Some Accessed Our Dedicated Server

[bkkmick]

Hi

I got an email from our hosting company in the UK saying that they think someone has gained access to our server and was trying an FTP connection (continuously) to a server in Holland.

Nobody's in at the hosting company (still early in the UK).

Is there any software that allows me to search the logs for illegal activity (if this can be identified at all).

I immediatly changed all the passwords to the domain and sub domains.

We're running Windows Server 2003 (no op. sys. recommendations please)

Any ideas? Or software that checks for vulnerabilities.

Thanks

Mick

Edited June 3, 2009 by bkkmick

[jackdanielsesq]

Use Linux

Get close to the admin there - they have logs of everything - how & why did they warn you?

So long as folks dont trash your system or download sensitive data, no problem.

Folks will always be accessing everything - it might simply have been a troll.

If your sites are all OK, dont sweat it. Secure your email - if its income related or sensitive.

I have recently setup several gmail addresses as backup for all my corporate emails - its a freebie.

Some folks advise changing p/w weekly - sounds a little like overkill.

BR>Jack

[bkkmick]

A company in Holland said that they were receiving attempts to connect via FTP from our IP address. I can't find any new code on there.

Some of the sub domains (set up years ago) had the executable permission set to Scripts and Executables which I changed to Scripts Only (not sure if that would give anyone access to do anything). Changed all the ftp passwords. Not sure what else to do.

Cheers Jack.

[jackdanielsesq]

If ya like, PM me the website - I will go look see

Did you get hold of the Brits?

BR>Jack

[Crushdepth]

Suggest you make a full copy/backup of your server as the first order of business, in case the attacker decides to try and cover their tracks or cause further damage. With that in hand, should seriously consider reinstalling the OS and restoring your data from a trusted backup. Otherwise you can never be 100% sure they haven't left something nasty behind. Good idea to ask your hosting company to harden the server, if they have such a service. Also a good idea to rotate all your admin passwords (not just FTP) with long and random ones.

[Prasert]

If you have a timestamp from the FTP attempt, check the security event log on your server to see who was logged on at that moment. Also a good idea to save all logs right now before they're overwritten in a rotation.

If the connection attempt could have been generated from a webscript, it's worth having a look at all the IIS logs from each website (I hope you checked every single logging option).

In case you find anything in the logs, it's certainly worth it going through the scripts running on that particular website.