Classicmotorcycling
Development Team Leader
Australia
2085 Posts
Posted - 16 April 2004 : 19:43:08

Well I had fun yesterday on my server just before I patched it with the latest hot fixes (I know I was slack). I found 3 IPC$ shares on my server from 3 different external IP addresses:

\\62.147.188.156\ipc$ (owner proxad.net)
\\62.192.96.45\ipc$ (owner nl.easynet.net)
\\62.42.155.74\ipc$ (owner ono.com)

And I also found 3 worms on my system for the W32.Randex.gen. The 3 files were ntlord.exe (x 2) and winuser32.exe, all in different locations through my server. The worm basically does this:

- Spreading through network shares
- Attacking randomly generated IP addresses
- Using default credentials or weak username/password pairs to connect to a remote target system
- Opening backdoor ports
- Opening connections to predetermined IRC servers and waiting for commands from an attacker
- Performing Denial of Service (DoS) attacks

More info available here: W32.Randex.gen

I thought that I was pretty well protected, but obviously not as well as I thought. So I thought that I would pass it on, since those that do their own hosting, or even just connect to the internet, are subject to these attacks.

Cheers, David Greening

Doug G
Support Moderator
USA
6493 Posts
Posted - 16 April 2004 : 23:23:20

Did you determine how they got in to your server?

I had a server hacked some time back. I had a web server running and forgot it was exposed to the net; I only used it for development, and not often at that. Sure enough, after not paying attention to it for a few months, I suddenly found various infections during a virus scan.

That reminded me to always pay attention to exposed services :)

====== Doug G ====== Computer history and help at www.dougscode.com

zinpin
Junior Member
Australia
202 Posts
Posted - 16 April 2004 : 23:29:31

Sorry for my ignorance, but how do you go about checking for something like that? I mean the IPC$ shares.

Classicmotorcycling
Development Team Leader
Australia
2085 Posts
Posted - 17 April 2004 : 04:20:34

Yes, I found how they got in, but it has me beat, as the user account they used doesn't have remote access or admin rights.

quote: Originally posted by Doug G
Did you determine how they got in to your server?
I had a server hacked some time back, I had a web server running and forgot it was exposed to the net, I only used it for development and not often at that. Sure enough, after not paying attention to it for a few months, I suddenly found various infections during a virus scan.
That reminded me to always pay attention to exposed services :)

It does pay to go over your server at least once a week. Not only a virus update, but do a check to make sure no one is sharing your hard drives.

Cheers, David Greening

Classicmotorcycling
Development Team Leader
Australia
2085 Posts
Posted - 17 April 2004 : 04:22:35

Zinpin,

The easiest way to check to see if someone is sharing your IPC$ is to open a command (cmd) box and type in net use to see who is sharing, but to see what shares you have on the computer, use net share.

quote: Originally posted by zinpin
sorry for my ignorance but how do you go about checking for something like that? I mean the IPC$ shares

That will show you what shares there are and if they are being accessed remotely.

[edit:]I hate it when you type the wrong thing[/edit:]

Cheers, David Greening

Edited by - Classicmotorcycling on 17 April 2004 04:25:53

chumbawumba
Junior Member
United Kingdom
304 Posts
Posted - 17 April 2004 : 05:02:43

Net Share:

Share name   Resource                        Remark
-------------------------------------------------------------
D$           D:\                             Default share
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC
The command completed successfully.

Does this mean I have accessible shares on my PC?
net use said there were no connections.

HuwR
Forum Admin
United Kingdom
20611 Posts
Posted - 17 April 2004 : 05:31:51

That depends on your situation; just because you have shared resources does not mean they are accessible. Are you behind a firewall or router? If you aren't, I would strongly suggest that you install one.

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 17 April 2004 : 07:18:55

Windows by default creates certain shares at installation time: IPC$, ADMIN$ and one for each hard drive. Any share with a $ at the end of its name is a hidden share (which doesn't mean it's secure, just that it won't appear if someone's browsing the network enumerating shares).

Kiwihosting.Net - The Forum Hosting Specialists

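The checks in the three posts above (net use and net share from Classicmotorcycling, chumbawumba's net share listing, and Gremlin's note on the default IPC$, ADMIN$ and per-drive shares) can be turned into a repeatable weekly review. The Python script below is an added example written for this page, not code from the forum or from any of the posters. It parses the text that net share prints and classifies each share as a Windows default or a user-created one; a hidden share whose name only looks like a drive share (an E$ that does not point at the root of E:) is reported rather than trusted. One point worth knowing for the review: net use lists the connections this machine has opened to other hosts, while inbound sessions from other machines are listed by net session, so the script parses that output as well. The embedded listings are constructed samples: the four default shares from chumbawumba's post plus two hypothetical extra shares (wwwroot and E$), and a hypothetical inbound session from a documentation address.

```python
"""Audit `net share` and `net session` listings for a weekly share review.

Constructed example for this thread; it is not code from the forum or from
any of the posters. It parses the text `net share` prints (the shares this
host offers) and the text `net session` prints (inbound SMB sessions from
other machines), flags shares Windows did not create, and lists attached hosts.
"""
import re

# Windows' own per-drive shares are named X$ and point at the root of X:.
DRIVE_SHARE = re.compile(r"^([A-Z])\$$")
DRIVE_ROOT = re.compile(r"^([A-Z]):\\?$")

# Constructed sample: the `net share` listing from chumbawumba's post plus two
# hypothetical extra shares (wwwroot and a fake E$) to show how they are reported.
NET_SHARE_SAMPLE = "\n".join([
    r"Share name   Resource                        Remark",
    r"-------------------------------------------------------------",
    r"D$           D:\                             Default share",
    r"ADMIN$       C:\WINDOWS                      Remote Admin",
    r"C$           C:\                             Default share",
    r"IPC$                                         Remote IPC",
    r"wwwroot      C:\Inetpub\wwwroot",
    r"E$           C:\Temp",
    r"The command completed successfully.",
])

# Constructed sample of `net session` output with one inbound session
# (192.0.2.10 is a documentation address, not a real host).
NET_SESSION_SAMPLE = "\n".join([
    r"Computer               User name            Client Type       Opens Idle time",
    r"",
    r"-------------------------------------------------------------------------------",
    r"\\192.0.2.10           Administrator        Windows 2000 2195     3 00:00:25",
    r"The command completed successfully.",
])


def is_default_share(name, resource):
    """True for the shares Windows creates itself: IPC$, ADMIN$ and the
    per-drive X$ shares, but only when X$ really points at the root of X:."""
    if name in ("IPC$", "ADMIN$"):
        return True
    share = DRIVE_SHARE.match(name)
    root = DRIVE_ROOT.match(resource)
    return bool(share and root and share.group(1) == root.group(1))


def parse_net_share(text):
    """Parse `net share` output into dicts, using the header line's column
    offsets so an empty Resource column (as for IPC$) is handled correctly."""
    lines = text.splitlines()
    hdr = next(i for i, line in enumerate(lines) if line.startswith("Share name"))
    res_col = lines[hdr].index("Resource")
    rem_col = lines[hdr].index("Remark")
    shares = []
    for line in lines[hdr + 1:]:
        if not line.strip() or line.startswith("---"):
            continue
        if line.startswith("The command completed"):
            break
        name = line[:res_col].strip()
        resource = line[res_col:rem_col].strip()
        shares.append({
            "name": name,
            "resource": resource,
            "remark": line[rem_col:].strip(),
            "hidden": name.endswith("$"),
            "default": is_default_share(name, resource),
        })
    return shares


def parse_net_session(text):
    """Return the client and user of each inbound session listed by `net session`.
    With no sessions the command prints a sentence instead, so this yields []."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("\\\\"):
            parts = line.split()
            sessions.append({"client": parts[0], "user": parts[1]})
    return sessions


def audit(share_text, session_text):
    """Return the findings a review should look at: shares Windows did not
    create (hidden or not) and every remote host currently attached."""
    findings = []
    for s in parse_net_share(share_text):
        if not s["default"]:
            kind = "hidden" if s["hidden"] else "visible"
            findings.append(f"non-default {kind} share {s['name']} -> {s['resource']}")
    for sess in parse_net_session(session_text):
        findings.append(f"remote session from {sess['client']} as {sess['user']}")
    return findings


if __name__ == "__main__":
    # On a Windows host the live listings can be read with
    # subprocess.run(["net", "share"], capture_output=True, text=True).stdout
    for finding in audit(NET_SHARE_SAMPLE, NET_SESSION_SAMPLE):
        print(finding)
```

Run on the samples it reports the two hypothetical shares and the one attached host; the four default shares from the post are recognised and stay quiet. On a real host, feed it the live output of the two commands instead of the samples and diff the findings from week to week.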
chumbawumba
Junior Member
United Kingdom
304 Posts
Posted - 17 April 2004 : 13:08:55

Ah, I see...

I do have a firewall, and these shares must be the ones created by Windows. I didn't make them myself. Got a bit para then, thinking the roots of my HD were being exposed without my consent. lol