GoFuckYourself.com - Adult Webmaster Forum
Old 10-15-2003, 02:05 PM   #1
lvadavid
Registered User
 
Join Date: Oct 2003
Posts: 21
hackers using our server to share movies and games?

We run our servers on Windows NT 4.0 (yes I know, it's time to upgrade or leave Windows).

Recently it appears someone from Europe has hacked into our servers and uploaded movie and games files to share with others. Also, they deleted a number of our Weblogs.

Anyone else experience this? Any tips for preventing it? Can they do serious harm to our servers if they want to?

Thanks.

David
Old 10-15-2003, 02:09 PM   #2
XxXotic
Confirmed User
 
Join Date: Jun 2002
Location: Da Swamps
Posts: 8,500
Quote:
Originally posted by lvadavid
We run our servers on Windows NT 4.0 (yes I know, it's time to upgrade or leave Windows).

Recently it appears someone from Europe has hacked into our servers and uploaded movie and games files to share with others. Also, they deleted a number of our Weblogs.

Anyone else experience this? Any tips for preventing it? Can they do serious harm to our servers if they want to?

Thanks.

David
i think you answered your own question when you said they "deleted weblogs" if they can delete shit, obviously they can fuck things up.

recommendation - leave windows, though that won't be 100% effective, it'll be a hell of a lot more secure not running NT
Old 10-15-2003, 02:09 PM   #3
- Jesus Christ -
Confirmed User
 
Join Date: Mar 2003
Posts: 7,197
They can do anything they want on your servers. They have full control.

Change all your passwords after you patch windows.
Still might not get rid of them.
Old 10-15-2003, 02:10 PM   #4
BoNgHiTtA
Confirmed User
 
Join Date: May 2003
Location: Seattle
Posts: 2,176
Tip #1

Hire someone who knows what the fuck they're doing on your systems.
Sounds like some script kiddie just ownd ur box and is using it to distro Warez from.

Tip #2

Move to another OS. Enough said
Old 10-15-2003, 02:17 PM   #5
lvadavid
Registered User
 
Join Date: Oct 2003
Posts: 21
Does installing ZoneAlarm help so I can monitor outbound data, and programs requesting Internet access?

I just began at a new company that has been running these servers and uses Cold Fusion for most web pages.

I am trying to switch to a FreeBSD, MySQL, PHP, Apache solution, but it looks like it'll take a few months rather than a few weeks. We have nearly 1000 pages.

In the meantime, I'd like to be as secure as possible and not lose everything.

(As you can see, I do marketing and sales, and am not an expert on the technical side of things, but I do understand most of what I'm told when it comes to this stuff.)

David
Old 10-15-2003, 03:45 PM   #6
Fuckin Bill
Confirmed User
 
Join Date: Feb 2003
Posts: 1,020
If you've already got people in your box, installing security software now isn't going to do shit.

You need to hire a good server admin and get microsoft off that system as soon as possible.
Old 10-15-2003, 03:49 PM   #7
buddyjuf
Guest
 
Posts: n/a
I used to be a hacker and as a hacker I had ways to secure the exploits so other ppl couldn't hack it no more

my advice is to get patched up against IIS, SQL, NetBIOS and NTPass. I remember those to be the most used methods back in the day

hope this helps!
Old 10-15-2003, 03:50 PM   #8
cluck
Confirmed User
 
Join Date: Dec 2002
Location: New Jersey
Posts: 5,248
You have no idea how they got in? You could probably just install a patch for the time being. It was probably just some stupid unicode bug, I used to scan for those all the time and we'd packet people from about 10,000 compromised IIS servers. It wouldn't be hard for them to start an FTP service from their browser with one of these.
Old 10-15-2003, 04:08 PM   #9
lvadavid
Registered User
 
Join Date: Oct 2003
Posts: 21
Quote:
Originally posted by cluck
You have no idea how they got in? You could probably just install a patch for the time being. It was probably just some stupid unicode bug, I used to scan for those all the time and we'd packet people from about 10,000 compromised IIS servers. It wouldn't be hard for them to start an FTP service from their browser with one of these.
This sounds exactly like what one of my IT people said. He did say something about "unicode." He also said something about using "TFTP" or something like that.

We did try to install a patch, but the computer will not allow us to install the patch now. It appears whatever they did to our machine, they made it so that we can not install the patch from MS.

Time to format?

You all are being super-helpful. Thanks!

David
Old 10-15-2003, 04:34 PM   #10
pat
Confirmed User
 
Join Date: Jan 2002
Location: UK
Posts: 157
Quote:
Originally posted by lvadavid
We run our servers on Windows NT 4.0 (yes I know, it's time to upgrade or leave Windows).

Recently it appears someone from Europe has hacked into our servers and uploaded movie and games files to share with others. Also, they deleted a number of our Weblogs.

Anyone else experience this? Any tips for preventing it? Can they do serious harm to our servers if they want to?

Thanks.

David
Turn off "Allow anonymous connections" in the Security Accounts tab of your FTP site in IIS. The same thing happened to me - they left music/porn/games in directories which are hard to delete (i.e. system names and special characters). It's a stupid thing but with the wrong permissions and the fact IIS has this option set by default, it's easy for people to gain access and create these things. Found this URL which may help if you have loads of 'tagged' dirs on your root folder...

HTH.
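An added example, not part of the original thread or any poster's code: a scan of an FTP or web root for the hard-to-delete "tagged" directories described in the post above. The rule set (reserved device names, leading or trailing spaces, trailing dots, control or non-ASCII characters) is an assumption about what such names look like, the function names are hypothetical, and the sample tree is constructed.

```python
import os
import tempfile

# Assumption: DOS device names that the Win32 layer reserves, with or without
# an extension, so Explorer cannot open or delete a directory named after one.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)
}


def name_problems(name):
    """Return the reasons one directory name is awkward to remove on Windows."""
    reasons = []
    stem = name.split(".")[0].strip().upper()
    if stem in RESERVED:
        reasons.append("reserved device name")
    if name != name.rstrip(" .") or name.startswith(" "):
        reasons.append("leading/trailing space or trailing dot")
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        reasons.append("control or non-ASCII character")
    return reasons


def find_tagged_dirs(root):
    """Walk root; map each suspicious directory (relative path) to its reasons."""
    hits = {}
    for parent, dirs, _files in os.walk(root):
        for d in dirs:
            reasons = name_problems(d)
            if reasons:
                hits[os.path.relpath(os.path.join(parent, d), root)] = reasons
    return hits


def demo():
    """Scan a constructed tree (sample data, created on a POSIX host)."""
    sample = ("wwwroot/images", "pub/ tagged /com1/movies", "pub/\x7f.x./nul.bak")
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            os.makedirs(os.path.join(root, rel))
        return find_tagged_dirs(root)


if __name__ == "__main__":
    for path, why in sorted(demo().items()):
        print(repr(path), "->", ", ".join(why))
```

On Windows itself, directories flagged this way generally have to be addressed through the `\\?\` extended path prefix before they can be removed.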
Old 10-15-2003, 06:19 PM   #11
Fuckin Bill
Confirmed User
 
Join Date: Feb 2003
Posts: 1,020
If you don't know how they got in, the safest thing to do is format the drive and re-install everything, and install all patches before you put it back online. Once someone has been in the box they could have installed anything. You can run any patch you want now and they could have backdoors already installed that will let them back in.

You're playing with fire. If they've gotten into that machine, every other machine it's connected to on your network is also at risk. The longer you leave it online, with nobody knowing who's in there or how they got in there, the more chance you have of something going horribly wrong.

If they're only running warez through it, you're lucky. Have you ever seen how fast compromised systems spread on IRC? You've already said they have the power to delete system files. If they have access to that, they most likely have access to everything on the system.
Old 10-15-2003, 08:57 PM   #12
lvadavid
Registered User
 
Join Date: Oct 2003
Posts: 21
Thanks for all the responses.

After searching, I found a link that describes an exact description of what has happened... including the exact reference to "Inetpub" which was a folder created on our drive.

http://www.sans.org/y2k/unicode.htm

Anyone else seen this one?

David

Last edited by lvadavid; 10-15-2003 at 09:00 PM..