Some help re Windows server security

The Dentist

VIP Member
VIP Member
Joined
Apr 2, 2006
Messages
8,321
Hi guys,

hope you are well. I wanted to pick your brains. I have a server at home running windows server 2016 - with 3 machines running on hyper-v. They had different jobs. one was for torrenting, one for cctv, google sync and another for general usage etc.
Server 2016 was running AD and each user would login with their AD credentials.
Now this is just a home pc, nothing important on there apart from years of pictures etc and CV and browser history and loads of films. They are all set to backup each night onto USB hdd.

Over the weekend I logged in and saw everything had been encrypted and all my files with a weird .encrypted extension. A note pad with an email address saying send some bitcoin to have your data back. Im running on a virgin media line and have a few ports forwarded to the main server and to one of the VM. Luckily I have my data backed up so not an issue but I am looking to rebuild again with better security.

My question is really, how did they get in and what can I do to secure myself? When I logged onto one of the vm's there was a command prompt open with something along the lines of:
x number of users detected
username : password

username was my wifes password and the password was what she set as the password.

the virgin router when I logged in to it said that the firewall was enabled - evidently it was rubbish.
 

janobi

Janet to us
VIP Member
Joined
Jan 25, 2006
Messages
8,645
Hi guys,

hope you are well. I wanted to pick your brains. I have a server at home running windows server 2016 - with 3 machines running on hyper-v. They had different jobs. one was for torrenting, one for cctv, google sync and another for general usage etc.
Server 2016 was running AD and each user would login with their AD credentials.
Now this is just a home pc, nothing important on there apart from years of pictures etc and CV and browser history and loads of films. They are all set to backup each night onto USB hdd.

Over the weekend I logged in and saw everything had been encrypted and all my files with a weird .encrypted extension. A note pad with an email address saying send some bitcoin to have your data back. Im running on a virgin media line and have a few ports forwarded to the main server and to one of the VM. Luckily I have my data backed up so not an issue but I am looking to rebuild again with better security.

My question is really, how did they get in and what can I do to secure myself? When I logged onto one of the vm's there was a command prompt open with something along the lines of:
x number of users detected
username : password

username was my wifes password and the password was what she set as the password.

the virgin router when I logged in to it said that the firewall was enabled - evidently it was rubbish.
Simple phising email I would say. Basically you've downloaded some ransomware, and been infected, which in turn has encrypted all your files. Do you know what the .ext was per chance? You may be able to unlock them for free.

If this is a networked device, the likelihood is that it has more than likely come in somewhere else, then been spread on the home network. Grab malwarebytes or similar and run on all the machines running windows that you have. Isolate the machines that have been infected (Pull them off the network), otherwise you risk further infection.

We're you running AV on the servers? Are you behind a firewall? Firewall wont have made any difference, as you've opened ransomware, but it's something to be aware of. Let me know if you need any help Dentist.
 

The Dentist

VIP Member
VIP Member
Joined
Apr 2, 2006
Messages
8,321
Hello Janobi. Thanks for the reply bud.

I have pulled the plug as it completely destroyed everything lol. I will switch it on tonight and check but I won't even try fixing it. Will do a complete rebuild of the environment.
Just want to understand how it actually happened. I didn't have any av on it unfortunately, my fault. I think the last thing I did before it happened was I downloaded Lord of the rings from an unknown torrent site although it was just mp4 files and srv files.

My fear was that someone physically logged onto it and ran it... Which would mean a physical flaw somewhere where they got in via an open port.

Another thing I noticed was upnp was enabled on the router which had forwarded a whole bunch of ports but think they were for plex.
 

The Dentist

VIP Member
VIP Member
Joined
Apr 2, 2006
Messages
8,321
Hello Janobi. Thanks for the reply bud.

I have pulled the plug as it completely destroyed everything lol. I will switch it on tonight and check but I won't even try fixing it. Will do a complete rebuild of the environment.
Just want to understand how it actually happened. I didn't have any av on it unfortunately, my fault. I think the last thing I did before it happened was I downloaded Lord of the rings from an unknown torrent site although it was just mp4 files and srv files.

My fear was that someone physically logged onto it and ran it... Which would mean a physical flaw somewhere where they got in via an open port.

Another thing I noticed was upnpwas enabled on the router which had forwarded a whole bunch of ports but think they were for plex.

Another thing to note is that it wasn't live as in nobody else was logging into the machines to access emails etc. All the machines were on an isolated network domain.
 

Grimeire

VIP Member
VIP Member
Joined
Dec 3, 2012
Messages
949
What was the ransomware called and I will find the main installation methods and IOCs. Do you have NIDS running in your environment?

Most malware is installed via the method janobi suggested (phishing) but file sharing protocols is another popular method. Unless you have enbled upnp forwarding and need it for something I would advise you disable.

I use Plex and can access it remotely and I do not need it enabled.
 

The Dentist

VIP Member
VIP Member
Joined
Apr 2, 2006
Messages
8,321
From what I could see they all had a *.BTC extension. Not sure if that means anything. Havent formatted it as hadn't had time last night.
Also, most extensions including vhdx files and vhd extensions were encrypted.

Unfortunately no NIDS - never set that up or had any experience setting it up.

Yep no need for uPNP so have disabled that. I also had ports 3388 and 3387 forwarded to 3389 into a couple of machines which I think was silly of me.

As I said, not too fussed about decrypting it, I wont even attempt it. Just interesting. Maybe once I have it set up again I can do some testing myself to find out security flaws.
 

OMENDATA

Member
Joined
Oct 31, 2012
Messages
28
The good days of forging ip packets and using syn-flood etc to cause the OS to crash and allow user access are pretty much over its all social engineering now - you most likely torrented a compromised file and ran it or it ran itself by setting up a task in task scheduler - thats a sneaky way to avoid a user noticing by running it early in the morning around 4am-7am.

Do you have SQL running?
If so then possibly SQL injection using the new fruity tool could get a user access but its pretty rare!

One thing is to make sure you check everything and wipe clean as these things are a pain to get rid off - just when you think you have removed it, a mutation engine can reapply itself and unencrypt itself and the file encrpytor is active again, deletes itself and saves another copy of the mutation engine somewhere else -very sneaky!

Btc is bitcoin virus similar to the Thor virus and probably written by the same team - they are pretty active on the Darknet!
You 99% must have run one of your dodgy torrents especially if you download games .exe .com files etc
I stick to movies myself!

Best just to wipe and reload to be honest as paying the ransom is unlikely to get anything but a lol from the perpetrator!
There was a fix for early encryptors but it doesnt work as they upgraded to RSA 2048 which is impossible to crack....until of course the first Quantum computer becomes available lol

Hardening the server by locking down services, changing the admin name , disabling task scheduler, removing all permissions from the HIVES in the three main RUN key locations in the registry are just some of the things you can do to avoid attack - And try not to use the Administrator account - thats why the SUDO command was invented on our Unix/Linux boxes. Windows 10 does have a nice feature of disabling access to selected folders to change anything but it makes usaeability a pain - there is always a compromise betrween suability and security im afraid!

Hope that helps a bit dude I know how devastating it can be as I have seen clients in tears after losing years of photos and family memories.
Apart from the pain in the ar** it is to rebuild and restore everything?

Learn the lesson now - REGULAR BACKUPS - DAILY PREFERABLY OR WEEKLY AT THE LEAST and to more than one location.
 

The Dentist

VIP Member
VIP Member
Joined
Apr 2, 2006
Messages
8,321
Cheers Omendata.
That is very good advice. Yeah I have just today finished the full rebuild. Was the most annoying thing every.
Just the wife alone had over 300000 photos LOL

Have disabled all ports apart the the required one. Only thing I have yet to set up is the torrent account. As the last setup had a folder which would auto download torrent files. I need to rethink the security on that before enabling that again. Possibly an isolated account with no permissions to any network shares.

Currently using the standard Windows server backup. That does the job, but a bit pitiful as the features are non existant. What's a good backup program in your opinion? For a home server not enterprise mind.
Currently have a daily backup to an external drive which is attached to the server.
What I want to do is have a rule that disables the USB port completely when the backup isn't running. So if there ever is an attack the USB drive is actually powered off.
Luckily this time they didn't touch the backup but who knows.
 

OMENDATA

Member
Joined
Oct 31, 2012
Messages
28
I use Symantec livestate recovery it backs up on the fly but its non existant now its old software but pretty much the best ive ever used.

Acronis is the best for data compression and squeezing those file sizes down and speed.
I have tested quite a few like Macrium reflect but all the free stuff lacks speed and compression.

My server setup is a bit different to yours as its all virtualized on my Dell Poweredge rackmount using Vmware server with failover clustering and Vmotion so backups are less of an issue but i still do em once a week to a 4tb Gig Nas box.

I also run ISA firewall running on an old Samsung laptop you really cant rely on the firewalls they provide with routers as they dont have stateful inspection or any form of antimalware - My isa does it all with addons surfcontrol etc

You can block the usb port using software.
I was a systems and games programmer back in the good old days of the CBM64 and BBC Micro so i prefer machine code but you could write a small C++ routine to disable it or do a search on the programming forums over on stack overflow if you know a bit of coding!

There is a way of doing it by manipulating a registry key just by creating 2 .reg files - toggle on/off
You could then put it in a batch file ausing the regedit import command and run it using task manager - that way you wouldnt really need to program as such.

Dont worry they will its the first thing i thought of when someone asked me at a recent security event how to improve viruses and it would be to search for all known backup extensions and encrypt them as well as search all drive letters and network shares -ENUMERATE ALL
I am quite surprised it hasnt already been done in the first iterations of many of the encryption for cash malware!

I wrote a simple virus to destroy hardware most people think its not possible and only exists inthe movies but it is - overwriting flash firmware is one way but running a multi core prime mersennes routine in a small 25k machine code routine on some old laptops can fry the graphics chip notably the nVidia Quadro NVS 135M used on many an old Dell but there are many possibilities - Things are getting much worse but peeps think they will never be affected - My motto has always been TRUST-NO-1 , backup everytning - The X-files was right - I dont even trust myself lol

Once holographic crystalline laser storage becomes a reality we wont have to worry about size and backup speed.
Backing up just 4tb of data is a real pain and that is just one of my movie repositories lol!
 
Joined
Mar 23, 2017
Messages
63
I do know i am a little late to this thread and i am not really well up on servers etc, but the older virgin routers and talk talk routers were vulnerable to the WPS Pixie Dust Attack and easy to break into. Easy to remember passwords are a usual method as is friends that know you. Sometimes people Will rename their router and even something that simple can give so much information about your password.
Just my thoughts
 
TEST
Top