
SBS 2K3 server hacked and Poker program installed on it

  • 04-01-2011 12:34pm
    #1
    Registered Users, Registered Users 2 Posts: 3,619 ✭✭✭


    Hi all, our SBS 2K3 server was hacked during Christmas and it seems that 2 poker programs have been installed on it. Namely Pokerstar and Poker Tilt. I wonder has anyone else experienced this or similar?


Comments

  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    Are you sure they were hacked, rather than employee interference being at play? What does the browser cache/history state? In a real sense, it should be empty on a server, other than one or two known sites [microsoft.com etc]


    Do you have any port forwarding to this server? If so, why? Can they be closed? If not, apply all security updates and secure that box. Uninstall / disable any services that aren't being used.


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    RangeR wrote: »
    Are you sure they were hacked, rather than employee interference being at play? What does the browser cache/history state? In a real sense, it should be empty on a server, other than one or two known sites [microsoft.com etc]


    Do you have any port forwarding to this server? If so, why? Can they be closed? If not, apply all security updates and secure that box. Uninstall / disable any services that aren't being used.


    Doesn't make sense unless it's an American kid who wants to play poker. Even then someone with sense would install an ssh server or proxy.


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    JimmyCrackCorn wrote: »
    Doesn't make sense unless it's an American kid who wants to play poker. Even then someone with sense would install an ssh server or proxy.

    Seriously, you are thinking like an intelligent person. I have a few customers who think that way too so, sometimes are lax on their server security. Some don't even have high grade server rooms.

    In some of these customer sites, it has been known for random employees to get onto them and surf because the servers would be excluded from any web filtering / restrictions.

    Do what I asked, have a look at the web history on that box or the Event logs for RDP / VNC access. Something should point you in the right direction.



    Edit : Sorry, I assumed you were the OP. You aren't.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Sounds like boredom-induced stupidity to me. Some tech or Admin, in work over the Christmas period with literally nothing going on, and no one in, thinks it's a good idea to install some poker software to while away the hours. I can think of little to no other reason why a remote attacker would do such a thing.


  • Registered Users, Registered Users 2 Posts: 67 ✭✭.Bob


    May be admins as other members suggested, but also could be a lot more. People use stolen credit cards and use them on gambling sites to launder the money - they would play against a friend or themselves and intentionally lose.

    So there could be a (remote) chance the servers were used for this.


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    I guess we'll never know. OP seems to have fooked off.


  • Registered Users, Registered Users 2 Posts: 7 fishcalledpaddy


    This has just clicked something in me... for the past few weeks I have been seeing this installed on customers' servers that I support. I asked the customers not to install anything on the servers and they swore that they didn't. I've counted 6 servers so far...
    I'm gonna dig deeper.
    Either it's a very popular program or ??


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    fishcalledpaddy wrote: »
    This has just clicked something in me... for the past few weeks I have been seeing this installed on customers' servers that I support. I asked the customers not to install anything on the servers and they swore that they didn't. I've counted 6 servers so far...
    I'm gonna dig deeper.
    Either it's a very popular program or ??

    How secure are the customer servers?


  • Registered Users, Registered Users 2 Posts: 7 fishcalledpaddy


    Well... I thought they were secure :) Usual stuff... SMTP and SSL in + RDP with an above-normal strength password... have not changed the admin account name or the RDP port... so someone would have to brute hack a password.


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    fishcalledpaddy wrote: »
    Well... I thought they were secure :) Usual stuff... SMTP and SSL in + RDP with an above-normal strength password... have not changed the admin account name or the RDP port... so someone would have to brute hack a password.

    I mean physically. If the servers are in rooms that have easy access by staff, then this is not secure, etc.


  • Registered Users, Registered Users 2 Posts: 3,619 ✭✭✭Fujitsu10


    Sorry for not getting back to the thread. The problem is now resolved (I hope). From a security point of view nobody had access to the physical server (confirmed with CCTV).
    I'm not an expert on servers but have a little knowledge (we employ an outside company to do this). However, after doing some research and investigation with them, it seems that not changing the Administrator's user name is a big security risk. It looks like the server was hacked using RDC and a password program. We reconfigured the firewall to only allow specific IP addresses to have access. We also changed all passwords and the administrator's user name. The logs indicated that a user with the administrator user name was hitting the server with various IP addresses, all from Asia.
    Hopefully all is secure now.


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    Fujitsu10 wrote: »
    Sorry for not getting back to the thread. The problem is now resolved (I hope). From a security point of view nobody had access to the physical server (confirmed with CCTV).
    I'm not an expert on servers but have a little knowledge (we employ an outside company to do this). However, after doing some research and investigation with them, it seems that not changing the Administrator's user name is a big security risk. It looks like the server was hacked using RDC and a password program. We reconfigured the firewall to only allow specific IP addresses to have access. We also changed all passwords and the administrator's user name. The logs indicated that a user with the administrator user name was hitting the server with various IP addresses, all from Asia.
    Hopefully all is secure now.


    I assume you mean RDP


    Also please tell me you fully re-built the server so you know it's not compromised/root-kitted/evil for sure.

    Other issues:
    - Your admin password was compromised. Revise your password policy.
    - Your server is accessible on the internet via RDP etc.


  • Registered Users, Registered Users 2 Posts: 3,619 ✭✭✭Fujitsu10


    JimmyCrackCorn wrote: »
    I assume you mean RDP


    Also please tell me you fully re-built the server so you know it's not compromised/root-kitted/evil for sure.

    Other issues:
    - Your admin password was compromised. Revise your password policy.
    - Your server is accessible on the internet via RDP etc.

    Our external IT Company carried out all of the above. And I should have typed RDP and not RDC!!

    I believe from speaking to other people that a lot of servers have these poker programs running on them.

    Just a point to note, I believe the hacker created a user called "sys" which had full administration rights.
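
Added example, not part of the thread or written by any poster: a log triage sketch for the pattern described above (repeated failed RDP logons for the administrator account from many addresses, a successful logon, then a new account such as "sys" given administrator rights). The CSV layout, the sample rows, the thresholds and the `triage` function are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Security-log event IDs: Windows Server 2003 value, then the Vista-and-later equivalent.
FAILED_LOGON = {"529", "4625"}
LOGON_OK = {"528", "4624"}
USER_CREATED = {"624", "4720"}
LOCAL_GROUP_ADD = {"636", "4732"}
RDP_LOGON_TYPE = "10"  # RemoteInteractive

# Constructed sample export (hypothetical CSV layout, documentation IP ranges).
# Columns: time, event_id, account, logon_type, source_ip, target
SAMPLE_LOG = """\
2011-01-01T02:10:00,529,Administrator,10,203.0.113.7,
2011-01-01T02:10:04,529,Administrator,10,198.51.100.23,
2011-01-01T02:10:09,529,Administrator,10,203.0.113.90,
2011-01-01T02:10:15,529,Administrator,10,198.51.100.77,
2011-01-01T02:10:21,528,Administrator,10,203.0.113.7,
2011-01-01T02:14:02,624,Administrator,,,sys
2011-01-01T02:14:30,636,Administrator,,,Administrators:sys
2011-01-03T09:00:00,529,jsmith,10,192.0.2.15,
2011-01-03T09:00:20,528,jsmith,10,192.0.2.15,
"""

def triage(log_text, min_failures=3, min_sources=2):
    """Return (guessed_accounts, new_admins) found in an exported Security log."""
    failures = defaultdict(list)  # account -> source IPs of failed RDP logons
    guessed = {}                  # account -> (time, ip) of first RDP success after the failures
    created, new_admins = set(), []
    for time, event_id, account, logon_type, ip, target in csv.reader(io.StringIO(log_text)):
        key = account.lower()
        if event_id in FAILED_LOGON and logon_type == RDP_LOGON_TYPE:
            failures[key].append(ip)
        elif event_id in LOGON_OK and logon_type == RDP_LOGON_TYPE:
            ips = failures[key]
            if len(ips) >= min_failures and len(set(ips)) >= min_sources:
                guessed.setdefault(key, (time, ip))
        elif event_id in USER_CREATED and key in guessed:
            created.add(target.lower())  # account made by a login we already distrust
        elif event_id in LOCAL_GROUP_ADD:
            group, _, member = target.partition(":")
            if group == "Administrators" and member.lower() in created:
                new_admins.append(member)
    return guessed, new_admins

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The single mistyped password for `jsmith` in the sample stays below both thresholds, so only the multi-source run against `Administrator` is reported.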


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    Fujitsu10 wrote: »

    I believe from speaking to other people that a lot of servers have these poker programs running on them.

    I hope not unless your servers are used in the poker/gambling industry.


  • Registered Users, Registered Users 2 Posts: 3,619 ✭✭✭Fujitsu10


    I bet the majority of small businesses wouldn't even know if it was happening...

