I do not see anything suspicious on the server (no netstat connections to remote port 80), but I'm not a professional server admin (I'm a hardcore software developer). Please do not write obvious comments (hire a professional person/company) - we'll consider that after this issue is resolved. The server is running under Windows Server 2008 R2. What tools should I use to analyze this situation?

This is not an exact duplicate of multiple "what should I do if my server is hacked" as I basically need to provide evidence that my server is clean.

Basic security measures were taken from the beginning (Windows Firewall on, Windows Update patches applied, ClamWin up and running).

Nikolay R
  • It will be absolutely impossible to 'prove' that your server is clean. If the hacker did a good job, all the tools you use to diagnose the problem will either have been patched or had their interfaces modified in such a way as to obscure/hide the hacker's resource utilization. If the evidence presented verifies that unintended traffic was generated by the machine, you could take the disk out of the affected box and investigate it forensically with tools on a known good machine. But if I was running the network that box is connected to, I wouldn't let it back on without a reinstall. – polynomial Aug 26 '11 at 15:54
  • This question *IS* a duplicate of "what should I do if my server is hacked": If your ISP has logs showing that your machine was performing DoS attacks, you are almost certainly compromised by a botnet. Proceed per the steps in that question. If you do not have someone who can perform the assessment & recovery you **must** seek expert assistance. Dealing with compromised systems is not something that should be attempted without either experience or expert guidance. – voretaq7 Aug 26 '11 at 16:11
  • Incident response and computer forensics are *hard*. It takes years to truly become good at them, even if you start out with the right mindset. You can't reasonably expect someone to explain how to do what you're asking in a forum like this. However, if you want to start learning, head over to http://security.stackexchange.com to get started. – Scott Pack Aug 27 '11 at 02:19
  • @voretaq7 - I'm seeking expert guidance. That's why I'm here. Or do you mean "paid" expert guidance? – Nikolay R Aug 27 '11 at 15:07
  • @polynomial you prove it is clean by formatting and re-installing, pretty much the only sensible choice here. – Steve-o Aug 27 '11 at 15:54
  • The expert guidance is to do at least one, preferably both, of the following: Nuke and rebuild from scratch. Hire professional help to lock the system down. That might not be what you were hoping to hear, but that doesn't make it incorrect. There's no magical "Unhack teh server" button that an IT security pro is going to press that we'll tell you about if you keep asking long enough; there is only stripping your system back to a known clean state, fixing the hole, restoring data and checking its integrity. If your system is part of a botnet then it *isn't your system any more*. – Rob Moir Aug 27 '11 at 17:26
  • @Robert Moir A complete rebuild is doable - I think this will be a solution. As for fixing the hole - isn't it about locking down all ports and installing all possible (automatic!) updates for the CMS, Windows and SQL Server? I expect there is no magic "protect this" button either? Sorry for joking about this, I'm just too disappointed to hear that I cannot protect my server myself. Any comments are of great help to me. – Nikolay R Aug 28 '11 at 16:15
  • As I said in my answer to the 'my server's been hacked, emergency' question, you need to do all that, plus you also need to audit all the code running on these boxes; it may be that the vulnerability is in the code being run on the system rather than the OS, apps or whatever. – Rob Moir Aug 29 '11 at 14:22
  • The answers to this question do not have one bit of technical advice. It doesn't even offer any solutions for where you would look for professional help. Formatting and reinstalling? Genius. – Inturbidus Dec 17 '13 at 01:07

5 Answers


Please do not write obvious comments (hire a professional person/company) - we'll consider that after this issue is resolved.

I'm sorry to say that you are not managing that security incident the right way, then.

If there's a fire in your house, are you waiting for it to extinguish itself before calling the firefighters?

If you have nobody on staff who can handle that type of incident, then you should get help from external resources that can manage a security breach.

  • +1, and also see my comment & @polynomial's comment on the main question. – voretaq7 Aug 26 '11 at 16:11
  • I'm pretty good at writing software (10+ yrs experience). Do you still think that I'll be unable to investigate it myself? A system re-install is an option, but I want to be sure this won't happen in future. – Nikolay R Aug 27 '11 at 15:06
  • @nikolay - IT security is a professional branch of IT/Computing in its own right, and forensic investigation of compromised systems is a deep speciality within that profession. Your comment here is akin to one of us networks and systems people saying "I totally wrote a complicated shell script once and I've been doing so for 10+ years. Do you still think I'll be able to write my own fully functional YouTube clone in a weekend?". Sorry. – Rob Moir Aug 27 '11 at 17:31
  • @Robert Moir good point. No way to be an expert in all parts of IT. :( Tight staff budgets are another issue. Thanks – Nikolay R Aug 28 '11 at 16:17
  • Marking this as an answer as it seems that I have to hire someone else to do the security job. – Nikolay R Sep 01 '11 at 08:53

Ask your ISP to produce logs showing your server's involvement in the incident (a suspicious traffic graph, for example, generated by data from your ISP's routers or switches). If they can produce such evidence, your system is suspect.

If your machine was in fact involved in a DoS attack and you didn't initiate such action yourself, your machine is almost certainly compromised. If your system is compromised, the best advice you will get is to blow it away, as in How do I deal with a compromised server? or any of the other questions similar to it.

For determining if your system was hacked, remember that you cannot rely on any tools installed on the system, and that a good attacker will leave no obvious trails (except possibly odd traffic, noted by an external system). If you have any suspicion that your system was compromised, it is still compromised until it is rebuilt with known clean media and software.


Our ex-hosting company gave us a bad IP address when we got a new server. They then turned around and accused us of spamming because the IP address was in a spammer blacklist somewhere on the web. After a lot of wasted time we found that it was actually a previous customer of theirs who had done the spamming from that IP address. Make them prove to you what happened, when it happened, who reported it, etc. AFAIK anyone can report an IP address to most of these sites without much proof.


You can never be sure your system isn't compromised. You can only implement reasonable security and integrity for your system based on the importance of system uptime, reliability, integrity, etc. You can't reasonably be asked to secure your system without the know-how.

Stig H.

Just because your server isn't executing a DDoS attack now doesn't mean it hasn't done so earlier, and it certainly doesn't mean that your server isn't hacked.

If the DC has traffic logs showing your server participating in an attack, then that should be all the evidence you need. Getting a copy of the logs might help you to determine what's wrong with your server -- pay particular attention to timing.

This isn't a job for someone with average admin training. Tracking this stuff down can be hard and requires you to use every trick you know and a lot of tricks you don't. You may be looking for a very tiny needle in a very large haystack. Even experienced admins have trouble with this sort of stuff.

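The "pay particular attention to timing" advice in the last answer, as an added example that is not part of any answer above: take the incident timestamps the ISP or DC hands over and look for local records that fall just before each one, then for names that recur across incidents. The ISP times, event descriptions and the service name are constructed sample data; the event IDs are ordinary Windows event IDs, and the local records must be treated as untrusted since the host itself is suspect.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: UTC times at which the ISP's routers saw flood traffic
# leaving the suspect server's address.
ISP_INCIDENTS = [
    "2011-08-25T22:14:00Z",
    "2011-08-26T03:40:00Z",
]

# Constructed sample of records exported from the server (e.g. Windows event
# log entries) as (timestamp, description). Treat them as untrusted: a
# compromised host may have altered what it logged.
LOCAL_EVENTS = [
    ("2011-08-25T22:11:30Z", "Security 4624 logon type 10 user svc_backup"),
    ("2011-08-25T22:12:05Z", "System 7045 new service installed: winupd32"),
    ("2011-08-26T01:00:00Z", "Application: scheduled backup completed"),
    ("2011-08-26T03:38:50Z", "System 7036 service winupd32 entered running"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(incidents, events, before_min=10, after_min=2):
    """For each ISP-reported incident, return local events that occurred shortly
    before or after it. Records just before the traffic started are the ones
    worth handing to whoever does the forensic investigation."""
    hits = {}
    for inc in incidents:
        t = parse_ts(inc)
        lo = t - timedelta(minutes=before_min)
        hi = t + timedelta(minutes=after_min)
        hits[inc] = [desc for ts, desc in events if lo <= parse_ts(ts) <= hi]
    return hits


def recurring_terms(hits):
    """Words that appear near more than one incident; a name that keeps showing
    up right before each flood is a strong lead."""
    counts = Counter()
    for descs in hits.values():
        counts.update({w for d in descs for w in d.split()})
    return sorted(w for w, n in counts.items() if n > 1)


if __name__ == "__main__":
    hits = correlate(ISP_INCIDENTS, LOCAL_EVENTS)
    for inc, descs in hits.items():
        print(inc, descs)
    print("recurring:", recurring_terms(hits))
```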