
Server 2003 - Remote Hacker



I need your assistance.

Server set up with Windows 2003 SBS in a remote location. I connect to the server daily and I have a problem with a hacker. It seems that the person logs on to the server and changes things around, including my admin password, and I can't get to it. I know this because I am the only one that should be remoting into this server, and a guest folder is created once they enter via remote connection.

It's the 3rd time this week I have had to go to the remote location and reinstall Windows 2003. I wish I could turn off the remote connection, but I can't.

Please can you tell me what my options are. Yes, the admin password has been changed.

Marvin



1st, enable auditing for logon/logoff events, so they'll show up in the security event log.

2nd, RENAME AND DISABLE the built-in administrator account - no one should be using this, as this is the most common account for a remote hacker to try and 0wn.

3rd, create two new administrative accounts (do not call either account "administrator", and set VERY complex passwords on them so that a dictionary attack takes a while) - this way you won't get locked out if one admin account is 0wned; you'll still have a second to use.

4th, put a GOOD hardware firewall on the SBS box, or use the ISA server that comes with SBS, and limit remote access to just whatever ports need to be enabled for networked services and VPN.

Lastly, check those event logs regularly - if you're lucky enough to see it, you will probably see your attacker trying to use the administrator account (which you've disabled), which will generate audit entries in the event logs. This gives you two things: one, it will probably give you his IP address and the time/date he failed to use the account, and two, it buys you time to get the authorities involved whilst he tries to figure out what other admin accounts are on the box. Unfortunately for him/her, it's already too late. You know what IP s/he was using at the time of the attack, and you can find out what ISP the IP address belongs to.

As to keeping it from happening, make sure you are FULLY patched before you plug that thing into the 'net, and having a separate firewall (hardware, or a separate ISA server) and router in front of the SBS (rather than using the ISA that shipped with it) is usually a much better way to deter things like this. Oh, and once you know what IP address(es) s/he is using, block those on connect at the firewall immediately.

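As an added example (not part of the reply above, and not the poster's code): once logon/logoff auditing is on, the Security log can be saved from Event Viewer as a tab-delimited text file and summarised. The script below parses constructed sample lines that only approximate such an export (the column layout, the host name SBS01, the account names and the 198.51.100.x / 203.0.113.x addresses are all assumptions), counts failed logons per source address, flags attempts against the disabled built-in administrator account, picks up "password set" events against it, and lists the addresses worth blocking at the firewall.

```python
"""Summarise logon auditing from a Windows Server 2003 Security log export.

Added example: the log lines are constructed for this script and only
approximate a tab-delimited Event Viewer export (date, time, source, type,
category, event ID, computer, then "Key: value" pairs). Column layout,
host name, account names and IP addresses are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Windows 2000/2003 Security event IDs used below.
LOGON_SUCCESS = {528, 540}                 # interactive / network logon succeeded
LOGON_FAILURE = {529, 530, 531, 532, 533, 534, 535, 537, 539}
ACCOUNT_DISABLED = 531                     # logon attempt against a disabled account
PASSWORD_SET = 628                         # user account password set by someone else


def _row(date, time, audit, category, event_id, *fields):
    """Build one constructed export line (tab-separated)."""
    return "\t".join([date, time, "Security", audit, category,
                      str(event_id), "SBS01", *fields])


def _logon(time, audit, eid, user, ip):
    """Constructed logon/logoff row with the fields a 528/529/531 event carries."""
    return _row("2007-03-12", time, audit, "Logon/Logoff", eid, f"User Name: {user}",
                "Domain: SBS", "Logon Type: 10", f"Source Network Address: {ip}")


SAMPLE_LOG = "\n".join([
    # an outside address hammers the disabled built-in account, then guesses others
    _logon("02:14:05", "Failure Audit", 531, "administrator", "198.51.100.23"),
    _logon("02:14:09", "Failure Audit", 531, "administrator", "198.51.100.23"),
    _logon("02:14:14", "Failure Audit", 531, "administrator", "198.51.100.23"),
    _logon("02:15:40", "Failure Audit", 529, "backup", "198.51.100.23"),
    _logon("02:15:44", "Failure Audit", 529, "sqladmin", "198.51.100.23"),
    # the symptom from the original post: someone resets the admin password
    _row("2007-03-12", "02:20:02", "Success Audit", "Account Management", 628,
         "Target Account Name: administrator", "Target Domain: SBS",
         "Caller User Name: support"),
    # the real admin mistypes once, then logs on normally from his own address
    _logon("08:03:12", "Failure Audit", 529, "marvin.ops", "203.0.113.7"),
    _logon("08:03:30", "Success Audit", 528, "marvin.ops", "203.0.113.7"),
])


def parse_line(line):
    """Return a dict for one export line, or None if it is not an event row."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 7 or not parts[5].isdigit():
        return None
    rec = {
        "time": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S"),
        "audit": parts[3],
        "event_id": int(parts[5]),
    }
    for item in parts[7:]:                 # "Key: value" description fields
        key, sep, value = item.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    return rec


def summarise(text):
    """Aggregate logon events by source address."""
    failures, successes, disabled_admin = Counter(), Counter(), Counter()
    accounts = defaultdict(set)            # source IP -> account names tried
    password_sets = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        eid = rec["event_id"]
        ip = rec.get("Source Network Address", "-")
        user = rec.get("User Name", "").lower()
        if eid in LOGON_FAILURE:
            failures[ip] += 1
            accounts[ip].add(user)
            if eid == ACCOUNT_DISABLED and user == "administrator":
                disabled_admin[ip] += 1
        elif eid in LOGON_SUCCESS:
            successes[ip] += 1
        elif eid == PASSWORD_SET:
            password_sets.append((rec["time"], rec.get("Target Account Name", "?"),
                                  rec.get("Caller User Name", "?")))
    return {"failures": failures, "successes": successes, "accounts": accounts,
            "disabled_admin": disabled_admin, "password_sets": password_sets}


def ips_to_block(summary, threshold=3):
    """Addresses that touched the disabled admin account or failed too often."""
    hits = {ip for ip, n in summary["failures"].items() if n >= threshold}
    hits |= set(summary["disabled_admin"])
    hits.discard("-")                      # console logons carry no network address
    return sorted(hits)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for ip, n in s["failures"].most_common():
        print(f"{ip:16} failed={n:<3} accounts={sorted(s['accounts'][ip])}")
    for when, target, caller in s["password_sets"]:
        print(f"{when} password of {target!r} set by {caller!r}")
    print("block at firewall:", ips_to_block(s))
```

The threshold is deliberately low: on a box that only one person should be reaching, any address that tries the disabled administrator account at all is worth blocking, and the admin's own single typo from his own address stays below the limit.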

What means do you currently have in place for remotely controlling this SBS box? I wonder if the security flaw lies in this software/connection as opposed to your admin account name/password.


Even better - if you have a static IP address, you can open the remote desktop (or sshd, or whatever) port ONLY for connections from your IP address.

If you don't have a static IP address, you could possibly have a guess at which networks you're likely to be coming from. Find out what your external IP address is and look it up at arin.net or ripe.net or apnic.net or... depending on which part of the globe you're in. That will give you the network range for that netblock. You could open up the port to that network. It's still a risk, but the hacker would need to be using the same ISP as you in order to stand a chance.

Once you figure out the IP that the hacking attempts are coming from, you might want to explicitly ban that netblock from accessing your server at all.

Personally, I don't think it's the remote desktop that's the problem. It's more likely to be SMB, SQL or HTTP unless it's a dictionary or brute force attack.


Before I did anything else, I would make sure that my install CD is not infected with any trojans, malware, etc. I would next install the OS and patch it completely without putting the system on the network. Rename the built-in administrator account and give it a strong, complex password that you have never used previously anywhere! Set a policy to use only complex passwords and a decent minimum character length (at least 8 characters IMHO). Set a policy to lock accounts for 5 minutes after 3 unsuccessful logon attempts. Disable the guest account and any other unnecessary accounts. Change the RDP port and only allow admins to log on via RDP. Be careful about any other third-party apps you install. Make 100% certain they are not infected. I would also consider a properly configured hardware firewall.

- Ravashaak

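The lockout policy suggested above (lock for 5 minutes after 3 unsuccessful attempts) can be reasoned about before it is set. The script below is an added example, not code from the post: it models the three Windows Account Lockout Policy knobs (lockout threshold, lockout duration, reset counter after) on a single account, replays a constructed sequence of attacker guesses followed by the legitimate admin's logon, and computes how many online guesses per hour the policy leaves an attacker. The timestamps, account behaviour and wordlist size are assumptions.

```python
"""Model a Windows account lockout policy and what it costs a password guesser.

Added example, not from the thread: the three settings mirror the Account
Lockout Policy (threshold, lockout duration, reset counter after); the attempt
sequence and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 3                               # bad attempts before locking
    duration: timedelta = timedelta(minutes=5)       # how long the lock lasts
    reset_window: timedelta = timedelta(minutes=5)   # idle time that clears the counter


@dataclass
class AccountState:
    failures: int = 0
    last_failure: Optional[datetime] = None
    locked_until: Optional[datetime] = None


def attempt(state, policy, when, password_ok):
    """Apply one logon attempt; returns 'accepted', 'rejected' or 'locked'."""
    if state.locked_until is not None:
        if when < state.locked_until:
            return "locked"                  # even a correct password is refused
        state.locked_until = None            # lock expired, counter starts over
        state.failures = 0
    if state.last_failure is not None and when - state.last_failure >= policy.reset_window:
        state.failures = 0                   # quiet period resets the bad-password count
    if password_ok:
        state.failures = 0
        return "accepted"
    state.failures += 1
    state.last_failure = when
    if state.failures >= policy.threshold:
        state.locked_until = when + policy.duration
        return "locked"
    return "rejected"


def max_guesses_per_hour(policy):
    """Upper bound on online guesses the policy allows against one account."""
    locks_per_hour = int(timedelta(hours=1) / policy.duration)
    return policy.threshold * locks_per_hour


def hours_to_exhaust(wordlist_size, policy):
    """Hours a dictionary attack needs to try every word once at that rate."""
    return wordlist_size / max_guesses_per_hour(policy)


def simulate(policy=LockoutPolicy()):
    """Replay constructed attempts: four attacker guesses, then the real admin."""
    t0 = datetime(2007, 3, 12, 2, 14, 0)
    state = AccountState()
    events = [
        ("attacker", t0, False),
        ("attacker", t0 + timedelta(seconds=4), False),
        ("attacker", t0 + timedelta(seconds=9), False),      # third miss: locked
        ("attacker", t0 + timedelta(seconds=13), False),
        ("admin", t0 + timedelta(minutes=2), True),          # correct password, still locked
        ("admin", t0 + timedelta(minutes=5, seconds=10), True),
    ]
    return [(who, attempt(state, policy, when, ok)) for who, when, ok in events]


if __name__ == "__main__":
    policy = LockoutPolicy()
    for who, result in simulate(policy):
        print(f"{who:9} {result}")
    print("max guesses/hour:", max_guesses_per_hour(policy))
    print("hours to try 10,000 words:", round(hours_to_exhaust(10_000, policy), 1))
```

Two things the replay makes visible: the policy caps a dictionary attack on one account at 36 guesses an hour, so a 10,000-word list takes well over a week instead of minutes; and the fifth result shows the cost, which is that the real admin's correct password is refused while the attacker keeps the account locked. That is the reason the earlier reply wants a second administrative account, and why a 5-minute duration is a reasonable compromise rather than a permanent lock.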
