-
February 18th, 2003, 07:34 PM
#21
Retaliation is likely not the smart thing to do here (remember, he got you once, next time he might be destructive). I recommend, if you have had enough of the little bugger, put in a firewall rule to completely drop his IP ( or the whole subnet if you want). Take a small snapshot of your firewall log and send it off to [email protected] and let them take care of him. You have got enough to do just cleaning up his mess.
Good Luck.
Cheers:
-
February 18th, 2003, 07:39 PM
#22
netstat only shows 1 established right now.
TCP 192.168.1.200:445 24.193.235.232:1791
That mean anything to anyone?
-
February 18th, 2003, 07:59 PM
#23
port 445
microsoft-ds 445/tcp Microsoft-DS
microsoft-ds 445/udp Microsoft-DS
looks like some vulnerabilities... Dos attacks, etc.
http://www.dshield.org/port_report.php?port=445
http://archives.neohapsis.com/archiv...2-q2/0025.html
port 445 is also used by Nimda
port 1971
ea1 1791/tcp EA1
ea1 1791/udp EA1
24.193.0.0 - 24.193.255.255
ROADRUNNER-NYC
13241 Woodland Park Road
Herndon, VA, 20171
US
just like water off a duck's back... I AM HERE.
for CMOS help, check out my CMOS tut?
-
February 18th, 2003, 08:07 PM
#24
Kapper:
To be honest at this point, disconnect the box from the internet. No offence but you seem to be a tad out of your depth. I have been busy and still am but I need to reread the whole thread. It seems like you are not firewalled, (but I might have missed that), and that it is possible he still has control. That would put your other boxes at risk too if they already haven't been "jumped"
Let me look through and I'll see if we can choose the most efficient course of action - or maybe play with them if we can secure the rest of the network...
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 18th, 2003, 08:09 PM
#25
Port 445 is Microsoft's way of running SMB over TCP/IP instead of using 3 ports to do it as they had before. There's a good explanation of it here:
http://ntsecurity.nu/papers/port445/
What are the file sizes of those gz files you mentioned... If they're relatively small, could you post them here for us to look at?
EDIT: TigerShark is probably right. At this point, it's looking more and more like we'll have to figure this out from a forensics point of view rather than an observer point of view.
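The thread's diagnostic step is a `netstat` listing with one ESTABLISHED session on TCP 445 from a non-local address. The script below is an added illustration, not code from any poster: it parses a constructed `netstat -an` sample (which includes the connection quoted above) and flags established SMB sessions whose peer is a public Internet address, which on a home web server is the kind of session that should never exist. The sample lines, the `SMB_PORTS` set and the function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -an` output. It was not captured from
# the poster's machine; only the 445 line mirrors the one quoted in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.200:80       192.168.1.50:3344      ESTABLISHED
  TCP    192.168.1.200:445      24.193.235.232:1791    ESTABLISHED
  TCP    192.168.1.200:139      192.168.1.51:1092      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports that carry Windows file sharing (NetBIOS session service and SMB over
# TCP). A web server in a DMZ has no business accepting these from the Internet.
SMB_PORTS = {139, 445}

# Proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield one dict per connection line; header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        yield {
            "proto": proto,
            "local": laddr,
            "lport": int(lport),
            "foreign": faddr,
            "fport": fport,          # kept as text: UDP lines show '*'
            "state": state or "",
        }


def is_external(addr):
    """True when addr is a routable unicast address outside the local network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:               # '*', hostnames, or garbage
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified
                or ip.is_link_local or ip.is_multicast)


def exposed_smb_sessions(text):
    """Return established TCP sessions on SMB ports whose peer is on the Internet."""
    return [
        c for c in parse_netstat(text)
        if c["proto"] == "TCP"
        and c["state"] == "ESTABLISHED"
        and c["lport"] in SMB_PORTS
        and is_external(c["foreign"])
    ]


if __name__ == "__main__":
    for c in exposed_smb_sessions(SAMPLE_NETSTAT):
        print(f"SMB session from Internet host {c['foreign']}:{c['fport']} "
              f"to {c['local']}:{c['lport']}")
```

The same check works against a saved `netstat -an > netstat.txt` capture taken during an incident: the LAN-to-LAN file sharing on 139 is ignored, and only the 445 session from the public 24.193.x.x peer is reported. The filter uses the local port rather than the foreign one because the foreign port (1791 here) is an ephemeral client port that carries no meaning on its own.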
-
February 18th, 2003, 08:16 PM
#26
I have been sitting here thinking the same thing.
I need to go to work for a few hours and I hate to leave this unattended. And, you are right. I am definitely out of my depth but, this is why I set up a web server. So, I could learn about how this type of stuff happens. Heaven forbid I should learn this stuff on my corporate web site or a customers. (If I had one. LOL)
I want to learn. That's the whole idea.
I believe he has compromised my web server because I have it in the DMZ (no software firewall). I don't run a software firewall since I installed the router. When I set up a box in the DMZ I guess I should have added a software firewall?
I suppose I should install ZA or TPF on the web server.
For now, I will shut down the web server. 
I'm going to also, remove the IP from the DMZ on my router.
I'll be back in a few hours.
Thank you all very much. Doesn't look like AO has changed much since I hung around. Still a great group. Is JP still in charge?
Hogfly? MsMittens? Negative? Well, I'll reminisce later. LOL
I'll be back in a few hours.
-
February 18th, 2003, 08:33 PM
#27
Once you get back online read the following thread:
How to Lock Down Your WinXP Box...
Many things apply to other NT based machines as well so don't be fooled by the title.
Hope you have logged some of that traffic and got in touch with the abuse mail person.
Try reading up a bit on intrusion detection.
If you really want to learn more about the subject consider setting up a honeypot if you have a spare box.
-
February 18th, 2003, 08:37 PM
#28
OK, I really am leaving this time. LOL
My wife is screaming about the pics for her eBay auctions so, the server is still up. LOL
I took the IP of the server out of the DMZ and put it into port forwarding under port 80.
Hope this is OK.
See ya in a few and, thanks again, guys.
-
February 18th, 2003, 08:50 PM
#29
You may also want to consider changing all your passwords. I am not sure if you have thought of this, but go through the manage users accounts and take a look in AD, if you are running it, at the list of users. Any there that don't belong? Delete them. Change the login/password on your router. Change your normal admin and users passwords. Just some precautions to be on the safe side.
Edit: have you run a recent antivirus scan with all the definitions up to date? Just a thought, make sure he didn't use some form of virii to initially get in.
Duct tape.....A whole lot of Duct Tape
Spyware/Adaware problem? Click here
-
February 18th, 2003, 09:15 PM
#30
hmm.... Well, after reading all this, I come to the following:
1) You built a webserver because you wanted to learn..... Well, you're learning.... I think you should take advantage of the fact that you're being hacked as we speak.... I say that you try your best to take this guy down, by what DJM said.. Report him..
2) I say you leave the server there (but disconnect it from your LAN) because you have so much information about him (except his home address): you know where he's at (France), we know that he uses ADSL, and even have his IP... I say take advantage of the fact that he keeps coming back to load files on your server.... If you have this much on him already, why just unplug it now? Read as much as you can, brother. We all don't know EVERYTHING, but this gives you no reason to give up.. "I built it to learn" so learn. Learn how to take this guy down..
3) (Gz) is a file extension. I believe, when playing around with my Linux box, this is a file that is what we call "tarred", like "zipped" in Windows' case... I think he's using your computer to serve Linux files.... I think you should send those files to someone running Linux... maybe they can pick apart the file on a machine that is really shitty.. I would say send it to me, but I really don't know enough either! hahaha... awesome thread, it gives me shivers reading everyone's reply...
Good luck... and remember, if he keeps coming back "he thinks you don't know", or he "wants you to know", and that's where his mistake lies....
I must admit for a cracker that dedicated a lot of time ****ing up your system, he was REALLY messy.......