Re: Hacked Server
- From: "Brian Cryer" <brianc@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 21 Nov 2007 09:17:31 -0000
"Geoff" <Geoff@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D38D4538-8AED-432A-8F62-5303EDED5EF0@xxxxxxxxxxxxxxxx
> Hello All,
> We run a SBS 2003 Box with 2 NIC connected to the net via a fairly std ADSL
> Router. Two days ago I saw a lot of failed logon attempts in the logs.
> Yesterday when I came in the server had been shut down.
> I renamed the admin account and changed the password, closed all router
> ports apart from VPN and RWW, ran full scans for viruses, trojans etc.,
> disabled all remote access permissions for all other accounts.
> This morning it's happened again? I have to assume that whoever did this the
> first time left some back door that I did not find so they could do it
> again.
> Can anyone point me in the right direction?

If you go back through the event logs do you see a reason for why it was
shut down? Was it unexpected, i.e. hardware or power failure, or a "normal"
shutdown?

If you think it might be someone connecting from the internet, then why not
power down the router overnight and see if it still happens. (Assuming you use
Exchange then you shouldn't lose emails for one night's downtime, they
should remain queued up by the sending server - but it might be inconvenient
for those using VPN and RWW.)

Another suggestion, if you think that you might have an account that has
been hacked then I suggest you force *all* users with any form of remote
access to change their passwords. Thinking of which, according to the logs
was anyone connected remotely when the server went down?
--
Brian Cryer
www.cryer.co.uk/brian
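
The two log checks raised in the reply above (was each shutdown requested or unexpected, and who was connected remotely at the time), as an added example that is not part of the original post. It assumes the System and Security logs have been exported to CSV with the column order shown; the sample rows, user names and logon IDs are constructed.

```python
import csv
import io

# Constructed sample export (not from the thread).
# Assumed columns: time, log, event ID, user, logon type, logon ID.
SAMPLE = """\
2007-11-20 18:02:11,Security,528,jsmith,10,0x3e1a
2007-11-20 18:40:03,Security,538,jsmith,10,0x3e1a
2007-11-20 23:15:42,Security,529,Administrator,10,
2007-11-20 23:16:20,Security,528,backupsvc,10,0x51c7
2007-11-20 23:19:05,System,1074,backupsvc,,
2007-11-21 08:31:00,System,6008,,,
"""

# System log: 1074 = shutdown/restart initiated, 6008 = previous shutdown unexpected.
SHUTDOWNS = {
    1074: "requested by a user or process",
    6008: "unexpected (crash or power loss), recorded at the next boot",
}
REMOTE_TYPES = {"3", "10"}  # 3 = network, 10 = RemoteInteractive (Terminal Services)
LOGON, LOGOFF = {528, 540}, {538, 551}  # Server 2003 Security log event IDs


def triage(export_text):
    """Return one dict per shutdown: when, why, who asked, who was connected remotely."""
    open_sessions = {}  # logon ID -> user
    findings = []
    for when, log, event_id, user, logon_type, logon_id in csv.reader(io.StringIO(export_text)):
        event_id = int(event_id)
        if log == "Security" and event_id in LOGON and logon_type in REMOTE_TYPES:
            open_sessions[logon_id] = user
        elif log == "Security" and event_id in LOGOFF:
            open_sessions.pop(logon_id, None)
        elif log == "System" and event_id in SHUTDOWNS:
            findings.append({
                "time": when,
                "kind": SHUTDOWNS[event_id],
                "requested_by": user or None,
                "remote_users": sorted(set(open_sessions.values())),
            })
            open_sessions.clear()  # a shutdown ends every session
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A requested shutdown whose `requested_by` account also appears in `remote_users` points at that account's credentials, which is the case where forcing password changes for every remote-access user matters most.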