Advertisement
Help Keep Boards Alive. Support us by going ad free today. See here: https://subscriptions.boards.ie/.
If we do not hit our goal we will be forced to close the site.

Current status: https://keepboardsalive.com/

Annual subs are best for most impact. If you are still undecided on going Ad Free - you can also donate using the Paypal Donate option. All contribution helps. Thank you.
https://www.boards.ie/group/1878-subscribers-forum

Private Group for paid up members of Boards.ie. Join the club.

SBS 2K3 server hacked and Poker program installed on it

  • 04-01-2011 12:34PM
    #1
    Registered Users, Registered Users 2 Posts: 3,619 ✭✭✭


    Hi all, our SBS 2K3 server was hacked during christmass and it seems that 2 poker programs have been installed on it. Namely Pokerstar and Poker Tilt. I wonder has anyone else experienced this or similar?


Comments

  • Registered Users, Registered Users 2 Posts: 7,258 ✭✭✭RangeR


    Are you sure they were hacked rather then employee interference could be at play? What does the browse cache/history state? In a real sense, it should be empty on a server, other than one or two known sites [microsoft.com etc]


    Do you have any port forwarding to this server? If so, why? Can they be closed? If not, apply all security updates and secure that box. Uninstall / disable any services that aren't being used.


  • Registered Users, Registered Users 2 Posts: 1,689 ✭✭✭JimmyCrackCorn


    RangeR wrote: »
    Are you sure they were hacked rather then employee interference could be at play? What does the browse cache/history state? In a real sense, it should be empty on a server, other than one or two known sites [microsoft.com etc]


    Do you have any port forwarding to this server? If so, why? Can they be closed? If not, apply all security updates and secure that box. Uninstall / disable any services that aren't being used.


    Doent make sense unless its an american kid who wants to play poker. Even then someone with sense would install an ssh server or proxy.


  • Registered Users, Registered Users 2 Posts: 7,258 ✭✭✭RangeR


    Doent make sense unless its an american kid who wants to play poker. Even then someone with sense would install an ssh server or proxy.

    Seriously, you are thinking like an intelligent person. I have a few customers who think that way too so, sometimes are lax on their server security. Some don't even have high grade server rooms.

    In some of these customer sites, it has been know for random employees to get onto them and surf because the servers would be excluded from an web filtering / restrictions.

    Do what I asked, have a look at the web history on that box or the Event logs for RDP / VNC access. Something should point you in the right direction.



    Edit : Sorry, I assumed you were the OP. You aren't.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Sounds like boredom induced stupidity to me. Some tech or Admin, in work over the Christmas period with literally nothing going on, and no one in, thinks its a good idea to install some poker software to while a way the hours. I can think of little to no other reason why a remote attacker would do such a thing.


  • Registered Users, Registered Users 2 Posts: 67 ✭✭.Bob


    may be admins as other members suggested, but also could be a lot more. People use stolen credit cards and use them on gambling sites to launder the money - they would play against a friend or themselves and intensionally lose.

    so there could be a (remote) chance the servers were used for this.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 7,258 ✭✭✭RangeR


    I guess we'll never know. OP seems to have fooked off.


  • Registered Users, Registered Users 2 Posts: 7 fishcalledpaddy


    this has just clicked something in me..for the past few weeks i have been seeing this installed on customers servers that i support. i asked the customers not to install anything on the servers and they swore that they didnt. Ive counted 6 servers so far...
    im gonna dig deeper.
    either its a very popular program or ??


  • Registered Users, Registered Users 2 Posts: 7,258 ✭✭✭RangeR


    this has just clicked something in me..for the past few weeks i have been seeing this installed on customers servers that i support. i asked the customers not to install anything on the servers and they swore that they didnt. Ive counted 6 servers so far...
    im gonna dig deeper.
    either its a very popular program or ??

    How secure are the customer servers?


  • Registered Users, Registered Users 2 Posts: 7 fishcalledpaddy


    well...ithought they were secure :) usual stuff...smtp and ssl in + rdp with a above normal strenght password... have not changed the admin account name or the rdp port...so someone would have to brute hack a password.


  • Registered Users, Registered Users 2 Posts: 7,258 ✭✭✭RangeR


    well...ithought they were secure :) usual stuff...smtp and ssl in + rdp with a above normal strenght password... have not changed the admin account name or the rdp port...so someone would have to brute hack a password.

    I mean physically. If the servers are in rooms that have easy access by staff, then this is not secure, etc.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 3,619 ✭✭✭Fujitsu10


    Sorry for not getting back to the Thread. The problem is now resolved (I hope). From a security point of view no body had access to the Physical Server (confirmed with CCTV).
    I'm not an expert on Servers but have a little knowledge (we employ an outside company to do this) however after doing some research and investigation with them it seems that not changing the Administrators user name is a big security risk. It looks like the server was hacked using RDC and a password program. We reconfigured the Firewall to only allow specific IP address to have access. We also changed all passwords and the administrators user name. The logs indicated that a user with administrator user name was hitting the server with various Ip address all from Asia.
    Hopefully all is secure now.


  • Registered Users, Registered Users 2 Posts: 1,689 ✭✭✭JimmyCrackCorn


    Fujitsu10 wrote: »
    Sorry for not getting back to the Thread. The problem is now resolved (I hope). From a security point of view no body had access to the Physical Server (confirmed with CCTV).
    I'm not an expert on Servers but have a little knowledge (we employ an outside company to do this) however after doing some research and investigation with them it seems that not changing the Administrators user name is a big security risk. It looks like the server was hacked using RDC and a password program. We reconfigured the Firewall to only allow specific IP address to have access. We also changed all passwords and the administrators user name. The logs indicated that a user with administrator user name was hitting the server with various Ip address all from Asia.
    Hopefully all is secure now.


    I assume you mean RDP


    Also please tell me you fully re-built the server so you know its not compromised/root-kitted/evil for sure.

    Other issues:
    -Your admin password was compromised. Revise your password policy.
    -Your server is accessible on the internet via rdp etc


  • Registered Users, Registered Users 2 Posts: 3,619 ✭✭✭Fujitsu10


    I assume you mean RDP


    Also please tell me you fully re-built the server so you know its not compromised/root-kitted/evil for sure.

    Other issues:
    -Your admin password was compromised. Revise your password policy.
    -Your server is accessible on the internet via rdp etc

    Our external IT Company carried out all of the above. And I should have typed RDP and not RDC!!

    I believe from speaking to other people that a lot of servers have these poker programs running on them.

    Just a point to note, I believe the hacker created a user called "sys" which had full administration rights.


  • Registered Users, Registered Users 2 Posts: 1,689 ✭✭✭JimmyCrackCorn


    Fujitsu10 wrote: »

    I believe from speaking to other people that a lot of servers have these poker programs running on them.

    I hope not unless your servers are used in the poker/gambling industry.


  • Registered Users, Registered Users 2 Posts: 3,619 ✭✭✭Fujitsu10


    I bet the majority of small business wouldn't even know if it was happening...


Advertisement