Have I been hacked?

Posted by Hoof Hearted on July 4, 2005, 5:37 pm
SBS 2003: When I came to sign into the newsgroup today from my server, there
was a suspicious email address in the passport login dialog. I won't disclose
the address here, but it contained the word 'kracker'. Someone has obviously
gained access to my server. They must have been logged in under the
Administrator account in order for the email address to be saved in this way.
No internal user knows my credentials, I use a strong password anyway. I am
surprised that the intruder seems to have done nothing more sinister than
check his email.

Is Terminal Services regarded as secure? My server is up to date with
updates. Is there something I should know? Is there any other way the hacker
could have got in?

Posted by Steven L Umbach on July 4, 2005, 6:21 pm
If the server is not physically secured and others have access to it then
somebody could have possibly gained access as local administrator. One thing
to check is your security logs on that server for logon, account logon
events, and computer management events. By default Windows 2003 Server has
auditing of such enabled and should show who has logged onto that server and
when and also show failed logon events. Assuming auditing of computer
management was also enabled you would be able to see if user group
memberships have been changed unless an attacker cleared the security logs.
Terminal Services is secure in that by default TS traffic is encrypted but
it can allow others to logon depending on how you have security set up for
Remote Desktop. If there are other administrator accounts on the server and
those users do not use strong passwords then possibly one of those accounts
was compromised. Also keep in mind that you should NEVER use any account in
any administrator group in the domain to logon to a domain computer that is
not known to be secured. It is trivial for a user who has local
administrator access to a domain computer to configure scripts to take over
the domain if you do such or install a keyboard logger or screen scraper to
capture logon credentials. Hidden cameras can also capture credentials
and any administrator in the domain that is logged in with their admin
account and leaves their computer unattended can also cause compromise of
the whole domain if a malicious user is able to access their computer
keyboard.

I would be sure to run a full malware scan on the server and check for the
existence of unexplained processes and port usage as possibly a
trojan/backdoor was installed while you were logged on. I like the free
tools Process Explorer, TCPView, and Autoruns from SysInternals for that.
At minimum I would also suggest that you verify that the membership in all
the administrator groups - administrators, domain admins, enterprise admins,
schema admins [I don't know what all exists on SBS] is what you expect and
change the passwords on all those accounts. If the server is badly
compromised the only solution is a rebuild and taking steps to prevent it
from happening again knowing what to do before the rebuild. FYI you should
NOT be browsing the internet, doing newsgroups, or reading email from your
server! Use a regular computer to do such while NOT logged on with an
account that has admin powers in the domain and ideally an account that is
not an administrator on that computer.

--- Steve

http://www.microsoft.com/technet/security/default.mspx -- TechNet Security Center
http://www.sysinternals.com/ --- SysInternals


> SBS 2003: When I came to sign into the newsgroup today from my server, there
> was a suspicious email address in the passport login dialog. I won't disclose
> the address here, but it contained the word 'kracker'. Someone has obviously
> gained access to my server. They must have been logged in under the
> Administrator account in order for the email address to be saved in this way.
> No internal user knows my credentials, I use a strong password anyway. I am
> surprised that the intruder seems to have done nothing more sinister than
> check his email.
>
> Is Terminal Services regarded as secure? My server is up to date with
> updates. Is there something I should know? Is there any other way the hacker
> could have got in?
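A small triage pass over Security-log records of the kind Steve suggests reviewing (logon and failed-logon events, group membership changes, a cleared audit log, Terminal Services logons from unfamiliar sources), added here as an example and not code from the thread. The record layout, the sample rows and the known-sources list are constructed; the event IDs 517, 528, 529, 632 and 636 and logon type 10 are the real pre-Vista Windows values.

```python
# Added example (not from the thread): triage pass over Windows Server 2003-style
# Security log records. The record layout and sample rows are constructed; the
# event IDs and logon type 10 are the real pre-Vista values.
from collections import Counter

AUDIT_LOG_CLEARED = 517          # the Security log was cleared
SUCCESS_LOGON = 528              # successful logon
FAILED_LOGON = 529               # unknown user name or bad password
GROUP_MEMBER_ADDED = {632, 636}  # member added to a global / local security group
TS_LOGON_TYPE = 10               # RemoteInteractive: Terminal Services / Remote Desktop

# Constructed sample records; "detail" carries the target group for 632/636.
SAMPLE_EVENTS = [
    {"id": 528, "time": "2005-07-03 09:02", "user": "Administrator", "type": 2,  "src": "SBSSERVER", "detail": ""},
    {"id": 529, "time": "2005-07-04 01:58", "user": "Administrator", "type": 10, "src": "10.0.0.77", "detail": ""},
    {"id": 529, "time": "2005-07-04 01:59", "user": "Administrator", "type": 10, "src": "10.0.0.77", "detail": ""},
    {"id": 529, "time": "2005-07-04 02:00", "user": "Administrator", "type": 10, "src": "10.0.0.77", "detail": ""},
    {"id": 528, "time": "2005-07-04 02:03", "user": "Administrator", "type": 10, "src": "10.0.0.77", "detail": ""},
    {"id": 636, "time": "2005-07-04 02:05", "user": "svc_backup",    "type": 0,  "src": "SBSSERVER", "detail": "Administrators"},
    {"id": 517, "time": "2005-07-04 02:20", "user": "Administrator", "type": 0,  "src": "SBSSERVER", "detail": ""},
]

def triage(events, known_sources, failed_threshold=3):
    """Return findings for the log events Steve lists, oldest first."""
    findings, failures = [], Counter()
    for e in events:
        key = (e["user"], e["src"])
        if e["id"] == AUDIT_LOG_CLEARED:
            findings.append(f'{e["time"]} Security log cleared by {e["user"]}')
        elif e["id"] in GROUP_MEMBER_ADDED:
            findings.append(f'{e["time"]} {e["user"]} added to {e["detail"]}')
        elif e["id"] == FAILED_LOGON:
            failures[key] += 1
        elif (e["id"] == SUCCESS_LOGON and e["type"] == TS_LOGON_TYPE
              and e["src"] not in known_sources):
            findings.append(f'{e["time"]} Terminal Services logon as {e["user"]} from {e["src"]}')
            if failures[key]:  # failed guesses followed by a success from the same place
                findings.append(f'  ...after {failures[key]} failed attempts from {e["src"]}')
    for (user, src), n in failures.items():
        if n >= failed_threshold:
            findings.append(f'{n} failed logons as {user} from {src}')
    return findings

def unexpected_admins(current_members, baseline):
    """Members of an admin group that are not on your known-good list."""
    return sorted(set(current_members) - set(baseline))
```

Run `triage(SAMPLE_EVENTS, known_sources={"SBSSERVER", "OFFICE-PC"})` to see the findings; a real export from Event Viewer would be mapped into the same record fields first.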



Posted by Wong Tuck Wah on July 5, 2005, 1:12 am
To add on to Steven's list, tools such as kerbsniff can be used to capture the
credentials sent from the client to the DC during a Kerberos login. The frames
captured can then be cracked using an automated dictionary attack such as
kerbcrack.

These tools are freely and easily downloadable from the net.

There is basically no way to entirely stop being sniffed. Use of
complex passwords or multi-factor authentication is the valid solution, so
far, to overcome this.


"Hoof Hearted" wrote:

> SBS 2003: When I came to sign into the newsgroup today from my server, there
> was a suspicious email address in the passport login dialog. I won't disclose
> the address here, but it contained the word 'kracker'. Someone has obviously
> gained access to my server. They must have been logged in under the
> Administrator account in order for the email address to be saved in this way.
> No internal user knows my credentials, I use a strong password anyway. I am
> surprised that the intruder seems to have done nothing more sinister than
> check his email.
>
> Is Terminal Services regarded as secure? My server is up to date with
> updates. Is there something I should know? Is there any other way the hacker
> could have got in?
