Sign in to follow this  
Followers 0

I Got Hacked; Need Help

4 posts in this topic

Posted · Report post


I set up a WHS 2011 2 months ago with 3 users and one HTPC computer connected (win7 Pro). I configured the WHS server and installed one add in; drive pool. This server is mostly used for movies and pictures and to gain acces from my Android phone. It is attached to a Zyxel router with NAT and I added the ip from the sever as a dedicated server to gain remote access. Firewall is up, virusscanner (AVG) on. I installed remote alert but this add in only works in V1. As for now, the WHS setup is still very standard, straight forward done.

After a week out I got home and I noticed my files in the server map were deleted and one map was added in 'document' ; 'this computer is hacked'. The creation date was 15-4-2012 with time stamp. In the security log I could identify the attacker with his computer name and ip address. Then I got puzzled; there was no user name, the directories were only 'everybody' was added in the security tab, were messed up (I hope). I saw a lot of attacks during the week from other IP addresses all over the world (I checked them all over a week and added them to the firewall, as I do regulary). He/she did not get to the directories where only one or two users had access to. The administrator account and directories are untouched. None of the passwords are changed.

Can somebody give me some advise?

- How did the attacker came in? How to check this?

- How can I monitor and prefend this in the future?

- How do I check the current install is not compromised (progs are installed to gain access again)?

- Where to look

I do not want to install the whole server again as I did with WHS v1 once and did not get access to anymore, the certificate didn't match etc.

Thx in advance.


This is the log from the security logbook which stated the attacker came in (it's in Dutch but the lay-out is similar ro the English version).

Er is een account aangemeld.


Beveiligings-id: NULL SID

Accountnaam: -

Accountdomein: -

Aanmeldings-id: 0x0

Aanmeldingstype: 3

Nieuwe aanmelding:

Beveiligings-id: ANONIEME LOGON


Accountdomein: NT AUTHORITY

Aanmeldings-id: 0x702bff9

Aanmeldings-GUID: {00000000-0000-0000-0000-000000000000}


Proces-id: 0x0

Naam proces: -


Naam van werkstation: COMPUTER-PC

Netwerkadres van bron:

Poort van bron: 59510

Gedetailleerde verificatiegegevens:

Aanmeldingsproces: NtLmSsp

Verificatiepakket: NTLM

Doorgezette services: -

Pakketnaam (alleen NTLM): NTLM V1

Sleutellengte: 128

Deze gebeurtenis wordt gegenereerd wanneer een aanmeldingssessie wordt gemaakt. De gebeurtenis wordt gegenereerd op de computer waartoe toegang wordt verkregen.

Share this post

Link to post
Share on other sites

Upgrade to a WGS Supporter Account to remove this ad.

Posted · Report post

My guess is that they used some security exploit in IIS. You *are* updating the server promptly, and keeping it fully up to date, right?

Also, IIRC, there is a way to block IP's in IIS, which may be a very good idea.

And I'd highly recommend installing a virus scanner, just in case.

Share this post

Link to post
Share on other sites

Posted · Report post

Thanks for your reply, Drashna.

Yes, updates and virusscanner are installed from the beginning. A vulnability in IIS is also the only thing I can imagine.

Attacks stopped after a while cause I rerouted the ports from the server and renamed the administrator account and group. Off course I changes every password straight away.

The only problem now is that I can't connect to http://SERVER/CONNECT but still can acces through the https:*** login. This is a problem cause the client computer can now not connect to the dashboard but can access the shares in the workgroup. Pitty cause now the 'green button' doesn't show the server anymore. Restoring to default didn't make a difference. It only works when I disable the firewall on the server and after the attack I do not want that.

Share this post

Link to post
Share on other sites

Posted · Report post

Solved: I made a rule in the firewall which allow the local computers (range of local ip-addresses) to get access through a range of ports. Now http://server/connect is now accessible and backups are running again.

The 'green' button is working again on the HTPC. Love it!

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
Followers 0

Upgrade to a WGS Supporter Account to remove this ad.

  • Latest Posts

    • RAID 5 on the Motherboard and Intel Rapid Storage Technology Application
      By Spaatz · Posted
      Greetings, I followed this guide (great by the way) to completion, using almost identical components and opted for the RAID 5 option to pool my 9TBs of disks into a 6TB RAID 5.  I opted to configure the RAID drives at the motherboard level using the BIOS.   I followed the directions to install the Intel Rapid Storage Technology application that runs in the background but have noticed that it reports errors of an incompatible SATA Array.  Is this because I didn't use the Intel Tool to configure RAID at the outset or a problem with the app?  Is my data safe on the drive? Love the manual.  I am building my second now using the same specs and would like to know if I should even install Intel's little tool or not again.
    • new server build - hdd choice
      By dazza666 · Posted
      Hello all  It's time to upgrade my server; I currently have a WHS v1setup, based around a tranquil PC 5 bay WHS v1 box, which has been mostly excellent, but due to the the limitation of 2TB HDD with V1. I have ended up with various USB expansion drives and its got to the point where its time to upgrade to a new system, at this point its not worth considering V2 of the home server software. The new set up is around a Windows 10 storage spaces & 4 bay HP microserver. I wanted to load up the Microserver with seagate's 8TB HDD, but after reading about the performance of this HDD i'm not so sure if I should choose a different drive as my boot drive Does anyone have any recommendations? I was considering a WD Red 5TB as the boot drive - but should I be looking at something else?
    • Windows 10 Server Not Suspend
      By Lamplugh · Posted
      Apologies for the delay in responding but I have been trying out a number of options all to no avail. As Andrew suggested I have disabled Wake on Pattern Match, (It was previously enabled.) The Power Power Management options were already ticked, so I have tried unticking them all waiting 24 hours and then reticking. Wake on Magic Packet is currently enabled, I don't know if I should change that. I don't seem to have the Shutdown Wake on Lan option but I do have WOL & Shutdown Link Speed which is set to 10 Mbs First. I still feel it is some W10 feature as the new system seems dead keen on talking to Microsoft at every opportunity. I have obviously tried to switch as many of these off as I know about. Any suggestion welcome as I don't really want my server on effectively 24/7.  
    • Temp Files Created By Server Backup
      By Dave Marchant (WGS) · Posted
      It sort of makes sense as the oldest tmp file corresponds to the oldest backup. I agree that it is not good design. I don't fancy a BSOD just at the moment as about to go away on holiday so need to have the server working reliably while I am away or I get no email  Could be one for the MVP's to feed back into Microsoft for a comment. 
    • Temp Files Created By Server Backup
      By glorp · Posted
      Thank you for confirming that Dave! I don't have the full gui installed so I couldn't do a Disk Cleanup on mine. I wondered if that would work to get rid of them. Guess not. I suspect they may be some kind of mount point for the vhd that is created right at the beginning of backup and deleting them causes havoc later when Server Backup tries to do incremental backups using the old mount point. My backups "exist" forever since they are on 1TB and in no danger of running out of space. It occurred to me that maybe they get deleted when a backup gets removed. In any case it's a pretty piss poor design to leave critical ".tmp" files in Windows\Temp if you ask me. If you really want to test things at your end, delete them In any case at least I know what has been causing the random BSODs I get every few months since I installed WSE2012 and what to do not to get them.  
  • Recently Browsing

    No registered users viewing this page.