Hacked or Normal?

Question
Remote Alert logs show me that IP addresses from China, The Netherlands, Italy and Russia have "attempted" remote entry or utilization of my Home Server. Most of the queries were limited and cryptic. Now the log entries show "/uploads/2007/09/10/favicon.ico". Now even my own desktop PC shows this entry when attaching to the Home Server. I cannot find this location on the server.
Is this normal or have I been hacked? If hacked, how do I stop its malicious use?
Additionally at the same time as a foreign IP remote entry was timed, a couple of system files appear to have been changed and the time stamp updated. The changed files are: "rdpload.aspx", "standardUpload.aspx" and "Richupload.ascx".
I would appreciate any advice that can be given.
Tuesday, March 9, 2010 7:48 PM
All replies
You need to give us something to go on if you want our help. A sample of the actual log entries might be useful, for instance.
But if you fear your server has been hacked, I'd recommend disconnecting it from the rest of your network, then downloading some good virus scanning tools that you can run from a bootable CD-ROM, and scanning your server repeatedly. And if you've been hacked, please post a bug on Connect!
I'm not on the WHS team, I just post a lot. :)
Tuesday, March 9, 2010 9:30 PM, Moderator
Hi,
favicon.ico is requested by most web browsers in the current directory where the main HTML document has been retrieved - it uses this to set the mini icon next to the URL in the address bar in most browsers so this in itself is nothing to be suspicious of.
However, if the file stamp times have changed on those files I would assume you have been hacked and would suggest disconnecting your server from the network and running a thorough scan for malware - that said there are not many free software options available so you may be better off with a server recovery.
Also try and keep as up to date with updates as possible - Microsoft release updates weekly and hackers work 24/7
Cheers,
Al
--
Wednesday, March 10, 2010 10:36 AM
Hi,
Actually, MS releases security updates once a month (affectionately known as "Patch Tuesday", the second Tuesday of the month). Sometimes there are various other non-security updates on the fourth Tuesday of the month. Rarely does MS release critical/security patches outside of that schedule (and when they do, they are deemed by MS to be so vital that it couldn't wait until the next normal update cycle).
favicon.ico is requested by most web browsers in the current directory where the main HTML document has been retrieved - it uses this to set the mini icon next to the URL in the address bar in most browsers so this in itself is nothing to be suspicious of.
However, if the file stamp times have changed on those files I would assume you have been hacked and would suggest disconnecting your server from the network and running a thorough scan for malware - that said there are not many free software options available so you may be better off with a server recovery.
Also try and keep as up to date with updates as possible - Microsoft release updates weekly and hackers work 24/7
Cheers,
Al
--
Thursday, March 11, 2010 2:19 AM, Moderator
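
The replies above ask for sample log entries and treat the changed file timestamps as the real warning sign. The following is an added example, not part of the original thread: it correlates IIS W3C log lines with the modification times of the three files named in the question. The log lines, the `/remote/` paths, the modification times and the `192.168.1.0/24` home subnet are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (IIS logs times in UTC).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2010-03-09 18:02:11 192.168.1.20 GET /uploads/2007/09/10/favicon.ico 404
2010-03-09 18:40:03 203.0.113.45 GET /remote/logon.aspx 200
2010-03-09 18:41:57 203.0.113.45 POST /remote/standardUpload.aspx 200
2010-03-09 21:15:30 198.51.100.7 GET /uploads/2007/09/10/favicon.ico 404
""".splitlines()

# File names from the question; the modification times are constructed (UTC).
WATCHED_MTIMES = {
    "rdpload.aspx": datetime(2010, 3, 9, 18, 42, 5),
    "standardupload.aspx": datetime(2010, 3, 9, 18, 42, 5),
    "richupload.ascx": datetime(2010, 3, 9, 18, 42, 6),
}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["when"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def correlate(lines, mtimes, window=timedelta(minutes=5)):
    """Flag off-LAN requests that name a watched file or fall near its change time."""
    hits = []
    for row in parse_w3c(lines):
        if ipaddress.ip_address(row["c-ip"]) in LAN:
            continue  # local clients, e.g. the desktop PC fetching favicon.ico
        name = row["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        reasons = ["requests " + name] if name in mtimes else []
        near = sorted(f for f, t in mtimes.items() if abs(t - row["when"]) <= window)
        if near:
            reasons.append("within window of change to " + ", ".join(near))
        if reasons:
            hits.append((row, reasons))
    return hits

if __name__ == "__main__":
    for row, reasons in correlate(SAMPLE_LOG, WATCHED_MTIMES):
        print(row["when"], row["c-ip"], row["cs-method"], row["cs-uri-stem"], "->", "; ".join(reasons))
```

On a real server, file modification times are reported in local time and must be converted to UTC before comparing them with the IIS log.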