My webserver just got Hacked! Saw it with my own eyes!

ShawnReeves

Diamond Member
Apr 7, 2000
Ok so my computer and webserver have been acting weird so I DL'd and installed Norton Antivirus. Bam! 950 infected files on my main computer and 39 on my webserver with a bunch of back door trojans. Anyway while I'm sitting there watching the screen on my webserver I see the mouse moving....I grab the mouse and it's fighting me...it starts clicking into directories......good lord some a@@hole is remoted into my computer! I hit the power button. Ok so what software do I need to run to protect my webserver? Any help PLEASE! :Q

EDIT: I'm running a Linksys Router. Have Zone Alarm on my main computer but Zone Alarm won't seem to work on my Win2k Pro machine.
 

amdskip

Lifer
Jan 6, 2001
How is the thing all hooked up to the net? What do you have protecting it right now?
 

Mucman

Diamond Member
Oct 10, 1999
uninstall... it's the only way to be 100% certain.

What webserver are you using? I'm assuming it was not patched?
 

Mucman

Diamond Member
Oct 10, 1999
SimpleServer? Hmm... I've never heard of it; sounds interesting.

Format the drive and re-install the OS. It's the only fail-safe way of removing worm/trojan damage. Do you know how they got in? If you remove them, do you think you are still safe from further attacks? There's no point in risking it.
 

ShawnReeves

Diamond Member
Apr 7, 2000
Would installing Norton Internet Security or Zone alarm help keep people from hacking into the webserver??
I'm wondering because I'm basically letting people type in my domain name and access my PC via HTTP. There has to be some software that's cheap or even free that can protect me?? Do you run a server....and if so what do you protect it with??

Thanks,
Shawn :D
 

skyking

Lifer
Nov 21, 2001
Originally posted by: Mucman
SimpleServer? Hmm... I've never heard of it; sounds interesting.

Format the drive and re-install the OS. It's the only fail-safe way of removing worm/trojan damage. Do you know how they got in? If you remove them, do you think you are still safe from further attacks? There's no point in risking it.

Still does not mean they won't be right back in there, if the hole does not get patched.
It is a hole in either the server software, or a hole in the OS.
Consider running apache, it is free, and 65% of the servers online use it. That means that there is a ton of online documentation, how-to's, support.
If there is an exploit, it is discovered and patched quickly.
 

ShawnReeves

Diamond Member
Apr 7, 2000
A guy at work runs Xitami server...anyone else used this? I may try that.

Apache is good but I'm too stupid to set it up LOL.
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
Just disconnect your webserver from the internet and run your AV and remove the viruses and trojans.

Then connect it back to the internet.
 

Soybomb

Diamond Member
Jun 30, 2000
Originally posted by: Iron Woode
Just disconnect your webserver from the internet and run your AV and remove the viruses and trojans.

Then connect it back to the internet.

I'd never do that because you just can't trust the box now. Formatting is good in this instance.


I'd vote for trying apache and coming here if you need help, someone can help you get it setup.
 

skyking

Lifer
Nov 21, 2001
Originally posted by: EliteOrange
sounds like u need to run FREEBSD :p

Notice that I did not suggest that, there is a version of apache for windows........
Good idea though:)
 

ShawnReeves

Diamond Member
Apr 7, 2000
Well after some looking at my settings we figured out it's most likely because the DMZ on my router was enabled with the IP open. He (friend from work) never told me NOT to keep it open...I somehow thought it had to be open to reach the server, but only port 80 needs to be open.
What sucks is this morning before going to work I started up Xitami on my other rig to run my website till I get the other machine formatted. I disabled remote management to the router just in case to keep the hacker out....and just remembered I have the DMZ enabled to my other machine....and now can't even change it from work! :disgust:

btw I was attacked by the Lovgate virus (950 infected files)...I'm sure most of you remember that from about a year ago??
 

groovin

Senior member
Jul 24, 2001
I have a "kill on sight" rule with trojan infected comps... if there's a trojan on it, that machine gets cleaned and reinstalled. Your friend had it set on DMZ?? Doh! Any high school kid with a Win2k/NT lockpicker can gain access to your system. Actually I don't have much confidence in using those SOHO routers either. Definitely go to Apache for Windows as well. It's not that hard to use and there'll be plenty of documentation on how to secure it around on the net.