
How Was My Win7 Server Compromised and How to Prevent?



#1 cbrokaw


Posted 29 August 2013 - 05:27 PM

So, I have a Win7 box that is used to record video surveillance that was compromised about a week ago at 3am. Running ComboFix showed that someone or some script repeatedly tried to log into my server. I assume that it was done via remote desktop...but I really don't know, other than that it was not done in the same location as the server.

I'm wondering how this happened and how to prevent it.

Here's the background on this:

  • To allow remote access to the remote viewing app, I have to open up some ports on my router. Firewall was disabled and there was no antivirus running. The security installer said it would not be necessary. In hindsight this was a bad idea and they should have done the work to turn on the firewall and only allow the connections that needed to get through to enable remote viewing.
  • Remote desktop was turned on so that the security installer could remotely troubleshoot any issues.
  • Strong passwords were not set up by the security installers.
  • DDNS was used
  • Only security installer and I have the password. No one except for myself has had physical access to the server
  • Only use the browser to access reputable sites

How I discovered the problem:

  • Tried to remote desktop into the server from work to adjust some settings and discovered the admin password did not work
  • Got home and saw that a new account that I did not recognize was added
  • Had to reset the password using Win7 disk to get back into the system

My questions:

  • How did this happen to me?
  • Why would I have been a target?
  • What were the hackers trying to do other than break in and let me know that they had done so? They could have just conducted any malicious activity with the Admin account.
  • How can I prevent this from happening in the future?
  • How can I be made aware whenever remote connections are made to my server and know where it is coming from?

Thanks!




#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 29 August 2013 - 08:20 PM

These articles should cover most of your questions and concerns. They explain how/what was exploited and include steps for prevention.

How can my service be exploited?

There are two primary ways a server may be compromised:
1. The hacker has guessed a password of a user on the server. This may be an email, ftp, or ssh user.
2. The hacker has gained access through a security hole in a web application (or its addons/plugins) such as WordPress, Joomla, Drupal, etc.

Working with a hacked or compromised server

How Did My Server Get Exploited?
The bulk of the time we see an exploited server it has been exploited in one of two ways. Either someone has guessed a password and logged in as a user via ssh, or a web application has some security hole that has been exploited.

My server was exploited: How Do I Know I Was Exploited? - Finding Out More About What Was Done

Are Your Servers Exploit-Proof? - Trend Micro
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

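The last question in the original post, how to see who connected remotely and from where, can be answered from the Windows Security log on the server itself. The PowerShell script below is an added example, not code from this thread or from the linked articles; it assumes an elevated session on Windows 7 or later and that logon auditing is enabled (the `auditpol` line in the comments turns it on).

```powershell
# Added example (not from this thread): list remote desktop logons and password-guessing
# attempts from the Windows Security log. Run in an elevated PowerShell session on the server.
# Event 4624 = successful logon, 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
# Failed logons are only recorded when failure auditing is on; to enable it once, run:
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
param([int]$Days = 7)

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-$Days) }

# Flatten each event's XML EventData into a plain object holding only the fields we need.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
        SourceIp  = $data['IpAddress']
    }
}

# 1. Successful RDP logons: any entry you do not recognise (time, account or address) is a red flag.
$rdp = $events | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -eq '10' }
"Successful remote desktop logons in the last $Days days:"
$rdp | Sort-Object Time | Format-Table Time, User, SourceIp -AutoSize

# 2. Failed logons grouped by source address: a long run from one address is password guessing.
#    Not filtered by logon type, because RDP failures are logged as type 3 or 10 depending on NLA.
$failed = $events | Where-Object { $_.EventId -eq 4625 -and $_.SourceIp -and $_.SourceIp -ne '-' }
"Failed logons by source address (most attempts first):"
$failed | Group-Object SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'Accounts'; Expression = { ($_.Group | ForEach-Object { $_.User } | Select-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Running this daily (for example from Task Scheduler with the output written to a file) gives the ongoing awareness the original post asks for; the same two event IDs can also be attached to a Task Scheduler "On an event" trigger to get an immediate notification.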



