Last week (October 2015) an old friend asked me for help. They had had a disaster with their accounting.
We have known the company for a long time; I have been friends with its director for 10 years. About 1.5 years ago they approached us for help but for some reason declined our services. Instead they signed a contract with a 1C franchisee, which began supporting them remotely. They were assured that everything would be fine for the time being.
Then one day the accountant cannot log in, there is no database, and the tax return is due in 10 days.

- Why, my dear friend (I say), I offered you our services several times.
- Well, it happened, he answered. Help.
Some details of the attack. The server faces the Internet with a single open port: it has a public IP address with the RDP service listening on it. The attack was evidently a password-guessing attack against RDP, although below I will give a couple of other options. Remote sessions were permitted for an administrator account that had rights not only to the 1C databases but to all other resources on the server. After guessing the password, the attacker logs in and packs your databases into a WinRAR archive. He finds the backup copies and puts them into a separate archive. He sets a 10-character password on both archives. The 1C databases and the backups themselves he wipes with a file shredder (an "eraser" tool), so they cannot be recovered from the disk. He then creates a text file named IMPORTANT !!! with the following contents:

"Attention! Your databases have been archived with a password; using them is impossible. To get the password to the archive, you must pay 18,000 rubles via Yandex.Money.
If you agree, write to the address rob1111stewar@hotmail.com, indicating in the message the IP address of your server (external; you can find it by opening the site 2ip.ru).
The IP address is needed to give you your personal password for the archives."
Result: you have to pay the attacker, because there is no other way to get at your database. Brute-forcing a 10-character archive password would take a very long time.
The hacker turned out to be surprisingly honest: after payment he handed over the password along with recommendations on how to fix the security problems.
The story seems to be over, but I will list the possible attack paths and the ways to protect against them:
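A password-guessing attack like the one described above leaves a trail long before the archives appear: hundreds or thousands of failed logons (Event ID 4625) in the Security log, usually from one source address against a handful of account names. The following is an added example, not part of the original article, showing how to pull those events with PowerShell and group them by source IP. It assumes it is run as an administrator on the server itself and that failure auditing for logons is enabled (the default on Windows Server); the 24-hour window is an arbitrary choice.

```powershell
# Added example: count failed logons (Event ID 4625) per source IP over the last 24 hours
# to spot RDP password guessing. Assumes an administrative PowerShell session on the server.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull the fields we need out of each event's XML payload
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $d['TargetUserName']
        SourceIp  = $d['IpAddress']
        LogonType = $d['LogonType']   # 10 = RemoteInteractive (classic RDP), 3 = Network (RDP with NLA)
    }
}

# Guessing shows up as many failures from one address; list the addresses and the names tried
$rows | Where-Object { $_.LogonType -in '3', '10' } |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Two caveats when reading the output: on some Windows versions the source address of NLA failures is logged as "-", so a large "-" bucket is still worth investigating; and if the Security log turns out to be empty or recently cleared (Event ID 1102), that is itself evidence of an intruder with administrator rights.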
1. Direct password guessing against the RDP service.
2. Malware that plants a remote-control program on the server and cracks the password from there.
3. Sabotage by the staff.
We will not analyze the third option, since there is no technical protection against it: whenever you trust someone with your data, you run a risk. The second is largely covered by an up-to-date antivirus on the server; that too is quite simple. Let us stop on the first variant and the ways of protecting against it.

1. Eliminate the server's direct exposure to the Internet. If outside access is needed, put an external firewall in front of it, for example the inexpensive D-Link DFL-210/260. It will block scanning attempts and close unneeded open ports on your network. Management access to the firewall should itself be restricted to your internal network.
2. Move the RDP service to a port other than the default (3389).
3. The password of the account allowed to log in remotely must be a meaningless string of letters and digits, at least 10 characters long.
4. Set an account lockout policy on the server, for example lock the account for 10, 15 or 30 minutes after 5 failed attempts.
5. Block remote access for administrator accounts and create a separate, non-administrative account for your own needs.
6. Backups should be readable only by the administrator or the backup user; permissions on the backup folder should likewise be as restrictive as possible.
7. The most reliable option: once a week copy the backups to portable media kept off the server, for example the director's or the accountant's laptop.
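Points 2 to 6 above can all be applied from an administrative PowerShell prompt on the server. The following is an added example written for this page, not a script from the original article or from 1C; the port number 33899, the account name acc1c, the backup account backupsvc, the folder D:\Backups and the office address 203.0.113.10 are all assumed values, and the firewall cmdlets need Windows Server 2012 or later. Point 1 (an external firewall) and point 7 (offline copies) are not scriptable on the server itself.

```powershell
# Added example: the article's points 2-6 on a standalone Windows server.
# All names, addresses and the port are assumptions; run from an elevated PowerShell.

# 2. Move the RDP listener off 3389 (takes effect after a restart of Remote Desktop Services)
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value 33899 -Type DWord

# Allow the new port only from the office address and disable the stock 3389 rules
New-NetFirewallRule -DisplayName 'RDP custom port (office only)' -Direction Inbound `
    -Protocol TCP -LocalPort 33899 -RemoteAddress 203.0.113.10 -Action Allow
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. Lockout: 5 failed attempts lock the account for 30 minutes (local accounts only;
#    on a domain member this is set by domain policy instead)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3, 5. A separate non-administrator account for remote work. "*" makes net user prompt
#    for the password, so a long random one can be typed in without landing in the history
net user acc1c * /add
net localgroup "Remote Desktop Users" acc1c /add

# 6. Backup folder: drop inherited permissions, then grant only SYSTEM, Administrators
#    and the backup account (which needs modify, not full control)
icacls D:\Backups /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'backupsvc:(OI)(CI)M'
```

Membership in Remote Desktop Users is what lets acc1c log on remotely; to actually forbid administrators from doing so (the second half of point 5) add the Administrators group to "Deny log on through Remote Desktop Services" in Local Security Policy under User Rights Assignment, and keep a console or out-of-band path for emergencies so you do not lock yourself out. Check the result with `Get-WinEvent` after a deliberate wrong-password attempt: the failure should be logged, and the account should lock after the fifth.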
Of course, it is impossible to defend fully against every kind of attack. But making an attacker's life as hard as possible is within anyone's reach. With 90% probability, faced with such a server, the attacker will not waste time on you and will find an easier victim.
From the author:
Colleagues, this article is not an advertisement for 1C or for the hacker calling himself Rob Stewart. This real story happened a week ago. It is aimed at ordinary users and the most novice administrators.
The author is also aware of many other protection methods, including the forwarding of the RDP port. But he, that is I, deliberately did not focus on them, since I consider the measures listed sufficient.
P.S. Among the protection options not covered: virtualization; separating the main database, update access and backups; using specialized software; and so on :).