Server hacked or not? - YotaTech Forums
Old 08-09-2005, 03:30 PM   #1 (permalink)
Co-Founder/Administrator
Staff
 
Join Date: May 2002
Location: Auburn, Washington
Posts: 26,071
Server hacked or not?

Sometime late Saturday night our gaming server got hacked we believe by changing our log in password.
Andy and I use Windows XP Remote Desktop to connect to it to config or add game files, stop and start the games, etc.

Andy tried logging in late Saturday night and could not.
Both UT 2004 and Counter Strike Source were both running along with TeamSpeak just fine.

Andy and the server maintenance dude went down Sunday and stopped and restarted it, but could not get in.
Today the guy tried to load XP but got tons of errors, so the hard drive is toast.

What we are wondering is if indeed someone hacked us and changed the password and put a boot sector virus or something on to crash the drive.
Or...if the hard drive was going out on its own but the games continued to run perfectly, would a bad drive prevent us from logging in somehow?

We are very baffled on this.
New hd and OS should be on it tonight, then the long fun begins of us installing the games and recovering stuff we lost all the way.
Old 08-09-2005, 03:42 PM   #2 (permalink)
Contributing Member
 
Join Date: Oct 2002
Location: Duvall, WA
Posts: 5,109
Quote:
Originally Posted by Corey
...would a bad drive prevent us from logging in somehow?
I am a betting man and although what you are describing is in the realm of possibility, I would bet against it. The odds of a sudden failure that allows everything but your log in to work perfectly, but denies you access are remote enough that it gives me a headache to think about it.
__________________
-Rob
Slightly Modified 2001 Tacoma - WATRD.COM
WATTORA is becoming NWToys!
Tread Lightly! certified Tread Trainer


Search 100+ Toyota tech sites, including this one: Toyota Tech Search
Old 08-09-2005, 05:09 PM   #3 (permalink)
Senior Member
 
Join Date: Jun 2002
Location: Arkansas
Posts: 1,915
sounds like a hardware issue....but you never know.
__________________
98 Limited 4x4, Rockstomper skid, Rockware Front bumper, Warn HS9500i, 1" RB BL, Tundra coils front & OME HD rear, Nuke quick discos, diff drop'd, 305/70/16 Baja Claws, Electric Locker, couple of battle scars, but nothing major :)
Old 08-09-2005, 11:30 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2004
Location: Long Beach
Posts: 298
I'll second that. The only way to tell HW vs SW issue is to reinstall the OS and see how long the system stays up or chkdsk the drive and see if it finds problems (not always a proper indicator). I can't tell you the number of servers I've had fail on me during boot up due to disk problems even though the system exhibited no problems before the reboot.

A possible reason the system could have not failed (or at least, not exhibited failure) before boot and prevented you from logging in is the applications were running previous to any disk failure and therefore memory resident (or, at least, enough of them hadn't been paged to bad disk space yet) to cause their failure. Also, the majority of OS components (TCP/IP stack, the HAL, etc) stays memory resident (though portions will page to disk). What isn't cached in memory (and for good reason) is your security accounts database and your profile data. A problem in either of these could have denied you the capability of logging in on your system.

The possible scenario, as I see it, is that your system was running fine, suffered a disk failure in one or more sectors, affecting not just the SAM but OS files as well, and died on reboot.

The sure-fire way to tell is to run a disk check after a format/OS install (if you can, do an FDISK /MBR to rebuild the master boot record) and see what happens. Boot sector viruses don't trash the drive physically, just, potentially, data.

If you can get into the event logs (mount the existing drive behind another operable one) it will give you more information. A HW failure may have been seen by the OS and reported in the logs (page file errors, lazy write failures, read errors, etc). Depending on your system's auditing settings (and the possible activity of any intruders) you may or may not see anything in your security logs.
__________________
--Allen
LOAD "*",8,1

Last edited by MeinPappa; 08-09-2005 at 11:40 PM.
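
The log check described in the post above, as an added example that is not part of the original post: a Python triage over an event-log export taken from the mounted drive. The CSV layout, the `triage` name and the lockout time are assumptions; the event IDs are XP/2003-era ones for disk errors and account changes, and the sample rows are constructed.

```python
import csv, io
from datetime import datetime

# System log: (source, event ID) pairs that point at failing media (XP/2003 era).
DISK_EVENTS = {("Disk", 7): "bad block", ("Disk", 11): "controller error",
               ("Disk", 51): "error during paging operation",
               ("Ntfs", 50): "delayed (lazy) write failed",
               ("Ntfs", 55): "file system structure corrupt"}
# Security log: event IDs that matter when a password suddenly stops working.
ACCOUNT_EVENTS = {517: "audit log cleared", 624: "user account created",
                  627: "change password attempt", 628: "user account password set"}

def triage(export_text, lockout_time):
    """Classify exported events recorded up to the first failed login."""
    disk, account, security_rows = [], [], 0
    for row in csv.DictReader(io.StringIO(export_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M")
        eid = int(row["event_id"])
        if row["log"] == "Security":
            security_rows += 1
            if eid in ACCOUNT_EVENTS and when <= lockout_time:
                account.append((when, ACCOUNT_EVENTS[eid]))
        elif (row["source"], eid) in DISK_EVENTS and when <= lockout_time:
            disk.append((when, DISK_EVENTS[(row["source"], eid)]))
    if account:
        verdict = "account tampering recorded" + (" and disk errors" if disk else "")
    elif disk:
        verdict = "disk failure recorded"
    else:
        verdict = "nothing recorded"
    # An empty Security log proves nothing: auditing may be off or the log wiped.
    if security_rows == 0:
        verdict += "; Security log empty, intrusion not ruled out"
    return {"verdict": verdict, "disk": sorted(disk), "account": sorted(account)}

# Constructed sample export (not taken from the server in this thread).
SAMPLE = """log,source,event_id,time
System,Disk,51,2005-08-06 21:14
System,Disk,7,2005-08-06 21:15
System,Ntfs,55,2005-08-06 21:40
System,EventLog,6005,2005-08-06 21:41
"""

if __name__ == "__main__":
    print(triage(SAMPLE, datetime(2005, 8, 6, 23, 0)))
```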
Old 08-09-2005, 11:37 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2004
Location: Long Beach
Posts: 298
On your new system, try and install Microsoft's new buffer overrun protection patch (if it will allow your applications to function, some don't). This will help prevent one of the more common exploits. Another way you can help yourself (this being a gaming server you may not be able to do this) is to limit the ports to which people connect (at least eliminate 445 and 139 for file sharing and netbios sessions) via TCP/IP security or any firewall.
__________________
--Allen
LOAD "*",8,1
Old 08-10-2005, 02:32 AM   #6 (permalink)
Co-Founder/Administrator
Staff
 
Join Date: May 2002
Location: Auburn, Washington
Posts: 26,071
Thanks for the replies guys.

Allen, the server guy will not have time to do all of those tests, as he works on tons of servers throughout the day.
The HD will just go in the trash can.

I thought he would have everything loaded up by now, but I cannot even get the remote screen to come up, so this tells me he has not got around to putting the OS on yet.

Once he gets that on, Andy will do the MS updates via remote, install Counter Strike, and I will connect via remote to get UT 2004 back on.

We do not have actual access to the server being it is located in Seattle's Westin Hotel, one of the main hubs for servers here in the PNW.

It is driving me nuts though, as I want to play the game.
Connecting to other UT servers is not the same, as I have this configed just perfect for the types I play, and the ping rocks since the server is only 20 to 25 miles from me.
Old 08-20-2005, 04:51 AM   #7 (permalink)
Contributing Member
 
Join Date: Jul 2004
Location: Northern NJ
Posts: 342
I ran into a problem a few weeks ago that was similar. The machine had been running fine for several months. On reboot for upgrades, it failed to start (safe or boot to DOS). Ran disk diagnostics (from another machine) and found a bad sector right in the middle of the System file area. Used the diagnostics to delete the sector then re-installed the system files. All was well.
Sounds like your problem too. Just a guess however. Don't ya hate computers that do things and don't let you know why?.........
__________________
MvCrash
2005 Rav4L Stock for now

2003 Mustang Mach 1, 4.6 DOHC V8. Cold air intake,magnaflow cross over and cat back, Custom tune by Predator

SOLD:2001 Tacoma XCab, Michelin LTX, AmeraGuard Spray in Liner, Access Roll-Up Tonneau Cover, Synthetic Oils
Old 08-20-2005, 05:30 AM   #8 (permalink)
Co-Founder/Administrator
Staff
 
Join Date: May 2002
Location: Auburn, Washington
Posts: 26,071
Yes, PCs can be a PITA sometimes.

I set up Andy on the server with Cute FTP so he can upload his gaming config files to a Comcast account from the gaming server.

He lost quite a bit during that crash.
Old 08-20-2005, 06:01 AM   #9 (permalink)
Contributing Member
 
Join Date: Jul 2004
Location: Northern NJ
Posts: 342
If you still have the drive, you can probably get everything off of it. Just don't boot to it.
If you have Linux, it would be even easier.
__________________
MvCrash
2005 Rav4L Stock for now

2003 Mustang Mach 1, 4.6 DOHC V8. Cold air intake,magnaflow cross over and cat back, Custom tune by Predator

SOLD:2001 Tacoma XCab, Michelin LTX, AmeraGuard Spray in Liner, Access Roll-Up Tonneau Cover, Synthetic Oils
Old 08-20-2005, 06:51 AM   #10 (permalink)
Co-Founder/Administrator
Staff
 
Join Date: May 2002
Location: Auburn, Washington
Posts: 26,071
We do not even have access to the machine.
It is behind many caged enclosures with security cameras, and you need a key card to access the vaults at the hotel where the servers are hosted.
http://www.forona.com/

I am sure the owner threw the drive in the trash when he put the new one in.
Old 08-20-2005, 09:16 AM   #11 (permalink)
Contributing Member
 
Join Date: Jul 2004
Location: Northern NJ
Posts: 342
Oh,,,,,,,,well, just trying to help out. I had dug up the Linux software that scrubs info off the disk in case you needed it. I'll throw it back in the "disk collection"
__________________
MvCrash
2005 Rav4L Stock for now

2003 Mustang Mach 1, 4.6 DOHC V8. Cold air intake,magnaflow cross over and cat back, Custom tune by Predator

SOLD:2001 Tacoma XCab, Michelin LTX, AmeraGuard Spray in Liner, Access Roll-Up Tonneau Cover, Synthetic Oils
All times are GMT -8.