#1
Hi,
Someone is attacking my server! He can log in without knowing the Administrator password... I see he creates users in Users and Groups. How can this be blocked? I see the following in the events:
Quote:
I disabled "Accounts: Limit local account use of blank passwords to console logon only". Can he still log in to my server?
#2
Moved to the IIS forum.
--Simon
#3
Quote:
This is not about IIS?
#4
Sorry, I thought it was an IIS problem. Is this attack coming in via your web server, or directly to the server? What is the operating system and web server? Any other info?
--Simon
#5
There are lots of exploits that may have happened. Generally, if you got hacked:
a) you haven't kept your server's Windows updates up to date,
b) you don't have a firewall or it's not configured properly,
c) you don't have some form of antivirus and spyware-blocking software,
d) you use the web server as a workstation and did something that put bad stuff on your server, or
e) you have allowed some untrustworthy person physical access to your server.
a or b are likeliest. If you don't close IIS holes as soon as they are discovered and patches are available, it doesn't take long for some zombie computer to find yours and hack it.
====== Doug G ====== I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain
#6
The only user who can access the server (remote connection) is Administrator.
No other user can access the server (I disabled "remote control" for all users except Administrator). There is no third-party ISAPI DLL installed in IIS. I mean there are some holes on my server (W2K3), and someone is using them to access my server. He can log in to my server and use it; he can install applications on my server, and he uninstalled the antivirus that I used (NOD32). Connections to the server are limited: only 2 users can access the server at the same time. If I connect to the server with 2 accounts, can he still access it?
#7
Quote:
I didn't see your message, sorry. OS: W2K3 Standard Edition SP1, all updates are okay, auto update is on. IIS 6.0. There is only one user who can access the server via remote control, but someone can create any user he wants. The users he created have administrator permissions. I have NOD32. My server is behind a firewall; there isn't a local firewall, it is in the datacenter (FDC). What are your suggestions? Thank you.
#8
If you get no more help here in the IIS forum, try rephrasing your question and re-asking it in the Windows forum, making it clear you're looking for Windows help. If you haven't already, make sure you run a complete antivirus/spyware scan.
You could always back up your data, then reformat and reinstall the server OS, making sure all potential holes are plugged before you put it back in service.
#9
Unless you opened a port in the firewall to allow access via Remote Desktop, I highly doubt this is how they are getting in. Most likely they exploited IIS or your web site code and dropped a backdoor app on your server. Usually they drop something in that makes a connection to an IRC server; this way it bypasses the firewall, as the server made the connection out. If you have little experience in this, then blow away the server and rebuild; make sure you fully patch it before putting it back online, and also check your code for PHP or other exploits that may allow them to upload a program or run scripts. Just my opinion. (The big problem is rootkits, as there is no 100% way to detect these.)
Last edited by juniperr : February 3rd, 2006 at 01:09 PM.
#10
There are more than 100 sites on IIS.
How can I know which site is being exploited on my server? The firewall is not local; my server is in a datacenter, and the datacenter has a firewall system. And he can still create the users he wants, but he can't log in to my server, because I connected to the server with 2 accounts; more than 2 connections are not allowed. Help me, please. (I scanned the server with spyware and antivirus tools.)
#11
All sites' execute permissions are set to "Scripts only".
#12
Something else you can do is monitor whether he has any hidden process using Process Explorer from Sysinternals.
www.sysinternals.com There are a number of other good tools there, including Handle and TCPView. Handle will allow you to find processes bound to certain DLLs, and TCPView can help you ID some of the incoming/outgoing traffic patterns that they may be using. But these are low-level tools; they just show you things. What you learn from using them is valuable, but they do NOT give you any idea about what a process does; that is up to you to decide. Windows has many built-in processes, and you don't want to kill one of them accidentally.
Dev Shed Forums > System Administration > IIS > Attacking server