Server was compromised - need advice

         

ron_ron

5:47 am on Aug 27, 2007 (gmt 0)

10+ Year Member



I am running a dedicated Win 2003 server with IIS 6. The server is behind a firewall. A few days ago I noticed something strange. I noticed the language toolbar was set to German. I do not speak German and neither does anyone else I work with. A couple of days later, I get an email from my host stating:

"We found a compromise running on your server called Cain. This compromise basically will try to steal passwords on the server it is running on and try to make network connections to other servers and try to steal passwords.
This was running under the account "admin"
We blocked access to the IP that was accessing this account and disabled the account.

"In order for someone to run this they would have had to have access to your server. We recommend that you change the passwords for all users on the server as soon as you can. "

I assume they mean a program called Cain and Abel.

After changing my passwords, I looked around the server. This was not a hacker or someone trying to destroy my data. I assume he must have wanted to use my server as a zombie, DOS or something. A look at my NT Services shows one or two strange services that were running. One was called D.N.S. (with periods) and the description had a mistake in English so no doubt he is German and English is a 2nd language. The other file I suspect is "MS Login Services," although I could be wrong.

I am actually a Mac user and not very skilled with Windows, let alone Win 2003. I wonder if some of you could look over the following list of NT Services that are running and let me know if there are any more strange files or if anything is running which shouldn't be:

CCDed
COM+ Event System
COM+ System Application
Computer Browser
Cryptographic Services
D.N.S. DNS Server (put here by hacker)
DCOM Server Process Launcher
Debug Diagnostic Service
DHCP Client
DHCP Server
DHCP Client
DHCP Server
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
DNS Client
DNS Server
Event Log
Galaxy Client Event Manager
Galaxy Communications Service
HID Input Service
HTTP SSL
ISS Admin Service
Internet Authentication Service
Logical Disk Manager
MS Login Services (possibly put here by hacker)
Network Connections
Network Location Awareness (NLA)
Network News Transfer Protocal (NNTP)
Persits Software EmailAgent
Plug and Play
Print Spooler
Protected Storage
Remote Access Connection Manager
Remote Proceedure Call (RPC)
Remote Registry
Removable Storage
Secondary Logon
Security Accounts Manager
Server
Serv-U FTP Srver
Shell Hardware Detection
Simple/TCP/IP Services
SmarterMail Service
Smarter Stats Service
SQL Server (SQLEXPRESS)
SQL Server VSS Writer
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
User Profile Hive Cleanup
Windows Management Instrumentation
Windows Time
Workstation
Wold Wide Web Publishing Service

These are all the services that are "started." I did not include all the files as the list is very long.

I ran SpyBot but it did not come up with anything. Any advice you can give me to help determine what he might have done would be helpful. Any advice on preventive measures would also be appreciated.

plumsauce

6:23 am on Aug 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I will list below the services that I don't like. This presumes that you have spelled them *exactly* as found.
Cain is an old one. If you've been had this badly, then it is difficult to feel comfortable with anything other than a clean install. The security mantra is "that which is not specifically permitted is denied." I have no idea of how good your firewall rules were/are.

The list:

CCDed
D.N.S. DNS Server (put here by hacker)
Debug Diagnostic Service
Galaxy Client Event Manager
Galaxy Communications Service
MS Login Services (possibly put here by hacker)
Persits Software EmailAgent
Serv-U FTP Srver
Simple/TCP/IP Services
SmarterMail Service
Smarter Stats Service
User Profile Hive Cleanup

These are services that are not immediately recognised by me as being common to a stock windows environment.

Serv-U is *very* popular amongst hackers, so if you didn't put it there, someone else did.

Simple TCP/IP Services includes tftp, trivial ftp. A big glaring security hole.

As for the rest of the services you have running, there are way too many for a web server. This makes the attack surface larger. A web server should be running with the bare minimum of services. This means that if you were to disable one more service, some required functionality of the specific web site would be unavailable.

With the right firewall rules and server setup it is possible to run a publicly exposed windows server for years without ever being breached.

It takes time and expertise, but it can be done.

I don't know what your host's firewall rules are, but I have the distinct feeling I can reach your server on a port that should not be open.

BTW, you did not mention if you use PHP. If you do, it is a big steaming security hole. Maybe not in and of itself, but the apps that rely on PHP often are. PHP apps are a security professional's nightmare. You never know what hole is going to show up next. No matter how tempting the app is, I refuse to run PHP of any form. I don't care if it's fastcgi, cgi or isapi mode.
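The triage plumsauce does by eye above (compare the running services against what a stock install has, then look hard at anything unfamiliar) can be scripted so it also surfaces the details a bare name list hides: which binary the service actually runs and under which account. The script below is an added example written for this thread, not code from any poster or from Microsoft. It assumes a current PowerShell (Get-CimInstance; on a 2003-era box the same Win32_Service properties are available through Get-WmiObject), and the $Baseline list is a constructed stand-in for a service list you would export from a clean install of the same Windows version.

```powershell
# Added example: triage running Windows services against a known-good baseline.
# Constructed baseline for illustration only; export the real one from a clean
# install of the same OS version and role set.
$Baseline = @(
    'COM+ Event System', 'Cryptographic Services', 'DNS Client', 'DNS Server',
    'Event Log', 'Print Spooler', 'Remote Procedure Call (RPC)',
    'Task Scheduler', 'Workstation', 'World Wide Web Publishing Service'
)

# Win32_Service exposes PathName (the binary plus arguments) and StartName
# (the account), which Get-Service alone does not.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' }

$report = foreach ($svc in $services) {
    $reasons = @()

    # 1. Display name is not in the clean baseline.
    if ($Baseline -notcontains $svc.DisplayName) { $reasons += 'not in baseline' }

    # 2. Service binary lives outside the Windows directory. PathName may be
    #    quoted and may carry arguments; an unquoted path containing spaces is
    #    itself a misconfiguration and will only be partially captured here.
    if     ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($svc.PathName -match '^(\S+)')     { $exe = $Matches[1] }
    else                                       { $exe = $null }
    if ($exe -and ($exe -notlike "$env:SystemRoot\*")) {
        $reasons += "binary outside SystemRoot: $exe"
    }

    # 3. Display name imitates a stock service with dotted punctuation
    #    ('D.N.S.' next to the real 'DNS Server').
    if ($svc.DisplayName -match '^\w(\.\w)+\.') { $reasons += 'dotted lookalike name' }

    # 4. Runs under a named user account instead of a built-in service identity.
    if ($svc.StartName -and
        $svc.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT Service\\)') {
        $reasons += "runs as $($svc.StartName)"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            Path        = $svc.PathName
            Account     = $svc.StartName
            Reasons     = ($reasons -join '; ')
        }
    }
}

$report | Sort-Object DisplayName | Format-Table -AutoSize -Wrap
```

The output is a work list, not a verdict: legitimate third-party software (a mail server, SQL Server Express) is installed under Program Files and will be flagged by rule 2, which is exactly why each hit should be matched against what you know you installed. Run it from a trusted shell rather than one started on the suspect host if you can, since a compromised box can lie about its own service table.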

ron_ron

3:04 pm on Aug 27, 2007 (gmt 0)

10+ Year Member



CCDed

Used by my host

D.N.S. DNS Server (put here by hacker)

Disabled as it is from the hacker

Debug Diagnostic Service
Galaxy Client Event Manager
Galaxy Communications Service

Don't know what the above are

MS Login Services (possibly put here by hacker)

Disabled as put there by hacker

Persits Software EmailAgent

Don't know what that is for

Serv-U FTP Srver

It is the FTP client I use and should be there

Simple/TCP/IP Services

Don't know this one either

SmarterMail Service
Smarter Stats Service

I use Smarter Mail as my mail software so I guess these are ok

User Profile Hive Cleanup

This is supposed to be a legit MS product but what I don't like about it is that it is running in the Program Folder and not in Win 32. I tried to delete it but couldn't as it is running.

I have a hardware firewall. I am going to block IPs other than mine and my programmers'.
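Restricting the management ports to known addresses can be applied on the host as well as on the hardware firewall, so that a mistake or a bypass on one layer is still caught by the other. The script below is an added example for this thread, not code from any poster; it uses the NetSecurity cmdlets of Windows Server 2012 and later (a 2003 server would use netsh instead), and the addresses and port numbers are constructed placeholders.

```powershell
# Added example: host firewall that admits the remote-management ports only
# from the administrator's and programmers' addresses. All values constructed.
$AdminAddresses  = @('203.0.113.10', '198.51.100.25')  # placeholder: your IP and the programmers' IPs
$ManagementPorts = @(3389, 21)                          # placeholder: RDP and the FTP control port

# Default-deny inbound on every profile: a connection that matches no explicit
# allow rule is dropped, which is the "not specifically permitted is denied" model.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# The built-in 'Remote Desktop' group allows 3389 from any source. Windows
# evaluates allow rules cumulatively, so that group must be disabled or it
# would keep admitting everyone alongside the narrower rule added below.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

foreach ($port in $ManagementPorts) {
    New-NetFirewallRule -DisplayName "Admin-only TCP $port" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $AdminAddresses -Action Allow -Profile Any
}

# Public web ports stay open to everyone; nothing else gets an inbound rule.
New-NetFirewallRule -DisplayName 'Web HTTP/HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow -Profile Any

# Verify the result: every enabled inbound allow rule with its ports and sources.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule = $_.DisplayName
            Port = $portFilter.LocalPort
            From = $addrFilter.RemoteAddress
        }
    } | Format-Table -AutoSize
```

Apply this from the console or an out-of-band management connection first: if your own address is missing from $AdminAddresses, the default-deny rule locks you out of RDP the moment it takes effect. The FTP rule covers only the control channel; passive-mode data transfers use a separate port range that needs its own rule, and after a compromise like the one in this thread the FTP service itself should be reinstalled from a known-good source, not merely firewalled.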

mrMister

5:10 pm on Aug 28, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The best advice really is to back up your data, format the hard drive and reinstall Windows. It's the only way to be 100% sure that everything is as it should be.