
I have a simple setup: an email server and a web server (IIS) running on Windows 2012. The site is a simple static one with a contact form. No upload capability.

Today I found it had been encrypted by ransomware asking for payment to get all the files back. Luckily there were backups of most things, so I just reinstalled everything.

Just wondering how it might be possible for someone to attack such a setup, as no one has access to the machine, so I can say 100% that no one clicked a link on the server itself.

The only thing that comes to mind is that someone hacked the admin account and put it on there. Would this be a correct assumption?

AliK
  • Are you up to date on patches? A contact form is typically **non**-static, as it has to process the form submission in some fashion. Brute-forced passwords, reusing a password that got compromised elsewhere, etc. etc. etc. – ceejayoz Apr 23 '19 at 12:42
  • @ceejayoz Yes, I understand about the contact form; I meant that it does not allow uploads but is processed by a .NET backend. I was thinking the same thing regarding a password hack, as to my knowledge, outside of SQL injection, not much can be executed without clicking/running anything from the server itself. That was my concern. It is a VPS, but I'm not sure if that makes much difference. – AliK Apr 23 '19 at 12:53
  • Is your Windows 2012 patched? Do you have a physical firewall, patched, with correct rules allowing only web and SMTP? Do you have an antivirus? Is it patched? – Deltaforest Apr 23 '19 at 12:53
  • No antivirus, but all updated to the latest security patches. VPS, so probably a physical firewall in the datacenter, but it's a 3rd-party provider, so I can't say for sure. – AliK Apr 23 '19 at 12:56
  • So you have a web server running under IIS. That's a huge attack vector. What kind of scripts, etc. are running that could be vulnerable? You say that it is a VPS. Normally you don't have a physical firewall if you don't pay for it. If so, which ports are open? If there is no external firewall, then the only thing protecting your Windows box is the built-in firewall. Which ports and protocols are open in the Windows instance? File service, FTP, Remote Desktop. I could list a few services that are known to be vulnerable if exposed to the internet. Then we have account hacking. Any easily guessed passwords? – Ingvar J Apr 23 '19 at 13:54
  • Can you tell us the name of the ransomware your server was infected with? Some ransomware is delivered in specific ways (i.e. RDP brute-forcing), so it might be possible to link it to a certain attack vector. – Aura Apr 23 '19 at 14:07
  • Regarding IIS, I understand the risks of scripts etc., but this is a static site not running much in terms of JS etc. The name of the ransomware was not given; it just said "phoenix". Regarding ports, only the mail ports 25/110/587, nothing else. I set these up regularly, so I pretty much even change the default 3389. I guess I am just trying to understand how it can happen, as I mentioned, because to my knowledge something would need to execute and no one was on the server, but it's worrying that brute force could deliver such malware. – AliK Apr 23 '19 at 14:57
  • So, which e-mail server? Did you by any chance also inspect the file owner of some encrypted files? – Gerrit Apr 23 '19 at 15:36
  • @user188737 I did not check the files; due to time constraints I had to get it up and running within a given time frame, so I did not check that quickly. Regarding the email server, we run hMail. – AliK Apr 23 '19 at 17:33
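The comments point at three things that would have settled the question before the rebuild: what was actually listening on the box, whether the Security log shows a brute-force pattern followed by a successful remote logon, and which account owned the encrypted files. The following PowerShell triage script is an added example and is not from the thread or from any of the commenters; it is meant to be run elevated on the affected host (or on a forensic copy) before it is wiped. It assumes the Security log still covers the compromise window and that the encrypted files live under the two paths in `$EncryptedPaths`, which are guesses for a site under `inetpub` and a default hMailServer data directory; both assumptions are labelled in the code.

```powershell
# Added ransomware-entry-point triage for a Windows Server 2012 VPS (example code, not from the thread).
# Assumptions: the Security event log still holds events from the compromise window, and the
# encrypted files are under the paths in $EncryptedPaths (both paths are hypothetical defaults).
param(
    [int]$HoursBack = 72,
    [string[]]$EncryptedPaths = @('C:\inetpub\wwwroot', 'C:\Program Files (x86)\hMailServer\Data')
)

$since = (Get-Date).AddHours(-$HoursBack)

# 1. What is really listening? The thread assumes only 25/110/587 plus a moved RDP port;
#    this verifies that and names the process behind each non-loopback listener.
Write-Host "== Listening TCP ports =="
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $proc.ProcessName }
    } | Sort-Object Port -Unique | Format-Table -AutoSize

# Helper: read one named field out of an event's EventData XML (e.g. IpAddress, TargetUserName).
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 2. Failed logons (4625) grouped by source IP. A brute-force campaign shows up as one IP
#    with hundreds or thousands of failures against Administrator or a short list of guessed names.
Write-Host "== Failed logons by source IP (4625) since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Ip        = Get-EventField $_ 'IpAddress'
            User      = Get-EventField $_ 'TargetUserName'
            LogonType = Get-EventField $_ 'LogonType'
        }
    } |
    Group-Object Ip |
    Sort-Object Count -Descending |
    Select-Object -First 15 -Property Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Select-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 3. Successful remote logons (4624) of type 10 (RDP) or 3 (network, e.g. SMB). The first success
#    from an IP that also appears in the failure list is the most likely entry point.
Write-Host "== Successful remote logons (4624, type 3/10) since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $type = Get-EventField $_ 'LogonType'
        if ($type -in @('3', '10')) {
            [pscustomobject]@{
                Time = $_.TimeCreated
                Ip   = Get-EventField $_ 'IpAddress'
                User = Get-EventField $_ 'TargetUserName'
                Type = $type
            }
        }
    } |
    Where-Object { $_.Ip -notin @('-', '127.0.0.1', '::1') } |
    Sort-Object Time | Format-Table -AutoSize

# 4. Owner of the encrypted files. The ransomware ran under whatever account wrote them, so the
#    owner of the recently written files names the account that was compromised (Gerrit's question).
Write-Host "== Owners of files written under the suspected paths since $since =="
Get-ChildItem -Path $EncryptedPaths -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    ForEach-Object { (Get-Acl $_.FullName).Owner } |
    Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Moving RDP off 3389 only changes which port step 1 reports; it does not stop a scanner from finding it, so a large 4625 count from one IP in step 2 followed by a type-10 success from the same IP in step 3 is the signature of exactly the RDP brute-force delivery Aura describes. If the Security log was cleared, has rolled over, or 4625 events are absent because logon auditing was never enabled, step 2 and 3 come back empty and the file owner in step 4 is the only remaining lead; in that case keep a copy of `C:\Windows\System32\winevt\Logs\Security.evtx` and pass it to `Get-WinEvent -Path` instead of `-FilterHashtable @{ LogName = ... }` on the rebuilt machine.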

0 Answers