
Windows server hacked

Posted by feivi18, 12-23-2009, 12:14 PM
Hello, yesterday I found out that my dedicated server had been hacked (a mass email program having been installed was kind of a dead giveaway...). Anyway, taking a look at the event log, I noticed many 528/10 logons from an account which has the same name as my server provider. Is this normal? EDIT: looking closer at the logs, the vast majority of the logons were outside of normal business hours, either early AM or late PM. Can this be the hacker, who is using a user name corresponding to my provider so I wouldn't notice? Or is it possible that someone at my provider has a side job? Or can this just be some normal security check (which is weird, because the logons are at all kinds of different times, and sometimes some days had more than others)? Last edited by feivi18; 12-23-2009 at 12:20 PM.
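The pattern described in this post (event ID 528 with logon type 10, which on Windows 2000/2003 is a successful Terminal Services/RDP logon, clustered outside business hours) is exactly what a small triage script can surface before anyone talks to the provider. The following is an added example, not code from the thread; it parses a constructed, comma-separated export of Security-log records (the column layout, the account name "hostprovider", the IP addresses and the 08:00 to 18:00 business window are all assumptions), keeps only 528/type-10 logons, counts how many fall outside business hours per account, and flags accounts that log in mostly off-hours or from source addresses not on an allowlist.

```python
from collections import Counter
from datetime import datetime

# Constructed sample export (assumption: one record per line, columns are
# "date time,event ID,account,logon type,source address"). Addresses are
# from documentation ranges; "hostprovider" stands in for the provider-named account.
SAMPLE_LOG = """\
2009-12-20 03:12:41,528,hostprovider,10,203.0.113.45
2009-12-20 23:47:19,528,hostprovider,10,203.0.113.45
2009-12-21 02:05:33,528,hostprovider,10,203.0.113.45
2009-12-21 09:30:02,528,administrator,10,198.51.100.7
2009-12-21 14:10:08,528,administrator,2,-
2009-12-21 22:58:50,528,hostprovider,10,203.0.113.46
2009-12-22 10:15:00,528,hostprovider,10,203.0.113.45
2009-12-22 11:00:00,540,IUSR_WEB,3,192.0.2.10
"""

# Assumed local-time business window; weekends count as off-hours too.
BUSINESS_START, BUSINESS_END = 8, 18


def parse_records(text):
    """Turn the exported lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account, logon_type, source = line.split(",")
        records.append({
            "when": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account.lower(),
            "logon_type": int(logon_type),
            "source": source,
        })
    return records


def is_off_hours(when):
    """True on weekends or outside the business window on a weekday."""
    return when.weekday() >= 5 or not (BUSINESS_START <= when.hour < BUSINESS_END)


def summarize_rdp_logons(records):
    """Per-account counts for successful Terminal Services logons (528, type 10).

    Other event IDs (e.g. 540, network logon) and other logon types
    (e.g. 2, console) are ignored so the picture matches what the
    original poster saw in the log.
    """
    summary = {}
    for r in records:
        if r["event_id"] != 528 or r["logon_type"] != 10:
            continue
        s = summary.setdefault(
            r["account"], {"total": 0, "off_hours": 0, "sources": Counter()}
        )
        s["total"] += 1
        if is_off_hours(r["when"]):
            s["off_hours"] += 1
        s["sources"][r["source"]] += 1
    return summary


def flag_accounts(summary, known_sources, off_hours_ratio=0.5):
    """Flag accounts that log in from unknown addresses or mostly off-hours."""
    flagged = {}
    for account, s in summary.items():
        unknown = sorted(set(s["sources"]) - set(known_sources))
        ratio = s["off_hours"] / s["total"]
        if unknown or ratio >= off_hours_ratio:
            flagged[account] = {"off_hours_ratio": ratio, "unknown_sources": unknown}
    return flagged


if __name__ == "__main__":
    summary = summarize_rdp_logons(parse_records(SAMPLE_LOG))
    # Assumed allowlist: the admin's own office address.
    for account, info in flag_accounts(summary, {"198.51.100.7"}).items():
        print(f"{account}: {info['off_hours_ratio']:.0%} off-hours, "
              f"unknown sources {info['unknown_sources']}")
```

On a live server the same logic applies to the records pulled from the Security log (Get-EventLog on a 2003-era box, Get-WinEvent for 4624 on newer Windows), and the source addresses the script lists are the ones to look up, as the poster did, against a geolocation or WHOIS service.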

Posted by feivi18, 12-23-2009, 01:22 PM
Alright, here's the answer: I just spoke to my provider, who stressed that they absolutely do not create accounts on their clients' servers. He also pointed me to a site which helped me track the IP from the logins to Jakarta, Indonesia...

Posted by Motiv, 12-23-2009, 02:31 PM
Ehh, not good. Hope you can get it cleaned up easily!

Posted by feivi18, 12-23-2009, 02:51 PM
Thankfully, my current server admin (24x7servermanagement.com) is doing an excellent, excellent, job. They've been very quick to react to and solve any problems.

Posted by brentsaner, 12-24-2009, 01:43 AM
Yikes. Definitely not normal. Once you get cleaned up, I'd definitely audit the web content (assuming it's serving any www traffic). Since it's JUST an e-mailer that you can find so far, I'd suggest it's something that was planted via a web vuln and not a full-blown compromise; you'd probably not even see those entries if it was a full-blown compromise. As for it being the same name as the provider, that doesn't necessarily mean anything. More important here is that you're compromised; you can do further forensics as to whom once you get that taken care of.
