I am guilty of an unforgivable crime. I deployed an unsecured webserver, and in IT that is THE ULTIMATE IN STUPIDITY! I am sorry and will not let it happen again. As a result the server was infected and became a zombie covertly attacking other servers.
The machine was infected with the Downadup/Conficker trojan. It attacks unpatched Windows servers and deploys software that prevents the machine from visiting security-related websites and running security software. It also disabled automatic updates on the server, which is a big deal! It was very difficult to remove. In the end, tools from McAfee, Norton and Microsoft got rid of the infection. See the list of software that was used to clean the machine below.
So here is a little information on securing a webserver on the cheap. Even though this is not the ideal solution, it will prevent all but the most determined attacks. All of these solutions are software based. I would recommend a hardware firewall but again, this is the el cheapo solution.
- Ensure that automatic updates are enabled and that the machine is currently updated with the latest OS patches.
- Install a firewall. I've reviewed a few options but chose the Outpost Pro Firewall (http://www.agnitum.com/products/outpost/), which was easy to set up, extremely intuitive, had a very good learning mode and was very affordable. It also includes an antispy and web protect component. The web component is meant for web surfing; since this is a web server, no one should be browsing the net from this machine! One important configuration setting is to run the firewall in stealth mode, which makes it look like the computer simply isn't there.
- Install an antivirus program. In my opinion this is optional if you are starting with a clean machine and have sufficiently protected it. However, it is a good idea to periodically run virus scans on the machine.
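The three steps above can be checked in one pass. The script below is an added example, not part of the original post and not Outpost Pro's configuration: it audits automatic updates, patch currency, the firewall profiles (using the built-in Windows Firewall as a stand-in for whichever firewall product you run, with an ICMP echo block as the closest built-in equivalent of "stealth mode") and the antivirus engine state, and with `-Remediate` applies the firewall part. It assumes Windows Server 2012 R2 / Windows 8.1 or newer with the NetSecurity cmdlets, an elevated prompt, and that Microsoft Defender cmdlets may be absent on older servers; the 30-day and 7-day thresholds are this example's choices.

```powershell
<#
  Added example (not from the original post): audits the hardening list
  above on a Windows host and, with -Remediate, applies the firewall part.
  Assumes Windows Server 2012 R2 / Windows 8.1 or newer with the built-in
  NetSecurity module and an elevated prompt. The post's author used Outpost
  Pro, which this script does not configure.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$findings = @()

# 1. Automatic updates: the service must exist and not be disabled, and neither
#    the policy key nor the legacy Auto Update key may switch updates off.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu -or $wu.StartType -eq 'Disabled') {
    $findings += 'Windows Update service (wuauserv) is missing or disabled'
}
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($policy -and $policy.NoAutoUpdate -eq 1) {
    $findings += 'Policy NoAutoUpdate=1: automatic updates are switched off'
}
$legacy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
if ($legacy -and $legacy.AUOptions -eq 1) {
    $findings += 'AUOptions=1: automatic updates are switched off'
}

# Patch currency: date of the newest installed hotfix (30 days is this example's threshold).
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "No hotfix installed in the last 30 days (latest: $($latest.InstalledOn))"
}

# 2. Firewall: every profile enabled with inbound default Block, plus an explicit
#    rule dropping inbound ICMPv4 echo so the host does not answer ping.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled -or $p.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile $($p.Name): Enabled=$($p.Enabled), DefaultInboundAction=$($p.DefaultInboundAction)"
        if ($Remediate) {
            Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
        }
    }
}
$ruleName = 'Block inbound ICMPv4 echo (hardening example)'   # example rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    $findings += 'No explicit rule blocking inbound ICMPv4 echo requests'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol ICMPv4 -IcmpType 8 -Action Block | Out-Null
    }
}

# 3. Antivirus: optional per the post, but report engine state and signature age
#    when the Microsoft Defender cmdlets are present (they are not on older servers).
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $av = Get-MpComputerStatus
    if (-not $av.AntivirusEnabled) {
        $findings += 'Defender antivirus engine is disabled'
    } elseif ($av.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
        $findings += "Antivirus signatures older than 7 days ($($av.AntivirusSignatureLastUpdated))"
    }
} else {
    $findings += 'No Defender cmdlets found: verify your third-party antivirus manually'
}

if ($findings.Count -eq 0) { 'OK: all checks passed' } else { $findings }
```

Run it without arguments first to see what it reports; rerun with `-Remediate` only once you are happy that blocking inbound traffic by default will not cut off the web ports and remote-management rules you rely on (those are separate allow rules and are left untouched here). The updates check is report-only on purpose: a disabled update service on a machine that was cleaned is exactly the symptom described above and deserves a look rather than a silent re-enable.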
A list of the software used to remove the infection:
- http://download.microsoft.com/download/4/A/A/4AA524C6-239D-47FF-860B-5B397199CBF8/windows-kb890830-v2.6.exe (Microsoft Malicious Software Removal Tool)
- http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
- CSI Prevx - This is a paid-for tool; however, it detects an EXE file related to the infection that the above tools did not detect. In the free mode you can detect the file and manually delete it once you have run the products listed above.