Hi,

I have a Win2k server which until recently had no problems.
Two weeks ago I installed all available updates, including SP4.
I then went on holiday for a week.
In that time, my machine was hacked using the DCOM exploit.
It shows up in the event log as DCOM calls, then RPC stops working and
gradually all the web sites fail as visitors access them.
I had no idea what had happened, and didn't realise that my machine had been
hacked.
However, I installed the two critical updates on the server which became
available through Windows Update last week.
The RPC/DCOM problem still happened after that though, so I installed the MS03-026
patch on its own.
After that the RPC/DCOM exploit happened again, so I can only presume that
the Microsoft patch did not fix my server.
In hindsight, perhaps this was the result of something the hackers did.
Anyway, as the websites kept failing (the server was OK apart from IIS) I
kept investigating.
I searched for files which had been created in the last week, and guess what
I found...
A whole stack of German DVDs, an FTP server, a back door service, and
other dodgy files.
I have since removed the files and re-secured the server as much as
possible. Clearly the only real option is to reformat the drive, but I am
hoping that perhaps the hackers will leave me alone as I discovered the FTP
stuff quickly.
On my travels, though, I thought I'd see exactly how the hackers are doing
this stuff, seeing as this information would clearly be useful to protect a
system. The most interesting site I found was a site (I was going to mention
it, but I'd better not) which literally had code to perform the DCOM exploit
and also a port scanner, 'X-Scan', to locate vulnerable computers.
Microsoft really needs to be looking at this site in particular, as most
other sites seem to get their info from it.
Additionally, the site also mentions that the MS03-026 fix does not fix all
systems.
To summarise, this is an extremely dodgy business to be in, and all I can
suggest is a Ghost-type backup every night to save massive reconfiguring!
Any comments are welcome!

JJ
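The poster's most useful step was searching for files created in the last week. Below is an added example (not code from the original post) of the same triage as a small script: it walks a tree, keeps only files modified within the last N days, flags extensions commonly left behind by intruders (binaries, archives, media drops on a warez FTP), hashes each hit, and lists flagged files first. The directory layout, file names, extension list and timestamps in demo() are constructed sample data, not evidence from the poster's server.

```python
"""Triage helper: list files modified within the last N days under a tree.

Added example, not from the original post. SUSPECT_EXT, demo() and the sample
tree it builds are assumptions chosen for illustration.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# Extensions worth a second look on a compromised IIS box (assumed list).
SUSPECT_EXT = {".exe", ".dll", ".bat", ".cmd", ".vbs", ".scr",
               ".rar", ".zip", ".iso", ".avi", ".mpg"}


@dataclass
class Finding:
    path: str
    mtime: float
    size: int
    flagged: bool
    sha1: str


def _sha1(path: str) -> str:
    """Hash the file so each hit can be compared against known-bad lists."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def recent_files(root: str, days: float, now: Optional[float] = None) -> List[Finding]:
    """Return files under root whose mtime is within the last `days` days.

    Uses st_mtime because it is portable; an intruder can reset timestamps, so
    on NTFS also compare against the $STANDARD_INFORMATION/$FILE_NAME times
    with a forensic tool rather than trusting this listing alone.
    """
    cutoff = (now if now is not None else time.time()) - days * 86400
    hits: List[Finding] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                st = os.stat(p)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort
            if st.st_mtime < cutoff:
                continue
            ext = os.path.splitext(name)[1].lower()
            hits.append(Finding(p, st.st_mtime, st.st_size, ext in SUSPECT_EXT, _sha1(p)))
    # Flagged files first, newest first within each group.
    hits.sort(key=lambda f: (not f.flagged, -f.mtime))
    return hits


def demo(days: float = 7) -> List[Finding]:
    """Build a constructed sample tree and run the scan against it."""
    now = 1_700_000_000.0  # fixed reference time so results are reproducible
    base = tempfile.mkdtemp(prefix="triage_")
    sample = {  # relative path -> age in days (constructed data)
        "inetpub/wwwroot/default.htm": 30,
        "winnt/system32/kernel32.dll": 400,   # old system file: not recent
        "inetpub/wwwroot/news.htm": 1,        # recent but benign extension
        "inetpub/ftproot/tagged/dvd1.rar": 1,  # recent warez drop
        "inetpub/wwwroot/images/serv.exe": 2,  # recent dropped FTP server
        "winnt/system32/svc.exe": 3,           # recent back door service
    }
    for rel, age in sample.items():
        p = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(rel.encode())
        ts = now - age * 86400
        os.utime(p, (ts, ts))
    return recent_files(base, days, now=now)


if __name__ == "__main__":
    for f in demo():
        tag = "SUSPECT" if f.flagged else "       "
        print(f"{tag} {time.strftime('%Y-%m-%d', time.gmtime(f.mtime))} "
              f"{f.size:>8} {f.sha1[:12]} {f.path}")
```

Run it against the real root (for example `recent_files(r"C:\", 7)`) from a known-good boot environment rather than the compromised OS, since a back door service can hide files from the live system; and treat the listing as a starting point for reimaging, not as proof the box is clean.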