
Solve : Intrusion Prevention Suggestions?


Hello,

I have an old Server 2000 SP4 box running as an FTP/RDP/VNC/VENT Server, and my system was INTRUDED last night and I stopped them in their tracks as they had control of the system from the corner of my eye.

For locking this system down I am running this system through a broadband connection through a Linksys Router with port forwarding for the required ports for the 4 services that are running.

I am ALSO running Zone Alarm (Free) edition FIREWALL with latest updates.

I also have Norton Antivirus Corporate Edition 8.1 running real-time protection with latest definitions.

For FTP, I am using Filezilla ( free FTP ) solution, and I have an admin password on this service as well as individual FTP user accounts set up with passwords to access only specific folders etc for FTP purposes.

This system also has all the latest MS Critical Updates completed on it including Service Pack 4.

This system sits idle as just the server for these services and somehow someone got in.

Does anyone know if there are any free or low cost tools / software out there which can test systems security for WEAKNESSES to prevent these types of intrusions? As well as any suggestions on any known issues with any of the tools I am using ( RealVNC 4.1, Filezilla (latest release non-beta), Ventrilo, or Windows Server 2000 SP4 RDP ( Terminal Service )?

Fortunately this system I have a Ghost Image for on a DVD-R, so I was able to blow away the damage and possible infections the Hacker could have planted. I was able to restore this system back to the way it was from image in about 15 minutes given that the image is only about 2.5GB in size, and I immediately changed all passwords and user names before plugging the Cat5 cable back in to the router.

Passwords by the way are very strong phrases with numbers and spaces etc.

Thanks for suggestions and tips

Consider using WinPatrol PLUS http://winpatrol.stores.yahoo.net/winplusmemre.html

Vulnerability testing:
http://www.grc.com/lt/leaktest.htm
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
OverDrive http://www.pcpitstop.com/default.asp

Thanks!


WinPatrol looks very helpful and I have IMPLEMENTED. This system btw also passed the leak test since I am using Zone Alarm.

So intrusion is still interesting given they were able to gain control of system with Zone Alarm in place and locked down tight.

Anyone know if there is a vulnerability with the FREE RealVNC 4.1.3 or Server 2000 (RDP) Terminal Services...trying to figure out method of intrusion to lock that out. Both VNC and the RDP have strong passwords. Hacker had control over desktop mouse and keyboard btw, saw activity before pulling plug. No one else is on my small network of 6 computers with this system the only one teetering on the DMZ through port forwards to it for the services. Also no wireless is set up so not a wardriver attack.

Is there a log I can run to record all activity? I have Wireshark, but it seems like I need more than that to capture specific activity to the local IP of 192.168.75.101...any suggestions on network monitoring for a specific IP only for all activity with date/time stamp and ports opened and closed so I can reference ports to applications etc?

Dave

You might look into some encryption software. I don't use any so have no recommendations.

network monitoring

This here looks to be the means by which the hacker got in: "Go figure an Unauthenticated RPC call vulnerability"... This critical patch just came out yesterday and I applied today.

MS Critical Security Update for Windows (KB958644)
Released: October 23, 2008
for Windows 2000/XP/Server 2003
English & French

MS has identified a security issue that could allow an unauthenticated remote attacker to compromise your Microsoft Windows-based system and gain control over it.


Microsoft Security Bulletin MS08-067 : Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Published: October 23, 2008

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and STANDARD default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008.


NICE  HUH  If someone smart enough sets their mind to it ANYTHING is vulnerable. You just have to do what you can and be vigilant from there. Nothing is bulletproof.
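One way to get the per-IP, timestamped view of ports being opened and closed that Dave asks for earlier in the thread, and at the same time to check whether the Server service ports named in the MS08-067 bulletin are reachable from outside the LAN. This is an added example, not code from the thread or from any of the posters. It assumes a Wireshark/tshark capture has already been reduced to a simple text log with one line per TCP SYN/FIN/RST; the log lines, the 203.0.113.x external address, the /24 LAN and the service default ports (FTP 21, RDP 3389, VNC 5900, Ventrilo 3784) are all constructed or assumed for the example.

```python
"""Per-host connection timeline and exposure check (added example).

Reads a constructed, tshark-style text log (one line per TCP SYN/FIN/RST seen),
prints a timestamped open/close list of ports for one monitored IP, and flags
inbound connections from outside the LAN that the router's port forwards are
not supposed to allow. Not code from the thread or any poster.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Host from the thread; the /24 LAN around it is an assumption.
MONITORED_HOST = "192.168.75.101"
LAN = ip_network("192.168.75.0/24")

# Ports the router is assumed to forward for the four services (default ports).
EXPECTED_PORTS = {21: "ftp", 3389: "rdp", 5900: "vnc", 3784: "ventrilo"}

# Ports used by the Windows Server service (RPC endpoint mapper, SMB over
# NetBIOS, SMB direct), the component MS08-067 patches. None of these should
# be reachable from the WAN side of the router.
SERVER_SERVICE_PORTS = {135: "rpc-epmap", 139: "netbios-ssn", 445: "microsoft-ds"}


@dataclass
class Conn:
    when: datetime
    src: str
    sport: int
    dst: str
    dport: int
    flag: str  # "S" = SYN (open), "F" = FIN (close), "R" = RST (abort)


def parse_line(line: str) -> Conn:
    """Parse '<ISO-8601 time> <src>:<sport> -> <dst>:<dport> <S|F|R>' (constructed format)."""
    when, src, arrow, dst, flag = line.split()
    if arrow != "->" or flag not in ("S", "F", "R"):
        raise ValueError(f"unrecognised log line: {line!r}")
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Conn(datetime.fromisoformat(when), src_ip, int(sport), dst_ip, int(dport), flag)


def parse_log(text: str) -> List[Conn]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def port_timeline(conns: List[Conn], host: str = MONITORED_HOST) -> List[Tuple[str, int, str, str]]:
    """(timestamp, port, 'open'|'close', peer) for every inbound event on host, in time order."""
    events = []
    for c in sorted(conns, key=lambda c: c.when):
        if c.dst != host:
            continue
        state = "open" if c.flag == "S" else "close"
        events.append((c.when.isoformat(), c.dport, state, c.src))
    return events


def exposure_findings(conns: List[Conn], host: str = MONITORED_HOST) -> List[str]:
    """Flag new inbound connections from outside the LAN to ports the router
    should not expose; Server-service ports are called out by name."""
    findings = []
    for c in sorted(conns, key=lambda c: c.when):
        if c.dst != host or c.flag != "S":
            continue
        if ip_address(c.src) in LAN:
            continue  # LAN peer: port forwards are not involved
        if c.dport in SERVER_SERVICE_PORTS:
            findings.append(f"{c.when.isoformat()} {c.src} -> {host}:{c.dport} "
                            f"{SERVER_SERVICE_PORTS[c.dport]} reached from outside the LAN")
        elif c.dport not in EXPECTED_PORTS:
            findings.append(f"{c.when.isoformat()} {c.src} -> {host}:{c.dport} "
                            f"unexpected port reached from outside the LAN")
    return findings


# Constructed sample log: one external address (TEST-NET-2 range) and one LAN peer.
SAMPLE_LOG = """\
2008-10-23T23:41:02 203.0.113.45:51102 -> 192.168.75.101:3389 S
2008-10-23T23:41:09 203.0.113.45:51102 -> 192.168.75.101:3389 F
2008-10-23T23:43:17 203.0.113.45:51140 -> 192.168.75.101:445 S
2008-10-23T23:43:20 203.0.113.45:51140 -> 192.168.75.101:445 R
2008-10-23T23:45:00 192.168.75.20:49210 -> 192.168.75.101:21 S
2008-10-23T23:46:31 203.0.113.45:51300 -> 192.168.75.101:5901 S
"""

if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for when, port, state, peer in port_timeline(conns):
        print(f"{when}  port {port:<5} {state:<5} peer {peer}")
    print("--- findings ---")
    for finding in exposure_findings(conns):
        print(finding)
```

The timeline answers the "which ports, when, opened or closed" question directly; the findings list is the check worth running after a restore: any line naming 135, 139 or 445 from a non-LAN address means the Server service was reachable through the router regardless of the host firewall, which is the exposure the bulletin above describes.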


