LeRoi

I Got Hacked; Need Help

4 posts in this topic

All,

I set up a WHS 2011 2 months ago with 3 users and one HTPC computer connected (Win7 Pro). I configured the WHS server and installed one add-in: drive pool. This server is mostly used for movies and pictures and to gain access from my Android phone. It is attached to a Zyxel router with NAT and I added the IP from the server as a dedicated server to gain remote access. Firewall is up, virus scanner (AVG) on. I installed Remote Alert but this add-in only works in V1. As for now, the WHS setup is still very standard, straightforwardly done.

After a week away I got home and noticed my files in the server map were deleted and one map was added in 'document': 'this computer is hacked'. The creation date was 15-4-2012 with time stamp. In the security log I could identify the attacker by his computer name and IP address. Then I got puzzled; there was no user name, and the directories where only 'everybody' was added in the security tab were messed up (I hope). I saw a lot of attacks during the week from other IP addresses all over the world (I checked them all over a week and added them to the firewall, as I do regularly). He/she did not get to the directories where only one or two users had access. The administrator account and directories are untouched. None of the passwords are changed.

Can somebody give me some advice?

- How did the attacker come in? How do I check this?

- How can I monitor and prevent this in the future?

- How do I check the current install is not compromised (progs are installed to gain access again)?

- Where to look

I do not want to install the whole server again as I did with WHS v1 once and did not get access to homeserver.com anymore, the certificate didn't match etc.

Thx in advance.

Roi

This is the log from the security logbook which showed the attacker coming in (it's in Dutch but the layout is similar to the English version).

Er is een account aangemeld.

Onderwerp:

Beveiligings-id: NULL SID

Accountnaam: -

Accountdomein: -

Aanmeldings-id: 0x0

Aanmeldingstype: 3

Nieuwe aanmelding:

Beveiligings-id: ANONIEME LOGON

Accountnaam: ANONIEME LOGON

Accountdomein: NT AUTHORITY

Aanmeldings-id: 0x702bff9

Aanmeldings-GUID: {00000000-0000-0000-0000-000000000000}

Procesgegevens:

Proces-id: 0x0

Naam proces: -

Netwerkgegevens:

Naam van werkstation: COMPUTER-PC

Netwerkadres van bron: 82.173.125.222

Poort van bron: 59510

Gedetailleerde verificatiegegevens:

Aanmeldingsproces: NtLmSsp

Verificatiepakket: NTLM

Doorgezette services: -

Pakketnaam (alleen NTLM): NTLM V1

Sleutellengte: 128

Deze gebeurtenis wordt gegenereerd wanneer een aanmeldingssessie wordt gemaakt. De gebeurtenis wordt gegenereerd op de computer waartoe toegang wordt verkregen.

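The posted record is a Windows Security event 4624 (successful logon): logon type 3 (network), new logon account ANONIEME LOGON (ANONYMOUS LOGON), authentication package NTLM V1, source address 82.173.125.222. As an added example, not code from the thread, the following Python script parses event text exported in that Dutch layout and flags records showing exactly that combination; the label-to-key mapping and the second, benign sample record are assumptions constructed for the demo.

```python
import ipaddress
# Added example, not code from the thread. Field labels are the Dutch ones
# Windows renders in the posted event 4624; map them to keys used below.
LABELS = {"Aanmeldingstype": "logon_type", "Accountnaam": "account",
          "Netwerkadres van bron": "source_ip", "Pakketnaam (alleen NTLM)": "ntlm_package"}

# Constructed sample: the posted event trimmed to these fields, then a benign LAN logon.
SAMPLE_EVENTS = """\
Aanmeldingstype: 3
Accountnaam: -
Accountnaam: ANONIEME LOGON
Netwerkadres van bron: 82.173.125.222
Pakketnaam (alleen NTLM): NTLM V1

Aanmeldingstype: 3
Accountnaam: roi
Netwerkadres van bron: 192.168.1.20
Pakketnaam (alleen NTLM): NTLM V2
"""

def parse_events(text):
    """One dict per blank-line-separated record. A label seen twice (Subject
    section, then New Logon section) keeps the last value: the account logged on."""
    events = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            label, sep, value = line.partition(":")
            if sep and label.strip() in LABELS:
                rec[LABELS[label.strip()]] = value.strip()
        events.append(rec)
    return events

def assess(ev):
    """Reasons this record matches the logon in the post (empty list = benign)."""
    reasons = []
    anonymous = ev.get("account", "").upper() in ("ANONIEME LOGON", "ANONYMOUS LOGON")
    if ev.get("logon_type") == "3" and anonymous:
        reasons.append("anonymous network logon")
    if ev.get("ntlm_package", "").upper() == "NTLM V1":
        reasons.append("NTLMv1 negotiated")
    try:
        if not ipaddress.ip_address(ev.get("source_ip", "")).is_private:
            reasons.append("source outside private ranges")
    except ValueError:
        pass  # '-' or blank: Windows logged no usable source address
    return reasons

def flag_events(text):
    return [(ev.get("source_ip", "-"), r) for ev in parse_events(text) if (r := assess(ev))]
```

Run against a saved export of the Security log, it lists only the records worth a closer look; on a home server that should never see anonymous network logons from the Internet, any hit is a reason to review the firewall and port forwarding.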

My guess is that they used some security exploit in IIS. You *are* updating the server promptly, and keeping it fully up to date, right?

Also, IIRC, there is a way to block IPs in IIS, which may be a very good idea.

And I'd highly recommend installing a virus scanner, just in case.


Thanks for your reply, Drashna.

Yes, updates and virus scanner are installed from the beginning. A vulnerability in IIS is also the only thing I can imagine.

Attacks stopped after a while because I rerouted the ports from the server and renamed the administrator account and group. Of course I changed every password straight away.

The only problem now is that I can't connect to http://SERVER/CONNECT but still can access through the https:***.homeserver.com login. This is a problem because the client computer now cannot connect to the dashboard but can access the shares in the workgroup. Pity, because now the 'green button' doesn't show the server anymore. Restoring to default didn't make a difference. It only works when I disable the firewall on the server and after the attack I do not want that.


Solved: I made a rule in the firewall which allows the local computers (range of local IP addresses) to get access through a range of ports. Now http://server/connect is accessible and backups are running again.

The 'green' button is working again on the HTPC. Love it!
