Server 2003 rdp/iis hacked

Hi, one of my test file servers seems to have been hacked into and the password for the administrator account changed. I don't have any access to the server at all and it contains all my data. What would be the best thing to do?
 
Disconnect it from the internet, reset the local admin password, copy the data to a USB/Firewire drive and then format/reinstall.

You can't ever trust that server again; it's the only thing you can do at this point.
 
Yes, the disk will let you reset the admin password locally.

After that, I second what pigster suggested. You have no idea what has been loaded on the box if it has been compromised.
 
If you're using RDP without any sort of VPN etc., then use strong passwords, disable the guest account and don't use "administrator" as an account login name.
 
Cheers jay_oasis, I guess my problem was having the login name as administrator.
 
Seriously, why do people try to log in to someone's machine via RDP? They aren't gaining anything :confused:
Moved this server over to BSD; I don't have time to mess about with all this.
 
Seriously, why do people try to log in to someone's machine via RDP? They aren't gaining anything :confused:
Moved this server over to BSD; I don't have time to mess about with all this.

What do you mean they aren't gaining anything? If they are successful, they gain control of your server.
 
How come you don't have GP lock that account after X times of logging in wrong, for say 30 minutes?

That helps stop a brute force.
 
What do you mean they aren't gaining anything? If they are successful, they gain control of your server.

I mean gaining anything useful; it's a server on a residential IP address that contains nothing useful. Some people must amuse themselves by this.

shade_star, what would be the best way to, say, lock out the account for 30 mins after 5 unsuccessful logins?
 
Both, and I would ditch RDP and use LogMeIn if it has access to the web, assuming it was not an internal attack.
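The lockout policy shade_star suggests, and ring.of.steel asks how to configure, on a standalone Server 2003 box. This is an added example and not something posted in the thread; the commands are the classic net/cscript tools, so they run the same in cmd.exe or in a PowerShell prompt on the server. The event IDs and the audit-policy caveat are the Server 2003 ones; the path to eventquery.vbs is the default system32 location.

```powershell
# Added example (not from the thread): local account lockout on a standalone
# Windows Server 2003 file server. Run from a prompt on the server itself;
# on a domain member the same settings come from the domain's GPO instead.

# Lock an account after 5 bad passwords, keep it locked for 30 minutes, and
# reset the bad-password counter 30 minutes after the last failure.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# Print the effective policy so the change can be verified.
net accounts

# Caveat: the built-in Administrator account (RID 500) is exempt from lockout,
# so this policy alone does not stop a brute force against "administrator".
# Rename it (Local Security Policy -> Security Options -> "Accounts: Rename
# administrator account") and RDP in with a different, locked-out-able account.

# Make sure failed logons are actually recorded: "Audit logon events" must
# have Failure auditing enabled under Local Security Policy -> Audit Policy.
# Then the brute force shows up as event 529 (bad password) and a successful
# lockout as event 644 in the Security log. Show the 20 newest 529s:
cscript "$env:SystemRoot\system32\eventquery.vbs" /L Security /FI "ID eq 529" /FO LIST /R 20
```

Lockout only slows a single-account guesser; against an attacker who rotates usernames it mainly produces noise, so pair it with the source-address filtering discussed further down the thread.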

It was an external attack. I cannot ditch RDP altogether as this is how I administer my machines. Is there any way to block RDP access within Windows by IP address, so that, say, no machines could use the RDP protocol except a certain IP range?
 
You can use the Windows Firewall to only allow certain IP ranges for the RDP port.
 
Thanks for all the help! Will edit the policy when I get in.
 
From the man himself, robo :p

I may not be downloading....
 
What kind of router configuration are you using?

I personally make use of port forwarding to use different ports for RDP, and then secure by IP address on top of that in the router.

Even a low-end SonicWall that can perform these tasks, such as a TZ170, is affordable to even the smallest business, I feel. It's a very small investment for safety if you know how to use it.

P.S. Not downloading porn is hazardous to your health. Increased stress is bad. :p
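The two controls discussed above, scoping the RDP port to an admin IP range (the Windows Firewall suggestion) and moving the listener off TCP 3389 behind a router port-forward (robo's setup), as they would be done on the Server 2003 SP1 host itself. This is an added example, not configuration posted by anyone in the thread. The address range 192.168.1.0/255.255.255.0 and the alternate port 33389 are placeholders to replace with your own management subnet and the port the router forwards; the netsh firewall and reg syntax is the Server 2003 SP1 one.

```powershell
# Added example (not from the thread): restrict who can reach the RDP
# listener on Windows Server 2003 SP1, and optionally move it off 3389.
# Run from a prompt on the server; the commands also work unchanged in cmd.exe.
# The firewall must be on for the external interface or the scope below
# protects nothing.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

# 1. Open TCP 3389 only to the management subnet (plus the local subnet).
#    scope=CUSTOM replaces the default "any address" opening for the port.
#    Placeholder range: 192.168.1.0/255.255.255.0.
netsh firewall add portopening protocol=TCP port=3389 name="RDP (admin range)" mode=ENABLE scope=CUSTOM addresses=192.168.1.0/255.255.255.0,LocalSubnet

# 2. Optional: move the listener to the port the router forwards (placeholder
#    33389). This does not hide the service from a port scan; it only removes
#    the noise from scripts that try 3389 and nothing else. Open the new port
#    with the same scope BEFORE changing the listener, or a remote session
#    locks itself out.
netsh firewall add portopening protocol=TCP port=33389 name="RDP (alt port)" mode=ENABLE scope=CUSTOM addresses=192.168.1.0/255.255.255.0,LocalSubnet
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 33389 /f
# The new PortNumber takes effect after a reboot. Only after confirming you
# can connect on 33389 should the old opening go:
#   netsh firewall delete portopening protocol=TCP port=3389

# 3. Verify what is open and from where.
netsh firewall show portopening
```

On the network in this thread the ISA box sits in front of the server, so the equivalent rule belongs there as well; the host firewall scope is the fallback for the day the ISA rule is wrong or the box is bypassed. The restriction is by source address only, so anyone on the allowed range, or who can spoof onto it, still gets to the logon prompt; it cuts the attack surface, it does not replace the password and lockout controls.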
 
Robo, STFU, we all know you are the biggest media pirate out of all of us; I'd better keep my mouth shut before I get banned again :p

My config is like this, *includes nice shiny diagram*

Basically the router doesn't do anything at the moment; all is done via the ISA box in regards to the servers.
I am planning to replace all the ISA crap with an IPCop box soon.
 
Robo, what hardware are you running this on? My D-Link seems to shit itself and the web UI crashes :mad:
 
Pentium 3
256MB RAM
20GB drive
2 NICs (will be 3 soon). :)

Got a PowerEdge 2400 I'm going to bring back into service; it contains 3 Intel PCI-X Gbit NICs, should do the trick.
 
I guess you're right; it's irritating having to mess around with these kids that think it's funny to piss people off.

I get our firewall logs emailed to me every hour from 7 (I think) different networks, and it's actually shocking looking at how many people try to get in. I get about 150 emails every day just from firewall logs.
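A way to make those firewall logs useful rather than just shocking: count dropped connections to the RDP port per source address so the repeat offenders stand out. This is an added example and not a script anyone posted in the thread. It reads the Windows Firewall log format (the W3C layout Server 2003 SP1 writes to %SystemRoot%\pfirewall.log once dropped-packet logging is enabled); the log lines embedded below are constructed for illustration, and the function, its name and its threshold are my own.

```powershell
# Added example (not from the thread): summarise drops against RDP per source
# address from a Windows Firewall log. Enable logging on the server first:
#   netsh firewall set logging droppedpackets=ENABLE
# The sample below is constructed; it follows the real #Fields layout of
# %SystemRoot%\pfirewall.log. Addresses are from the documentation ranges.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-03-01 02:11:04 DROP TCP 203.0.113.17 192.168.1.10 51024 3389 48 S 123456 0 65535 - - - RECEIVE
2007-03-01 02:11:05 DROP TCP 203.0.113.17 192.168.1.10 51025 3389 48 S 123457 0 65535 - - - RECEIVE
2007-03-01 02:11:06 DROP TCP 203.0.113.17 192.168.1.10 51026 3389 48 S 123458 0 65535 - - - RECEIVE
2007-03-01 02:12:40 DROP TCP 198.51.100.9 192.168.1.10 40211 3389 48 S 223344 0 65535 - - - RECEIVE
2007-03-01 02:13:02 DROP TCP 198.51.100.9 192.168.1.10 40212 445 48 S 223345 0 65535 - - - RECEIVE
2007-03-01 02:15:11 OPEN TCP 192.168.1.20 192.168.1.10 1450 3389 - - - - - - - - -
'@

# Hypothetical helper: returns one object per source IP that had TCP
# connections to $Port dropped, with a flag once it crosses $Threshold.
function Get-RdpDropSummary {
    param([string[]]$Lines, [int]$Port = 3389, [int]$Threshold = 3)
    $Lines |
        Where-Object { $_ -notmatch '^#' -and $_.Trim() -ne '' } |
        ForEach-Object {
            # Field positions from the #Fields header:
            # 0 date 1 time 2 action 3 protocol 4 src-ip 5 dst-ip 6 src-port 7 dst-port
            $f = $_ -split '\s+'
            if ($f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and $f[7] -eq "$Port") { $f[4] }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        ForEach-Object {
            $flag = ''
            if ($_.Count -ge $Threshold) { $flag = 'repeat offender' }
            New-Object PSObject -Property @{
                SourceIP = $_.Name
                Drops    = $_.Count
                Flag     = $flag
            }
        }
}

# Run on the constructed sample. For the real log use:
#   Get-RdpDropSummary -Lines (Get-Content "$env:SystemRoot\pfirewall.log")
Get-RdpDropSummary -Lines ($sample -split "`r?`n") | Format-Table SourceIP, Drops, Flag -AutoSize
```

On the sample, 203.0.113.17 is reported with three drops and flagged, 198.51.100.9 with one (its 445 probe is filtered out by the port check), and the OPEN line from the internal host is ignored because only DROP records count. The output is only the hosts the firewall already stopped; anything the allowed range let through has to be checked against the Security log's 529 events instead.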
 