Full Version: SM doesn't see it.
The Planet Forums > Security > General Security > Windows Security
NetFrameWorker
First off let me explain.

I called about some upload issues with the server and asked if SM would check this problem out. Well, in doing so, the person who did check the server left the firewall disabled when they checked it, which led to my server being open to the world to do as they please.

When I log on to the server, right-click the taskbar, open Task Manager and select the Users tab, I have session #RDP 5 -> or more; the most I've seen is 15 sessions @ once.

I have notified SM of this issue and they still don't see the server as being compromised.

Here's just a little of the e-mail that the SM security team sent to me.

-----E-mail---------
Do you RDP into the server? RDP often uses at least 12 Kbytes per second (48 Kbit/sec), which would probably explain the bandwidth utilization. This is an incredibly small amount and is nothing to be concerned about. We saw no evidence to suggest your server is compromised.
Resolution
-----E-mail---------

-----Note to security------
Um, it's not RDP I'm worried about, it's the number of sessions and ID states.
-----Note to security------
Why are you charging me for something that an employee of SM did?
If anyone could explain the 15 user sessions in the Task Manager Users tab, please let me know ASAP.
Thanks.
Kyle
15 active sessions? :shock:

How is that even possible? Windows won't allow you to have that many active sessions at once without additional CALs.
Lunch[box]
There are several ways around the user limit, especially if you're using Windows 2000 Server on the client end. CAL licenses do not negotiate between 2000 and 2003 properly, thus you can be allowed many more connections than you have licenses.
NetFrameWorker
Sorry I haven't posted sooner, X has me shopping like an elf :-).

I still can't for the life of me understand why I have so many sessions.
When I log on to Orbit and check the bandwidth usage I notice it spikes at these times.

I guess my only other option is to contact ServerMatrix's security team directly and resolve this issue.

Thanks guys have a wonderful Xmas.
nForcer
Without giving away secure information,
what are the names of the accounts and how many active logins via RDP are they using?

By default Administrator can connect via RDP even if their account isn't listed under RDP users. Remember, Admin = God.
If you have other users, and don't need them to be, you can specify this in their account properties.
klaude
Is the server compromised or do you just see weird RDP sessions? Is this 5 or 15 sessions at once? Is the box doing anything else out of the ordinary?
NetFrameWorker
Yes, the most I've seen is 15 sessions @ one time.
PF :=248 during these times.
CPU :=5%
Orbit :=Bandwidth Spikes.
QUOTE (klaude)
Is the server compromised or do you just see weird RDP sessions?
Is this 5 or 15 sessions at once?
Is the box doing anything else out of the ordinary?


If you call my website playing music without me adding this feature to it, slow upload speeds (it takes almost forever to pull my site up from 3 different providers), spikes of bandwidth usage showing in Orbit at these times <- I see that type of usage when I host games for friends and family members but I haven't hosted a game in months -> then yes, I think something's been compromised.

I know what you speak of about the RDP weirdo thing but I don't think that is an issue here though.
I wish it was...

BTW the music that played was awesome.

I've tried to contact SM's security team but they want to charge me $$$ to look into this issue.

Why should I be charged or punished for an employee's mistake of forgetting to turn the firewall back on again after troubleshooting the problem?

Even if SM doesn't charge me for an OS reinstall, this has left me in a mess of noodles.
Like backing up programs, website, database, misc data, setting up the server, uploading fresh data.......

If you need the ticket # let me know and I'll PM it to you.
Thanks :-)
klaude
Turning off a firewall can't change Windows' licensing mode. You have to buy extra licenses to get 15 concurrent RDP sessions. Have you performed a user audit or seen what ports are open or what processes are running? Have you looked at your site code to see how the music was put back in?
Kyle
Actually, if you're a competent server admin, your server shouldn't be that easily hackable when your firewall is turned off. A firewall is meant for additional security against attacks.

I have clients who figure they can save money by going without a firewall and just have me harden their server as best as I can with the existing options available in Windows. It's actually worked fairly well so far. None of my clients have been hacked and one's been up an entire year having had me manage his server.

Don't take this the wrong way, I'm not trying to belittle your capabilities or boast at all. The point I'm trying to make is that disabling a firewall should not automatically make you so vulnerable that you'd immediately get hacked.

So, while ServerMatrix may have made a boo boo by not re-enabling the firewall, I don't think you can hold them entirely responsible for having been compromised.
NetFrameWorker
Then how or why is the session state of 15 being displayed?
Including Orbit bandwidth spikes during these times?
QUOTE (Lunch[box])
There are several ways around the user limit, especially if you're using Windows 2000 Server on the client end. CAL licenses do not negotiate between 2000 and 2003 properly, thus you can be allowed many more connections than you have licenses.

I haven't tried the above quoted statement by Lunch[box] yet but I will try using 2000 Advanced Server to see if this works.
Website code looks normal; nothing I could find such as injections within code or database was found.

Yes, did all the above without any such luck.
I also use packet filters on ports but the needed ports are allowed.
(80) etc...
NetFrameWorker
Kyle:
If this is true why do you use antivirus software?
Using attrib A,H,R,S,
E = Encrypted, C = Compressed, T = Temporary, O = Offline
ATTRIB +H Directory, ATTRIB [ + attribute | - attribute ] [pathname] [/S]
files would solve everything.
Unless you're just OP inclined :-)
See my point.
Kyle
QUOTE (NetFrameWorker)
Kyle:
If this is true why do you use antivirus software?
Using attrib A,H,R,S,
E = Encrypted, C = Compressed, T = Temporary, O = Offline
ATTRIB +H Directory, ATTRIB [ + attribute | - attribute ] [pathname] [/S]
files would solve everything.
Unless you're just OP inclined :-)
See my point.

It is true and I use A/V to filter my customers' incoming/outgoing mail.

...and no, I don't see your point.
NetFrameWorker
Ok, I've done all I can to make the Servermatrix.com security team and its lv1 thru lv2 technicians aware of and alert to the current problem my server is facing.
Everything else is out of my control and I will not be held responsible for any or all actions, including legal damages, made or taken by the server rented by me and/or third parties from Servermatrix and the Orbit company. They have been notified and made aware of this issue within 1.5 months of the current issue posted here, dated (12-11-2004).
I have notified them of this issue and taken every measure to update content and try to aid them with updated data to help resolve or end this issue.

I am aware of the documented AUP content posted by this company or any joint or third-party contributors within or connected to this company or bound by contract and other infringement rights that may occur that may be subject to testify on behalf of the company and/or to agree with statements of contract to provide legal statements and documents before the court and provide documented proof of this statement within as dated.

You're giving me no other choice but to take steps further than I think are necessary for this issue to be resolved.
nForcer
Ok so have you bothered to set a limit on the number of RDP sessions using the Terminal Services Manager? I'm pretty sure you can set the overall and user-defined limits on how many sessions you can have. You can also set to kick them out on idle *except for your account*

To be honest, unless you're forgetting to mention something, it doesn't look like you have a problem. You're just not going at solving it the right way.

As I mentioned before, try setting the limit on # of sessions (reboot if possible - kill vampire services) and see if that doesn't at least get you closer to solving the problem.

Otherwise, you may have to part with your $$$ if the problem is of the utmost importance.
NetFrameWorker
Sorry but I'm not parting with any $$.$, esp. when I wasn't the one who caused this in the first place.
I don't know about you but I work for my money.
It's not given to me, I earn it like the rest of the world, and to ask me to give money for something I did not do or contribute to, then you're asking too much from me.

Unless you're talking about what Lunch[box] spoke of, or directly accessing the tscc.msc dialog properties that you can configure, could you please be more definite as to what kind of solution or avenue you are suggesting I take to resolve this issue?
NetFrameWorker
Ok Lunch[Box], I've tested it using Windows 2000 Advanced Server and it worked like a charm, but it took some tweaking + other configuration settings that needed to be adjusted in order for this to work.
Nice job Lunch[box], I give you a cool rating on this one.


Kyle :
The point I tried to explain to you is: if you use an antivirus for email I/O and an employee disabled this feature without enabling it again after testing, then where would that leave you as a host provider, and what kind of actions should your customers take, etc.?

Kyle: I try to take every bit or byte of information and use the information shared by you and others to help advance my administration capabilities so no hard feelings taken by me at all in the least.
NetFrameWorker
All credit goes to Lunch[Box] for solving this one. [RDP session state]
Instead of searching the MS void, try the link below to verify his statement.

http://support.microsoft.com/?kbid=324380
Other additional links.
http://www.microsoft.com/technet/technetma...ng/default.aspx



Just to note, on 12/19/2004 the firewall was disabled, plus the FTP site I had disabled was enabled and permissions were also granted to users I restricted from day one, users like ->( Everyone, Guest) etc <-, and the new folders that contained the MP3 data were created.

I have 3 new folders that I did not create, and within them are close to 200 MB of MP3/WAV data that I did not add.
At least the person or persons should have uploaded titles like ->
Disturbed - Bound, SocialBurn or Pitbull - Dammit Man. lol <-;

Security told me that it could be an exploit within my website code, but if all I have running is index.htm without any type of input fields available, like textboxes or comboboxes, or database access (not using MSDE or Access or MySQL or Oracle or any type of database connection) (AKA injection attacks or better known as cross site scripting), then how would it be possible for someone to exploit my server and be able to disable the firewall, enable the FTP site and configure user accounts and permission sets?

If you can figure this one out let me know, for I'm not paying 150.00 per hour for someone to tell me that I need an OS reinstall or a new IP block pool to be rid of this pest for the moment. Although I could use the information this person/persons forgot to remove and defend myself, that would just affect others on our network and affect others on the network that the attack came from that did nothing to me.

BTW does anyone remember the link to the site that tests and scans for subclassed kernel API redirection aka (root intercepted API calls)?
If so please post the link.
If not, I have it saved to disk somewhere and when I find it I'll post it if anyone hasn't yet.

Oh well, on to the lighter side. Woot!
We only have 2 days until Christmas.
I hope all you tech junkies out there get something you can truly enjoy or just rip apart and figure out what makes it tick.
Thanks again guys
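A point-in-time audit of the things this thread keeps circling: who is actually logged on, the configured session limit and idle timeout nForcer mentioned, whether the firewall and FTP service are in the state you left them, and whether Everyone/Guest grants or unexpected media files have appeared under the web root. This is an added example, not code from the thread or any of its posters; it assumes a modern Windows host with PowerShell 5+ run as administrator, and $WebRoot is a placeholder path.

```powershell
# Added audit script (not from the thread). Assumes Windows 8/2012 or later,
# PowerShell 5+, administrative rights; $WebRoot is a placeholder.
param([string]$WebRoot = 'C:\inetpub\wwwroot')

# 1. Who is logged on. 'query session' (qwinsta) prints one row per session.
#    Rows without a USERNAME (services, the rdp-tcp listener) shift one column
#    left and fail the numeric-ID test, so only real Active/Disc logons remain.
$logons = query session 2>$null | Select-Object -Skip 1 | ForEach-Object {
    $f = $_.TrimStart(' >') -split '\s+'
    if ($f.Count -ge 4 -and $f[2] -match '^\d+$') {
        [pscustomobject]@{ Session = $f[0]; User = $f[1]; Id = [int]$f[2]; State = $f[3] }
    }
}
"Logon sessions: $($logons.Count)"; $logons | Format-Table -AutoSize

# 2. What the listener is configured to allow. A policy value overrides the
#    per-listener value; DWORD 0xFFFFFFFF (read back as -1) means no limit.
#    Timeouts are in milliseconds, 0 = never.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$lst = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$cfg = Get-ItemProperty $lst -ErrorAction SilentlyContinue
$max = (Get-ItemProperty $pol -Name MaxInstanceCount -ErrorAction SilentlyContinue).MaxInstanceCount
if ($null -eq $max) { $max = $cfg.MaxInstanceCount }
"Session limit: " + $(if ($null -eq $max -or $max -eq -1 -or $max -eq 0xFFFFFFFF) { 'unlimited' } else { $max })
"Idle timeout (ms): $($cfg.MaxIdleTime)  Disconnect timeout (ms): $($cfg.MaxDisconnectionTime)"

# 3. Perimeter and services the original poster found silently re-enabled.
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
foreach ($svc in 'ftpsvc', 'MSFTPSVC') {   # IIS 7+ and IIS 6 FTP service names
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { "FTP service $svc is $($s.Status) (start type: $($s.StartType))" }
}

# 4. Broad grants and unexpected media under the web root, oldest first so a
#    cluster of files created on one day stands out.
(Get-Acl $WebRoot).Access |
    Where-Object { $_.IdentityReference -match 'Everyone|Guest|ANONYMOUS LOGON' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
Get-ChildItem $WebRoot -Recurse -Include *.mp3, *.wav -ErrorAction SilentlyContinue |
    Sort-Object CreationTime |
    Select-Object FullName, Length, CreationTime | Format-Table -AutoSize
```

Compare the session count from step 1 against the limit from step 2; a count well above the limit, or a limit of "unlimited" on a box that only you should reach, is the configuration nForcer was pointing at.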