server hacked into

Discussion in 'BlackHat Lounge' started by davids355, Jul 15, 2013.

  1. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,805
    Likes Received:
    6,372
    Home Page:
    Don't you just love it when you log into your server to be presented with a window open covered in Chinese writing, and in the middle of sniffing IP addresses for port 3389? Bitches.
     
  2. steelballs

    steelballs BANNED BANNED

    Joined:
    Dec 5, 2008
    Messages:
    1,832
    Likes Received:
    4,562
    Yes

    Chinese writing

    It is a bitch...:eek:
     
  3. derago21

    derago21 Jr. VIP Jr. VIP Premium Member

    Joined:
    Oct 24, 2010
    Messages:
    2,373
    Likes Received:
    1,193
    Gender:
    Male
    Occupation:
    Backlinker
    Location:
    Your Brain
    Time for a little clean up :)
     
  4. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,805
    Likes Received:
    6,372
    Home Page:
    Yeah, cleanup time :) Already changed the password to something more obscure, and looked for any other accounts created or weak accounts.
    Exported all security logs so I can check through all successful logins.
    Also discovered when they first got in and how - RDP by the looks of it.
    And also found their dictionary file - and lo and behold, it contained my (now changed) password :)

    Posted via Topify using iPhone/iPad
     
    • Thanks Thanks x 1
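The log review described in the post above (find the first successful RDP logon per source, and spot sources whose success came after a run of failures) is the kind of thing worth scripting once the export is in hand. This is an added example, not code from the thread; the export format is a constructed, simplified CSV with the fields that Security events 4624 (success) and 4625 (failure) carry, and the IP addresses are documentation ranges.

```python
import csv
import io
from collections import defaultdict

# Constructed, simplified export of Windows Security log events. A real Event
# Viewer export has more columns; 4624 = successful logon, 4625 = failed logon,
# and logon type 10 (RemoteInteractive) is what an RDP session produces.
SAMPLE_EXPORT = """time,event_id,account,logon_type,src_ip
2013-07-14T02:11:03,4625,administrator,10,203.0.113.7
2013-07-14T02:11:04,4625,administrator,10,203.0.113.7
2013-07-14T02:11:05,4625,admin,10,203.0.113.7
2013-07-14T02:11:06,4625,administrator,10,203.0.113.7
2013-07-14T02:11:08,4625,administrator,10,203.0.113.7
2013-07-14T02:11:09,4624,administrator,10,203.0.113.7
2013-07-14T09:30:00,4624,davids,10,198.51.100.5
2013-07-14T11:02:10,4625,davids,10,198.51.100.5
2013-07-14T11:02:40,4624,davids,10,198.51.100.5
2013-07-15T01:00:00,4624,administrator,10,203.0.113.7
"""

RDP_LOGON_TYPE = "10"

def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))

def rdp_logons(events):
    # Only RDP logons matter here; ISO timestamps sort correctly as strings.
    return sorted((e for e in events if e["logon_type"] == RDP_LOGON_TYPE),
                  key=lambda e: e["time"])

def first_success_per_source(events):
    """Earliest successful RDP logon per source address: when did each IP get in?"""
    first = {}
    for e in rdp_logons(events):
        if e["event_id"] == "4624" and e["src_ip"] not in first:
            first[e["src_ip"]] = (e["time"], e["account"])
    return first

def brute_force_sources(events, min_failures=3):
    """Sources whose first RDP success followed at least min_failures failures."""
    failures = defaultdict(int)
    flagged = {}
    for e in rdp_logons(events):
        ip = e["src_ip"]
        if e["event_id"] == "4625":
            failures[ip] += 1
        elif e["event_id"] == "4624" and failures[ip] >= min_failures and ip not in flagged:
            flagged[ip] = {"failures_before_success": failures[ip],
                           "first_success": e["time"], "account": e["account"]}
    return flagged
```

A single failed attempt followed by a success (the owner mistyping) is left alone; the threshold is what separates a typo from a dictionary run.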
  5. QuantumBlue Bulgaria

    QuantumBlue Bulgaria Junior Member

    Joined:
    Jul 1, 2013
    Messages:
    196
    Likes Received:
    31
    Occupation:
    Web development, PPC Management
    Location:
    Haskovo, Bulgaria
    Welp, it's a good thing you know what you needed to do right away. Others are not fortunate enough and all they can do for several minutes, even hours, is panic.
     
  6. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Premium Member

    Joined:
    Nov 10, 2012
    Messages:
    10,139
    Likes Received:
    28,607
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:
    If you feel like sharing the dictionary file let me know, I would like to add it to my collection.
    Before anybody asks, no I am using them for nefarious purposes, I have an interest in computer security.

    For those worried about their password security, here are some interesting articles:
    http://uwnthesis.wordpress.com/2012/08/30/top-10000-passwords-are-used-by-98-8-of-all-users/
    http://digitaljournal.com/article/335497
    http://xato.net/passwords/more-top-worst-passwords/
    http://www.visualizing.org/visualizations/top-1000-passwords
    http://dazzlepod.com/disclosure/
    http://www.skullsecurity.org/wiki/index.php/Passwords


    Edit : The line above should read "Before anybody asks, no I am NOT using them for nefarious purposes, I have an interest in computer security.
     
    • Thanks Thanks x 3
    Last edited: Jul 15, 2013
  7. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    8,953
    Likes Received:
    7,565
    Occupation:
    ZLinky2Buy SEO Services
    Location:
    ⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩⇩
    Home Page:
    Is it a cloud-based server? If so, I would dump it and start a new instance. You will never fully clean a hacked Windows OS. It's just Swiss cheese with its undeletable files, unstoppable services, infinitely complicated registry and you name it... My worst nightmare was to work in a Microsoft server rack years ago.
     
    • Thanks Thanks x 3
  8. Moosey

    Moosey Senior Member

    Joined:
    Dec 5, 2011
    Messages:
    1,043
    Likes Received:
    747
    That is the worst, be sure to change all of your passwords and such mate. Sorry to hear
     
  9. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,805
    Likes Received:
    6,372
    Home Page:
    Yes it is. But it is also a production environment, so hard to take down :(

    I will be monitoring everything for a few weeks - auditing logins etc., and looking for any back doors left open.
     
  10. antichrist

    antichrist Jr. VIP Jr. VIP

    Joined:
    Aug 21, 2012
    Messages:
    1,725
    Likes Received:
    2,078
    Location:
    On top of the world!
    Maybe this is a sign to learn Chinese XD
     
  11. davids355

    davids355 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 25, 2011
    Messages:
    8,805
    Likes Received:
    6,372
    Home Page:
    Lol yea.

    Posted via Topify using iPhone/iPad
     
  12. bizzid

    bizzid Newbie

    Joined:
    Jul 15, 2013
    Messages:
    23
    Likes Received:
    2
    I have already faced the problem... Now I am on a new server and making my passwords strong, but still I can't forget those days when I saw those hacked pages.
     
  13. JFoulds

    JFoulds Power Member

    Joined:
    Apr 22, 2011
    Messages:
    538
    Likes Received:
    480
    Occupation:
    Genius billionaire playboy philanthropist
    Not sure if this is still the case, but up until Windows 7 (maybe on Windows 7 as well...), just naming any .exe 'lsass.exe' meant that it was completely unable to be terminated - regardless of the checksum of the file.

    If that doesn't make you want to shoot the Windows developers in the face, I don't know what does...
     
    • Thanks Thanks x 1
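A defender-side check that follows from the observation above: if the OS treats anything named lsass.exe specially, the thing to hunt for is a second lsass.exe running from the wrong path or under the wrong parent. This is an added example, not code from the thread; the process snapshot is constructed, and the expected parent (wininit.exe) applies to Vista and later.

```python
# Constructed process snapshot (pid, image name, image path, parent pid). On a
# live host this would come from tasklist, Get-Process, Sysmon or EDR telemetry.
PROCESSES = [
    {"pid": 4,    "name": "System",       "path": "",                                      "ppid": 0},
    {"pid": 500,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe",      "ppid": 4},
    {"pid": 520,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe",        "ppid": 500},
    {"pid": 900,  "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",              "ppid": 880},
    {"pid": 3120, "name": "lsass.exe",    "path": r"C:\Users\Public\Downloads\lsass.exe",  "ppid": 900},
]

# The real LSASS: one instance, in System32, started by wininit.exe (Vista and later).
LEGIT_PATH = r"c:\windows\system32\lsass.exe"
LEGIT_PARENT = "wininit.exe"

def lsass_instances(processes):
    return [p for p in processes if p["name"].lower() == "lsass.exe"]

def suspicious_lsass(processes):
    """Return (findings, instance_count); each finding is (pid, [reasons])."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in lsass_instances(processes):
        reasons = []
        if p["path"].lower() != LEGIT_PATH:
            reasons.append("unexpected image path")
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<missing>"
        if parent_name != LEGIT_PARENT:
            reasons.append(f"unexpected parent {parent_name}")
        if reasons:
            findings.append((p["pid"], reasons))
    # More than one lsass.exe is itself a signal, whichever one turns out to be fake.
    return findings, len(lsass_instances(processes))
```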
  14. TheRealRazzy

    TheRealRazzy Jr. VIP Jr. VIP

    Joined:
    Mar 2, 2011
    Messages:
    1,464
    Likes Received:
    1,761
    Location:
    Chicago, IL
    Home Page:
    Daaaammmmmnnnnn dude, that sucks :(

    Good to see you caught it quick though :D

    lololol
     
    Last edited: Jul 15, 2013
  15. TheRealRazzy

    TheRealRazzy Jr. VIP Jr. VIP

    Joined:
    Mar 2, 2011
    Messages:
    1,464
    Likes Received:
    1,761
    Location:
    Chicago, IL
    Home Page:
    Whoops, I guess I could have just edited my previous post. Mods/Admin you can delete this if you see it.

    Sorry about that.
     
  16. dome.d0nkss

    dome.d0nkss BANNED BANNED

    Joined:
    Jul 4, 2013
    Messages:
    332
    Likes Received:
    78
    A few days ago I was hacked by a "terrorist" Algerian... I forgot his nickname, but he left a photo with one terrorist xD