Re: Server hacked/being used as spammers haven...




I would call PSS Security at 1-866pcsafety. Ask for someone in PSS Security to look at this server.

Given its position in the DMZ, and not being sure what (if any) firewall has been protecting it, your best bet is to have someone review the box in detail.

Leythos wrote:
In article <exhDOLhJIHA.2480@xxxxxxxxxxxxxxxxxxxx>, tech_support@xxxxxxxxxx says...
So from what I've gathered, I have no choice but to reinstall?

The firewall product is a D-Link WBR-2310. From what I've been reading, people have had problems with this router and allowing VPN to Windows.

That device is a SIMPLE NAT ROUTER, it's not even close to being a firewall.

So, because of that we decided to allow DMZ to have this work. DMZ wasn't on originally...

The DMZ is not a protected area, it allows ALL internet traffic to your server - and that's VERY BAD - you may as well have just connected it directly to the internet and put out a sign that says FREE SERVER - HACK HERE.

A real DMZ has the same level of protection as a LAN, but you only get that if you have a Firewall and not a NAT router.

Sounds like I need to revert to our original VPN (3Com OfficeConnect) to at least stop all of these connections, then find a way to clear it up...

No, you need a real firewall, and then go with a single NIC and then you can VPN into the firewall itself, then create rules in the firewall that allow access to the network. Real firewalls also allow many outbound VPN connections without causing problems.

The problem started when the 3Com wouldn't allow multiple VPN connections from the same IP address... or we gathered it was the 3Com because of the issues we had... so we changed the VPN to be handled from the 3Com to RRAS. When we couldn't get RRAS to work through the 3Com VPN, I decided to pick up a new router (D-Link as listed above)... when the D-Link wouldn't allow VPN through (even though the settings say it does), we tested by turning on DMZ... and thus it worked so we left it... Obviously something caused the server to be compromised...

That's because neither the 3Com nor the D-Link are firewalls, they are cheap NAT routers and most of those devices have problems and need workarounds to get more than 2 VPNs to work at the same time - if you can even get more than 2 working at the same time.

Look at something like the WatchGuard X550e or the X750e appliance, not cheap, but it will do a LOT to protect you.

At this point, if it was my server, I would wipe it and rebuild it in a CLEAN network.



