
Help! I've been hacked!


Busby
04-08-2010, 10:49
Hi ictdude, thanks for the answer..

The windows servers are used for the playout systems for my radio station and I also stream off them..

ictdude
04-08-2010, 10:27
Quote Originally Posted by Busby
It seems to be mostly Trojans. I used Trend Micro on-line scanner to remove them and closed a few exceptions in the firewall, changed the admin password and have now been clean for 24 hours..

I'm not counting any chickens yet, but it's best to have the peace of mind that I have antivirus taking care of things when I'm not around..

I have 3 Windows servers at the moment and if I do a port scan on 2 of them it shows most ports as 'closed'. However, on the server I am having problems with, the port scanner just gives a 'timed out' message on the closed ports - is that correct?
You can also use TCPView (http://technet.microsoft.com/en-us/s.../bb897437.aspx): if there are some chickens trying to make a connection to the outside world, this program shows all open connections.

What is the main task those Windows servers do? Hosting?

Busby
03-08-2010, 21:25
Quote Originally Posted by ictdude
Is it a virus or a trojan? This program also cleans a lot of trojans: http://www.malwarebytes.org/
I used it a lot of times, also with fake virus software scanners bugging some friends of mine. See if it finds some trojans. Well, just give it a try.
Is your system already clean? Or do you now need a good virus/trojan scanner? Intrusion detection system?
It seems to be mostly Trojans. I used Trend Micro on-line scanner to remove them and closed a few exceptions in the firewall, changed the admin password and have now been clean for 24 hours..

I'm not counting any chickens yet, but it's best to have the peace of mind that I have antivirus taking care of things when I'm not around..

I have 3 Windows servers at the moment and if I do a port scan on 2 of them it shows most ports as 'closed'. However, on the server I am having problems with, the port scanner just gives a 'timed out' message on the closed ports - is that correct?

ictdude
03-08-2010, 21:12
Quote Originally Posted by Busby
Still not found a suitable anti-virus that will work on Server 2003 standard that doesn't cost hundreds of pounds!

Anyone else got any suggestions please?
Is it a virus or a trojan? This program also cleans a lot of trojans: http://www.malwarebytes.org/
I used it a lot of times, also with fake virus software scanners bugging some friends of mine. See if it finds some trojans. Well, just give it a try.
Is your system already clean? Or do you now need a good virus/trojan scanner? Intrusion detection system?

Busby
02-08-2010, 20:22
Still not found a suitable anti-virus that will work on Server 2003 standard that doesn't cost hundreds of pounds!

Anyone else got any suggestions please?

Myatu
21-07-2010, 22:46
Don't worry. It's a learning process. Can't expect yourself to be an expert from the beginning.

You can make Apache listen on 127.0.0.1 only - this means it will not be accessible from the outside world, at least not without some help. Have a look at this section of the Apache 2 manual: http://httpd.apache.org/docs/2.1/bind.html

Busby
21-07-2010, 22:40
God! I am a nervous wreck! Looks like I seriously underestimated the threat running my own server poses..

Is it possible to run Apache without it being accessible to the world? In other words, it's accessible/viewable only when logged on via RDP, or is that not feasible/still risky?

Myatu
21-07-2010, 21:49
Quote Originally Posted by Busby
Well in spite of all that, all my software was up to date, and I had a firewall in place. However, in future, I won't be running Apache on my Windows server!
Apache itself is quite secure. It's more how it is used that causes issues. For example, you might be using it to run a PHP-based site: you may have configured PHP to be insecure (allow reading/writing to any directory) and/or there's a security issue with the PHP-based site itself. But as mentioned before, if you really don't need it - either disable it, don't install it to begin with or alternatively, let it listen only on 127.0.0.1 (good if you're testing things).

Also, keep in mind SSH. A lot - and I mean, A LOT - of rogue people will make this their 1st target to get into your system. If you have an easy to guess password, it'll be a matter of minutes. Best not to use a password at all but a certificate.

Lastly, Windows has RDP and that can also be a major security risk if not properly configured.

ictdude
21-07-2010, 14:59
Quote Originally Posted by Busby
Well in spite of all that, all my software was up to date, and I had a firewall in place. However, in future, I won't be running Apache on my Windows server!
Maybe off topic, but if you did run Apache, why don't you use Linux?
I did use Windows servers in the past. But I did learn Linux and must say I am really happy with it. Okay, you also need to secure Linux. But I had less downtime and much better performance. Also, in the past I did use Microsoft Terminal Server. But for a long time I have been using NX Server Linux terminal server.
It's not the http://www.nomachine.com/ one; the free version has only 2 user accounts. I use http://freenx.berlios.de/
It's complicated to install, a pain in the ass. But I have it running smoothly and am happy with it. No user license needed, all GPL. And if users need Microsoft apps, I have it solved with this: http://www.winehq.org/

Busby
21-07-2010, 13:59
Quote Originally Posted by ictdude
Yes, you are 100% right. If Apache port 80 is open, hackers still try to find a vulnerability in that software. It's just that some people have no firewall at all and that's asking for trouble. You always have to be aware of updates and security stuff. Then at least you give a hacker a hard time to get into your system. And check your log files to see what's up and use monitoring systems like Nagios. I have it running too. Security is just too serious to ignore...
Well in spite of all that, all my software was up to date, and I had a firewall in place. However, in future, I won't be running Apache on my Windows server!

ictdude
21-07-2010, 13:50
Quote Originally Posted by Winit
Firewall ain't gonna do jack if a vulnerable program is listening on an open port.

The main point here is to keep all software up to date and have a clue before putting a server on the interwebz.

Yes, you are 100% right. If Apache port 80 is open, hackers still try to find a vulnerability in that software. It's just that some people have no firewall at all and that's asking for trouble. You always have to be aware of updates and security stuff. Then at least you give a hacker a hard time to get into your system. And check your log files to see what's up and use monitoring systems like Nagios. I have it running too. Security is just too serious to ignore...

Myatu
20-07-2010, 22:12
YouWhat has posted about one in this topic: http://forum.ovh.co.uk/showthread.php?t=3552 - though it's about a beta product, so do not rely on it 100% for all your protection needs.

Trend Micro has also provided an on-demand scanner for several years now, which is free: http://housecall.trendmicro.com/uk/. It's "on-demand" in that it does not scan your system at a determined schedule or whenever you start an application/modify a file. So this could be good for periodic checks in addition to ESET.

PS: If you do want something that works well specifically for Windows Servers and don't mind paying a modest price for what you get, I would recommend Kaspersky (http://www.kaspersky.com/anti-virus_windows_server)

Busby
20-07-2010, 21:59
Don't laugh, but can anyone recommend an antivirus which will work on a server and not cost an arm and a leg?

No really, I didn't have one because I thought I didn't need one on a server ;(

Myatu
20-07-2010, 21:37
Quote Originally Posted by Busby
You have all been very helpful and its much appreciated!

As I am a novice myself, I will get some help to make my servers more secure..
Not to worry, it happens to all of us. I've had my share. But you do learn from it! Hope you get it back up and running again...

Busby
20-07-2010, 20:19
You have all been very helpful and its much appreciated!

As I am a novice myself, I will get some help to make my servers more secure..

Winit
20-07-2010, 20:00
Quote Originally Posted by ictdude
What defense systems, like firewall or intrusion detection, do you use?
And do you have a good backup strategy? So you could restore all before the infection and then re-check your security policy? Always close all ports and services you don't use. And protect your server against ICMP. Hackers a lot of times find hosts by using ICMP (PING) and then check for open ports.
Don't forget to have complicated passwords. Mmmh, the world is full of Pirates...
Myatu also gives some good advice.

You can check this site as a tool: http://www.grc.com/default.htm
Firewall ain't gonna do jack if a vulnerable program is listening on an open port.

The main point here is to keep all software up to date and have a clue before putting a server on the interwebz.

Busby
20-07-2010, 10:34
Hi Neil

Thanks for the reply..

I have sent ticket No. 497072 for your attention.

Neil
20-07-2010, 09:53
Quote Originally Posted by Busby
Thanks for your reply ictdude..

One thing is clear - I am way out of my depth!

If anyone can help remove 'dfind.exe' for me, please pm me asap..

Thanks again
You can boot the server into 'WinRescue' in the OVH Manager and then run the Anti Virus program, which may help in the removal of it.

Busby
20-07-2010, 00:46
Thanks for your reply ictdude..

One thing is clear - I am way out of my depth!

If anyone can help remove 'dfind.exe' for me, please pm me asap..

Thanks again

ictdude
19-07-2010, 23:45
Quote Originally Posted by Busby
Thanks for the detailed response!

I was hoping that I wouldn't have to wipe the server as its running my own copy of Windows Server, plus 3 licensed programmes which need to be de-activated before any re-install..

Nightmare!

Any more suggestions would be most welcome
What defense systems, like firewall or intrusion detection, do you use?
And do you have a good backup strategy? So you could restore all before the infection and then re-check your security policy? Always close all ports and services you don't use. And protect your server against ICMP. Hackers a lot of times find hosts by using ICMP (PING) and then check for open ports.
Don't forget to have complicated passwords. Mmmh, the world is full of Pirates...
Myatu also gives some good advice.

You can check this site as a tool: http://www.grc.com/default.htm

Busby
19-07-2010, 21:35
Thanks for the detailed response!

I was hoping that I wouldn't have to wipe the server as its running my own copy of Windows Server, plus 3 licensed programmes which need to be de-activated before any re-install..

Nightmare!

Any more suggestions would be most welcome

Myatu
19-07-2010, 21:05
Right, so this makes it a more delicate issue then (I had thought you were receiving those scans).

On the upside, most decent Anti Virus scanners will catch the culprit (by default it's named "dfind.exe" - but obviously it's easy enough to obscure that name).

On the downside, your server must indeed have been compromised in order for someone to be able to upload an executable to it and then be able to run it.

The problem now becomes: what else has been compromised and will the anti-virus or a malware scanner find it all? Hence OVH prefers you wipe and secure it before using it again.

The one thing I can recommend here is to make a backup of your most important files -- you should still be able to access your server through a Rescue Mode if I am not mistaken (see the OVH Manager, dedicated server, services, boot options and restart). Then wipe, secure (anti virus!) and then restore the backup of your files.

But... there may be other suggestions as well from others (Andy is the resident Windows Guru here), so hopefully there's a better alternative.

Busby
19-07-2010, 20:50
Yes, it is..

I assume from that it's my machine that's doing the scanning.

I know very little [nothing really], but I would imagine OVH wouldn't have an issue if they were inbound to me..

Myatu
19-07-2010, 20:46
Ah, the plot thickens... Is "91.121.136.191" *YOUR* IP?

Busby
19-07-2010, 20:39
Thanks Myatu, for your kind reply..

Sadly, OVH have taken the server down and want to wipe it! Do you have any suggestions please, or do you know anyone who would look at it for me?

Thanks again..

Myatu
19-07-2010, 20:33
These are outdated "vulnerability scans", as recently discussed in this topic also: http://forum.ovh.co.uk/showthread.php?t=4330

Rule of thumb: If you don't need it, don't install / enable it. So in your case, if you don't really use Apache, simply turn it off or uninstall it. The scans will undoubtedly continue, as they have for the past few years, but with nothing there that could be a potential vulnerability, it would be a non-issue.

Busby
19-07-2010, 19:49
I can almost hear the groans, but yes, another hacked server.. Can anyone help please?

The server is running Windows Server 2003, with a firewall.. I also have Apache running, which I don't really need. The question is, if I turn Apache off, will that solve the problem?

Here are the logs:

/var/log/httpd/error_log.1:[Thu Jul 15 12:48:27 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 12:57:01 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 13:05:34 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 13:13:45 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 13:22:20 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 13:30:54 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 13:39:31 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 13:48:08 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 13:56:50 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 14:05:23 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 14:14:00 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 16:08:01 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 16:16:34 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 16:25:06 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 16:33:41 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 16:42:18 2010] [error] [client 91.121.136.191] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind

Many thanks in advance..
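The thread turns on one question about these log lines: is the client IP in the w00tw00t/DFind entries yours (your host is the scanner, as it was here) or someone else's (routine background scanning against you)? This added example, not code from the original post or from OVH, parses Apache error_log lines in the exact format quoted above and answers that question; the sample lines and IP addresses in it are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread: grep output of an
# Apache error_log (file prefix, timestamp, client IP, message). The IPs are
# documentation addresses, not real hosts.
SAMPLE_LOG = """\
/var/log/httpd/error_log.1:[Thu Jul 15 12:48:27 2010] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 12:57:01 2010] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
/var/log/httpd/error_log.1:[Thu Jul 15 13:02:10 2010] [error] [client 203.0.113.9] File does not exist: /var/www/html/favicon.ico
[Thu Jul 15 13:05:34 2010] [error] [client 192.0.2.44] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind
"""

# Optional "file:" prefix from grep, then the Apache 2.2 error_log fields.
LINE_RE = re.compile(
    r"^(?:\S+?:)?\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)
PROBE_MARK = "w00tw00t.at.ISC.SANS.DFind"  # request path the DFind scanner sends


def parse_probes(log_text):
    """Return (timestamp, client_ip) for every line that is a DFind probe."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and PROBE_MARK in m.group("msg"):
            hits.append((m.group("ts"), m.group("ip")))
    return hits


def assess(log_text, own_ips):
    """Count probes per source IP and classify what the log means.

    own_ips: addresses of the servers you operate. A probe whose client IP is
    one of them means the log came from a host you scanned, so your server is
    the scanner (the situation in this thread), not the target.
    """
    counts = Counter(ip for _, ip in parse_probes(log_text))
    own = set(own_ips)
    report = {
        "inbound": {ip: n for ip, n in counts.items() if ip not in own},
        "from_self": {ip: n for ip, n in counts.items() if ip in own},
    }
    if report["from_self"]:
        report["verdict"] = "compromised"       # your server is sending the probes
    elif report["inbound"]:
        report["verdict"] = "background-noise"  # routine scans hitting you
    else:
        report["verdict"] = "clean"
    return report
```

Run `assess(open("error_log").read(), own_ips=["<your server IP>"])` against a log you received in an abuse report; a non-empty `from_self` is the case Myatu describes, where the host should be treated as compromised rather than merely scanned.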