Chief Delphi > Technical > IT / Communications > Website Design/Showcase

Closed Thread
#1   23-10-2007, 23:29
fireball3004 (James Davis)
FRC #2090 (Punahou Robotics)
Team Role: Animator
Join Date: Oct 2006 | Rookie Year: 2007 | Location: N/A | Posts: 94
Hacked

Our website has been hacked twice, both times maliciously. We're not entirely sure, but we think the IP addresses were from Germany, though they posted the Brazilian flag the first time. Does anyone have any suggestions on how to secure our website?
__________________
Newbies away
#2   23-10-2007, 23:37
EHaskins (Eric Haskins)
no team (CARD #6 (SCOE))
Team Role: College Student
Join Date: Jan 2006 | Rookie Year: 2006 | Location: Elkhorn, WI USA | Posts: 998
Re: Hacked

What kind of server? Who is hosting it? We'll need more info if you want us to help.

EDIT: I did a whois lookup on punahourobotics.org, and it appears that your site is hosted by BlueHost.com. Assuming you haven't been playing with DNS settings so you can self-host your site, I doubt there is much you can do, other than change hosting companies.

EDIT: I took too long to edit my post.
__________________
Eric Haskins KC9JVH

Last edited by EHaskins : 23-10-2007 at 23:44.
#3   23-10-2007, 23:42
whytheheckme (Jacob Komar)
no team
Join Date: Feb 2006 | Rookie Year: 2005 | Location: Providence, RI | Posts: 1,320
Re: Hacked

Are you talking about punahourobotics.org (69.89.25.188)?

I see that you are using bluehost as your web hosting company. They kindly kept your personal info safe from the WHOIS database, but unfortunately left a slew of information about themselves instead of paying to have it show up as anonymous.

It looks like they have ports 23 and 53 buttoned up well, which is good for you.

Ports 80 and 21 are open, which are expected (perhaps you can request secure FTP instead?). I also see 110 open, which is pop3 (do you have an email server?)

I also ran a custom scan on 3389, which is closed (another big relief).

You really need to talk to bluehost and find out exactly how the intruder got in (which port, service, and hacking method). You are running off a server called box188 on their system. Ask them to send you a report on all secure traffic on this box.

If the problem persists, change hosting companies. There is obviously a problem with the security of their hosting.

Jacob
#4   23-10-2007, 23:50
EHaskins (Eric Haskins)
no team (CARD #6 (SCOE))
Team Role: College Student
Join Date: Jan 2006 | Rookie Year: 2006 | Location: Elkhorn, WI USA | Posts: 998
Re: Hacked

Quote:
Originally Posted by whytheheckme View Post
I also ran a custom scan on 3389, which is closed (another big relief).
Is there anyone hosting anything who is stupid enough to leave RDP exposed?!?!
__________________
Eric Haskins KC9JVH
#5   23-10-2007, 23:53
Uberbots (Billy Sisson)
FRC #1124 (ÜberBots)
Team Role: College Student
Join Date: Jan 2006 | Rookie Year: 2005 | Location: Avon | Posts: 739
Re: Hacked

Has this been a consistent problem with blue host? If so, we might have to think about changing web hosts...
__________________
A few of my favorite numbers:
175 176 177 195 230 558 716 1024 1071 1592 1784 1816
RPI 2012
BREAKAWAY
#6   23-10-2007, 23:58
whytheheckme (Jacob Komar)
no team
Join Date: Feb 2006 | Rookie Year: 2005 | Location: Providence, RI | Posts: 1,320
Re: Hacked

Quote:
Originally Posted by EHaskins View Post
Is there anyone hosting anything who is stupid enough to leave RDP exposed?!?!
ummmmmmmmmmmmmmmmmm

In my early days of webhosting, I left my RDP open so I could access my webserver from anywhere (hey! give me a break... I was 8...)

Nowadays, I actually DO have RDP open on my domain (which is run out of my datacenter), but my gateway (that I built; it's a P4 w/ 2.5 GB RAM, FYI) forwards the RDP port to a specific Terminal Server that is set up solely for that purpose. Once logged into the Terminal Server, you can access a secure area of my network (using encryption) which allows you to Remote Desktop any of the servers on my network (I run 7 servers 24/7 on my domain).

So in short, I guess the answer is ME!!!

But I think I have the security measures to compensate. My domain has been running over 2 years without a problem (not referring to uhsserobotics.com, I'm referring to my personal domain that I use for remote services... FYI uhsserobotics.com is run from a separate couple of servers in my datacenter).

Jacob
#7   24-10-2007, 00:02
EHaskins (Eric Haskins)
no team (CARD #6 (SCOE))
Team Role: College Student
Join Date: Jan 2006 | Rookie Year: 2006 | Location: Elkhorn, WI USA | Posts: 998
Re: Hacked

Quote:
Originally Posted by whytheheckme View Post
So in short, I guess the answer is ME!!!
Ok, I should have said who would be stupid enough to do that without some insane amount of security.

EDIT: Just curious, what's the power consumption of a setup like that? And what's it take to keep them cool?

EDIT: Your gateway is a P4 with 2.5gb of ram?!?! My server is only a p4 with 1gb!
__________________
Eric Haskins KC9JVH

Last edited by EHaskins : 24-10-2007 at 00:08.
#8   24-10-2007, 00:04
Uberbots (Billy Sisson)
FRC #1124 (ÜberBots)
Team Role: College Student
Join Date: Jan 2006 | Rookie Year: 2005 | Location: Avon | Posts: 739
Re: Hacked

Quote:
Originally Posted by whytheheckme View Post
ummmmmmmmmmmmmmmmmm

In my early days of webhosting, I left my RDP open so I could access my webserver from anywhere (hey! give me a break... I was 8...)

Nowadays, I actually DO have RDP open on my domain (which is run out of my datacenter), but my gateway (that I built; it's a P4 w/ 2.5 GB RAM, FYI) forwards the RDP port to a specific Terminal Server that is set up solely for that purpose. Once logged into the Terminal Server, you can access a secure area of my network (using encryption) which allows you to Remote Desktop any of the servers on my network (I run 7 servers 24/7 on my domain).

So in short, I guess the answer is ME!!!

But I think I have the security measures to compensate. My domain has been running over 2 years without a problem (not referring to uhsserobotics.com, I'm referring to my personal domain that I use for remote services... FYI uhsserobotics.com is run from a separate couple of servers in my datacenter).

Jacob
I envy your amount of servers, enthusiasm, and money.
I wish I had the resources to run such a system.
__________________
A few of my favorite numbers:
175 176 177 195 230 558 716 1024 1071 1592 1784 1816
RPI 2012
BREAKAWAY
#9   24-10-2007, 00:17
whytheheckme (Jacob Komar)
no team
Join Date: Feb 2006 | Rookie Year: 2005 | Location: Providence, RI | Posts: 1,320
Re: Hacked

Quote:
Originally Posted by Uberbots View Post
I envy your amount of servers, enthusiasm, and money.
I wish i had the resources to run such a system.
I LOOOOOVEEEE servers. For the most part, my servers are retired gaming computers from myself and my friends (1ghz and above). I have a few powerhouse servers (such as my multimedia servers) that I built from NewEgg specials and black friday deals etc.

But all in all, my entire setup hasn't actually cost me that much. Except for the additional $125 a month on the electric bill (oops). But I have a job, plus I rent out server space to my friends for backups and immediate access to their files and such, so it isn't a huge deal. I just find it super convenient to open my laptop on the road, hit the BT-DUN connect button (Verizon EVDO with hacked BT-DUN on my Q... I LOVE IT), hit WinLogo-R, type mstsc, put in my domain, hit the enter button, and BAM.... I'm right at home. I can access my email, leave my instant messengers open 24/7, control music at home, check security (both physical in the house and web security), check on some of the hosting servers I have for friends (I actually host a couple of MUDs for a few MUD fanatic friends of mine). If I'm on a high speed connection somewhere, I can remote desktop into my terminal server and secure remote desktop to one of my main rigs and feel right at home. I can watch movies, play music, organize pictures, post on Chief Delphi, or whatever! I also have a VPN set up so that I can locally mount disk images on any computer and play video games on any computer (public kiosks, lab computers, etc).

I have a love for servers. I'm always looking to expand my domain (no pun intended )

Jacob

EDIT: BTW, this is completely off topic.
#10   24-10-2007, 00:11
EHaskins (Eric Haskins)
no team (CARD #6 (SCOE))
Team Role: College Student
Join Date: Jan 2006 | Rookie Year: 2006 | Location: Elkhorn, WI USA | Posts: 998
Re: Hacked

Quote:
Originally Posted by whytheheckme View Post
FYI uhsserobotics.com is run from a separate couple of servers in my datacenter).

Jacob
Have you noticed a decrease in traffic lately? I get a GoDaddy parked free page if I try to view it.
__________________
Eric Haskins KC9JVH
#11   24-10-2007, 00:21
whytheheckme (Jacob Komar)
no team
Join Date: Feb 2006 | Rookie Year: 2005 | Location: Providence, RI | Posts: 1,320
Re: Hacked

Quote:
Originally Posted by EHaskins View Post
Have you noticed a decrease in traffic lately? I get a GoDaddy parked free page if I try to view it.
Yeah, I know

Waiting for payment on the domain name to clear..... For some reason I thought it would be good to send the bill to the team as opposed to me (it's only 10 bux a year... I should have just done it)

Now I have to wait for the bill to go through the team's process for paying for it (which, I hope to god, doesn't require a purchase order or some other bureaucratic thing like that.... ). I was told it should be cleared by Friday *crosses fingers*

But the servers are up and running exactly like they should be!

Jacob
#12   24-10-2007, 13:05
Tristan Lall
FRC #0188 (Woburn Robotics)
Join Date: Aug 2001 | Rookie Year: 1999 | Location: Toronto, ON | Posts: 2,484
Re: Hacked

Quote:
Originally Posted by whytheheckme View Post
Nowadays, I actually DO have RDP open on my domain (which is run out of my datacenter), but my gateway (that I built; it's a P4 w/ 2.5 GB RAM, FYI) forwards the RDP port to a specific Terminal Server that is set up solely for that purpose. Once logged into the Terminal Server, you can access a secure area of my network (using encryption) which allows you to Remote Desktop any of the servers on my network (I run 7 servers 24/7 on my domain).
To stray a little from the topic at hand, I'm curious about that setup—mainly because I've always got it in the back of my head to try something similar. As I read your description it looks like your topology is like this:

Remote Computer (RC) ==RC's RDP=> Gateway ==Forwarded RC's RDP=> Terminal Server (TS) ==TS's RDP inside forwarded RC's RDP=> Specific Server

Doesn't that mean you're creating a second RDP session from within your terminal services client? Does that work well? (I've run RealVNC from within MSTSC, and it's terrible, but that should come as no surprise because MSTSC isn't VNC-aware. I don't recall what happens when you nest MSTSC, though.) Isn't it more usual (in the corporate world) to encapsulate the whole thing in a VPN over a different port, and have the gateway forward that directly to the required (specific) server?

Basically, it would be interesting to compare those methods...though in real life, I may have the rather more pressing problem of what to do when my cable or DSL provider decides to dynamically allocate a new IP, making me lose track of where my network exists at any given time.
#13   24-10-2007, 13:28
EHaskins (Eric Haskins)
no team (CARD #6 (SCOE))
Team Role: College Student
Join Date: Jan 2006 | Rookie Year: 2006 | Location: Elkhorn, WI USA | Posts: 998
Re: Hacked

Quote:
Originally Posted by Tristan Lall View Post
I may have the rather more pressing problem of what to do when my cable or DSL provider decides to dynamically allocate a new IP, making me lose track of where my network exists at any given time.
Check out dyndns.com's dynamic DNS service. It's free, and I know that my Linksys router will automatically keep it up to date.
__________________
Eric Haskins KC9JVH
#14   24-10-2007, 14:45
whytheheckme (Jacob Komar)
no team
Join Date: Feb 2006 | Rookie Year: 2005 | Location: Providence, RI | Posts: 1,320
Re: Hacked

Quote:
Originally Posted by Tristan Lall View Post
To stray a little from the topic at hand, I'm curious about that setup—mainly because I've always got it in the back of my head to try something similar. As I read your description it looks like your topology is like this:

Remote Computer (RC) ==RC's RDP=> Gateway ==Forwarded RC's RDP=> Terminal Server (TS) ==TS's RDP inside forwarded RC's RDP=> Specific Server

Doesn't that mean you're creating a second RDP session from within your terminal services client? Does that work well? (I've run RealVNC from within MSTSC, and it's terrible, but that should come as no surprise because MSTSC isn't VNC-aware. I don't recall what happens when you nest MSTSC, though.) Isn't it more usual (in the corporate world) to encapsulate the whole thing in a VPN over a different port, and have the gateway forward that directly to the required (specific) server?

Basically, it would be interesting to compare those methods...though in real life, I may have the rather more pressing problem of what to do when my cable or DSL provider decides to dynamically allocate a new IP, making me lose track of where my network exists at any given time.
MSTSC works WONDERFULLY cascaded.... I regularly run 3 or 4 remote desktop windows inside of each other... Imagine this:

Remote Computer => The Internet (as low as 115kbps via cell phone up to say 30 or 40 megabit on a good cable connection or on campus) => my gateway => gigabit LAN => specific server => gigabit LAN => somewhere else on the network => gigabit LAN => somewhere else

and so on and so forth. The big speed problem is in your internet connection, but once inside the LAN, RDC windows running inside of each other is absolutely no problem. I believe that the client is actually designed to do this (as it does it so seamlessly).

And regarding your 'dynamic IP'...

Most cable providers give dynamic IPs based on MAC address, so as long as you are connecting to the cable network with the same modem, you will have the same IP.... always.

DSL, on the other hand, gives you a new IP dynamically every time you reboot the connecting modem. How wonderful.

Eric is TOTALLY on the ball as far as dyndns's service. It's wonderful, as I used to use it before my cable provider started handing out 'static' IPs (yeah, I know, it's not truly static, but it's really, really close). You can use a bit of software to continuously report your IP address to dyndns. Awesome awesome stuff.

Jacob
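Following up on the dynamic DNS suggestion in posts #13 and #14 (the "bit of software to continuously report your IP address"): below is a small Python client written in the style of the dyndns2 update protocol, the HTTP interface DynDNS documented and that many providers still accept. This is an added example, not code from the thread or from DynDNS; the update endpoint, hostname, credentials, User-Agent string and the source of the current public IP are assumptions or placeholders, and the response codes are the documented dyndns2 ones. It shows the two things a reporting client has to get right to keep its account from being blocked: send an update only when the address actually changed, and stop retrying after a fatal reply such as `badauth` or `abuse`.

```python
"""Dynamic DNS updater in the style of the dyndns2 protocol.

Added example (not code from the thread or from DynDNS). The endpoint,
hostname, credentials, User-Agent and the source of the current public
IP are assumptions; the response codes are the documented dyndns2 ones.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

UPDATE_URL = "https://members.dyndns.org/nic/update"  # dyndns2 update endpoint
HOSTNAME = "myhome.example.invalid"                   # placeholder hostname
STATE_FILE = "ddns_state.json"                        # remembers the last result

# Replies that mean "do not retry until a human fixes the configuration".
# Hammering the service through these is what gets a client blocked.
FATAL_CODES = {"badauth", "nohost", "notfqdn", "badagent", "abuse", "!donator"}
# Replies that mean "provider-side trouble, try again later".
TRANSIENT_CODES = {"dnserr", "911"}


def build_update_request(hostname, ip, username, password, url=UPDATE_URL):
    """Build the GET the dyndns2 protocol expects: hostname and myip in the
    query string, HTTP Basic credentials in the Authorization header."""
    query = urllib.parse.urlencode({"hostname": hostname, "myip": ip})
    req = urllib.request.Request(f"{url}?{query}")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    # Providers require an identifying User-Agent with contact details (placeholder).
    req.add_header("User-Agent", "example-ddns-client/0.1 ops@example.invalid")
    return req


def parse_update_response(body):
    """Parse a reply line such as 'good 203.0.113.7', 'nochg 203.0.113.7' or
    'badauth'. Returns (code, ip); ip is None when the code carries none."""
    parts = body.strip().split()
    if not parts:
        return ("empty", None)
    return (parts[0], parts[1] if len(parts) > 1 else None)


def plan_update(state, current_ip):
    """Decide what this run should do. state = {'last_ip': ..., 'last_code': ...}.
    'halt'   - the previous reply was fatal, a person must intervene
    'skip'   - the address is unchanged, sending again is a pointless 'nochg'
    'update' - the address changed (or was never reported), send it"""
    if state.get("last_code") in FATAL_CODES:
        return "halt"
    if state.get("last_ip") is not None and state["last_ip"] == current_ip:
        return "skip"
    return "update"


def apply_response(state, current_ip, body):
    """Fold the provider's reply into the state. Only 'good' and 'nochg' mean
    the name now points at current_ip; any other code leaves last_ip alone."""
    code, ip = parse_update_response(body)
    new_state = dict(state, last_code=code)
    if code in ("good", "nochg"):
        new_state["last_ip"] = ip or current_ip
    return new_state


def load_state(path=STATE_FILE):
    """Read the saved state, or start fresh on the first run."""
    if os.path.exists(path):
        with open(path) as f:
            return json.load(f)
    return {"last_ip": None, "last_code": None}


def main(argv):
    # Usage: ddns_client.py <current_ip> <username> <password>
    # The caller supplies the current public IP (e.g. read from the router's
    # WAN status); fetching it is outside this example.
    if len(argv) != 4:
        print("usage: ddns_client.py <current_ip> <username> <password>", file=sys.stderr)
        return 2
    current_ip, username, password = argv[1:]
    state = load_state()
    action = plan_update(state, current_ip)
    if action != "update":
        print(f"{action}: last_ip={state['last_ip']} last_code={state['last_code']}")
        return 0 if action == "skip" else 1
    req = build_update_request(HOSTNAME, current_ip, username, password)
    with urllib.request.urlopen(req, timeout=15) as resp:  # the only network call
        body = resp.read().decode("ascii", "replace")
    state = apply_response(state, current_ip, body)
    with open(STATE_FILE, "w") as f:
        json.dump(state, f)
    print(f"provider replied: {body.strip()}")
    return 0 if state["last_code"] in ("good", "nochg") else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a scheduled task as `python ddns_client.py <current_ip> <username> <password>`; the JSON state file is what lets a scheduled run tell "address unchanged, do nothing" from "address changed, update" and is also what makes the client refuse to keep hammering the service after a `badauth` or `abuse` reply until someone fixes the account.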
#15   24-10-2007, 15:15
Tristan Lall
FRC #0188 (Woburn Robotics)
Join Date: Aug 2001 | Rookie Year: 1999 | Location: Toronto, ON | Posts: 2,484
Re: Hacked

And interestingly enough, DynDNS appears to be a FIRST team sponsor (for FRC501). I'll look into them....
Closed Thread

All times are GMT -5.

The Chief Delphi Forums are sponsored by Innovation First International, Inc.
Powered by vBulletin® Version 3.6.4. Copyright © Chief Delphi.