Windows 2003 , MSDE 2000, Terminal Services

  • Thread starter nick.kernick@gmail.com
  • Start date
N

nick.kernick@gmail.com

My server is being hacked. User from Hong Kong [kenny] he emailed me
Created user "asp.net" gave it admin rights, then logged on using
terminal services. I restricted TS to my IP, he came in as the
server???

Has anybody got any ideas how this can happen? Iam at a loss and
tried everything from renaming admin, firewall, disabling everything
in IIS apart from ASP.

thanks
 
M

Malke

nick.kernick@gmail.com wrote:
> My server is being hacked. User from Hong Kong [kenny] he emailed me
> Created user "asp.net" gave it admin rights, then logged on using
> terminal services. I restricted TS to my IP, he came in as the
> server???
>
> Has anybody got any ideas how this can happen? Iam at a loss and
> tried everything from renaming admin, firewall, disabling everything
> in IIS apart from ASP.

In practical terms you only have one course of action: flatten the
server and reinstall. Hopefully you took an image and can use that to
quickly get up and running again. If not, as a systems administrator you
should make regular imaging part of your normal routine.

As for how it happened, obviously your network and/or programs, OS are
not secure. There is no way for people just reading about it on a
newsgroup to know the details. Hire an outside professional to come
on-site and set you up properly. This will not be someone from
BigComputerStore/GeekSquad but a computer professional with skills in
setting up servers.

Since your server is compromised, you also need to check all
workstations for infection. This is a big job but not one that you
should skip.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
A

Anteaus

Malke's comments are good. The main thing I'd add is that you need to be a
LOT more careful with security on any server which allows outside access,
than on one which is purely serving LAN users. If not needed, disable
Terminal Services, or firewall it so that only the LAN can access. If you
need remote access, then use a secure tunnelling protocol, and/or a
sophisticated firewall which will allow you to properly restrict access to
one remote IP.

Also, remote access is only as secure as the weakest user/password combo
with remote permissions. If one user with remote permission has a guessable
password, then the whole system is weak.

Also, noting IIS, you should never,never serve an Internet-visible website
from a fileserver inside the firewall. For this kind of duty you would be
better using a separate machine as a DMZ. If licensing cost is an issue, then
Linux is ideal for webserving.

nick.kernick@gmail.com wrote:
> > My server is being hacked. User from Hong Kong [kenny] he emailed me
> > Created user "asp.net" gave it admin rights, then logged on using
> > terminal services. I restricted TS to my IP, he came in as the
> > server???
 
You must log in or register to reply here.

Similar threads

W
NO access to any device and settings hidden and not accessible by myself
Replies
0
Views
510
whitneyulfig#mom2
W
R
Microsoft Released Windows CLU kb4577063_buildno_19041.546 to Windows 10 v2004 20H1 and buildno_19042.546 to Windows 10 v2004 20H2 and to Windows 10 s
Replies
0
Views
441
RAJU.MSC.MATHEMATICS
R
B
Weird issue with standard application
Replies
0
Views
195
blind3d2019
B
Server Man
Announcing the general availability of Windows Admin Center, version 1910
Replies
0
Views
491
Server Man
Server Man
M
Announcing the general availability of Windows Admin Center, version 1910
Replies
0
Views
450
Microsoft Windows Server Team
M
Back
Top Bottom