Computer Security - Keep getting my server wiped out.

#1

Since just after Xmas I believe my server has been attacked and erased twice. The first time was NT server 4.0 SP4, and the most recent attack, today, was on a different server running Server 2000. Each time the partitions disappear and all the data is gone. I have installed a more powerful firewall, but still seem compromised somehow. How can I determine what or who is doing this attack? Any help would be greatly appreciated.

Pablo
corrco@telus.net

#2

wrote:
> Since just after Xmas I believe my server has been attacked and erased
> twice. The first time was NT server 4.0 SP4, and the most recent
> attack, today, was on a different server running Server 2000. Each
> time the partitions disappear and all the data is gone. I have
> installed a more powerful firewall, but still seem compromised
> somehow. How can I determine what or who is doing this attack? Any
> help would be greatly appreciated.

What is making you think that it's an internet attack, though?

-WD

#3

<> wrote in message news:...
> Since just after Xmas I believe my server has been attacked and erased
> twice. The first time was NT server 4.0 SP4, and the most recent
> attack, today, was on a different server running Server 2000. Each
> time the partitions disappear and all the data is gone. I have
> installed a more powerful firewall, but still seem compromised
> somehow. How can I determine what or who is doing this attack? Any
> help would be greatly appreciated.
>
> Pablo

Maybe it's a hardware fault.

--
Mimic
ZGF0YWZsZXhAY2FubmFiaXNtYWlsLmNvbQ== ( www.hidemyemail.net )
"Without knowledge you have fear. With fear you create your own nightmares."
"There are 10 types of people in the world. Those that understand Binary, and those that don't."
"He who controls Google, controls the world".

#4

On Mon, 26 Jan 2004 00:23:36 GMT, wrote:
>Since just after Xmas I believe my server has been attacked and erased
>twice. The first time was NT server 4.0 SP4, and the most recent
>attack, today, was on a different server running Server 2000. Each
>time the partitions disappear and all the data is gone. I have
>installed a more powerful firewall, but still seem compromised
>somehow. How can I determine what or who is doing this attack? Any
>help would be greatly appreciated.

First of all, you should be more concerned with preventing this type of thing from happening. Learn how to secure your server, or you will keep getting your server wiped. If you don't know how to secure it, don't put it on the net until you do. There's plenty of good information on the net (well ... I should rephrase that ;-P ) to help you along. Once you've learned how to secure it, you can then look at logging any attempts to crack it.

With the proper security in place, and with proper administration of the server, you can reduce the risk - but you won't be free of the risk.

In no particular order (and by no means is this a be all and end all solution), you should always:

1. Keep your system updated with the latest security patches.
2. Use antivirus software - and keep it updated.
3. Disable unnecessary services.
4. Use a *good* firewall - and learn how to use it.
5. Use strong passwords.
6. Study your logs (system and firewall).
7. Stay in touch with the latest security news.
8. Understand that you are never *completely* safe.
9. Understand what you are doing.

Take a look at (and read and understand) the following links:

http://labmice.techtarget.com/articl...ingwin2000.htm
http://www.nsa.gov/snac/win2k/
http://www.microsoft.com/technet/tre...ps/default.asp

Hope this helps.

Dazz

>Pablo

#5

wrote:
> Since just after Xmas I believe my server has been attacked and erased
> twice. The first time was NT server 4.0 SP4, and the most recent
> attack, today, was on a different server running Server 2000. Each
> time the partitions disappear and all the data is gone. I have
> installed a more powerful firewall, but still seem compromised
> somehow. How can I determine what or who is doing this attack? Any
> help would be greatly appreciated.
>
> Pablo

What firewall are you using? Is antivirus software installed, running and up to date?

What activity do your System and Security logs record at the time in question? If nothing useful has been logged, turn on all the audit options for a while and see what you can track.

--
Alan

#6

On Mon, 26 Jan 2004 00:23:36 GMT, whilst in NewsFroup alt.computer.security, articulated the following sentiments :
>Since just after Xmas I believe my server has been attacked and erased
>twice. The first time was NT server 4.0 SP4, and the most recent
>attack, today, was on a different server running Server 2000. Each
>time the partitions disappear and all the data is gone. I have
>installed a more powerful firewall, but still seem compromised
>somehow. How can I determine what or who is doing this attack? Any
>help would be greatly appreciated.

All the partitions? Can you erase the boot partition while it's in use? This is an honest question, I'd just like to know. When I say 'boot' partition, I mean Microsoft lingo for the partition with all the Windows system files on it, not the 'System' partition, which contains booting info, right? Most of the time they are one and the same if I'm not mistaken.

Corrco, please report back here if you can with any new 'developments'. I hope there aren't, if you get my meaning, i.e. no more lost data.

Pete.

#7

Obvious answer. Someone has or is getting access to the Administrator account. That leads to the conclusion that either there is a "Backdoor" or Trojan on your system somewhere, a "key logger" is being used to harvest passwords, you have not secured one of the utility accounts (guest, anonymous, everyone, or user), or you are not properly using NTFS security.

There are other possibilities, but starting with the simple ones... it would seem you are not taking basic precautions. Once you do that, as mentioned in another message... you can activate "auditing", especially for logon/logoff, use of system process, configuration changes, etc., which will allow you to narrow down the suspects and/or method of entry/attack.

Finally, are you possibly trying to run a dual boot system? Possibly with a single disk?

<> wrote in message news:...
: Since just after Xmas I believe my server has been attacked and erased
: twice. The first time was NT server 4.0 SP4, and the most recent
: attack, today, was on a different server running Server 2000. Each
: time the partitions disappear and all the data is gone. I have
: installed a more powerful firewall, but still seem compromised
: somehow. How can I determine what or who is doing this attack? Any
: help would be greatly appreciated.
:
: Pablo

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.572 / Virus Database: 362 - Release Date: 1/27/2004
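
The auditing advice in posts #5 and #7, as an added example that is not from any poster in the thread: a Python sketch that triages an exported Security log for the hours before a wipe, flagging logons, account creation, a cleared audit log, and repeated failures followed by a success. The CSV layout, host names and timestamps are constructed assumptions; the event IDs are the Windows NT/2000 Security log IDs.

```python
import csv
import io
from datetime import datetime, timedelta

# Windows NT/2000 Security log event IDs worth reviewing after a wipe.
WATCH = {
    528: "successful logon (non-network)",
    540: "successful network logon",
    529: "failed logon (unknown user or bad password)",
    517: "audit log cleared",
    624: "user account created",
}

# Constructed sample export; the column layout is an assumption.
SAMPLE_CSV = """time,event_id,user,source
2004-01-25 09:02:11,528,Pablo,SERVER1
2004-01-25 21:40:01,529,Administrator,HOST-A
2004-01-25 21:40:04,529,Administrator,HOST-A
2004-01-25 21:40:09,529,Administrator,HOST-A
2004-01-25 21:41:30,540,Administrator,HOST-A
2004-01-25 21:44:52,624,Administrator,SERVER1
2004-01-25 21:58:17,517,Administrator,SERVER1
"""

def triage(csv_text, incident_time, window_hours=6, fail_threshold=3):
    """Return (findings, guessed): watched events inside the window before
    the incident, and accounts with >= fail_threshold failures then a success."""
    start = incident_time - timedelta(hours=window_hours)
    findings, fails, guessed = [], {}, set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        eid = int(row["event_id"])
        if eid not in WATCH or not (start <= when <= incident_time):
            continue
        key = (row["user"].lower(), row["source"].lower())
        if eid == 529:
            fails[key] = fails.get(key, 0) + 1
        elif eid in (528, 540):
            # A success right after a run of failures suggests a guessed password.
            if fails.get(key, 0) >= fail_threshold:
                guessed.add(row["user"])
            fails[key] = 0
        findings.append((row["time"], eid, WATCH[eid], row["user"], row["source"]))
    return findings, sorted(guessed)

if __name__ == "__main__":
    found, guessed = triage(SAMPLE_CSV, datetime(2004, 1, 25, 22, 0, 0))
    for f in found:
        print(*f, sep="  ")
    print("possible password guessing against:", guessed)
```

None of these events exist unless auditing was enabled before the incident, and the Security log has to be copied off the machine before the disk is rebuilt.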