
Server got hacked today

Discussion in 'Black Hat SEO' started by davids355, Jul 26, 2011.

  1. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,775
    Likes Received:
    6,307
    Home Page:
    One of the servers that I manage got hacked today - found out that someone got in via remote desktop.

    Installed amr (is that what it's called?), torrent program, and also some sort of server program - can't remember the name just now.

    I have tightened things up now. Really annoyed though.

    Good thing is, the guy left behind 850,000 email addresses :)
     
  2. xSubZer0x

    xSubZer0x Junior Member

    Joined:
    Apr 3, 2009
    Messages:
    177
    Likes Received:
    45
    Make sure you've checked your server well in case he's left any hidden backdoors or has added any additional users or changed passwords. One of the reasons I dislike Windows VPS heh
     
  3. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,775
    Likes Received:
    6,307
    Home Page:
    Sorry not amr, ams.

    Yup, I have been quite thorough:

    Uninstalled his programs
    Renamed his whole profile folder (kept files for analysis).
    Deleted his user accounts (he made 3 backdoors).
    Reset passwords for ALL accounts
    Took his ports out of firewall - yes he got in there as well!
    Disabled RDP - we did really need it (stupid).
    Checked running files, services etc.

    The only thing that bothers me is:
    CGatePro-Solaris-Intel

    Not familiar with that, and he had the setup file for it, but it looks like the Linux version to me, so did he bring the wrong software? Anyone know??

    Thanks.
     
  4. elvis1973

    elvis1973 Power Member

    Joined:
    May 13, 2011
    Messages:
    735
    Likes Received:
    274
    Occupation:
    Digital Signage Consultant
    Location:
    St Helens, UK
    Home Page:
    How did he get in?
     
  5. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,775
    Likes Received:
    6,307
    Home Page:
    I'm embarrassed to say that we had remote desktop enabled AND an account with a very weak password.
     
  6. Knoxgates

    Knoxgates Supreme Member

    Joined:
    Aug 9, 2008
    Messages:
    1,266
    Likes Received:
    918
    Last month I had the same problem. I had a very weak password, "5678", and a hacker logged in to my system and installed a few bots which kept connecting to remote sites. I have formatted the system and implemented a strong password. This time I have also renamed administrator to something else.
     
  7. keinehabe

    keinehabe Supreme Member

    Joined:
    Nov 4, 2008
    Messages:
    1,207
    Likes Received:
    472
    Gender:
    Male
    Occupation:
    -= CEO =-
    Location:
    Heaven
    Home Page:
    Lesson learned, I hope! :) ... Actually the AMS software is not so big a deal, and most probably the script kiddie just gave you a few K emails, worthless to be used ... don't think they are good for anything ....
     
  8. jbarrett

    jbarrett Registered Member

    Joined:
    Jul 21, 2011
    Messages:
    98
    Likes Received:
    40
    Do you have anti-virus on your server? If yes, scan the server; if no, I think you need to install one.
     
  9. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,775
    Likes Received:
    6,307
    Home Page:
    Actually there were 8k emails stuck in the mail queue (Exchange) ;)

    Anyway, can I do anything with his list(s)?
     
  10. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,775
    Likes Received:
    6,307
    Home Page:
    Yes, we have AVG Business Ed. Will be running a scan :)
     
  11. keinehabe

    keinehabe Supreme Member

    Joined:
    Nov 4, 2008
    Messages:
    1,207
    Likes Received:
    472
    Gender:
    Male
    Occupation:
    -= CEO =-
    Location:
    Heaven
    Home Page:
    Go to the make money section of the forum, check who can take some email traffic :) and send out his list :)) free money like :))
     
  12. xSubZer0x

    xSubZer0x Junior Member

    Joined:
    Apr 3, 2009
    Messages:
    177
    Likes Received:
    45
  13. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,775
    Likes Received:
    6,307
    Home Page:
    Second time in a month that I have had a server hacked as well - last time I was a victim of an Apache vulnerability I think, and the attacker deleted the whole WAMP folder - luckily we had a backup of everything, otherwise we would have been f'ed.
     
  14. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,775
    Likes Received:
    6,307
    Home Page:
    Always use LogMeIn. But sometimes have RDP on as well, as it sometimes works where LMI won't - i.e. if the server is out of resources.

    Also it's quicker.

    BUT I've learned something here: if you use it, you need a very strict password/membership policy!!!!!!!!
     
  15. becauseimhot

    becauseimhot Junior Member

    Joined:
    Aug 18, 2008
    Messages:
    116
    Likes Received:
    25
    Occupation:
    Coder pHp
    Location:
    Mars
    Home Page:
    This crap has been happening to me too lately!
     
  16. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,775
    Likes Received:
    6,307
    Home Page:
    Yup, it's becoming more regular. I am putting in place some much stricter security policies from now on.

    It needs to be done.
     
  17. xSubZer0x

    xSubZer0x Junior Member

    Joined:
    Apr 3, 2009
    Messages:
    177
    Likes Received:
    45
    Go the Linux route, install DenyHosts and don't look back =P
     
  18. Drink More Tea

    Drink More Tea Regular Member

    Joined:
    Apr 15, 2011
    Messages:
    208
    Likes Received:
    166
    I used to use fail2ban for this sort of thing; it supports quite a wide variety of services and works excellently.
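The DenyHosts/fail2ban suggestions above, and the "very strict password policy" point earlier in the thread, both come down to the same detection rule: count failed logons per source address inside a time window and cut the source off once it passes a threshold. The block below is an added example written for this thread; it is not the posters' code and not fail2ban's own code. It applies that rule to two constructed log shapes: an OpenSSH "Failed password" line as syslog writes it, and a one-line export of Windows Security event 4625 (failed logon; LogonType 10 is a remote desktop logon). The one-line 4625 layout, the year 2011 assumed for the sshd timestamps, and every address and hostname in the sample are constructed for the example.

```python
"""fail2ban-style brute-force detector applied to constructed log lines.

Added example for this thread; it is neither the posters' code nor
fail2ban's own. It applies fail2ban's core rule (ban a source after
`maxretry` failed logins within `findtime` seconds) to two log shapes:
an OpenSSH "Failed password" line from auth.log and a constructed one-line
export of Windows Security event 4625 (failed logon; LogonType 10 is RDP).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure line as syslog writes it (no year in the timestamp).
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
SYSLOG_YEAR = 2011  # assumed: syslog timestamps carry no year

# Constructed one-line form of Windows event 4625 (a real export is
# multi-line); only the fields this detector needs are kept.
WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=4625 "
    r"LogonType=\d+ TargetUser=\S+ SourceIP=(?P<ip>[\d.]+)"
)


def parse_failure(line):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        return ts, m.group("ip")
    m = WIN_RE.match(line)
    if m:
        return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")
    return None


def find_bans(lines, maxretry=5, findtime=600, bantime=3600):
    """Apply the fail2ban rule to chronologically ordered log lines.

    A source is banned when it reaches `maxretry` failures inside a sliding
    `findtime`-second window; failures from a banned source are ignored
    until its ban expires. Returns [(ip, ban_start_datetime), ...].
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    banned_until = {}            # ip -> datetime at which its ban expires
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue             # successful logon, other event, or noise
        ts, ip = parsed
        if ip in banned_until and ts < banned_until[ip]:
            continue             # still banned: nothing new to decide
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()          # too old to count toward this window
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
            q.clear()            # start counting afresh after the ban
    return bans


# Constructed sample: a fast RDP password-guessing burst from 203.0.113.7,
# a successful logon (4624) that must be ignored, two sshd failures that stay
# under the threshold, and a slow guesser (192.0.2.44) spaced so that no five
# failures ever fall inside one 600-second window.
SAMPLE_LOG = """\
2011-07-26 02:10:01 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.7
2011-07-26 02:10:03 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.7
2011-07-26 02:10:04 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2011-07-26 02:10:06 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2011-07-26 02:10:09 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.7
2011-07-26 02:10:12 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.7
2011-07-26 02:11:00 EventID=4624 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.7
Jul 26 02:15:10 web01 sshd[2201]: Failed password for root from 198.51.100.9 port 51234 ssh2
Jul 26 02:15:14 web01 sshd[2201]: Failed password for invalid user oracle from 198.51.100.9 port 51240 ssh2
Jul 26 03:00:00 web01 sshd[2310]: Failed password for root from 192.0.2.44 port 40001 ssh2
Jul 26 03:05:00 web01 sshd[2311]: Failed password for root from 192.0.2.44 port 40002 ssh2
Jul 26 03:10:00 web01 sshd[2312]: Failed password for root from 192.0.2.44 port 40003 ssh2
Jul 26 03:15:00 web01 sshd[2313]: Failed password for root from 192.0.2.44 port 40004 ssh2
Jul 26 03:20:00 web01 sshd[2314]: Failed password for root from 192.0.2.44 port 40005 ssh2
"""

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()):
        print(f"ban {ip} from {when}")
```

With the defaults (five failures in ten minutes) only the burst from 203.0.113.7 is banned, at the fifth failure; the slow guesser never trips the rule because its failures are five minutes apart, which is the trade-off a low `findtime` makes. Widening `findtime` to an hour catches it as well. Whatever the threshold, a detector like this only limits guessing; the fix the thread itself arrives at, a password that cannot be guessed in a handful of tries and RDP not exposed where it is not needed, is what removes the problem.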
     
  19. jethro

    jethro Regular Member

    Joined:
    Jun 20, 2011
    Messages:
    300
    Likes Received:
    48
    Occupation:
    Information Technology

    "Welcome to CommuniGate Pro, the Unified Internet Communication Server.

    Based on open standards, CommuniGate Pro provides an integrated platform for Store-and-Forward (E-mail, Calendaring) and Real-Time (VoIP, Video, Instant Messaging, White Boards) communications over IPv4 and IPv6 networks.

    CommuniGate Pro can be used via its built-in WebUser Interface, the bundled Pronto! communication client, as well as any third-party client applications employing the SMTP, IMAP, POP, MAPI, SIP, XMPP, HTTP, FTP, WebDAV, CalDAV, CardDAV, XIMSS, and other standard protocols.

    CommuniGate Pro can exchange E-mail and Groupware information with other standard-based servers and systems using the SMTP protocol. CommuniGate Pro supports Real-Time communications (VoIP, IM, Presence) with other standard-based systems using the SIP and XMPP protocols."


    I think it was installed to use your server for mail routing.

    Check all active network connections with the netstat command from the Windows shell (cmd.exe).

    Check if any web sites/services were added.
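To make jethro's netstat check repeatable, here is an added example (not the thread's code and not from any project it mentions) that parses the text `netstat -ano` prints on Windows and compares it against a baseline: it reports listening sockets on ports the server is not supposed to serve, established remote desktop sessions from outside the private address ranges, and connections to remote ports on a watch list (the BitTorrent range is used here because the thread mentions a torrent client). The netstat output, the baseline port set and the watch list are all constructed assumptions for the example; a practitioner would replace them with the ports their own server is known to serve.

```python
"""Triage of `netstat -ano` output against a baseline of expected listeners.

Added example for this thread; not the posters' code. It parses the five
columns Windows `netstat -ano` prints (Proto, Local Address, Foreign
Address, State, PID; UDP lines have no State) and flags what an
administrator checking a compromised box would want to see first.
The sample output, baseline and watch list are constructed assumptions.
"""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

RDP_PORT = 3389
# Assumed baseline for the sample server: SMTP, RPC endpoint mapper, RDP.
EXPECTED_LISTENERS = {25, 135, 3389}
# Remote ports worth a second look; 6881-6889 is the traditional BitTorrent range.
WATCHED_REMOTE_PORTS = set(range(6881, 6890))

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _is_internal(ip):
    """RFC 1918 or loopback. Checked explicitly rather than with
    ip_address(ip).is_private, which also treats the documentation ranges
    used in the sample (e.g. 203.0.113.0/24) as private."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                      # '*' placeholder or junk
    return any(addr in net for net in INTERNAL_NETS)


def _split_endpoint(ep):
    """'192.0.2.10:3389' -> ('192.0.2.10', 3389); '*:*' -> ('*', None).
    IPv6 endpoints look like '[::]:135'; the port is after the last colon."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` text into Conn records, skipping banner/header."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # banner, blank or header line
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""                    # UDP has no State column
        else:
            continue                      # malformed line: ignore, do not guess
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def triage(conns, expected_listeners=EXPECTED_LISTENERS,
           watched_remote_ports=WATCHED_REMOTE_PORTS):
    """Return [(reason, Conn), ...] for sockets that deviate from the baseline."""
    findings = []
    for c in conns:
        if c.state == "LISTENING" or c.proto == "UDP":   # bound sockets
            if c.local_port not in expected_listeners:
                findings.append(("unexpected-listener", c))
        elif c.state == "ESTABLISHED":
            if c.local_port == RDP_PORT and not _is_internal(c.remote_ip):
                findings.append(("rdp-from-external", c))
            if c.remote_port in watched_remote_ports:
                findings.append(("watched-remote-port", c))
    return findings


def suspicious_pids(findings):
    """Process IDs behind the findings, for `tasklist /FI "PID eq N"`."""
    return sorted({c.pid for _, c in findings})


# Constructed sample output; addresses are from the documentation ranges.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       2284
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1340
  TCP    0.0.0.0:8100           0.0.0.0:0              LISTENING       5120
  TCP    192.0.2.10:3389        203.0.113.7:51823      ESTABLISHED     1340
  TCP    192.0.2.10:3389        10.0.0.5:49211         ESTABLISHED     1340
  TCP    192.0.2.10:49870       198.51.100.23:6881     ESTABLISHED     4412
  TCP    192.0.2.10:25          198.51.100.40:33120    ESTABLISHED     2284
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:3389           *:*                                    1340
  UDP    0.0.0.0:6881           *:*                                    4412
"""

if __name__ == "__main__":
    found = triage(parse_netstat(NETSTAT_SAMPLE))
    for reason, c in found:
        print(f"{reason:20} {c.proto} {c.local_ip}:{c.local_port} -> "
              f"{c.remote_ip}:{c.remote_port} pid={c.pid}")
    print("check these PIDs:", suspicious_pids(found))
```

On the sample this reports the unknown listener on 8100, the live RDP session from a non-private address, and the TCP and UDP sockets belonging to the torrent client, and hands back the three process IDs to look up with `tasklist /FI "PID eq <pid>"`. The value of the script is the baseline, not the parsing: the list of ports a server is supposed to serve should be written down while the server is healthy, so that a later comparison has something to compare against.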
     
  20. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,775
    Likes Received:
    6,307
    Home Page:
    Thanks jethro. Done another full check today and looks like we got rid of this guy.