I Got Hacked; Need Help

4 posts in this topic


I set up a WHS 2011 2 months ago with 3 users and one HTPC computer connected (Win7 Pro). I configured the WHS server and installed one add-in: Drive Pool. This server is mostly used for movies and pictures and to gain access from my Android phone. It is attached to a Zyxel router with NAT and I added the IP of the server as a dedicated server to gain remote access. Firewall is up, virus scanner (AVG) on. I installed Remote Alert but this add-in only works in V1. As for now, the WHS setup is still very standard, straightforwardly done.

After a week out I got home and I noticed my files in the server folder were deleted and one folder was added in 'Documents': 'this computer is hacked'. The creation date was 15-4-2012 with time stamp. In the security log I could identify the attacker by his computer name and IP address. Then I got puzzled: there was no user name; the directories where only 'everybody' was added in the security tab were messed up (I hope). I saw a lot of attacks during the week from other IP addresses all over the world (I checked them all over a week and added them to the firewall, as I do regularly). He/she did not get into the directories to which only one or two users had access. The administrator account and directories are untouched. None of the passwords are changed.

Can somebody give me some advice?

- How did the attacker get in? How do I check this?

- How can I monitor and prevent this in the future?

- How do I check that the current install is not compromised (programs installed to gain access again)?

- Where to look

I do not want to install the whole server again as I did with WHS v1 once and did not get access to homeserver.com anymore, the certificate didn't match etc.

Thx in advance.


This is the entry from the security log which shows the attacker coming in (it's in Dutch but the layout is similar to the English version).

Er is een account aangemeld.

Onderwerp:
Beveiligings-id: NULL SID
Accountnaam: -
Accountdomein: -
Aanmeldings-id: 0x0

Aanmeldingstype: 3

Nieuwe aanmelding:
Beveiligings-id: ANONIEME LOGON
Accountdomein: NT AUTHORITY
Aanmeldings-id: 0x702bff9
Aanmeldings-GUID: {00000000-0000-0000-0000-000000000000}

Procesgegevens:
Proces-id: 0x0
Naam proces: -

Netwerkgegevens:
Naam van werkstation: COMPUTER-PC
Netwerkadres van bron:
Poort van bron: 59510

Gedetailleerde verificatiegegevens:
Aanmeldingsproces: NtLmSsp
Verificatiepakket: NTLM
Doorgezette services: -
Pakketnaam (alleen NTLM): NTLM V1
Sleutellengte: 128

Deze gebeurtenis wordt gegenereerd wanneer een aanmeldingssessie wordt gemaakt. De gebeurtenis wordt gegenereerd op de computer waartoe toegang wordt verkregen.

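The event pasted above is a Windows 4624 logon event: logon type 3 (network), the anonymous account, NTLM V1, from a workstation called COMPUTER-PC. The following script is an added example, not something posted in the thread, and shows one way to answer "where to look": it pulls all such anonymous network logons from the Security log and groups them by source address, workstation and LM package. It assumes the script is run in an elevated PowerShell on the WHS 2011 box; `$Days` and `$LocalPrefix` are placeholders to set for your own LAN.

```powershell
# Added example, not from the thread. Lists network logons (LogonType 3) by the
# anonymous account (well-known SID S-1-5-7, shown as "ANONIEME LOGON" on a
# Dutch system and "ANONYMOUS LOGON" on an English one) in the Security log and
# groups them by source address, workstation name and LM package, so NTLM V1
# anonymous sessions from hosts outside the LAN stand out.
# $Days and $LocalPrefix are assumptions; set them for your environment.
param(
    [int]    $Days        = 7,
    [string] $LocalPrefix = '192.168.1.'   # assumed LAN prefix
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # EventData field names are fixed English XML names, independent of the
    # display language of the rendered event text; match the SID, not the
    # localized account name.
    $f = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    if ($f['LogonType'] -ne '3' -or $f['TargetUserSid'] -ne 'S-1-5-7') { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        SourceIP    = $f['IpAddress']          # may be '-' or empty, as in the post
        SourcePort  = $f['IpPort']
        Workstation = $f['WorkstationName']
        LmPackage   = $f['LmPackageName']      # e.g. 'NTLM V1' or 'NTLM V2'
        # An empty or unknown address is reported as External so it is not hidden.
        External    = -not ($f['IpAddress'] -like "$LocalPrefix*")
    }
}

# One line per (SourceIP, Workstation, LmPackage), busiest first; a row with
# External = True and LmPackage = 'NTLM V1' matches the event pasted above.
$rows | Group-Object SourceIP, Workstation, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Last';     e = { ($_.Group | Sort-Object Time -Descending)[0].Time } },
        @{ n = 'External'; e = { $_.Group[0].External } } |
    Format-Table -AutoSize
```

Anonymous network logons from the LAN are normal for browsing shares, so the rows to investigate are the external ones; the same grouping works for failed logons if you change the event id to 4625.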

My guess is that they used some security exploit in IIS. You *are* updating the server promptly, and keeping it fully up to date, right?

Also, IIRC, there is a way to block IPs in IIS, which may be a very good idea.

And I'd highly recommend installing a virus scanner, just in case.


Thanks for your reply, Drashna.

Yes, updates and virus scanner are installed from the beginning. A vulnerability in IIS is also the only thing I can imagine.

Attacks stopped after a while because I rerouted the ports from the server and renamed the administrator account and group. Of course I changed every password straight away.

The only problem now is that I can't connect to http://SERVER/CONNECT but can still access the server through the https:***.homeserver.com login. This is a problem because the client computer now cannot connect to the dashboard but can access the shares in the workgroup. Pity, because now the 'green button' doesn't show the server anymore. Restoring to default didn't make a difference. It only works when I disable the firewall on the server, and after the attack I do not want that.


Solved: I made a rule in the firewall which allows the local computers (range of local IP addresses) to get access through a range of ports. Now http://server/connect is accessible and backups are running again.

The 'green' button is working again on the HTPC. Love it!
