Help with a hacking problem, please

For the past week we've had a hacker trying to gain access to one of our servers and we have been blocking it quite easily, but he's just started another attack on the server and it's not showing any IP address. Any idea:

1) what he's doing to mask it, and 2) a way to stop it, as it's rather annoying?
 
What do you mean doesn't show any IP address?

What kind of attack?

What server?

What makes you think you are being targeted?
 
Well, he managed to gain entry to the server last week and set up a porn hosting site on the server, so I'm pretty sure it's being targeted. <--- has been rectified.

It's an FTP server so there's always people trying to access it.

It's a DoS attack.

And the security logs show incoming failed password attempts as originating from IP: - (just a single dash); before, they were originating from proxies.

EDIT: Hopefully that's enough info. Sorry for the lack of info in the OP, I'm currently really busy at work, only an IT apprentice atm :( Everyone's out of the office as a credit card company's servers we look after went boom.
 
Doesn't sound like a DoS attack to me.

Unless his actions are stopping the legitimate services that server provides from being accessed.

My first comment would be stop using FTP!! Move to a more secure file transfer protocol.

When he gained access was it that he used a valid username/pass that was setup on the box?

How many FTP accounts are set up, and are the passwords audited for strength at all?
 
EDIT: Hopefully that's enough info. Sorry for the lack of info in the OP, I'm currently really busy at work, only an IT apprentice atm :( Everyone's out of the office as a credit card company's servers we look after went boom.

Made me laugh! :D

What FTP Server software is it?
 
We told 'em not to use FTP but some crappy software they use needs it and they won't change :( And their passwords are audited, they just got lucky.
 
When he gained access was it that he used a valid username/pass that was setup on the box?

That's a point, was the FTP account also a system account? I did wonder if he might have installed something on the box, but I think even then it would still show up with an IP.
 
The server died because we told them it had adequate failovers; they wanted to test it, so they pulled the power out of the back of the server while it was starting up and corrupted it. Luckily the failover did work.
 
He logged on using an old account of somebody who had left, who didn't have any admin powers.

And the account wasn't removed? tut tut ;)

Well, my first action then would be to audit every account on there to make sure you only have the minimum number required. Account management is a massively overlooked area and, when not managed properly, can land you in a world of hurt.

If it's a public facing box then I would also highly recommend a pen test (I'm sure J.B.'s rates are reasonable :) ) or at least a vuln scan just to see if anything is picked up.

But depending on the size of your company you might already have this kind of thing done, especially if you look after credit card servers and fall into PCI-DSS compliance...
 
He logged on using an old account of somebody who had left, who didn't have any admin powers.

Sounds like you have some housekeeping to do.

Clear out old accounts, ensure active accounts have strong passwords, as above stop using FTP and start using SCP etc. where possible.

Sounds like prevention might be the best cure in this instance.
 
If they insist on using FTP then they will be exploited. FTP is insecure enough to warrant changing the software that depends on it. If you must use FTP then you should set it up in a DMZ with no access to the main network. Alternatively, put it on another internet line completely and use a manual way of getting data off it, e.g. a USB stick.

Switch to SFTP. Set up a FreeBSD server with SFTP access, but you should still put that into a DMZ.
 
Or if the software really won't change from FTP then you could set up a kind of reverse proxy to do it.

Outside world > Gateway machine: file transfers by some secure method

Then you could transfer from your gateway machine to the actual application via FTP, as the traffic will be internal / from a DMZ to internal through a firewall.

The main thing is that you're not exposing FTP to the outside world directly.

But that would all depend on how the initial connection is made as to whether that would ever work :p
 
Is there any data on there that's supposed to be confidential? If so you have a serious problem if the hacker can access it...

But just make sure that the backups (if any) are being scheduled, and are actually working.

EDIT:
Also, it would show his IP in the router logs, I would've thought...
 
highly recommend a pen test (I'm sure J.B.'s rates are reasonable :) ) or at least a vuln scan just to see if anything is picked up.

I agree completely and I have been known to have flexible rates ;)

I did some work for a public sector client who had a very similar requirement; we ended up recommending they have a staging area which was public-ish (DMZ) facing, where the files were dumped before being picked up and taken into the network for whatever it is they did with them.

We also recommended they used IP filtering, as the data was always coming in from the same place.

Sometimes businesses are averse to change, but there are little things that can be done to not make it such easy pickings.
 
They're not gonna change until they're forced to by some hacker who destroys their system.

Usually the case, I was just thinking out loud really :)

As has been said, check other logs for connections at the same time as the failed logins to see if they will reveal his IP.

Also, if he (or she!) has got in before, then make sure they haven't done anything to the logging to mask their attempts (like switching off IP address logging). Are other users' IP addresses being correctly logged?
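The two checks suggested above (correlate failed logins that show "ip: -" with the firewall's connection log at the same time, and measure how often the IP field is missing at all) written out as a small script. This is an added example, not code from anyone in the thread; the log formats, timestamps and addresses are constructed for illustration and will need adapting to the real server's format.

```python
import re
from datetime import datetime

# Constructed sample FTP auth log: the source IP field is sometimes just "-",
# which is the symptom described in the thread. Format is made up.
AUTH_LOG = """\
2011-10-13 09:15:02 LOGIN_FAIL user=jsmith ip=203.0.113.45
2011-10-13 09:15:09 LOGIN_FAIL user=admin ip=-
2011-10-13 09:15:10 LOGIN_FAIL user=admin ip=-
2011-10-13 09:16:30 LOGIN_OK user=backup ip=198.51.100.7
2011-10-13 09:17:01 LOGIN_FAIL user=root ip=-
"""

# Constructed sample firewall/router log of accepted connections to TCP/21.
CONN_LOG = """\
2011-10-13 09:15:01 ACCEPT TCP 203.0.113.45:51022 -> 192.0.2.10:21
2011-10-13 09:15:08 ACCEPT TCP 192.0.2.99:40311 -> 192.0.2.10:21
2011-10-13 09:16:29 ACCEPT TCP 198.51.100.7:33001 -> 192.0.2.10:21
2011-10-13 09:17:00 ACCEPT TCP 192.0.2.99:40312 -> 192.0.2.10:21
"""

AUTH_RE = re.compile(r"^(\S+ \S+) (LOGIN_\w+) user=(\S+) ip=(\S+)$")
CONN_RE = re.compile(r"^(\S+ \S+) ACCEPT TCP (\S+):\d+ -> \S+:21$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_auth(text):
    """Return (timestamp, event, user, ip) tuples from the auth log."""
    rows = [AUTH_RE.match(line) for line in text.splitlines()]
    return [(parse_ts(m[1]), m[2], m[3], m[4]) for m in rows if m]

def parse_conns(text):
    """Return (timestamp, source_ip) tuples for connections to port 21."""
    rows = [CONN_RE.match(line) for line in text.splitlines()]
    return [(parse_ts(m[1]), m[2]) for m in rows if m]

def correlate(auth, conns, window=2):
    """For each failed login with no source IP, collect the firewall-seen
    sources that connected to port 21 in the `window` seconds before it."""
    hits = {}
    for ts, event, user, ip in auth:
        if event == "LOGIN_FAIL" and ip == "-":
            near = {src for cts, src in conns
                    if 0 <= (ts - cts).total_seconds() <= window}
            hits.setdefault(user, set()).update(near)
    return hits

def missing_ip_ratio(auth):
    """Share of auth events with no IP; a high value suggests logging has
    been switched off or tampered with rather than a clever attacker."""
    return sum(1 for *_, ip in auth if ip == "-") / len(auth) if auth else 0.0
```

With the constructed data, both "-" bursts line up with connections from 192.0.2.99 a second or two earlier, and 3 of 5 auth events have no IP, which is the signal that IP logging itself needs checking.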
 