Windows Virtuozzo container hacked
Posted by prashant1979, 04-09-2012, 05:47 AM
One of our Virtuozzo containers on a Windows 2008 hardware node was hacked recently by some unknown hacker. We found one user created with the name iis$ which appeared in the Administrators group. There was no entry in the event log for the user creation and in fact the event logs were cleared, which seems to have been done by the hacker. There have been numerous virus-infected files created in the container inside different directories. Some were found in the C drive, some inside System32 and some inside the SysWOW64 directory. I am not sure how the hacker got entry into the container and how I can prevent it from happening again. The good thing is that the hardware node is unaffected. However, I am worried about the security in Windows. Can anyone help me find the reason and a solution?
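The two indicators in this post (an unexpected member of the local Administrators group, and a cleared Security log) can be checked from inside the container with the script below. This is an added example, not from any poster; it assumes PowerShell 2.0 on Windows Server 2008, an administrative session, and an allow-list of expected administrators that you adjust per server.

```powershell
# Added example: audit a Windows 2008-era container for the indicators in the post:
# an unexpected local Administrators member (e.g. iis$) and a cleared Security log.
# Uses ADSI/WinNT and Get-WinEvent, both available on Server 2008 with PowerShell 2.0.

# Accounts you expect in Administrators. Constructed list; adjust for your server.
$expectedAdmins = @('Administrator', 'Domain Admins')

function Get-UnexpectedAdmins {
    param([string[]]$Expected = $expectedAdmins)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    # Anything not on the allow-list is reported for review
    $members | Where-Object { $Expected -notcontains $_ }
}

function Get-LogClearedEvents {
    # Event 1102 ("The audit log was cleared") is written as the first entry of the
    # freshly cleared Security log, so a clear always leaves this trace behind.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ClearedBy'; e = { $_.Properties[1].Value } }
}

function Get-RecentAccountChanges {
    param([int]$Days = 30)
    # 4720 = user account created; 4732 = member added to a security-enabled local group
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Target'; e = { $_.Properties[0].Value } }
}

$unexpected = Get-UnexpectedAdmins
if ($unexpected) {
    Write-Warning "Unexpected local Administrators: $($unexpected -join ', ')"
} else {
    Write-Output 'Administrators group matches the expected list.'
}

Write-Output '--- Security log clears (event 1102) ---'
Get-LogClearedEvents
Write-Output '--- Account creations / group additions in the last 30 days ---'
Get-RecentAccountChanges
```

Because the container's own logs were cleared, only events written after the clear remain; forwarding the Security log off the container (to the hardware node or a collector) is what makes the 4720/4732 trail survive next time.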
Posted by sufia, 04-10-2012, 09:39 AM
Did you use antivirus? What is the antivirus name?
I think you don't use antivirus or a firewall.
Thank you
Posted by prashant1979, 04-11-2012, 03:52 AM
I have tried installing antivirus on the hardware node in the past, but faced lots of issues. However, in spite of antivirus on other Windows servers, we face this issue.
Posted by network82, 04-11-2012, 04:31 AM
Unfortunately this is human error, either by you at the point of deployment OR by the person using the VM and modifying its secure configuration - by default everything is turned off...
If you're not already, deploy Microsoft Security Essentials; it's free to licensed Windows and isn't quite as memory hungry as other anti-malware agents, plus parts of its core protection are written into the Windows kernel and so it is a lot more efficient than other anti-malware.
Secondly, Virtuozzo integrates with WSUS, which is designed to deploy Windows Updates to containers as and when your hardware host installs them - again, by the nature of how container virtualisation shares the host kernel, it's important you use this and keep your infrastructure up to date.
And lastly, learn how to harden Windows Servers; you have likely compromised its security trying to get something working. More often than not it's because people have played around with the file/user permissions, and when an open-source website script gets exploited to run hacker code they find they have full access to the server - beyond what should be isolated, meaning at the very worst a hacker should only be able to deface a website - nothing else.
Last edited by network82; 04-11-2012 at 04:36 AM.
Posted by (Stephen), 04-11-2012, 04:50 AM
Windows Security Essentials will not work in a VZ VM as far as I know; it did not when I tested it about a year back.
The only ones that work are non-live scanners: ClamWin, Trend Micro HouseCall, BitDefender online scan, and Panda online scanners have worked in the past for helping get some infections out of client VZ-based VMs when we have aided in virus or trojan removals.
Posted by (Stephen), 04-11-2012, 04:52 AM
Did you have Plesk or any panel deployed, or just raw Windows?
This used to be a common issue; on 2008 R2 I haven't seen it, but it was very common on 2003 and 2003 x64. What version are you running? (I know it's x64.)
Posted by network82, 04-11-2012, 04:58 AM
Admittedly we use Microsoft Forefront Endpoint across all our Windows machines, including on virtualised containers, with quite a detailed policy in place. WSE may really be more for desktops, but my point was really that having something is better than nothing at all.
Before we rolled out Forefront though, we always had some kind of protection; often exclusions had to be configured to reduce problems, but again, exclusions that you are aware of are better than having no protection at all.
Posted by (Stephen), 04-11-2012, 05:19 AM
Not sure we are on the same page here; the fact is they won't run within the containers themselves fully, and some not at all. It is required to be at the node level due to the kernel drivers for the deep integration and scanning.
If you have it at the node level, fine, but it isn't going to help so much after the fact.
I have found that stopping the VE and then mounting it and scanning the root/C folder works quite well with Virtuozzo, but this sounds like more than just some infection: a hack due to some software installed, a default password setup, or the like.
Posted by network82, 04-11-2012, 07:33 AM
I've just checked our Forefront Endpoint setup; we definitely have it installed on container VMs. Live protection on the hardware node and a low-resource scheduled quick scan on the container VMs during the week and a full scan on Sundays, with a group exception policy to ignore particular areas of production servers.
I've also noticed we also have a UAC schedule that re-enforces the permissions policy on machines every day.