General discussion

Locked

I've been hacked

By helpdesk
Can someone help me to identify the likely hacking activity that was being conducted on one of my WinXP Voicemail systems (we had a weak password)? The following programs had been installed and a few accounts were created. I've disabled the accounts that were created and de-installed the programs listed below.

AllSubmitter 4.7
QIP 2005
Cabal Online v3.3
Free Promote 3
Hit Accelerator
WinRar


5 total posts (Page 1 of 1)  



data

by TheVirtualOne In reply to I've been hacked

I've said it once, and I'll say it again... data and security are the most important things about computing today.

Start over and lock the machine down. Then install your software all over again. Don't worry about that machine, worry about your data and your network.


Programs

by NickNielsen In reply to I've been hacked

AllSubmitter - automated software package used to submit websites to web directories

QIP 2005 - an instant messaging program

Cabal Online v3.3 - an MMORPG (massively-multiplayer online role-playing game)

Free Promote 3 - website promoter software

Hit Accelerator - Domain search software

WinRar - archiving utility similar to Zip. Good program. http://www.winrar.net

If the first five programs on your list were actually installed, you definitely have a problem and your best bet is to do as TheVirtualOne suggested: wipe the box and start over again. However, if the software was not installed (i.e., you only found download packages), you might be able to recover by increasing your security: stronger passwords, firewall blocking all ports except those necessary for the Voicemail server to function, etc.

Edit: spleling


I would not take that chance

by jdclyde In reply to Programs

It is time for a bare metal install.

It is also time to look at the log files to make sure if it was hacked from internal or external, and then take a look at the security again.

Disabling admin access from the WAN is also a must. It doesn't MATTER what your password is, if you disable this.

Look into a new firewall. You DID have a firewall between the internet and your server, right? And this time, only allow in and out the protocols you HAVE to have going. If it is a server that is accessed from the internet, it belongs on a DMZ, not your local LAN.


Agreed

by JamesRL In reply to I would not take that cha ...

1) You might not have uncovered everything, and it's best not to take the risk. Format the drive and start from scratch. In the end it may save you time.

2) Isolate this server. Firewall it, put it on an isolated segment, or if it must be on the net, put it on a DMZ. Do not put it back where it was, with the old address - you have to make it as difficult as possible. Retire the old IP, or better yet create a honeypot there.

3) Disable, as JD suggests, remote access for any admin function including installation of applications. Make it difficult.

4) Ensure physical security - is the server room locked? Is entry to the room logged?

5) Do NOT have any shared logons to the system, especially ones with admin access. Every admin user must have a unique ID with a password that must change on a regular basis and have strong password rules - 8 characters, upper and lower case, numbers and special characters. You may feel the need to have one "secret" login with a password that doesn't change in case you have a lockout feature. If you have one, do not use that login regularly (so it doesn't show up in a log), keep its existence quiet and make sure it has a very complex password.

6) Have a lockout feature that after X tries the account is disabled.

Am I paranoid?

Not at all. One company I worked for had their PBX hacked and had people logging on to make free long distance. Another had their website hacked and defaced.

James
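As an added illustration of the advice in jdclyde's and JamesRL's posts (checking the logs, no admin access from the WAN, strong password rules, lockout after X tries), the script below is example code written for this page; it is not code from any poster. It assumes a hypothetical logon-event log format and a constructed set of sample lines (the real voicemail box's logs are not on the page), treats 5 failures as the lockout threshold (an assumed value for "X"), and treats only RFC 1918 addresses as internal.

```python
import ipaddress
import re
from collections import defaultdict

# Password rule from the post: at least 8 characters with upper, lower, digit and special.
MIN_LENGTH = 8
# "X tries" from the post; 5 is an assumed value for this example.
LOCKOUT_THRESHOLD = 5
# Constructed: the accounts we consider administrative on the box.
ADMIN_ACCOUNTS = {"admin"}

# Only RFC 1918 space counts as the local LAN here; everything else is treated as WAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def password_meets_policy(pw: str) -> bool:
    """True if pw satisfies the length rule and contains all four character classes."""
    if len(pw) < MIN_LENGTH:
        return False
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    return has_upper and has_lower and has_digit and has_special


def is_internal(ip: str) -> bool:
    """True when the source address falls in RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed sample log in a hypothetical format: "<date> <time> <EVENT> user=<u> src=<ip>".
SAMPLE_LOG = """\
2024-01-05 02:11:03 LOGON_FAILURE user=admin src=203.0.113.9
2024-01-05 02:11:05 LOGON_FAILURE user=admin src=203.0.113.9
2024-01-05 02:11:07 LOGON_FAILURE user=admin src=203.0.113.9
2024-01-05 02:11:09 LOGON_FAILURE user=admin src=203.0.113.9
2024-01-05 02:11:11 LOGON_FAILURE user=admin src=203.0.113.9
2024-01-05 02:11:13 LOGON_SUCCESS user=admin src=203.0.113.9
2024-01-05 08:30:00 LOGON_FAILURE user=jsmith src=192.168.1.20
2024-01-05 08:30:20 LOGON_SUCCESS user=jsmith src=192.168.1.20
"""

LINE_RE = re.compile(r"^(\S+ \S+) (LOGON_\w+) user=(\S+) src=(\S+)$")


def parse_log(text: str) -> list:
    """Turn the hypothetical log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"time": m.group(1), "event": m.group(2),
                           "user": m.group(3), "src": m.group(4)})
    return events


def lockout_report(events: list, threshold: int = LOCKOUT_THRESHOLD):
    """Replay the log with an account-lockout rule.

    After `threshold` consecutive failures an account is considered locked; a later
    success for a locked account means the lockout was not enforced and is flagged.
    A success resets the failure counter for that account.
    """
    failures = defaultdict(int)
    locked = set()
    flagged = []
    for ev in events:
        user = ev["user"]
        if ev["event"] == "LOGON_FAILURE":
            failures[user] += 1
            if failures[user] >= threshold:
                locked.add(user)
        elif ev["event"] == "LOGON_SUCCESS":
            if user in locked:
                flagged.append((user, ev["src"], ev["time"]))
            failures[user] = 0
    return locked, flagged


def external_admin_logons(events: list, admins=ADMIN_ACCOUNTS) -> list:
    """Successful admin logons from outside RFC 1918 space: the 'admin from the WAN' the posts say to disable."""
    return [(ev["user"], ev["src"], ev["time"]) for ev in events
            if ev["event"] == "LOGON_SUCCESS" and ev["user"] in admins and not is_internal(ev["src"])]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    locked, flagged = lockout_report(evs)
    print("locked accounts:", sorted(locked))
    print("successes after lockout:", flagged)
    print("admin logons from WAN:", external_admin_logons(evs))
    for candidate in ("password", "Voicemail1!"):
        print(candidate, "meets policy:", password_meets_policy(candidate))
```

Run against the constructed lines, the replay flags the `admin` success at 02:11:13 (five failures preceded it, so a working lockout would have blocked it) and lists the same logon as an admin session from a non-LAN address; `jsmith`'s single failure followed by a success is normal behaviour and is not reported.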


Many Thanks

by helpdesk In reply to Agreed

Our password was weak and our network "firewall" (routers trying to be firewalls) obviously did not work. We found some email programs and it appears the box was used or primed for mass mailings to/from Russia (w/Love). Anyhow, thank you for your input, security and data is our new mantra and we're moving to get our real firewall, AD security has been stepped up (account lockouts, complex passwords... expirations/account history). This box belongs to the PBX vendor and they are confident that the doors have been closed off, PCAnywhere is removed.... I'll be keeping a closer eye on it and we'll ask for a clean install if anything weird happens, thx again
