
SBS Server has been hijacked


3 replies to this topic

#1 shawnbob


Posted 15 September 2014 - 11:00 PM

We noticed our SBS server was sending out a ton of spam and was listed on Spamhaus, etc.

We used Malwarebytes and it found some items and deleted them, and the spamming stopped. Then a couple of days later it started again. Malwarebytes had caught a couple more items.

After some more research we noticed a few new accounts (Symantec, Scaner, Staff and services) which were not there before. In fact the services account was logged in to the Remote Desktop.  We have deleted these accounts, examined the Domain Admin, Administrator and Enterprise Admin groups and changed passwords.  

We have deleted some suspicious folders. There are some folders we cannot delete, such as c:\Users\Temp\AppData\Local\Microsoft\Credentials and other folders inside the AppData for Temp. We cannot take ownership and cannot delete; it says the file is in use. I know we can use BartPE and such to boot up and delete these files, but are there any better ideas so we don't have to take the server down?

What other items/tasks can we do? 

We have run Malwarebytes using Chameleon mode a few times with nothing else found.

 





#2 Wand3r3r


Posted 16 September 2014 - 01:27 PM

Your server has been hacked. 

 

This is not a case of just getting some malware. The recommendation in this case is to reinstall SBS from scratch. Only trust the backups that happened before you were hacked, or you may end up restoring the hacked version with its back doors into your system.

 

You also need to review your security plan [if you have one].  Clearly your server was not secure or behind a firewall.



#3 shawnbob


Posted 17 September 2014 - 08:39 AM

We inherited the server recently from another IT company.  It seems the intruder got in due to a weak password on a domain admin account.  Fun.  

Wand3r3r - we understand and appreciate your comments. We would like to start from scratch, but it's not possible right now.  

My question: are there any tools which can help identify processes or programs which are not native to the OS? How about Data Execution Prevention?
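As an added triage example that is not part of any post in this thread, the script below covers the three things the poster describes: domain accounts created recently (the Symantec/Scaner/Staff/services accounts), current membership of the privileged groups, service and process binaries not signed by Microsoft, and interactive Remote Desktop logons. It assumes a domain-joined SBS host with the ActiveDirectory module available, an elevated PowerShell session, and a constructed 30-day cut-off.

```powershell
# Added triage script, not from the thread. Assumes the ActiveDirectory module
# (SBS 2011 / Server 2008 R2 or later) and an elevated session; PS 2.0 syntax.
Import-Module ActiveDirectory

$Since = (Get-Date).AddDays(-30)   # constructed cut-off; adjust to the suspected intrusion date

# 1. Domain accounts created after the cut-off, plus who currently sits in the
#    privileged groups (compare against the known staff list by hand).
Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, LastLogonDate |
    Select-Object SamAccountName, whenCreated, LastLogonDate, Enabled

foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{n='Group'; e={$g}}, SamAccountName, objectClass
}

# 2. Service and running-process images whose Authenticode signature is missing,
#    invalid, or not from Microsoft. This is a review list, not a verdict:
#    legitimate third-party software lands here too.
$svcPaths = @(Get-WmiObject Win32_Service | ForEach-Object {
    # strip arguments: handle both quoted ("C:\x y\a.exe" -k) and unquoted paths
    $_.PathName -replace '^"([^"]+)".*$', '$1' -replace '^(\S+).*$', '$1'
})
$procPaths = @(Get-Process | Where-Object { $_.Path } | ForEach-Object { $_.Path })

$svcPaths + $procPaths | Sort-Object -Unique | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_ -ErrorAction SilentlyContinue
    $isMs = $sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Microsoft'
    if (-not $isMs) {
        New-Object PSObject -Property @{
            Path   = $_
            Status = if ($sig) { $sig.Status } else { 'NoFile' }
        }
    }
}

# 3. Interactive RDP logons (Security event 4624, logon type 10) since the cut-off:
#    which accounts used Remote Desktop and from which source address.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$Since } |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
        @{n='Account';  e={$_.Properties[5].Value}},
        @{n='SourceIP'; e={$_.Properties[18].Value}}
```

Run it from a separate clean workstation over a remote session where possible, and save the output before changing anything, since the lists are evidence of what the intruder created and where they came from.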



#4 Wand3r3r


Posted 17 September 2014 - 01:48 PM

When one of our accounting machines was hacked [and the two company bank accounts were compromised - thank goodness the banks stopped the payouts of $120K] we used some forensic tools and found nothing.  These folks were good and cleaned up after themselves.

 

Sorry, but I don't know of any tools/services I can recommend. We are beyond the days of removing files or registry entries to end spam/viruses. The same is true for hackers.

 

What I can say is I wouldn't put that server on my LAN with internet access. And don't trust any backups. They will also contain the back doors.


Edited by Wand3r3r, 17 September 2014 - 01:48 PM.
