spring for a newer router as this one is incapable of emailing logs. It has provisions for it, but I have never been able to get it to work. I had not gotten around to locking down the router either. Feel like a real dipsh!t right now.

It's my fault because I had the file server running on an admin account to simplify my life. Big mistake. I'm really quite upset and am probably not thinking clearly.

Any knowledgeable advice appreciated.

Lock down the router that's on the public internet so that it cannot be remotely administered. That will stop anyone from coming in as router admin, remotely. Forward only port (pick a random port) to (your.server.ip.address:3389), and drop all other unknown incoming packets. If you then need to administer the router, you'll need to connect via RDP to the server, then open MSIE, key in the router's local IP address, and administer it from there.

Always use a password on all machines.

Don't use VNC - it's considerably slower, and now that MS's RDP is here, there's less need for it. Learn RDP and see how it is used; it's far faster and easier than VNC, IMHO. As previously noted by another poster, change the default port on the router to something besides 3389.

You don't really mention what you do with this machine, so I'll assume it's just a simple file and print server that anyone can get to. Always use a password. :) Always have all user accounts require a password.

That will solve most of these issues right away.

In my eyes the basic issue was that you didn't lock down the router, so someone could then watch it, find out where the traffic was coming from and over what ports, and then turn on port redirection on the router, and go fishing. This assumes remote access was on. Otherwise, I'd guess they just tried VNC, and perhaps the router was forwarding VNC using the default ports, so the computer would be wide open at that point, given the open XP machine.

A really savvy exploit to do is to update the BIOS on the routers to a more open Linux OS, and then you can install whatever stuff you want onto the compromised router. Very slick stuff is possible nowadays with even simple consumer-level routers...and most people that were compromised would never know the difference.
 
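The hardening points spread over this thread (no automatic admin logon, a password on every account, a limited account in Remote Desktop Users instead of admin over RDP, a renamed Administrator, the XP firewall limited to local traffic, NTFS permissions instead of simple file sharing), collected as one XP Pro batch script. This is an added example, not anything posted in the thread; it assumes XP Pro SP2 or later, an administrator command prompt, D:\Shared as the shared partition, and that RDP is reached only over the VPN (nweaver's option B), and the account, group and password settings are placeholders.

```batch
@echo off
rem Added example, not from the thread. Assumes XP Pro SP2+, an admin cmd prompt,
rem D:\Shared as the shared partition (drive letter assumed) and RDP reachable only
rem over the VPN, so the firewall can be limited to the local subnet.

rem 1. Stop the automatic admin logon that left the console wide open.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f
rem    Remove the stored password if it was written to the registry (harmless error if absent).
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f

rem 2. Every local account needs a password: minimum length and maximum age (values assumed).
net accounts /minpwlen:12 /maxpwage:90

rem 3. Disable Guest and turn off simple file sharing so real accounts are used for shares.
net user Guest /active:no
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t REG_DWORD /d 0 /f

rem 4. Rename the built-in Administrator; "officeadmin" is a placeholder name.
wmic useraccount where name='Administrator' rename officeadmin

rem 5. A limited account for remote work, in Remote Desktop Users rather than Administrators.
rem    net user prompts for the password when given "*".
net user remoteacct * /add
net localgroup "Remote Desktop Users" remoteacct /add
rem    To block admin RDP entirely, also add Administrators to "Deny log on through
rem    Terminal Services" in secpol.msc (Local Policies, User Rights Assignment);
rem    XP has no built-in cmd equivalent for that right.

rem 6. XP firewall on, with file sharing and RDP reachable from the local subnet only.
netsh firewall set opmode mode=ENABLE
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET

rem 7. NTFS permissions on the share: revoke Everyone, grant a local group Change (C),
rem    not Full Control, recursively (/T) while editing the existing ACL (/E).
net localgroup OfficeUsers /add
net localgroup OfficeUsers remoteacct /add
cacls D:\Shared /T /E /R Everyone
cacls D:\Shared /T /E /G OfficeUsers:C
```

Each workstation user who should reach the share still needs a matching local account on the server added to OfficeUsers, which is the workgroup password-syncing issue nweaver describes.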

boomerang

Lifer
Jun 19, 2000
Otherwise, I'd guess they just tried VNC, and perhaps the router was forwarding VNC using the default ports, so the computer would be wide open at that point, given the open XP machine.

Remote access was disabled, so the quote above from your post was probably the culprit. But I have a very secure password on Ultr@VNC and a very secure password on the router. If the accountant has some nasty stuff on her computer I imagine that Ultr@VNC could be a conduit to the file server in question. Does this sound feasible?

A little confused on the ports. I understand I can change the port that RDP uses. So are you saying to change the port and RDP in using the changed port? It was said in an earlier post to log in using an essentially "bogus" port number, but set up port forwarding to the true port. But I should change the default to something different.

That's confusing for even me to read. Do I understand this properly? Assuming you can interpret the above paragraph.

I was in the router configs today, and all appeared as it had been. I guess they could have covered their tracks on the way out.

Basically a file server but I had to install a few apps for the accountant to view reports. One laser printer that is networked.
 

dclive

Elite Member
Oct 23, 2003
Your question all depends on how VNC and the router are set up. Could she, from the public internet, VNC into the router and to her computer? To the server? How was it set up? What could someone from the public internet side do?

If someone can VNC to her computer, then they have all rights she does until she puts a screensaver up / locks the keyboard. If she has that turned off, her PC is wide open.

You don't need to change anything on the WinXP/'server' side of RDP. On your client, RDP to, say, port 5001, and tell your router to forward all incoming requests over port 5001 to your.server.ip.address, port 3389. Your router then says to the incoming RDP requests that are on port 3389: "I don't know you" and discards them (thus foiling script kiddies) and for all requests on port 5001, they're forwarded to your XP server, port 3389, where RDP-Server flawlessly picks it up and opens an RDP session.
 

eigen

Diamond Member
Nov 19, 2003
Originally posted by: ariafrost
Originally posted by: boomerang
None of them are even close to being computer literate. I field lots of dumb questions very regularly.

Ouch, I feel for ya man.... I had a file server get hacked... damn SSH wasn't secure enough :(

The advice to run anti-virus/anti-spyware first is good, to make sure you don't get an infested share...

Whoa whoa whoa.... What do you mean SSH wasn't secure enough... assuming it wasn't version 1
 

nweaver

Diamond Member
Jan 21, 2001
Originally posted by: eigen
Originally posted by: ariafrost
Originally posted by: boomerang
None of them are even close to being computer literate. I field lots of dumb questions very regularly.

Ouch, I feel for ya man.... I had a file server get hacked... damn SSH wasn't secure enough :(

The advice to run anti-virus/anti-spyware first is good, to make sure you don't get an infested share...

Whoa whoa whoa.... What do you mean SSH wasn't secure enough... assuming it wasn't version 1

Usually it's not SSH that's not secure, but passwords and ssh access ;)

We had a machine at work, and they THOUGHT they had secured it, but they forgot they left a username on it that matched its DNS name. So if you hit name.domain.com and used username name you could get in, and that password was test. No problem with SSH there, it's an admin problem :D
 

boomerang

Lifer
Jun 19, 2000
Originally posted by: dclive
Your question all depends on how VNC and the router are set up. Could she, from the public internet, VNC into the router and to her computer? To the server? How was it set up? What could someone from the public internet side do?

Someone from the public internet would have to have the VNC Viewer, know the WAN IP of the router the server is connected to (it's dynamic), have the same DSM key and know the password, which is very secure by most, if not all, definitions.

For what it's worth, she's behind a router also.