
Server Protection - All Help Wanted

Hello Everyone,

 

As of September 8th my main server has been hacked. I live in a household. I run this server for 2 different gaming servers. I am asking for some serious help. I don't know what to do. I have Windows Server 2022 Datacenter (Desktop Experience) installed. I was using PC Manager, the free edition from Microsoft. I guess it didn't help, because the server got hacked and they changed the login and I was unable to access my server. I had to actually take the hard drive out and put it into another server as a secondary drive to browse the files on it. Looking in the "Downloads" directory, I found some files that I never downloaded. They were from September 8th. That is how I know that it got hacked.

 

I am unsure what antivirus/firewall to use. My home desktop uses ESET Smart Security. I would use ESET Server Security, but I don't want to pay an arm and a leg for their service, so I need something open source that is free right now, if that is even possible. I have tried to Google my way around to finding an antivirus/firewall for my server, but I have had no luck.

 

I am also unsure how the hacker even hacked my server. If anyone might know of a way to figure out how I can check to see how my server got hacked, that would be a huge plus, as I have been struggling with that as well.

 

Much help is appreciated right now.

 

Thanks so much,

-HomeAdmin247.


Hello

Sorry, some of the things you posted were a little unclear, to me at least.

1. What is the actual deployment you are running?
Did I understand correctly that you have a physical computer hosting 2 different game servers? If I understood correctly, this is running some sort of Windows Server.

 

36 minutes ago, HomeAdmin247 said:

I am also un-sure how the hacker even hacked my server. If anyone might know of a way to figure out how I can check to see how my server got hacked that would be a huge plus as I have been struggling with that as well.

How is the server set up? You have two game servers on there, so are those services exposed to the internet? What else is exposed or deployed on the server?


24 minutes ago, HomeAdmin247 said:


I'm assuming you've set your server up to be on the internet, meaning you share your IP with the world. That way your server and your entire network become a target. Now either someone used a list of vulnerable routers to get in (scripted attack) or, more likely, someone connecting to your game used your IP to get access to your system, maybe a revenge plot because you kicked a player or for some other reason. That is why you do not want your home IP to be shared publicly. You can lock out everyone except for certain IP ranges you trust in your basic Windows firewall. However, if your modem/router is compromised, that opens the attacker up to use all unpatched vulnerabilities on your server, of which there are many, but again, that would be the outcome of a targeted attack on you specifically. There is also the possibility someone on the client side downloaded something or opened an attachment with a backdoor trojan.

As for ruling out future attacks, well, that depends on how you set it up in the first place. If the server is only used locally, make sure it cannot be reached from the outside world. If you use stuff like Plex to access your media while on the go, you open yourself up to a number of possible attacks, especially on Windows. Depending on what infrastructure you currently deploy in your home, check all the access logs.

If you had your account linked to MS, you can ask for your password to be reset within minutes. That should give you full access. Replacing the OS will do the same thing (you need install media). However, please check if your MS account has been compromised as well, and change all the other passwords you used on that system for safety reasons.

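The post above says to check the access logs, and the original poster already has the hacked disk attached to a clean machine as a secondary drive. The following is an added example written for this thread, not something anyone in it posted. It assumes the old system disk is mounted as E: (change $Disk if not) and that the intrusion happened on 8 September; the post does not give the year, so $Day is an assumption to adjust. It lists files created around that date under the user profiles, then reads the offline Security and System event logs for logons, account changes, log clearing and new services.

```powershell
# Added example, not from the thread. Offline triage of the hacked system disk
# from a clean machine. Assumptions: disk attached as E:, intrusion on 8 Sept,
# year not given in the post (set it below).
$Disk = 'E:'
$Day  = Get-Date '2024-09-08'          # assumed year
$From = $Day.AddDays(-3)
$To   = $Day.AddDays(3)

# --- 1. Files dropped around the intrusion date (Downloads, Temp, Startup, ...) ---
Get-ChildItem "$Disk\Users" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $From -and $_.CreationTime -le $To } |
    Sort-Object CreationTime |
    Select-Object CreationTime, Length, FullName |
    Format-Table -AutoSize

# --- 2. Security log: who logged on, from where, and what was changed ---
# 4624 logon, 4625 failed logon, 4720 account created, 4723/4724 password change/reset,
# 4732 member added to a local group, 4738 account changed, 1102 audit log cleared
$Sec = "$Disk\Windows\System32\winevt\Logs\Security.evtx"
$Events = Get-WinEvent -FilterHashtable @{
    Path = $Sec; Id = 4624, 4625, 4720, 4723, 4724, 4732, 4738, 1102
    StartTime = $From; EndTime = $To
} -ErrorAction SilentlyContinue

function Get-EventField {
    # Pull a named <Data> element out of the event's XML payload (null if absent).
    param($Event, [string]$Name)
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$Events | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        User      = Get-EventField $_ 'TargetUserName'
        LogonType = Get-EventField $_ 'LogonType'     # 3 = network/SMB, 10 = RDP
        SourceIP  = Get-EventField $_ 'IpAddress'
        Process   = Get-EventField $_ 'ProcessName'
    }
} | Sort-Object Time | Format-Table -AutoSize

# Which source addresses got a successful logon? Anything outside your LAN is the lead.
$Events | Where-Object Id -eq 4624 |
    ForEach-Object { Get-EventField $_ 'IpAddress' } |
    Where-Object { $_ -and ($_ -notin @('-', '127.0.0.1', '::1')) } |
    Group-Object | Sort-Object Count -Descending | Format-Table Count, Name

# --- 3. System log: a new service (7045) is a common way to keep access ---
Get-WinEvent -FilterHashtable @{
    Path = "$Disk\Windows\System32\winevt\Logs\System.evtx"; Id = 7045
    StartTime = $From; EndTime = $To
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Things to read out of the result: a 4624 with LogonType 10 from a non-LAN address means RDP was reachable from the internet and someone got in with a valid password; a burst of 4625 before it points to password guessing; 4724 or 4738 against your admin account is the "they changed the login" step; a 1102 means the attacker cleared the log, in which case the router and game-server logs are what is left. The Security log only contains what the audit policy recorded, so an empty result is not proof that nothing happened.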

Just now, FinOxy said:


 

I put in the description what OS I have installed. Windows Server 2022 Datacenter (Desktop Experience).

It is a server, not a physical computer. It is a Dell PowerEdge server.

I worded it perfectly what I have unless you skimmed through what I wrote.

 

I installed Windows Server 2022 Datacenter (Desktop Experience) from a USB drive onto an Intel 2.5" SSD.


48 minutes ago, Applefreak said:


 

Everything you wrote makes complete sense. Sounds like I need to get a VPN ASAP on my server.

I actually ended up installing a fresh copy of Windows Server 2022 on a new SSD for my server. That was already intended before my server got hacked.

Also, I don't have a Microsoft account on my server it's on a local account. The login is also encrypted.

 

*Edit* If someone knows a good Antivirus/Firewall to put on my server let me know. Please and thank you.

 

-HomeAdmin247.


What services and ports do you have exposed to the outside world?

I sold my soul for ProSupport.


7 hours ago, HomeAdmin247 said:


Did you set the server up as the DMZ host on your router?

It is going to be more about how much of the internet you open the machine to and how you protect your network.

When running a server, only the needed ports should be open.

Also, going through a reverse proxy helps with security.

If you are going to run a server, you will also want to put in protections as to which IP addresses are allowed to access it, to prevent issues, and ensure that the services you are hosting are kept as up to date as possible.

Maybe consider switching to a router that can also do DNSBL, intrusion detection, and geo-blocking.

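The advice in this post (open only the needed ports, restrict which addresses may reach the machine) and in Applefreak's reply (lock out everyone except trusted IP ranges in the Windows firewall) can be applied on Windows Server 2022 with the built-in firewall and no extra product. The following is an added example written for this thread, not something posted in it. The game ports (TCP 25565, UDP 27015) and the LAN range 192.168.1.0/24 are placeholders; substitute the ports your two game servers actually listen on. It sets default-deny inbound with logging, disables the built-in rules that expose RDP, file sharing and WinRM, re-allows RDP from the LAN only, opens just the game ports, and then prints what the host listens on and which rules allow traffic in so you can compare the two.

```powershell
# Added example, not from the thread. Placeholders: game ports and LAN range.
$GamePorts = @(
    @{ Name = 'Game server A'; Protocol = 'TCP'; Port = 25565 }   # placeholder
    @{ Name = 'Game server B'; Protocol = 'UDP'; Port = 27015 }   # placeholder
)
$Lan = '192.168.1.0/24'                                           # placeholder

# Default-deny inbound on all profiles and log dropped packets; the log is the
# "access log" to read the next time something looks wrong.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Built-in rule groups that expose admin services to whatever the profile allows.
foreach ($grp in 'Remote Desktop', 'File and Printer Sharing', 'Windows Remote Management') {
    Get-NetFirewallRule -DisplayGroup $grp -ErrorAction SilentlyContinue | Disable-NetFirewallRule
}

# RDP only from the LAN. To admit specific remote addresses, add them to -RemoteAddress.
New-NetFirewallRule -DisplayName 'RDP (LAN only)' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $Lan -Action Allow -Profile Any

# Only the game ports are open to everyone. Add -RemoteAddress with trusted
# ranges here too if the servers are for a known group of players.
foreach ($g in $GamePorts) {
    New-NetFirewallRule -DisplayName "$($g.Name) ($($g.Protocol) $($g.Port))" `
        -Direction Inbound -Protocol $g.Protocol -LocalPort $g.Port `
        -Action Allow -Profile Any
}

# Review 1: what is actually listening on this host?
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort -Unique | Format-Table -AutoSize
Get-NetUDPEndpoint |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort -Unique | Format-Table -AutoSize

# Review 2: which enabled inbound rules allow traffic, on which ports, from where?
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Proto   = $pf.Protocol
        Port    = $pf.LocalPort
        From    = $af.RemoteAddress
        Profile = $_.Profile
    }
} | Sort-Object Port | Format-Table -AutoSize
```

Anything that shows up in the listening list but has no matching allow rule is fine (the default-deny drops it); anything with an allow rule whose From is "Any" and which is not a game port is what should be closed or narrowed. The host firewall only helps if the router forwards just those ports rather than putting the whole machine in the DMZ, which is the question this post opened with.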

Typically an antivirus or firewall won't help you here, but we don't know what really happened.

 

But normally, follow the standard security practices to lower this risk.

 

Run different services on different VMs, so if one is breached the rest of the server is fine.

Use secure passwords and 2FA.

Keep the system updated.

Limit network access using your firewall and separate subnets.

 

Also make backups, so it's easy to restore to a good state.

 

