

A lesson about passwords.

You may think it will never happen to you; however, there is a chance it might.

This story is what happened when I didn't set a strong enough password for a second account on my server.

The account was used for uploading big videos to YouTube, making use of the server being on all the time. However, I set the password for this account thinking it was only going to be accessed from inside the network, forgetting that it would be accessible from the outside too, because the Remote Desktop port was open for the main account.

Months ago I could tell something was up with the server. There were random lockups: it hadn't totally locked up, but there was no response from the keyboard or mouse, so the next thing was rebooting it. However, I noticed that pressing the power button made it display for 5 or so seconds, then it would stop; during the time the display was on I still had no control. This happened 10 or so times, not enough to start a big investigation. Also, around the time it was doing this there would be random shutdowns and bluescreens; some nights it would just turn off and I would find out later that day. Again, this didn't happen enough for me to investigate.

This was all happening months after the account was created, and the family had stopped using it, letting all this go unnoticed.

At some point in February, maybe early March, the internet started going horribly slow, sometimes breaking completely. Knowing how ISPs are, and generally how easy it is to break a connection, I let it go on for a few days. Four days passed and it hadn't fixed itself, so I started to think "is this something inside the network slowing us down?" So I disconnected every PC in the house except for one. After running a speed test it was all fixed: it was something in the network. So I plugged everything back in one at a time, running a speed test after each one. It was all okay... up until the server. The internet became fully loaded again, so I looked in the resource manager on the server... It was connecting to loads of random IP addresses. This is when I first thought something was up, but it confused me: I hadn't downloaded anything on the server, so how did that get on there?

Up until the 17th of March everything was okay, nothing had gone funny, all was good. But really it wasn't: lurking in the background, people were connecting, dropping off files and making my server do their work, be it email spamming or a whole number of other things. I wasn't really able to check what it had been doing due to the crushing amount of work it was doing for all these people.

I found out this was all going on on the 17th. I was with Callum and was about to edit a few things on my website, so I went onto the drive with the site on it. All the files were there but had been renamed to "FILENAME3412SOMEONESEMAIL.WALLET", and none of them were viewable in any program, just a mess of words. At this point it popped into my head that it might have affected the other files on the server... It had. They were all like this. All broken.

I remoted in to the server. It was horribly slow, so that grabbed my attention: what's causing this? Looking in Task Manager, it was showing a program called "payload(2).exe" using 89% CPU, but it had been opened by the user "ytupload". After killing the payload process I connected to the YouTube upload account, and there it was: loads of files. Only 2 worked, but from what I could see they confirmed the email spam. There were also loads of images on the desktop; I couldn't see these though, as they had been hit by the "payload". Looking on the taskbar I saw Firefox had been installed. Now, I know I wouldn't do that, so I tried to open it to see if I could find any internet history. Upon hovering over it, it showed me the date of creation: 10th December 2016. These people had been connecting for months, maybe more. They could have, and probably did, look through all the personal files on one of the network shares: photos of me and my family, our CVs, even a bank statement of mine.

Now, from what it seems, people were just using brute force to guess the password, and seeing as it wasn't too great it must have been a matter of minutes before they were in. When I say "they", that does mean many of them. I don't have any idea how many people had got in, nor what they had looked at, but in the server's broken state there were 2 images open. One was of a guy's driving licence, a guy who lived in Texas, quite an odd-looking fellow. The next picture was of a whole American family posing for the photo. I would have saved these images, but I was worried about moving anything off the server and spreading the many viruses and other payloads they had put on it.
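The paragraph above describes a brute-forced Remote Desktop login from the victim's side: a weak password on a second account, guessed in minutes, followed by months of unnoticed use. As an added example (not part of the original post, and not the author's code), here is how that same event shows up in the Windows Security log and how to pick it out. Windows records each failed logon as Event ID 4625 and each successful logon as 4624, with Logon Type 10 for a Remote Desktop session, so a guessing run looks like a burst of 4625s from one source address followed by a 4624 from the same address. The event lines below are constructed sample data; the source addresses, timestamps and the "dan" account are assumptions.

```python
"""
Added example (not from the original post): spotting a Remote Desktop
password-guessing run in Windows Security log events.

Event ID 4625 = failed logon, 4624 = successful logon, Logon Type 10 =
RemoteInteractive (RDP). A burst of 4625s from one source IP followed by
a 4624 from the same IP is what a successfully guessed password looks like.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): "timestamp|event_id|logon_type|account|source_ip"
SAMPLE_EVENTS = """\
2016-12-10T02:14:03|4625|10|administrator|203.0.113.45
2016-12-10T02:14:05|4625|10|admin|203.0.113.45
2016-12-10T02:14:07|4625|10|ytupload|203.0.113.45
2016-12-10T02:14:09|4625|10|ytupload|203.0.113.45
2016-12-10T02:14:11|4625|10|ytupload|203.0.113.45
2016-12-10T02:14:13|4625|10|ytupload|203.0.113.45
2016-12-10T02:14:15|4624|10|ytupload|203.0.113.45
2016-12-10T09:30:00|4624|10|dan|192.168.1.20
2016-12-10T09:31:00|4625|10|dan|192.168.1.20
2016-12-10T09:31:30|4624|10|dan|192.168.1.20
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the pipe-separated sample lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source_ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account,
            "source_ip": source_ip,
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_brute_force_successes(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, account, failure_count, time) for every RDP logon
    success that was preceded by at least `threshold` failed RDP logons
    from the same source IP within `window`.

    Failures are counted per source IP across all account names, because
    password guessing usually sprays several usernames, not just one.
    """
    failures = defaultdict(list)  # source_ip -> times of recent failures
    hits = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip = ev["source_ip"]
        if ev["event_id"] == FAILED_LOGON:
            failures[ip].append(ev["time"])
        elif ev["event_id"] == SUCCESS_LOGON:
            recent = [t for t in failures[ip] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                hits.append((ip, ev["account"], len(recent), ev["time"]))
            failures[ip] = []  # a success ends the run for that IP
    return hits


def guessed_accounts(hits):
    """Distinct accounts whose password was apparently guessed."""
    return sorted({account for _, account, _, _ in hits})


if __name__ == "__main__":
    for ip, account, n, when in find_brute_force_successes(parse_events(SAMPLE_EVENTS)):
        print(f"{when.isoformat()} {ip} logged in as {account} after {n} failures")
```

In the sample, the single typo-free login from 192.168.1.20 after one mistake is ignored, while the external address that fails six times and then gets in as "ytupload" is reported. On a real machine the same fields come from the Security log (for example via `Get-WinEvent` or `wevtutil`), and the threshold and window would be tuned to how many guesses the Account Lockout Policy allows; an account with no lockout and a weak password, as in the post, gives an attacker unlimited attempts.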

There were no backups of the files on the network shares, which covered everything from websites to documents. After the whole server got attacked, the only thing left to do was start fresh...


