Reseller Hosting, Shared Hosting, Dedicated Hosting by Vortech Inc.


Network / Server Status Please check often for network / Server updates here!

#16
08-17-2005, 05:04 PM
Jim Nayzium
Vortech Inc. Customer
 
I clicked on the ID numbers and saw nothing with NT at the beginning... where would I go exactly? Forgive the idiotness... I am very green.
Reply With Quote
#17
08-17-2005, 05:06 PM
dpyers
Vortech Inc. Customer
 
Quote:
Originally Posted by drobee
What's the easiest way to determine which users are on NT33?
If you know their domains, entering a fictitious subdomain (http://XX.example.com) in a browser will return the server for domains hosted on NT.
Reply With Quote
#18
08-17-2005, 05:10 PM
Jim Nayzium
Vortech Inc. Customer
 
ok,

I entered XX@blueeyedpanda.com and it went straight to my normal blueeyedpanda.com??

Sorry again. Will try a different browser.
Reply With Quote
#19
08-17-2005, 05:12 PM
dpyers
Vortech Inc. Customer
 
edited my post to change the @ to a .
sorry
Reply With Quote
#20
08-17-2005, 05:12 PM
Jim Nayzium
Vortech Inc. Customer
 
OK, wow, the email message used an @ sign instead of a . syntax... I am a moron
Reply With Quote
#21
08-17-2005, 05:13 PM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer
Location: New Zealand (Wellington)
I highly recommend that you all set up HSphere to send you a copy of all signup emails; you can then store them in a folder and very easily search these emails to get a list of customers on any one server (the standard signup email has the server name/alias they're assigned as the FTP URL). Doing this I found all my affected customers in just a few seconds.
Reply With Quote
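The search described in post #21, as an added example that is not part of the original thread and is not H-Sphere code: it groups customer domains by the server alias found in each saved signup mail. The mail layout (a "Domain:" line and an ftp:// URL), the sample messages and all host names are constructed assumptions.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed signup mails; the body layout (a "Domain:" line and an ftp:// URL
# naming the assigned server) is an assumption, not H-Sphere's actual template.
SAMPLE_MAILS = [
    "Subject: New signup\n\nDomain: customer-a.example\nFTP URL: ftp://nt33.host.example/\n",
    "Subject: New signup\n\nDomain: customer-b.example\nFTP URL: ftp://nt4.host.example/\n",
    "Subject: New signup\n\nDomain: Customer-C.example\nFTP URL: ftp://NT33.host.example\n",
    "Subject: Invoice\n\nDomain: customer-d.example\nNo server details here.\n",
]

# First label of the FTP host is taken as the server alias (e.g. "nt33").
FTP_URL = re.compile(r"ftp://([a-z0-9-]+)[a-z0-9.-]*", re.IGNORECASE)
DOMAIN = re.compile(r"^Domain:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def accounts_by_server(raw_mails):
    """Return ({server alias: sorted customer domains}, mails that did not parse)."""
    servers = defaultdict(set)
    unparsed = []
    for raw in raw_mails:
        body = message_from_string(raw).get_payload()  # plain-text mails assumed
        ftp, dom = FTP_URL.search(body), DOMAIN.search(body)
        if ftp and dom:
            servers[ftp.group(1).upper()].add(dom.group(1).lower())
        else:
            unparsed.append(raw)  # keep for manual review rather than dropping
    return {s: sorted(d) for s, d in servers.items()}, unparsed


def affected(raw_mails, server):
    """Customer domains whose signup mail names the given server alias."""
    by_server, _ = accounts_by_server(raw_mails)
    return by_server.get(server.upper(), [])


if __name__ == "__main__":
    print("On NT33:", affected(SAMPLE_MAILS, "nt33"))
    print("Needs manual review:", len(accounts_by_server(SAMPLE_MAILS)[1]))
```

Mails that carry no recognisable server line are returned separately so that an account is never silently left out of the notification list.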
#22
08-17-2005, 05:14 PM
Jim Nayzium
Vortech Inc. Customer
 
thanks for the help.

All said either NT4 or NT17, so I have no worries, correct?
Reply With Quote
#23
08-17-2005, 05:17 PM
devorem
"right to lifer"
Vortech Inc. Customer
Location: Cow Country, USA
right
Reply With Quote
#24
08-17-2005, 05:18 PM
Jim Nayzium
Vortech Inc. Customer
 
I do have it send them emails...good idea
Reply With Quote
#25
08-17-2005, 05:48 PM
admin
Vortech Inc. Owner
Location: Orlando FL
Quote:
Originally Posted by devorem
I couldn't tell you for sure if it was related or not, but one of my clients (on NT33) had their index.htm file replaced over the weekend with one that featured some gruesome pictures of mutilated children and it said:

YOU ARE CAUSE OF ALL THAT HAPPENED

FOR IRAQ,

FOR AFGHANISTAN,

FOR PALESTINE,

FOR ALL COUNTRIES UNDER SIEGE LIKE ABOVE.

TO BE CONTINUED...

HACKED BY Cool_Baby & sanaleskiya

TURKISH HACKERS

I was able to replace the file with a copy from Google cache. Apparently, my client didn't catch it in time and the hacked copy had already been backed up so Vortech wasn't able to restore it. I bought a copy of "Site Shelter" to back up my client's sites as a result of all of this.


I don't think this came from the same group or attackers. They started their little mess around 1:30pm yesterday. But I would for sure change their password.
__________________
Brad Pugh
http://www.vortechhosting.com
------

Local System/Network Monitor
http://nagios.hsphere.cc/
Login:guest Pass:guest
XML FEED http://nagios.hsphere.cc/feed.xml
------

My Other Life:
Reply With Quote
#26
08-17-2005, 06:51 PM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer
Location: New Zealand (Wellington)
You say attack, but are you sure this wasn't just the two variant worms that got into the wild yesterday? ... From the little you've said about it, it sounds like it may have been.
Reply With Quote
#27
08-17-2005, 11:27 PM
craigdunlop
Vortech Inc. Customer
 
What data would have been exposed to these hackers? Is it just the data/databases of these accounts on NT33 or is it also their account information that HSPhere stores, such as user details, passwords, etc.? Does this mean it stores these on each local machine unencrypted? If I use an SSL CP, would that have helped to prevent their account details being pilfered?
Reply With Quote
#28
08-18-2005, 04:39 AM
byron
BANNED
Location: Winter Park, FL
These were not the recent worms, because the worms affect RPC and cause unattended shutdowns and other less-critical annoyances. This was more of a backdoor/Trojan type of exploit that offered the hacker remote access, which they used to install other agents that basically "sniffed" out information over a 24-48 hour period before it was discovered and removed. We patched this vulnerable hole and haven't seen the similar vulnerabilities on any other box. The virus scans are something I've wanted to have in place for a while now, and firewalling is an even better maneuver.
Reply With Quote
#29
08-18-2005, 09:38 AM
Brangwyn
T3CHN0 STUD
Vortech Inc. Customer
Location: New Zealand (Wellington)
Pretty sure at least one of the worms that surfaced in the last 48 hours opened up a backdoor of some sort; spent a good portion of yesterday disinfecting a corporate network of the pesky little buggers.

Virus scanning, realtime file scanning? That will add a reasonable overhead, won't it? Think every time a website logfile is updated, email placed in the SMTP Q, etc. I've always been led to believe that file scanning on a webserver really wasn't worth the overhead, not to mention the aggressive file locking problems some of them can cause.

Not a big fan of "extreme" firewalling myself. They do help with some things, but at the end of the day, securing the server is the best first line of defence: never have a service open on a port that you don't want someone to gain access to, etc., along with proactive monitoring of listening ports. Let's face it, you're never going to stop IIS exploits with a firewall unless you go to some extreme measures. Just so I don't come across sounding all negative, on the flipside firewalls can be a great defence for denial of service attacks, making sure traffic doesn't "leak" from your server, etc., especially if used with a good network architecture that includes separation of sensitive segments using VLANs, etc.
Reply With Quote
#30
08-18-2005, 10:32 AM
admin
Vortech Inc. Owner
Location: Orlando FL
No, we can't do realtime; you're right, it would kill the servers.

The firewall is/was (having issues with getting FTP to work even with the 1024+ ports open) going to be just to block ports *not* used by us below 1024 and open 1024 and up. We would then use snort to look for anything that is not DNS, SMTP or FTP in these high ports, since nothing but those things should really be running up there besides a few other things we already know about.

Firewall and snort are a little too reactive for me. Like you, I like to be more active in making sure the box is 100% secure. But if we put all 4 things together it should make things a bit better all around. That is, if we can get the firewall setting to let FTP work.
Reply With Quote
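The "proactive monitoring of listening ports" from post #29, combined with the below-1024 / above-1024 split from post #30, as an added example that is not part of the original thread: a host-side check of `netstat -ano` output, not a firewall or snort configuration. The sample output, the allowed low ports and the known high-port range are constructed assumptions.

```python
# Constructed `netstat -ano` output from a Windows web host (not from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1620
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5001           0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:8899           0.0.0.0:0              LISTENING       3344
  TCP    10.0.0.5:80            203.0.113.9:50123      ESTABLISHED     4
  UDP    0.0.0.0:53             *:*                                    1212
"""

ALLOWED_LOW = {21, 25, 53, 80, 110, 443}  # assumed: services the host offers
KNOWN_HIGH = set(range(5000, 5101))        # assumed: FTP passive data range


def listening_sockets(netstat_text):
    """Yield (proto, port, pid) for TCP LISTENING and bound UDP sockets."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        if parts[0] == "TCP" and parts[3] != "LISTENING":
            continue  # established/other states are not listeners
        port = int(parts[1].rsplit(":", 1)[1])  # also handles [::]:80
        yield parts[0], port, int(parts[-1])    # PID column requires -o


def audit(netstat_text):
    """Return sorted findings for listeners outside the assumed policy."""
    findings = set()
    for proto, port, pid in listening_sockets(netstat_text):
        if port < 1024 and port not in ALLOWED_LOW:
            findings.add((port, proto, pid, "low port not in service list"))
        elif port >= 1024 and port not in KNOWN_HIGH:
            findings.add((port, proto, pid, "unexpected high-port listener"))
    return sorted(findings)


if __name__ == "__main__":
    for port, proto, pid, reason in audit(SAMPLE_NETSTAT):
        print(f"{proto}/{port} (PID {pid}): {reason}")
```

Run on a schedule and compared with the previous result, a listener that appears between runs stands out together with the PID that owns it.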
All times are GMT -5. The time now is 10:56 PM.