URGENT help, somebody is breaking into my computer

jerry2 (Guest)
Hi there

I am desperate. I have Windows 2003 server and Plesk 8.2 installed, nothing else. Running one web site.

Since a few days ago someone has been connecting to my system over a remote connection as administrator :-((( It happens in the evening. I am 100% sure, as he opens some windows that are not there when I end the session.

I have changed the administrator and Plesk passwords, but it doesn't help. I cannot think of anything else than that there is a security failure in Plesk itself.

Any ideas how I can at least log his IP? He is using a remote connection.

Thank you
 
You must look in Administrative Tools\Event Viewer\Security to see 'who', 'when' and 'from where' logged on to your system. You may also add more audit events from Administrative Tools\Local Security Policy\Local Policies\Audit Policy.

What windows did you see?
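The Security log check described in this reply, as an added example that is not part of the original post or of Plesk. It assumes Windows Server 2003 with Windows PowerShell 2.0 installed (Get-EventLog exists there; Get-WinEvent does not, it needs Vista/2008 or later), the Windows 2003 Security event IDs (528 logon succeeded, 529 logon failed, 682/683 Terminal Services session reconnected/disconnected, 517 audit log cleared; 2008 and later renumbered these to 4xxx) and an export path of your own choosing. If it returns nothing, "Audit logon events" is not enabled for Success and Failure in the Audit Policy named above.

```powershell
# Added example for this thread; not from the original post or from Plesk.
# Assumes Windows Server 2003 with Windows PowerShell 2.0 installed: Get-EventLog
# works there, Get-WinEvent does not (it needs Vista/2008 or later).
# Security event IDs are the Windows 2003 ones (2008+ renumbered them to 4xxx):
#   528 logon succeeded, 529 logon failed, 682/683 Terminal Services session
#   reconnected/disconnected, 517 "the audit log was cleared".
# Logon Type 10 = RemoteInteractive, i.e. a Remote Desktop logon.
param(
    [int]    $Days     = 7,
    [string] $ExportTo = ''     # e.g. \\otherhost\logs\rdp.csv (assumed path; keep it off this box)
)

# Pull a "Name:   value" field out of the event description text.
function Get-Field([string] $Message, [string] $Name) {
    if ($Message -match ('{0}:\s*(\S+)' -f [regex]::Escape($Name))) { return $matches[1] }
    return ''
}

$since = (Get-Date).AddDays(-$Days)
$rows  = Get-EventLog -LogName Security -After $since |
    Where-Object { 517, 528, 529, 682, 683 -contains $_.EventID } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time      = $_.TimeGenerated
            EventID   = $_.EventID
            User      = Get-Field $_.Message 'User Name'
            Domain    = Get-Field $_.Message 'Domain'
            LogonType = Get-Field $_.Message 'Logon Type'
            # 528/529 carry "Source Network Address"; 682/683 carry "Client Address".
            SourceIP  = (Get-Field $_.Message 'Source Network Address') + (Get-Field $_.Message 'Client Address')
        }
    }

# 1. Has the log been cleared? Everything before a 517 is gone; only a copy kept
#    on another machine can still show what happened earlier.
$cleared = @($rows | Where-Object { $_.EventID -eq 517 })
if ($cleared.Count -gt 0) {
    "WARNING: Security log cleared at: " + (($cleared | ForEach-Object { $_.Time }) -join '; ')
}

# 2. Remote Desktop logons, reconnects and disconnects, with the client address.
$rows | Where-Object { $_.LogonType -eq '10' -or $_.EventID -eq 682 -or $_.EventID -eq 683 } |
    Sort-Object Time | Format-Table Time, EventID, Domain, User, SourceIP -AutoSize

# 3. Failed logons grouped by source: a password-guessing run shows up as one
#    address with many 529s; a stolen password as a single 528 from a new address.
$rows | Where-Object { $_.EventID -eq 529 } | Group-Object SourceIP |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 4. Keep a copy where the intruder cannot delete it along with the local log.
if ($ExportTo) { $rows | Export-Csv -Path $ExportTo -NoTypeInformation }
```

Since an intruder with administrator rights can clear the local log (and in this thread did), run this on a schedule (schtasks) with -ExportTo pointing at a share on another machine, so the exported rows survive the next clearing. The 517 event itself also records which account cleared the log.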
 
I saw the Event Viewer console open, because he had deleted the security events. However, in the system events there was evidence he was here, and after he deleted it there was still a log of his logout from the Remote Desktop connection. So I have his IP now. But that doesn't help me much with how he got in. Changing the admin password didn't help...

Is there any known Plesk security issue in 8.2?
 
Change your admin password. If he's using Remote Desktop I doubt it's a Plesk issue, unless he used Plesk to gain access to your Windows administrator password.
 
I did, it doesn't help :-( He is back in...

I looked at when he first accessed the server (the date) and I found a suspicious file named readphp.exe.

Ok, I will reformat my server, but how did he get in in the first place? I didn't use a browser, I only have Plesk installed...
 
Ok, I found out the hacker planted a NetMonInstaller service and WinPcap. Can anybody tell me what info he can get with this sniffer?

But how did he get in in the first place?

Jerry
 
Originally posted by jerry2
Ok, I found out the hacker planted a NetMonInstaller service and WinPcap. Can anybody tell me what info he can get with this sniffer?

But how did he get in in the first place?

Jerry

Jerry,

I am no expert, but I have (had) a similar problem in the past two weeks. I also run W2003 & Plesk, and found out someone was using my server through Remote Desktop.
I found out they came in through the ASP.NET worker account.
And yes, even changing passwords did not help. They used a PHP program to use the server. Eventually I discovered they had installed BitTorrent in the filesystem and used the server for that. However, it got worse; apparently the details of how to enter the server became "hacking public", and soon I got email notifications through the ISP that my server was being used in abusive attacks on other systems.
Search your files for files called something like "Dlist.txt" that contain lists of servers their rogue programs try to attack and sniff at.

A second ASP.NET account may also have been created in the users list.

The final solution to all of it was to rebuild the complete server software-wise, which I have done. And checking with your ISP, you will find this situation happens more often than you think or than they want to admit.
Take out the drive, attach it as a slave to another system and run anti-virus, and you will find, like I did for instance, PHP.Backdoor.Trojan installed...
 
Hm, thanks for your findings. I don't have this program, but I found by date that he downloaded some file phpinfo.exe to install some kind of sniffer that had a PCcaps component and used the service.

I have deleted the service and firewalled ports for Remote Desktop and Plesk only to my static IP (hope my ISP doesn't change it).

I still don't know how they got in in the first place to plant all this, so I don't know if this will help. How can they come in without Remote Desktop and Plesk? I have other services like Telnet disabled.

What did they sniff for? The hacker was here 2 times, for 2 hours and 1 hour. That is a lot of time. I know I will have to reformat now, but my concern for this forum is this:

There must be a Plesk security problem, or one of the components must be compromised (so I am not saying it is Plesk)... But I reformatted the computer about 14 days ago, so it is a brand new out-of-the-box Plesk 8.2 system.

I am deeply shattered, as it is as if someone walked into my house every night and I am not able to find the door that is open :-( I didn't have any really valuable info like security transactions, but anyway, what can they get by sniffing? Why sniff, when they got into the admin account anyway...
 
I have only one site and it uses ASP only. I don't use ASP.NET service.

WillemW, how did you trace how they got in?
 
Hi,

I started the same as you; I opened my server by RDP for a routine check and noticed strange things, such as the RDP window opening to another listed connection (not from me). Then I saw websites visited by a user called Inet_wood (which I did not create) and checked the log files, but these are routinely cleaned out by their actions when they log off (through their installed programs).
I thought Sh&*1!?, changed passwords etc., and thought that was it.
But of course after such an incident I started checking more regularly and in more detail. So I came across these files hidden under some user that had, like I said, txt files with listings of servers tried. There was also a KDE program installed, apparently running out of my connections.

Even deleting this user Inet_wood did not help; the next day it was back, so they knew how to get in and stay in even after changing passwords.

The worst came a week ago, when the ISP closed off my server after getting these attack messages from security companies in the US, attacks originating from my server. Then of course there was no other choice but to take it away and rebuild it. I am still in a paranoid state and check like every hour whether I see something uncommon.
It's like when they break into your house; it will take time before you take the cabinet away from blocking the doors...
 
Yes, I can certainly relate to your feelings.

Did you ever find out how they got in? Now that you have reinstalled, are you safe? Did you block RDC except for your IP? I think this is a good idea.

I thought if a hacker comes he wipes your disk, but it seems they want to use your server for some other job :-(

Did you have any problems with the ISP to turn your server back on when you cleared things?
 
Do you use Plesk 8.2? Did the problems start when you went to 8.2 if you did?
 
Jerry,

- I run a server with more than 1 site (in fact, close to 25), but I do have webshops running, so I was very concerned.
However, I did not find any evidence they were interested in any of my sites or even the webshop database. As far as I saw, they never even touched my sites and/or site files.
I believe they merely used the server for connecting to others for obviously bad things, but maybe they think that once your websites are touched you have instant notification that someone did this, their entry secret is out, and measures will be taken to prevent it
(or at least faster than now, as a result of the abuse attacks).

In answer to your last question, no, the ISP is not making any trouble, but they were quick to take it offline. And then the "nice" thing; they notify you by email, which you cannot receive because..... exactly! :) That cost me half a day trying to figure out why all of a sudden my RDP did not work anymore..

Kind regards for now,

Willem Waasdorp
 
No, this was on 8.1 upgraded from 7.6.
The new setup however is with 8.2 (but with some problems here that have already been listed on the forums, such as SpamAssassin etc.)

Perhaps I should point out that the previous server had been running for almost a year without any, any problem at all. Not with Windows, not with Plesk.
 
Yes, same here, one year with FTP hack attempts in the log, but nothing that serious :-(
 
Guys, to prevent such a thing from happening (nothing is 100% secure), please secure your RDC connections with an SSL certificate and don't allow regular unencrypted RDC connections.
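One way to do what this post recommends on a Windows 2003 box, as an added example that is not part of the original post or of Plesk. It assumes Windows Server 2003 SP1 or later with Windows PowerShell 2.0 and the Terminal Services WMI class Win32_TSGeneralSetting in the root\CIMV2\TerminalServices namespace (SecurityLayer 2 = SSL/TLS required, MinEncryptionLevel 3 = High); the certificate subject name is an assumption and should be the name your clients type into mstsc.

```powershell
# Added example for the advice above; not from the post or from Plesk.
# Assumes Windows Server 2003 SP1 or later with Windows PowerShell 2.0 and the
# Terminal Services WMI class Win32_TSGeneralSetting (namespace
# root\CIMV2\TerminalServices). Values: SecurityLayer 2 = SSL/TLS required,
# MinEncryptionLevel 3 = High (128-bit). The certificate subject is an assumption;
# use the name your clients connect to, otherwise they get a name-mismatch warning.
param([string] $CertSubject = 'CN=server.example.com')

# 1. A server certificate with a private key from the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "no certificate with a private key for '$CertSubject' in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "certificate for '$CertSubject' expired $($cert.NotAfter)" }

# 2. Bind it to the RDP-Tcp listener, then require TLS and high encryption.
$listener = Get-WmiObject -Namespace root\CIMV2\TerminalServices `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$listener.SSLCertificateSHA1Hash = $cert.Thumbprint
$null = $listener.Put()
$null = $listener.SetSecurityLayer(2)      # 0 = RDP security layer, 1 = Negotiate, 2 = SSL/TLS
$null = $listener.SetEncryptionLevel(3)    # 1 = Low, 2 = Client compatible, 3 = High, 4 = FIPS

# 3. Read the settings back before you close your own session.
$check = Get-WmiObject -Namespace root\CIMV2\TerminalServices `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
"SecurityLayer={0} (want 2)  MinEncryptionLevel={1} (want 3)  Cert={2}" -f `
    $check.SecurityLayer, $check.MinEncryptionLevel, $check.SSLCertificateSHA1Hash
if ($check.SSLCertificateSHA1Hash -ne $cert.Thumbprint) { throw "certificate hash was not applied" }
```

Keep the session you ran this from open and test a fresh connection from a second client before logging off; if it fails, call SetSecurityLayer(1) (Negotiate) from the still-open session. Clients need an RDP client that supports TLS (the 5.2 client from XP SP2 / 2003 or newer). After a compromise, do not reuse a certificate whose private key the intruder may have read from the box; issue a fresh one.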
 
Yes, this is what I have read now. Please tell me, is the default Plesk certificate ok? If I lock myself out I will be in big trouble.
 
1) turn off all network adapters
2) close all network ports in the firewall except those really needed by you
3) change the administrative password for all users in the Administrators group
4) remove
4.1) on a 64-bit machine HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PLESK\PSA Config\Config\papswd
4.2) on a 32-bit machine HKEY_LOCAL_MACHINE\SOFTWARE\PLESK\PSA Config\Config\papswd
5) remove all unrequired users from the Remote Desktop Users group
6) remove all accounts from Administrative Tools\Local Security Policy\User Rights Assignment\Allow log on through Terminal Services, then add only your own account to this privilege
7) run netstat -a -o and more
7.1) put the output here
7.2) close, and move to some temporary folder, all non-Microsoft and non-Plesk programs from the netstat output
8) restart the Plesk services
9) remove all unrequired applications and drivers
10) turn on all required network adapters
11) restart your machine
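Steps 2, 5, 6 and 7 of this checklist carried out from one script, as an added example that is not part of the original post or of Plesk. It assumes Windows Server 2003 SP1 or later with Windows PowerShell 2.0 and the built-in Windows Firewall (the "netsh firewall" context; 2008 and later use "netsh advfirewall"), that 203.0.113.10 stands in for the administrator's own static IP, that 8443 is the Plesk panel port and 3389 is Remote Desktop, and that the vendor strings used to separate "Microsoft and Plesk" from everything else are a heuristic to be checked by hand. Steps 4 (the Plesk registry value) and 8 are Plesk-specific and are left out.

```powershell
# Added example for the checklist above; not from the post or from Plesk.
# Assumes Windows Server 2003 SP1 or later with Windows PowerShell 2.0 and the
# built-in Windows Firewall ('netsh firewall' context; 2008+ uses advfirewall).
# 203.0.113.10 stands for the administrator's own static IP (an assumption),
# 8443 is Plesk's default panel port, 3389 is Remote Desktop.
param([string] $AdminIP = '203.0.113.10', [switch] $Apply)

# Steps 5 and 6: who is allowed onto the desktop at all.
function Get-LocalGroupMembers([string] $Group) {
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($grp.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
foreach ($g in 'Administrators', 'Remote Desktop Users') {
    "{0}: {1}" -f $g, ((Get-LocalGroupMembers $g) -join ', ')
}

# Step 7: every socket mapped to the executable that owns it. Anything whose
# vendor is neither Microsoft nor the Plesk vendor (SWsoft/Parallels for the 8.x
# releases; an assumed heuristic, check the paths by hand) is what step 7.2 says
# to stop and move away. A readphp.exe or a WinPcap-based service shows up here.
$byPid = @{}
Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }
$trusted = '^(Microsoft|SWsoft|Parallels|Plesk)'
$sockets = netstat -a -n -o | Select-String '^\s*(TCP|UDP)\s' | ForEach-Object {
    $f     = $_.Line.Trim() -split '\s+'      # TCP: proto local remote state pid; UDP: proto local remote pid
    $owner = [int]$f[-1]
    $p     = $byPid[$owner]
    New-Object PSObject -Property @{
        Proto   = $f[0]; Local = $f[1]; Remote = $f[2]
        State   = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
        PID     = $owner
        Path    = if ($p -and $p.Path) { $p.Path } else { '(system / access denied / exited)' }
        Company = if ($p) { $p.Company } else { '' }
    }
}
"--- sockets owned by programs that are not Microsoft or Plesk ---"
$sockets | Where-Object { $_.Company -notmatch $trusted } |
    Sort-Object PID | Format-Table Proto, Local, Remote, State, PID, Company, Path -AutoSize

# Step 2: firewall on; Remote Desktop and the Plesk panel reachable from $AdminIP
# only; the web site (port 80) stays open to everyone; everything else is blocked.
$netsh = @(
    "netsh firewall set opmode mode=ENABLE exceptions=ENABLE",
    "netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=$AdminIP",
    "netsh firewall add portopening protocol=TCP port=8443 name=PleskPanel mode=ENABLE scope=CUSTOM addresses=$AdminIP",
    "netsh firewall add portopening protocol=TCP port=80 name=HTTP mode=ENABLE scope=ALL"
)
foreach ($cmd in $netsh) {
    if ($Apply) { Invoke-Expression $cmd } else { "DRY RUN: $cmd" }
}
```

Run it first without -Apply to see the netsh commands and the socket table, then with -Apply from a session you keep open, and confirm a new connection from $AdminIP works before logging off. Two caveats a practitioner would add: a source-address filter on a TCP service cannot be defeated by spoofing alone, because the handshake replies go back to the real owner of the address, but it does nothing about code already running on the box; and the netstat and process listing are only as honest as the running system, which a kernel-level sniffer driver or rootkit can lie to, so the listing is for triage and the rebuild the other posters describe is still the fix.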
 
Originally posted by jerry2
Yes, this is what I have read now. Please tell me, is the default Plesk certificate ok? If I lock myself out I will be in big trouble.
I think it is better to generate a new one.
 
Thanks. I will do that.

I have now closed Plesk and Remote Desktop in the firewall for all but my IP. Can the IP be spoofed, so that somebody can masquerade as my IP? He seems to be gone for the moment.
 