Posted by George on November 10, 2005, 3:18 pm
I have been looking into some issues that I have heard about from someone
running a Windows 2003 Server network. It seems that rootkits get installed
as quickly as they get removed. Currently, they do not have an external
firewall, but they are going to get one. Right now, I would like some advice
to stop the installation of these rootkits. The servers are up to date with
patches and antivirus. They keep getting turned into torrent servers. Any
advice would be appreciated. As soon as the whatever thing that the hackers
install gets taken off the server, it comes back again, usually within an
hour. It would appear that this is happening to all servers.
Posted by Miha Pihler [MVP] on November 10, 2005, 3:34 pm
Hi George,
A few points:
- once the rootkit is on the server, the only reliable way to remove it is to
format the server (you can't trust what the operating system is telling you any
more)... Patching, updating and antivirus currently won't help you
much...
- if the rootkit is good at what it is doing -- you won't even know it is on the
server running... (for more information go to http://www.rootkit.com/)
- only administrators can install rootkits (the question here is how did
outsiders get these permissions)
- Windows 2003 has a built-in firewall -- it is a pretty damn good one -- they
should at least use this one :-) (Windows 2000 has IP policies that you can
use to protect access to the server).
- when setting up the server -- don't plug it into the network (the computer can
be infected before it is completely set up). Set it up offline and enable the
built-in firewall, and only then connect it to the network. Now patch it and
only then disable the personal firewall if you must...
- use strong, hard-to-guess passwords (especially for administrators)
- don't run and surf from the server with administrator permissions (if you
must, use the tool and information from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp
(Browsing the Web and Reading E-mail Safely as an Administrator)) ...
--
Mike
Microsoft MVP - Windows Security
>I have been looking into some issues that i have heard about from someone
> running a windows 2003 server network. It seems that rootkits get
> installed
> as quickly as they get removed. currently, they do not have an external
> firewall but they are going to get one. Right now, i would like some
> advice
> to stop the installation of these rootkits. The servers are up to date
> with
> patches and antivirus. they keep getting turned into torrent servers.
> any
> advice would be appreciated. as soon as the whatever thing that the
> hackers
> install gets taken off the server, it comes back again usually within an
> hour. It would appear that this is happening to all servers.
Posted by Imhotep on November 10, 2005, 10:31 pm
George wrote:
> I have been looking into some issues that i have heard about from someone
> running a windows 2003 server network. It seems that rootkits get
> installed
> as quickly as they get removed. currently, they do not have an external
> firewall but they are going to get one. Right now, i would like some
> advice
> to stop the installation of these rootkits. The servers are up to date
> with
> patches and antivirus. they keep getting turned into torrent servers.
> any
> advice would be appreciated. as soon as the whatever thing that the
> hackers install gets taken off the server, it comes back again usually
> within an
> hour. It would appear that this is happening to all servers.
Chances are you were tricked into installing a trojan. Do "we" have our
local users in the local admin (or domain admin) groups? Stop being
foolish!!! This alone causes more problems than every other bad habit put
together......
90% or more of the rootkits need admin privs to install...
Imhotep
Posted by Roger Abell [MVP] on November 12, 2005, 10:58 am
You mention Windows 2003, so these comments are specific to it, as
it is pretty simple to keep a server clean.
First, you need to do a fresh install, format on up.
During this, install from W2k3 with SP1 integrated if at all possible;
otherwise disconnect the network until SP1 has been installed.
If you have SP1 integrated, then follow its recommendations and
immediately update the machine while it is under the temporary
cloak of the firewall; if you do not have the integrated
media, then after installing SP1 turn on the firewall and go get the
machine updated.
Install the optional SCW (Security Configuration Wizard).
Use the SCW locally if it is a stand-alone, or, if you have a defined
process for the infrastructure to use SCW, follow that process.
Turn on the firewall and make certain that there are no unnecessary
network exposures. If you need to allow remote management, then
limit the scope of the firewall exposure for this to only the machines
that are necessary.
Define:
- password expectations for all accounts able to log into the machine
- update process / schedule for the machine
- change control process for altering the services and/or firewall config
- appropriate use for the machine, which includes no non-management
use - no IE, no OE, no Firefox, no Opera, etc. It is a server; it should
serve, not be used as a client system.
With this little bit of effort you can place that box on the open internet
with no masking by other layers, and its public IPs will get used only as
you have defined for them to be used. If you keep a little awareness as
to whether there are any MS or third-party code vulnerabilities, and you
either patch or take work-around action when such do exist and have
active exploit code in the wild, that machine will stay out there on the
open internet for a very long time in full health.
>I have been looking into some issues that i have heard about from someone
> running a windows 2003 server network. It seems that rootkits get
> installed
> as quickly as they get removed. currently, they do not have an external
> firewall but they are going to get one. Right now, i would like some
> advice
> to stop the installation of these rootkits. The servers are up to date
> with
> patches and antivirus. they keep getting turned into torrent servers.
> any
> advice would be appreciated. as soon as the whatever thing that the
> hackers
> install gets taken off the server, it comes back again usually within an
> hour. It would appear that this is happening to all servers.
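The firewall, remote-management scoping, password and admin-group review steps discussed in the replies above, written out as an added example that is not from the thread or any poster. It assumes Windows Server 2003 SP1 (which provides the netsh firewall context), an elevated cmd prompt, and uses 192.0.2.10 as a placeholder for the single management host that should be allowed Remote Desktop access.

```batch
@echo off
REM Added example, not from the thread. Assumes Windows Server 2003 SP1
REM (netsh firewall context present) and an elevated cmd prompt.
REM MGMT_HOST is a placeholder for the one host allowed to manage this box.
set MGMT_HOST=192.0.2.10

REM 1. Turn the firewall on for every profile, with exceptions still honoured
REM    (exceptions=DISABLE would block even the entries opened below).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM 2. Close the built-in service exceptions a server does not need exposed.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL

REM 3. Allow Remote Desktop, but only from the management host rather than
REM    from everywhere (scope=CUSTOM instead of the default scope=ALL).
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%MGMT_HOST% profile=ALL

REM 4. Log dropped packets so unexpected inbound probes are visible later.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log droppedpackets=ENABLE

REM 5. Password expectations for local accounts: 14 characters minimum,
REM    rotate within 60 days, remember the last 5 to prevent reuse.
net accounts /minpwlen:14 /maxpwage:60 /uniquepw:5

REM 6. Review: who is a local administrator, and what the firewall now allows.
net localgroup Administrators
netsh firewall show config
```

Run it on the freshly installed box before it is connected to the network, then compare the `netsh firewall show config` output against what you intended to expose.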