server hacked -- need some advice

Networking/Security Forums -> Computer Forensics and Incident Response

Author: moondoggie PostPosted: Thu Apr 07, 2011 7:15 am    Post subject: server hacked -- need some advice
one of my clients noticed that their bandwidth was extremely slow and in the process of investigating this, i found a rogue svchost.exe process. when i traced it back to its source, it was running from the desktop of a user whose account i don't recall creating, but i'm not the only one with admin rights to the server, so it could have been done by anyone. as a precautionary measure, i disabled the account, changed the admin password and renamed the offending profile. i looked into a couple of the text files from the rogue account and found what looks like a brute force dictionary attack against the admin password. the file had a structure like this:



my questions are:
1. is there any benefit in having a forensic image taken of the server hard drive and having it analyzed?
2. if so, how would i accomplish this?
3. what can i do to detect if another rogue account gets created?
4. is there a way to audit if/when files are accessed and by what account in SBS2003?
5. is there any way of determining who created the account, or what date the account became active? i have a set of dates where it was obvious the account logged into the server, and a set of dates when the rogue svchost.exe was installed, but i'm not sure who gave this account domain admin rights or when.

Author: ryansuttonLocation: San Francisco, California PostPosted: Thu Apr 07, 2011 8:37 am    Post subject:
I would treat it the same as if a fellow IT admin was fired. Change *all* privileged account passwords. Audit your network for security holes, or hire someone to do this for you. That last sentence is short, but encompasses a lot of things. The only thing worse than getting hacked, is getting hacked twice.

In response to your questions:
1) I do not see any benefit justifying the cost
2) n/a
3) Setup account auditing in AD. It also wouldn't hurt to setup auditing of sensitive files/directories/shares.
4) You need to setup an auditing policy and then specify what you want audited. Make sure you audit both directory objects as well as files. This is well documented, take a look at Tech Center for info.
5) Unlikely, unless you already had auditing enabled.

Author: moondoggie PostPosted: Thu Apr 07, 2011 8:01 pm    Post subject:
i'll be heading back onsite there later today to set up the auditing. is there a good intrusion detection program i can also use to make sure this is not going to be a repeat offense?

Author: moondoggie PostPosted: Fri Apr 08, 2011 6:16 pm    Post subject:
ok, i turned on the auditing as shown via group policy, but when i went to create a test account it only showed that i had used mmc and not which module, and not for what purpose. how do i set up an auditing scheme to tell me if/when an account is created?

Author: ryansuttonLocation: San Francisco, California PostPosted: Fri Apr 08, 2011 8:35 pm    Post subject:
To setup auditing, it's a multi-step process:
1.Enable the auditing policy VIA the local DC policy
2.Enable auditing of specific OU's that you want audited
3.Test by creating a new account
4.Check the security event log to see if you are getting events. I recommend filtering by event ID as the security log is huge. For example, you should be able to filter by event 624 to show account creation events.

Did you complete all 4 steps?

Author: moondoggie PostPosted: Fri Apr 08, 2011 9:02 pm    Post subject:
apparently i had the wrong permissions set for auditing and it was only auditing permissions changes instead of creation/deletion of objects. all fixed now. thanks for the help!

Author: jemesright PostPosted: Thu Apr 28, 2011 7:07 am    Post subject:
I wholeheartedly agree with what said about finding a new provider as you definitely need 24 hours around the clock support for issues such as hardware failures or other matters where you need critical support right away and if they are not providing that then I would definitely be looking elsewhere.

Now regard to the matter of your security, if your data center did not say what they did or what the problem was, I would serious be concerned with their handling of the matter or competence particularly given that you now say that you have been "hacked again".

Did they run scans for exploits? Rootkits? Etc?

What exactly was done after the first attack?

Now granted that most data center technicians are not security experts but they should have at least told you what they did do towards trying to resolve your situation or what they found out about your server.

Fortunately, you do not have to wait for them to open and I am sorry I did not see your post 2 hours ago because I certainly would have responded then as I can get to the bottom of how you server was hacked, what problems you have, and help you take necessary steps to help you make sure you don't go do this all over again a third time.

At this point, you need a detailed intensive assessment of your server because if it's been compromised twice now, there is a very high probability that your server has already been rooted and that is something that you most certainly need to know ASAP and depending on your server's current situation you may or may not look at reloading things and definitely want to do a full security review and closely examine all your activity logs everywhere.

Networking/Security Forums -> Computer Forensics and Incident Response

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group