We’ve been Hacked! A Client’s issue

I deal with a lot of small businesses and getting them to understand security risks of old software and why hackers would want to hack them is difficult at best. Recently one client of mine learned the hard way.

Money they say is the root of all evil, and for SMBs a root of security problems. They do not want to spend money to upgrade PCs and servers until the last possible minute before they crash out. You tell them that they are insecure because of the old systems, and they come back with, “We are small and have nothing that a hacker would want.” This is due to the way hacks are presented in the media. All you hear about are the hacks of government systems, or large companies that have credit card data. SMBs don’t have huge secrets (most of the time), and just don’t get it.

This attitude recently bit one of my clients in the rear big time. They noticed that things were running slow on their SBS2003 server. They also noticed a bunch of new user accounts set up on the server. We would delete the accounts, and they would say, OK, we will watch for this to happen again. I ran malware detection programs such as Malwarebytes on their machines and server and found nothing more than a couple of tracking cookies and a few common adware toolbars. I’d remove these and we would then wait. The waiting is the hardest part. Finally it became so annoying that they asked what we could really do, as they were not going to spend money on a new system. So, at their behest, I went on site, where I could focus on the task at hand without being disturbed by other clients and watch the system from the console. That is where the fun really began.

I started off using Process Explorer to just take a general look at the system health. I noticed the CPU was being heavily used, but I have seen that on SBS servers before, usually because of e-mail coming in and being scanned, or SQL databases being used. Still, I kept Process Explorer open and opened the Terminal Server Manager, where I noticed a clue to what was happening.

In a matter of minutes I watched a listener connect and disconnect, an obvious brute force attack on remote access to the server. This prompted me to open up Wireshark and take a look at incoming connections. This is what I saw:

[Screenshot: Wireshark capture of the incoming connections]

A quick check online of this IP address showed it to be in Germany. Now why would someone from Germany try to brute force this small company? Well, the next clue was hiding in plain sight.

The problem with working in the IT field is overconfidence. It is what makes us overlook the obvious. In this case I was not noticing something in Process Explorer.

[Screenshot: Process Explorer showing the suspended processes]

Yes, the suspended processes in the screenshot were the culprits. Don’t they look like normal Windows processes, though? The key was their actual path. Svchost.exe normally resides in C:\Windows\System32, but the processes I suspended were located in C:\Windows\System. Odd, I thought, so I went to the C:\Windows\System directory and noticed a bunch of files I had not seen before, including a subdirectory. I double checked on a different client’s SBS2003 server (yes, I have a few that still run it), and sure enough, the subdirectories and extra files I had found were not supposed to be there. The System directory is not supposed to have any subdirectories at all. Add to that that one of the directories was called Primecoin. A quick Google search revealed that Primecoin is a Bitcoin competitor, and obviously the mining of Primecoins was the reason people were interested in this server.

The WMIAPSRV.exe seen above actually had the handles below:

Digging into the folder, I found the config file, which had a bunch of nodes listed in it:

This was all fine and good, but removing these files and directories, while it cleaned up the system and brought the processor load down, did not remove the way they were getting in. Yes, we had removed all the obvious fake accounts, but what else were they using? It turns out that once they had cracked the admin password, they had enabled a couple of built-in accounts and given them admin rights, plus created a couple of accounts with names that sounded like they belonged there. The biggest culprit was a built-in support account which should have been disabled by default. I proceeded to remove or disable the accounts and reset permissions as needed, along with changing the admin password, forcing the whole company to change their individual passwords, and adding extra requirements to make the passwords stronger.

There was one last thing to take care of, and that was the brute force attack on the server. I went in and reconfigured the firewall and Terminal Services to allow only a rather low connection count and number of retries on the port we had Terminal Services open on.
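As an added example (not the author’s tooling, and none of the records below come from the client’s server), here is a small Python script that automates the three checks the post walks through: known Windows binaries running from the wrong directory, repeated failed logons from one source address, and accounts that are either undocumented or built-in but enabled. All inputs are constructed inline. The account name SUPPORT_388945a0 is the Help and Support account that Windows Server 2003 ships disabled, used here to stand in for the “built-in support account” the post mentions; the log line format is invented for the example.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Where each well-known Windows binary is supposed to live. A copy with one of
# these names running from anywhere else (the post found svchost.exe under
# C:\Windows\System instead of System32) is the masquerading the post describes.
EXPECTED_DIRS = {
    "svchost.exe": [r"C:\Windows\System32"],
    "lsass.exe": [r"C:\Windows\System32"],
    "wmiapsrv.exe": [r"C:\Windows\System32\wbem"],
}

# Constructed process listing (pid, image path); not real data from the server.
PROCESSES = [
    (1204, r"C:\WINDOWS\system32\svchost.exe"),
    (520, r"C:\WINDOWS\system32\lsass.exe"),
    (3320, r"C:\WINDOWS\System\svchost.exe"),
    (3344, r"C:\WINDOWS\System\WMIAPSRV.exe"),
]

# Constructed logon-audit lines in the shape "<time> <result> user=<name> src=<ip>".
LOGON_LINES = """\
02:13:41 FAIL user=administrator src=203.0.113.44
02:13:43 FAIL user=administrator src=203.0.113.44
02:13:45 FAIL user=admin src=203.0.113.44
02:13:47 FAIL user=support src=203.0.113.44
02:13:49 FAIL user=administrator src=203.0.113.44
02:13:51 FAIL user=administrator src=203.0.113.44
02:14:02 FAIL user=jdoe src=192.168.1.23
02:14:10 OK user=jdoe src=192.168.1.23
02:15:07 OK user=administrator src=203.0.113.44
""".splitlines()

# Constructed local account snapshot: (name, enabled, member of Administrators).
ACCOUNTS = [
    ("Administrator", True, True),
    ("Guest", False, False),
    ("SUPPORT_388945a0", True, True),   # built-in Help and Support account, should be disabled
    ("jdoe", True, False),
    ("asmith", True, False),
    ("backupsvc", True, True),          # sounds plausible, but nobody created it
]
KNOWN_USERS = {"Administrator", "Guest", "SUPPORT_388945a0", "jdoe", "asmith"}
BUILTIN_MUST_BE_DISABLED = {"Guest", "SUPPORT_388945a0"}


def find_masquerading_processes(processes):
    """Return pids whose image name is a known system binary but whose
    directory is not one of the expected locations (case-insensitive)."""
    suspicious = []
    for pid, image in processes:
        path = PureWindowsPath(image)
        expected = EXPECTED_DIRS.get(path.name.lower())
        if expected is None:
            continue
        if str(path.parent).lower() not in {d.lower() for d in expected}:
            suspicious.append(pid)
    return suspicious


def find_brute_force(lines, threshold=5):
    """Count failed logons per source address. Return {src: (failures, success_after)}
    for sources at or above the threshold; success_after is True when a successful
    logon from that source followed the run of failures, the sign the guessing worked."""
    failures = Counter()
    succeeded_after = set()
    for line in lines:
        parts = line.split()
        result, fields = parts[1], dict(f.split("=", 1) for f in parts[2:])
        src = fields["src"]
        if result == "FAIL":
            failures[src] += 1
        elif failures[src] >= threshold:
            succeeded_after.add(src)
    return {src: (n, src in succeeded_after) for src, n in failures.items() if n >= threshold}


def audit_accounts(accounts, known=KNOWN_USERS, must_be_disabled=BUILTIN_MUST_BE_DISABLED):
    """Flag enabled built-in accounts and accounts absent from the documented user list."""
    findings = {}
    for name, enabled, is_admin in accounts:
        if name in must_be_disabled and enabled:
            findings[name] = "built-in account enabled"
        elif name not in known:
            findings[name] = "undocumented account" + (" with admin rights" if is_admin else "")
    return findings


if __name__ == "__main__":
    print("processes running from the wrong path:", find_masquerading_processes(PROCESSES))
    print("brute-force sources:", find_brute_force(LOGON_LINES))
    print("account findings:", audit_accounts(ACCOUNTS))
```

On a live host the three inputs would come from a process listing (Process Explorer or tasklist with image paths), the Security event log’s failed-logon events, and the local account list; the comparison logic stays the same.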

Since going through all these steps, there have not been any signs of the server being hacked. No odd accounts have shown up, no odd directories have shown up, and most importantly the server is running smoothly and the CPU has not been spiking. Does this mean they are completely clean? Of course not, but the prognosis is leaning that way. We all know that once compromised, a machine is easier to compromise again. Vigilance is the key here, at least until they decide to get a new server.


Disclaimer: The client I talk about in this article knew I was going to write about this, and I have left their name out of the article at their request.

Deck the Halls with Security advice

It is that time of year: holiday shopping, Black Friday, Cyber Monday (that still sounds like a XXX movie), and the like. Special offers abound, and the bad guys are ready to get you. Here are some simple steps to stay safer during the holidays.

This is the time of year that the criminal digital underground loves. People rush to get the best deals they can, be it online or offline. The odds of someone clicking on a malicious link increase with desperation, and of course the bad guys make the deals look good. Nothing will 100% guarantee that you’re going to be free of malware, or that your identity will not be swiped, but there are some simple things to remember to keep the risks to more of a minimum.

1) If it looks to be too good of a deal, it probably is, especially online. Deals are the easiest thing to snag someone with online. Pair that with fake URLs that look legit, and you have a recipe for disaster. The trick here is to find out what the real URL is. In Outlook and most browsers you can hover over links to see where they are sending you. Right-clicking, choosing Copy Hyperlink, and pasting into Notepad is a good way to see the full link itself for a quick check. If it shows something that bothers you, don’t go to it, don’t click on it.

2) Keep up to date with your purchases. This is easy enough to do with online banking. Check online at minimum once a week with your bank and credit card companies. Look for anything out of the ordinary. The faster you see something that looks fraudulent, the faster things can be taken care of, and the less hassle there is overall.

3) Single click on the web! I see this all too often. We as a society have gotten so used to double clicking to open programs that we forget it is a single click on a link. This is important because that second click could hit a hijacked ad on the site you were going to, and at that point it is game over. You are pwnd, and the malware flood gates open.

4) Backup, backup, backup. Get an external drive that you only connect to back up your files, use Mozy or Carbonite, do something to back up your files. Especially with Cryptolocker out there, a clean backup is important so you don’t have to pay to recover your files and take the risk that the bad guys are not going to keep their end of the bargain.

5) If you do not have to enter your PIN on a pad, DON’T! Most bank cards can be used as “credit cards” (they have the MasterCard or Visa logo on them), meaning you do not have to punch in your PIN. Who knows if that PIN pad is secure? Yes, it only keeps the PIN from being captured, but that can be enough to stop someone from emptying your account.
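The “find out what the real URL is” check from item 1 is the one step on this list that is easy to automate. Below is an added Python example (not from the original post) that does what hovering or pasting into Notepad does by hand: it pulls every link out of an e-mail body, compares the address the link displays with the address it actually points to, and flags bare IP destinations and hosts that bury a real store’s domain inside a look-alike name. The e-mail body and the trusted domain example-store.com are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a promotional e-mail body; not a real message.
SAMPLE_EMAIL = """
<p>Your order shipped: <a href="https://www.example-store.com/orders/8812">www.example-store.com/orders/8812</a></p>
<p>Verify your account at <a href="http://198.51.100.7/login">https://www.example-store.com/account</a></p>
<p><a href="http://www.example-store.com.holiday-deals.example/claim">Click here</a> for 90% off today only!</p>
"""

# Domains the reader actually does business with (assumed); used to catch look-alike hosts.
TRUSTED_DOMAINS = {"example-store.com"}

# A hostname-looking token inside the visible link text, e.g. "www.example-store.com/x".
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _Links(HTMLParser):
    """Collects (visible text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Last two labels of a host ('shop.example.com' -> 'example.com').
    Crude, but enough for the .com-style names in this example."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def extract_links(html):
    parser = _Links()
    parser.feed(html)
    return parser.links


def check_links(html, trusted=TRUSTED_DOMAINS):
    """Return (text, href, reason) for every link whose real destination
    does not match what it appears to be."""
    findings = []
    for text, href in extract_links(html):
        real_host = (urlparse(href).hostname or "").lower()
        reasons = []
        shown = HOST_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(real_host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {real_host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
            reasons.append("destination is a bare IP address")
        for brand in trusted:
            if brand in real_host and registered_domain(real_host) != brand:
                reasons.append(f"{brand} appears inside look-alike host {real_host}")
        if reasons:
            findings.append((text, href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for text, href, reason in check_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {reason}")
```

The first link passes because what it shows and where it goes agree; the second is flagged twice (displayed domain differs from the destination, and the destination is a raw IP); the third shows no address at all, so only the look-alike host check catches it.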

Yes, these are basics, and yes, millions of people each year tend not to think about them. They are simple and pretty effective, but remember, not perfect. If someone hacks the store or bank, you have no control over that. If the credit card terminal or ATM has been tampered with, you don’t have control over that. Just do what you can to keep a little safer, and have a great holiday season!




Microsoft Surface. Hit and Miss.

Microsoft entered the tablet hardware business with the launch of the Surface line starting with the RT back in October. The timing on it for me was pretty good because my office was getting ready for a technology refresh, and I got to test it. Now, months later, what I call the new shiny syndrome has worn off.

When you look at what works and what doesn’t in the world of technology you come to realize a few things. First, so much is subjective. Second, people tend to dislike change. Third, change is inevitable. With this in mind, looking at the past 9 months with the Surface RT I have found a lot to like about it. There are pitfalls with it also, but it really is a solid tablet.

The Windows 8 interface is perfect for the RT. I find live tiles to be a great idea that matches and surpasses the widgets I have on my Android tablet. iOS of course does not have anything like widgets or live tiles to compare to. The problem with the live tiles is the way they update, or at times don’t update. I find news stories to be on the older side half the time. I don’t get decent updates often enough for my liking. These problems, though, I have found to be true of widgets also. There also is no intuitive way of stopping the live feed on the tiles.

Metro style apps are easy enough to get used to. Gestures for bringing up menus and doing things inside these apps are very consistent, which makes the learning curve a lot simpler than iOS or Android. The issue with Metro style, though, is that same thing. If you are used to the way an app works on the other OSes, odds are you will have trouble finding the same features easily. Also, the partial swipe down to bring up menus can be a bit trying at times, although not as difficult to master as the full swipe down to close apps. If you don’t start from the right spot and go at the right speed, closing apps does not work, and I still find myself taking 3 or 4 swipes to close apps.

The biggest plus is the Office apps that come with the Surface RT, and with Outlook being added to that with the 8.1 Windows release, this just becomes better.

The biggest issues for me, though, come in the touch screen itself. I find it inaccurate. For instance, if I am on Facebook and want to share something on a friend’s timeline, I find myself going through the steps 4 or 5 times because I think I am tapping on share to friend’s timeline and it reads it as share to group. I find myself hitting links multiple times before it registers the tap also.

The soft keyboard which I have is decent, but also has its issues. I have found it losing responsiveness when typing, or registering the wrong key. In fact there is no rhyme or reason to this, as the keyboard winds up either overly sensitive or not registering my presses at random. The tablet itself will type normally for a moment, then buffer oddly and take 30 seconds or more to show the next thing typed, which makes corrections rather difficult and causes delays in getting work done.

The weight and feel of the Surface are my final complaint about it. It shouldn’t feel as heavy as it does. Also, the way it is shaped can leave hard marks in one’s hand and cause pain if held for extended periods.

Don’t get me wrong, I love the tablet itself, and it gets used way more than my iPad. My ASUS Android tablet is still my primary tablet overall, but the Surface makes a nice backup. People seem to be worried about the number of apps for the Windows RT environment, but honestly, I find most things I use a tablet for have an app, and most of them are available across the board. A decent free IRC app is all I have not been able to find so far. With the recent price cuts, I would recommend this to most people, although I am sure there are better devices out there from other manufacturers with Windows RT on them.