Holy unsecured server, Batman!!!

[FlyingPenguin]

Guy who set this up should be BITCH SLAPPED!

New potential client asks me to look at their network. They're using Terminal Server on a Server 2000 box. Remote office is seeing pings of 200 - 10000ms (!) to the server.

Everything checks out at the remote office so I went to see the main office where the server is located.

All they're using the server for is file serving and Terminal Services.

Ready for this?

Server is on a static IP cable connection - it is NOT behind a router or a firewall. No software firewall running. No critical updates ever installed. No IIS lockdown (mail, web and ftp servers are running and FTP can be logged into via anonymous login).

Server's wide open only being thinly defended by VERY unsecure passwords (less than 4 digits - all letters!).

The reason they're seeing such high pings to the office with the server is because the server is hogging all the bandwidth doing God only knows what: spam relay, DoS relay, warez FTP server (take your pick or choose all of the above). If I pull the plug on the server, the Internet connection is good and fast. Plug it back in and the pipe is maxed out.

Here's the good one: The previous IT consultant says the latency problem is due to the cable modem at the main office and they should have Road-Runner replace it.




I don't usually have to deal with someone else's screwups that are this bad - and I 've NEVER seen such an exposed and compromised server. Shit ANYONE has the common sense to at least put the server behind a router and use port forwarding!


Anyone want to chime in with a list of what trojans I'm likely to find? Norton Anti-Virus Enterprise is running and up-to-date, but that doesn't mean shit. It may be compromised, and I know there's some Spam relay trojans out there that are just modified Spyware and Norton won't detect them as viruses.

Needless to say I'm going to lock down IIS right off and probably slap a firewall on it as an immediate short-term solution (yeah, just a bandaid, but can't distrupt the office too much during business hours). Then do all the critical updates.

Eventually I have to get the bitch behind a router or (preferably) a VPN router.

Heck, I may even have to get the static IP changed depending on who's been hacking the box. For all I know someone's using it as a porn server.

Sigh.... I have to decide if I even want to take this one on - it's a long drive and it's going to be a LOT of work. Not sure I can spare all that time that far off the beaten track. I feel sorry for them though. Nice people and referred to me by a very good client

[DoPeY5007]

wow, what a mess!



good luck fixing all that

[FlyingPenguin]

I've been doing NETSTATs every hour or so since I got home (accessing the server via Terminal Services - fun to do with ping spikes of 10K).

The only connections are FTP (and LOTS of them). So it looks like someone's hijaacked the FTP server. Need to lock it down ASAP. Trouble is if they also have the admin password they may retaliate. I need to do this rather carefully.

I can't do anything until I get permission to work on it (and I decide if I want the job) - so far all I'm doing is a consult.

Also I won't touch a server until I've made a Ghost image of the drive.

To make matters worse I'm not sure if they're making regular backups. There's a tape drive, and I asked the receptionist if they're changing the tape regularly and she says as far as she knows that's the only tape and no one's ever changed it

Oh, and they have every single network protocal on the planet installed and exposed to the Internet: Appletalk(!), NetBEUI....

It just keeps getting better...

[DoPeY5007]

can you log into the FTP server and see what files are shared?

[FlyingPenguin]

I tried an anonymous logon to the FTP earlier - I could see a lot of folders, all with rather cryptic names. I couldn't open most of them as an anonymous user, and the connection is so slow it was tedious.

The traffic seems to get MUCH worse after 6pm so it's real frustrating to do anything on it right now. Otherwise I'd check the FTP folders from the desktop.

I'm sorely tempted to just slam the FTP closed but as I said, if they also have admin access they might just do something nasty when they find their porn/warez/whatever server is down. I'd rather go in, pull the plug on the network connection, lock it down, change all the passwords, and secure it in one stroke.

They've been living with it like this for MONTHS(!) so a few more days isn't a big deal.

HEH... just checked NETSTAT again: SIXTY simultaneous FTP sessions!!! Most of them the same IP using multiple ports so looks like about 10 seperate users, but 4 or 5 of them are using a Download Accelerator type program.

[donk]

Originally posted by DoPeY5007
can you log into the FTP server and see what files are shared?

Yea .. is there anything good? j/k

For right now, regardless if you take the job or not, I would convince them to unplug it from the network. This will prevent this mess while you/they decide how to proceed. I would definitely make a backup (ghost) of the system, but I would consider the whole thing tainted and I wouldn't use any of that data, unless it is the only copy and it should only be used then after very careful analysis.

Definitely go the router/firewall/vpn route. Since this is only one 2K server in an office connected via cable, I'll assume they are a small shop which lacks the funds for say a Cisco/Checkpoint VPN solution. Personally I'd go with a Smoothwall (http://www.smoothwall.org) at each site and VPN the firewalls together with FreeSwan (http://www.freeswan.org). I've never actually done it, but from what I've read it looks very promising.

I'd probably convince them to ditch Win2K for file services as well.. but hey that's my preference.

My 2 cents ..

[DoPeY5007]

and put f@h on that server

[FlyingPenguin]

Ack. It's so slow now I can't do anything. I'll play around some more in the morning. They're raping the server now.

The C drive is FULL - 20 Gb and only 383Mb free. That's a LOT of something on there, and I seriously doubt their own stuff is more than 5 Gb (EDIT --- Yup, just checked the FTP folder and it has 15Gb in it).

UNFORTUNATELY I see no scheduled tape backups so I think that's their only data

They're using a proprietary DOS application for customer managerment - not an MS product so HOPEFULLY the data is clean. They've had no issues with it - just complaining of slow access to Terminal Server.

I think someone's just stashing stuff on their FTP. I'll look in the FTP folders tomorrow.


Yeah, I agree that in the long run a clean install would be a GOOD THING. This system is heavily compromised. Trouble is I don't think they can afford the downtime for at least 3 weeks unless I want to work over a weekend.

I've also never setup Terminal Server so it'll be a learning experience. I'd probably set up a loaner box for them and just copy over the data, then take the server home and wipe it clean.

Sigh... what a waste.

[smb]

probably the quickest cheapest way is to go buy a dlink cable router that allows for vpn access. I use one here at work. It's a DI-614+ just so the boss and a few key people can access the server from remote locations. it will lock it down, and it is cheap as well (under $100.00). I like this router because you can actually set it to discard pings.

[FlyingPenguin]

I've taken the server off the network for now and will isolate it so they can work on it. Trying to keep this from being disruptive.

They can live with only being able to access it at the local office for now, and they can also live without Internet access.

I'm going to setup a new server for them that they can migrate to.

[DoPeY5007]

Originally posted by FlyingPenguin
and they can also live without Internet access.

people can live with out internet