Windows 2003 , MSDE 2000, Terminal Services

Subject Author Date
Windows 2003 , MSDE 2000, Terminal Services nick.kernick 01-12-2008
Posted by nick.kernick on January 12, 2008, 3:23 am
My server is being hacked. User from Hong Kong [kenny] he emailed me;
Created user "asp.net" gave it admin rights, then logged on using
terminal services. I restricted TS to my IP, he came in as the
server???

Has anybody got any ideas how this can happen? I am at a loss and
tried everything from renaming admin, firewall, disabling everything
in IIS apart from ASP.

thanks

Posted by Malke on January 12, 2008, 9:12 am
nick.kernick@gmail.com wrote:
> My server is being hacked. User from Hong Kong [kenny] he emailed me;
> Created user "asp.net" gave it admin rights, then logged on using
> terminal services. I restricted TS to my IP, he came in as the
> server???
>
> Has anybody got any ideas how this can happen? I am at a loss and
> tried everything from renaming admin, firewall, disabling everything
> in IIS apart from ASP.

In practical terms you only have one course of action: flatten the
server and reinstall. Hopefully you took an image and can use that to
quickly get up and running again. If not, as a systems administrator you
should make regular imaging part of your normal routine.

As for how it happened, obviously your network and/or programs, OS are
not secure. There is no way for people just reading about it on a
newsgroup to know the details. Hire an outside professional to come
on-site and set you up properly. This will not be someone from
BigComputerStore/GeekSquad but a computer professional with skills in
setting up servers.

Since your server is compromised, you also need to check all
workstations for infection. This is a big job but not one that you
should skip.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Posted by Anteaus on January 12, 2008, 5:32 pm

Malke's comments are good. The main thing I'd add is that you need to be a
LOT more careful with security on any server which allows outside access,
than on one which is purely serving LAN users. If not needed, disable
Terminal Services, or firewall it so that only the LAN can access. If you
need remote access, then use a secure tunnelling protocol, and/or a
sophisticated firewall which will allow you to properly restrict access to
one remote IP.

Also, remote access is only as secure as the weakest user/password combo
with remote permissions. If one user with remote permission has a guessable
password, then the whole system is weak.

Also, noting IIS, you should never, never serve an Internet-visible website
from a fileserver inside the firewall. For this kind of duty you would be
better using a separate machine as a DMZ. If licensing cost is an issue, then
Linux is ideal for webserving.

nick.kernick@gmail.com wrote:
> > My server is being hacked. User from Hong Kong [kenny] he emailed me;
> > Created user "asp.net" gave it admin rights, then logged on using
> > terminal services. I restricted TS to my IP, he came in as the
> > server???
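
The sequence described in the first post (a new account, admin rights, then a Terminal Services logon) leaves a recognisable trail in the Security log when account-management and logon auditing are enabled. The following is an added example, not part of any post in this thread: it correlates the Windows Server 2003 event IDs 624, 636 and 528 over a constructed, simplified pipe-delimited export, and the function and field names are hypothetical.

```python
# Added example: correlate Windows Server 2003 Security-log events.
# Event IDs (pre-Vista numbering): 624 = user account created,
# 636 = member added to a security-enabled local group,
# 528 = successful logon (logon type 10 = RemoteInteractive / Terminal Services).
# The export format and every value in SAMPLE_LOG are constructed for illustration.
from collections import namedtuple

SAMPLE_LOG = """\
2008-01-11T22:14:03|624|target=asp.net|caller=SYSTEM
2008-01-11T22:14:09|636|target=asp.net|group=Administrators|caller=SYSTEM
2008-01-11T22:15:40|528|target=asp.net|logon_type=10|source=192.0.2.10
2008-01-11T23:01:12|528|target=nick|logon_type=10|source=198.51.100.7
2008-01-11T23:05:00|624|target=backupsvc|caller=nick
"""

Finding = namedtuple("Finding", "account created promoted logon source")

def parse(line):
    """Split one 'timestamp|event_id|key=value|...' record into a dict."""
    ts, event_id, *fields = line.strip().split("|")
    rec = dict(f.split("=", 1) for f in fields)
    rec.update(ts=ts, id=int(event_id))
    return rec

def find_new_admin_ts_logons(log_text):
    """Flag accounts that were created, added to Administrators, and then
    used for a Terminal Services logon. Assumes chronological input."""
    created, promoted, findings = {}, {}, []
    for rec in map(parse, filter(None, log_text.splitlines())):
        acct = rec["target"].lower()
        if rec["id"] == 624:
            created[acct] = rec["ts"]
        elif rec["id"] == 636 and rec.get("group", "").lower() == "administrators":
            if acct in created:          # only accounts born inside this log window
                promoted[acct] = rec["ts"]
        elif rec["id"] == 528 and rec.get("logon_type") == "10":
            if acct in promoted:
                findings.append(Finding(acct, created[acct], promoted[acct],
                                        rec["ts"], rec["source"]))
    return findings

if __name__ == "__main__":
    for f in find_new_admin_ts_logons(SAMPLE_LOG):
        print(f"{f.account}: created {f.created}, admin {f.promoted}, "
              f"TS logon {f.logon} from {f.source}")
```

The `caller` and `source` fields of a flagged record are the ones to read first, since they show which context created the account and where the session appeared to come from.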

