Hacker attack by Rajiv

Rajiv

This morning when my staff started work in the hospital, they were not
able to access the SQL Server on my SBS 2000 because of a logon failure
for user "sa". Detailed analysis revealed the following:
1. Using 2 NICs - one for the local LAN and the other for the internet
2. A new user 'SSSSS' created with administrator rights
3. Winzip programme not seen and instead WinRRR created

I had to uninstall my SQL and re-install it for work to start.

Now, my queries are:
1. Has my firewall and ISA failed me?
2. What remedial measures should I take?
Your kind attention is drawn to another thread in this newsgroup which I
had started on the Packet Filter, namely "ISA Server Packet Filtering".

Rajiv Khandelwal
------------------------------------
www.vardaan.net
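
The findings Rajiv lists (a new administrator account, failed logons for
"sa", a replaced archiver) are the sort of indicators a review of the
server's Security and Application logs would surface before anything is
reinstalled. What follows is an added example, not code from the original
post or from any poster in the thread: three simple triage rules run over a
constructed event-log export. The export format, the sample lines, the
event IDs (624 and 636 for the Windows 2000 Security log, 18456 for SQL
Server's "Login failed" message), the known-administrator set and the
guessing threshold are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Event IDs assumed for a Windows 2000 Security log and a SQL Server 2000
# Application log. They are assumptions made for this example, not values
# taken from the thread.
ACCOUNT_CREATED = 624            # Security: User Account Created
LOCAL_GROUP_MEMBER_ADDED = 636   # Security: Security Enabled Local Group Member Added
SQL_LOGIN_FAILED = 18456         # MSSQLSERVER: Login failed for user '...'

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
KNOWN_ADMINS = {"Administrator"}  # callers expected to create accounts
FAILED_LOGIN_THRESHOLD = 5        # this many failures for one login ...
WINDOW = timedelta(minutes=10)    # ... inside this window is password guessing

# Constructed export for the example (not Rajiv's logs): one event per line,
# date<TAB>time<TAB>source<TAB>event id<TAB>description.
SAMPLE_EXPORT = """\
2003-11-28\t23:41:02\tMSSQLSERVER\t18456\tLogin failed for user 'sa'.
2003-11-28\t23:41:03\tMSSQLSERVER\t18456\tLogin failed for user 'sa'.
2003-11-28\t23:41:03\tMSSQLSERVER\t18456\tLogin failed for user 'sa'.
2003-11-28\t23:41:04\tMSSQLSERVER\t18456\tLogin failed for user 'sa'.
2003-11-28\t23:41:05\tMSSQLSERVER\t18456\tLogin failed for user 'sa'.
2003-11-28\t23:52:17\tSecurity\t624\tUser Account Created: New Account Name: SSSSS Caller User Name: SYSTEM
2003-11-28\t23:52:18\tSecurity\t636\tSecurity Enabled Local Group Member Added: Member Name: SSSSS Target Account Name: Administrators
2003-11-29\t08:05:41\tSecurity\t624\tUser Account Created: New Account Name: nurse07 Caller User Name: Administrator
2003-11-29\t08:06:00\tMSSQLSERVER\t18456\tLogin failed for user 'nurse07'.
"""

Event = Dict[str, Any]
Finding = Dict[str, str]


def parse_export(text: str) -> List[Event]:
    """Turn the tab-separated export into dicts carrying a real timestamp."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, source, event_id, description = line.split("\t", 4)
        events.append({
            "when": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
            "source": source,
            "id": int(event_id),
            "description": description,
        })
    return events


def field(description: str, name: str) -> str:
    """Pull the value of 'Name: value' out of an event description ('?' if absent)."""
    match = re.search(rf"{re.escape(name)}:\s*(\S+)", description)
    return match.group(1) if match else "?"


def finding(severity: str, kind: str, subject: str, when: datetime, detail: str) -> Finding:
    return {"severity": severity, "kind": kind, "subject": subject,
            "when": when.strftime("%Y-%m-%d %H:%M:%S"), "detail": detail}


def triage(events: List[Event]) -> List[Finding]:
    """Three rules: who created accounts, who was put into a privileged
    group, and which logins were hammered with failures."""
    findings: List[Finding] = []
    failures: Dict[str, List[datetime]] = {}
    for ev in events:
        desc = ev["description"]
        if ev["source"] == "Security" and ev["id"] == ACCOUNT_CREATED:
            new, caller = field(desc, "New Account Name"), field(desc, "Caller User Name")
            # An account created by SYSTEM or an unknown caller, rather than by a
            # named administrator, is exactly what a planted account looks like.
            severity = "INFO" if caller in KNOWN_ADMINS else "HIGH"
            findings.append(finding(severity, "account-created", new, ev["when"], f"created by {caller}"))
        elif ev["source"] == "Security" and ev["id"] == LOCAL_GROUP_MEMBER_ADDED:
            member, group = field(desc, "Member Name"), field(desc, "Target Account Name")
            if group in PRIVILEGED_GROUPS:
                findings.append(finding("HIGH", "privileged-group-add", member, ev["when"], f"added to {group}"))
        elif ev["source"] == "MSSQLSERVER" and ev["id"] == SQL_LOGIN_FAILED:
            match = re.search(r"user '([^']+)'", desc)
            failures.setdefault(match.group(1) if match else "?", []).append(ev["when"])
    for login, times in failures.items():
        times.sort()
        # Sliding window: THRESHOLD failures whose first and last fall inside WINDOW.
        for i in range(len(times) - FAILED_LOGIN_THRESHOLD + 1):
            if times[i + FAILED_LOGIN_THRESHOLD - 1] - times[i] <= WINDOW:
                findings.append(finding("HIGH", "sql-logon-bruteforce", login, times[i],
                                        f"{FAILED_LOGIN_THRESHOLD}+ failures within {WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for f in triage(parse_export(SAMPLE_EXPORT)):
        print(f"{f['severity']:4} {f['when']} {f['kind']:22} {f['subject']:10} {f['detail']}")
```

On a real system the export would come from Event Viewer's "Save As" on
the Security and Application logs, taken before the reinstall (the
reinstall Rajiv describes destroys the SQL Server log that holds the
"sa" failures). The rules deliberately key on the caller of the account
creation: a user made by a named administrator during working hours is
routine, one made by SYSTEM a few minutes after a burst of "sa" failures
is not.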

Re: Hacker attack by Susan

Susan
Sat Nov 29 03:31:09 CST 2003

If you had packet filtering turned off and no other hardware firewall
out there, ISA didn't fail you because it wasn't protecting you in the
first place.

Did you load up ISA feature pack or something?

1. What ports are currently open? Go to grc.com and click on Shields
Up. Do a port test. You MUST know what is open and seen from the
outside to know how to protect what is exposed.



Rajiv Khandelwal, M. D. wrote:

> Today morning when my staff started work in the hospital, they were not
> able to access the SQL Server on my SBS 2000 because of log on failure
> for user "sa". Detailed analysis revealed the following:
> 1. Using 2 NIC - one for the local LAN and other for the internet
> 2. A new user `SSSSS' created with administrator rights
> 3. Winzip programme not seen and instead WinRRR created
>
> I had to uninstall my SQL and re-install it for work to start.
>
> Now, my queries are:
> 1. Has my firewall and ISA failed me?
> 2. What remedial measures should I take?
> Your kind attention is drawn to another thread in this newsgroup which I
> had started on the Packet Filter namely " ISA Server Packet Filtering ".
>
> Rajiv Khandelwal
> ------------------------------------
> www.vardaan.net <http://www.vardaan.net>

--
http://www.sbslinks.com/really.htm


Re: Hacker attack by Henry

Henry
Sat Nov 29 07:40:06 CST 2003

Lort Elfus !
You disabled the firewalls and have users logging onto SQL server with
the SA Account :-(

As Susan points out, as you disabled the firewall and ISA they didn't
fail you. You failed yourself, and the hospital's staff and patients (
depending upon what data was being stored on the Network. ) I guess it's
too much to hope that it was only Bedpan counts and laundry schedules. If
any confidential patient or staff data was on the system you have a duty
to inform everyone of the breach and possible compromise of the data, as
well as any relevant regulatory authorities.

All the data on the Network is of course suspect, and you should
immediately disable any external connection to the Network, rebuild the
server and ensure that it and the network are not compromised, lock it
all down, and roll back all data to a known good state ( prior to your
disabling Security ). - ( was there ever such a state ? )

If you had patient records on there you -cannot- rely on them. The risk
that Mrs x may after all be allergic to antibiotics but her records were
tampered with is too great.

If there was any patient/staff/hospital data, it must be assumed to be
compromised; so names, addresses, contact details, account details etc. could
all be in the hands of thieves, so all need to be informed and all accounts
etc. by patients/staff/hospital/suppliers need to be changed or re-secured.

Above all.
Pull the plug on the network, and hire a competent and suitably qualified
IT person to set up and oversee the network.

A network for a hospital is not a hobby or a toy. The repercussions can
be serious and even deadly.
( I doubt you'd let an IT person ( qualified or not ) play with the
ventilator during an operation in your OR. )

... while this may be overstating the situation in your case ( depending
on what you actually store and use on the network ), I hope I've made my
point.

--
Henry Craven.

========= Post It Appropriately: ============
SBS 4/4.5 : microsoft.public.backoffice.smallbiz
SBS 2000 : microsoft.public.backoffice.smallbiz2000
SBS 2003 : microsoft.public.windows.server.sbs
=====================================
"Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
news:O%23NsA7ktDHA.2244@TK2MSFTNGP09.phx.gbl...
Today morning when my staff started work in the hospital, they were not
able to access the SQL Server on my SBS 2000 because of log on failure
for user "sa". Detailed analysis revealed the following:
1. Using 2 NIC - one for the local LAN and other for the internet
2. A new user `SSSSS' created with administrator rights
3. Winzip programme not seen and instead WinRRR created

I had to uninstall my SQL and re-install it for work to start.

Now, my queries are:
1. Has my firewall and ISA failed me?
2. What remedial measures should I take?
Your kind attention is drawn to another thread in this newsgroup which I
had started on the Packet Filter namely " ISA Server Packet Filtering ".

Rajiv Khandelwal
------------------------------------
www.vardaan.net



Re: Hacker attack by Rajiv

Rajiv
Sat Nov 29 08:37:34 CST 2003

Susan,

Thanks for the link. I ran the test and observed the following:
20 Ports Open
623 Ports Closed
413 Ports Stealth

I wonder whether the 'Stealth' is good or not. Any action that I need to
take on this?

Rajiv Khandelwal
------------------------------------
www.vardaan.net
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:O6e8GultDHA.2236@TK2MSFTNGP10.phx.gbl...
> If you had packet filtering turned off and no other hardware firewall
> out there, ISA didn't fail you because it wasn't protecting you in the
> first place.
>
> Did you load up ISA feature pack or something?
>
> 1. What ports are currently open. Go to grc.com and click on shields
> up. Do a port test. You MUST know what it open and seen from the
> outside to know how to protect what is exposed.
>
>
>
> Rajiv Khandelwal, M. D. wrote:
>
> > Today morning when my staff started work in the hospital, they were not
> > able to access the SQL Server on my SBS 2000 because of log on failure
> > for user "sa". Detailed analysis revealed the following:
> > 1. Using 2 NIC - one for the local LAN and other for the internet
> > 2. A new user `SSSSS' created with administrator rights
> > 3. Winzip programme not seen and instead WinRRR created
> >
> > I had to uninstall my SQL and re-install it for work to start.
> >
> > Now, my queries are:
> > 1. Has my firewall and ISA failed me?
> > 2. What remedial measures should I take?
> > Your kind attention is drawn to another thread in this newsgroup which I
> > had started on the Packet Filter namely " ISA Server Packet Filtering ".
> >
> > Rajiv Khandelwal
> > ------------------------------------
> > www.vardaan.net <http://www.vardaan.net>
>
> --
> http://www.sbslinks.com/really.htm
>



Re: Hacker attack by Rajiv

Rajiv
Sat Nov 29 08:44:15 CST 2003

Henry,

Thanks for your posting. I appreciate your concern, but your attention is
drawn to your reply to my posting on ISA Server Packet Filtering, where you
seemed to agree with the observations of Craig Iedema.

Rajiv Khandelwal
------------------------------------
www.vardaan.net
"Henry Craven" <IUnknown@d.com> wrote in message
news:%23D04i3ntDHA.2236@TK2MSFTNGP10.phx.gbl...
> Lort Elfus !
> You disabled the firewalls and have users logging onto SQL server with
> the SA Account :-(
>
> As Susan points out, as you disabled the firewall and ISA they didn't
> fail you. You failed yourself, and the hospitals staff and patients (
> depending upon what data was being stored on the Network. ) I guess it's
> too much to hope that it was only Bedpan counts and laundry schedules. If
> any confidential patient or staff data was on the system you have a duty
> to inform everyone of the breach and possible compromise of the data, as
> well as any relevant regulatory authorities.
>
> All the data on the Network is of course suspect, and you should
> immediately disable any external connection to the Network, rebuild the
> server and ensure that it and the network are not compromised, lock it
> all down, and roll back all data to a known good state ( prior to your
> disabling Security ). - ( was there ever such a state ? )
>
> If you had patient records on there you -cannot- rely on them. The risk
> that Mrs x may after all be allergic to antibiotics but her records were
> tampered with is too great.
>
> If any patient/staff/hospital data, it must be assumed to be compromised;
> so Names, Addresses, contact details, Account details etc could all be in
> the hands of thieves so all need to be informed and all accounts etc. by
> patients/staff/hospital/suppliers need to be changed or re-secured.
>
> Above all.
> Pull the plug on the network, and hire a competent and suitably qualified
> IT person to Setup and Overseer the network.
>
> A network for a hospital is not a hobby or a toy. The repercussions can
> be serious and even deadly.
> ( I doubt you'd let an IT person ( qualified or not ) play with the
> ventilator during an operation in your OR. )
>
> ... while this may be overstating the situation in your case ( depending
> on what you actually store and use on the network ), I hope I've made my
> point.
>
> --
> Henry Craven.
>
> ========= Post It Appropriately: ============
> SBS 4/4.5 : microsoft.public.backoffice.smallbiz
> SBS 2000 : microsoft.public.backoffice.smallbiz2000
> SBS 2003 : microsoft.public.windows.server.sbs
> =====================================
> "Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
> news:O%23NsA7ktDHA.2244@TK2MSFTNGP09.phx.gbl...
> Today morning when my staff started work in the hospital, they were not
> able to access the SQL Server on my SBS 2000 because of log on failure
> for user "sa". Detailed analysis revealed the following:
> 1. Using 2 NIC - one for the local LAN and other for the internet
> 2. A new user `SSSSS' created with administrator rights
> 3. Winzip programme not seen and instead WinRRR created
>
> I had to uninstall my SQL and re-install it for work to start.
>
> Now, my queries are:
> 1. Has my firewall and ISA failed me?
> 2. What remedial measures should I take?
> Your kind attention is drawn to another thread in this newsgroup which I
> had started on the Packet Filter namely " ISA Server Packet Filtering ".
>
> Rajiv Khandelwal
> ------------------------------------
> www.vardaan.net
>
>



Re: Hacker attack by Kevin

Kevin
Sat Nov 29 08:53:39 CST 2003

Stealth is the best (it means that no one from the outside can even detect
that that port exists)
Closed means that someone from the outside can see that the port exists, but
since it's closed they can't use it.
Open means it's unlocked and asking for someone to walk in and do damage.

Port 20 & 21 are used for FTP (File Transfer) -- if it's open, it should
be closed immediately!

-kw


"Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
news:%23Qg9fZotDHA.1884@TK2MSFTNGP10.phx.gbl...
> Susan,
>
> Thanks for the link. I ran the test and observed the following:
> 20 Ports Open
> 623 Ports Closed
> 413 Ports Stealth
>
> I wonder whether the 'Stealth' is good or not. Any action that I need to
> take on this?
>
> Rajiv Khandelwal
> ------------------------------------
> www.vardaan.net
> "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
> wrote in message news:O6e8GultDHA.2236@TK2MSFTNGP10.phx.gbl...
> > If you had packet filtering turned off and no other hardware firewall
> > out there, ISA didn't fail you because it wasn't protecting you in the
> > first place.
> >
> > Did you load up ISA feature pack or something?
> >
> > 1. What ports are currently open. Go to grc.com and click on shields
> > up. Do a port test. You MUST know what it open and seen from the
> > outside to know how to protect what is exposed.
> >
> >
> >
> > Rajiv Khandelwal, M. D. wrote:
> >
> > > Today morning when my staff started work in the hospital, they were not
> > > able to access the SQL Server on my SBS 2000 because of log on failure
> > > for user "sa". Detailed analysis revealed the following:
> > > 1. Using 2 NIC - one for the local LAN and other for the internet
> > > 2. A new user `SSSSS' created with administrator rights
> > > 3. Winzip programme not seen and instead WinRRR created
> > >
> > > I had to uninstall my SQL and re-install it for work to start.
> > >
> > > Now, my queries are:
> > > 1. Has my firewall and ISA failed me?
> > > 2. What remedial measures should I take?
> > > Your kind attention is drawn to another thread in this newsgroup which I
> > > had started on the Packet Filter namely " ISA Server Packet Filtering ".
> > >
> > > Rajiv Khandelwal
> > > ------------------------------------
> > > www.vardaan.net <http://www.vardaan.net>
> >
> > --
> > http://www.sbslinks.com/really.htm
> >
>
>



Re: Hacker attack by Susan

Susan
Sat Nov 29 10:08:38 CST 2003

I think he means "20" ports open not port 20...

Kevin Weilbacher wrote:

> Stealth is the best (it means that no one from the outside can even detect
> that that port exists)
> Closed means that someone from the outside can see that the port exists, but
> since it's closed they can't use it.
> Open means it's unlocked and asking for someone to walk in and do damage.
>
> Port 20 & 21 are used for FTP (File Transfer) -- if it's open, it should
> be closed immediately!
>
> -kw
>
>
> "Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
> news:%23Qg9fZotDHA.1884@TK2MSFTNGP10.phx.gbl...
>
>>Susan,
>>
>>Thanks for the link. I ran the test and observed the following:
>> 20 Ports Open
>>623 Ports Closed
>>413 Ports Stealth
>>
>>I wonder whether the 'Stealth' is good or not. Any action that I need to
>>take on this?
>>
>>Rajiv Khandelwal
>>------------------------------------
>>www.vardaan.net
>>"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
>>wrote in message news:O6e8GultDHA.2236@TK2MSFTNGP10.phx.gbl...
>>
>>>If you had packet filtering turned off and no other hardware firewall
>>>out there, ISA didn't fail you because it wasn't protecting you in the
>>>first place.
>>>
>>>Did you load up ISA feature pack or something?
>>>
>>>1. What ports are currently open. Go to grc.com and click on shields
>>>up. Do a port test. You MUST know what it open and seen from the
>>>outside to know how to protect what is exposed.
>>>
>>>
>>>
>>>Rajiv Khandelwal, M. D. wrote:
>>>
>>>
>>>>Today morning when my staff started work in the hospital, they were not
>>>>able to access the SQL Server on my SBS 2000 because of log on failure
>>>>for user "sa". Detailed analysis revealed the following:
>>>>1. Using 2 NIC - one for the local LAN and other for the internet
>>>>2. A new user `SSSSS' created with administrator rights
>>>>3. Winzip programme not seen and instead WinRRR created
>>>>
>>>>I had to uninstall my SQL and re-install it for work to start.
>>>>
>>>>Now, my queries are:
>>>>1. Has my firewall and ISA failed me?
>>>>2. What remedial measures should I take?
>>>>Your kind attention is drawn to another thread in this newsgroup which I
>>>>had started on the Packet Filter namely " ISA Server Packet Filtering ".
>>>>
>>>>Rajiv Khandelwal
>>>>------------------------------------
>>>>www.vardaan.net <http://www.vardaan.net>
>>>
>>>--
>>>http://www.sbslinks.com/really.htm
>>>
>>
>>
>
>

--
http://www.sbslinks.com/really.htm


Re: Hacker attack by Kevin

Kevin
Sat Nov 29 10:14:29 CST 2003

duh ....

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:u6GmNMptDHA.1088@tk2msftngp13.phx.gbl...
> I think he means "20" ports open not port 20...
>
> Kevin Weilbacher wrote:
>
> > Stealth is the best (it means that no one from the outside can even detect
> > that that port exists)
> > Closed means that someone from the outside can see that the port exists, but
> > since it's closed they can't use it.
> > Open means it's unlocked and asking for someone to walk in and do damage.
> >
> > Port 20 & 21 are used for FTP (File Transfer) -- if it's open, it should
> > be closed immediately!
> >
> > -kw
> >
> >
> > "Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
> > news:%23Qg9fZotDHA.1884@TK2MSFTNGP10.phx.gbl...
> >
> >>Susan,
> >>
> >>Thanks for the link. I ran the test and observed the following:
> >> 20 Ports Open
> >>623 Ports Closed
> >>413 Ports Stealth
> >>
> >>I wonder whether the 'Stealth' is good or not. Any action that I need to
> >>take on this?
> >>
> >>Rajiv Khandelwal
> >>------------------------------------
> >>www.vardaan.net
> >>"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
> >>wrote in message news:O6e8GultDHA.2236@TK2MSFTNGP10.phx.gbl...
> >>
> >>>If you had packet filtering turned off and no other hardware firewall
> >>>out there, ISA didn't fail you because it wasn't protecting you in the
> >>>first place.
> >>>
> >>>Did you load up ISA feature pack or something?
> >>>
> >>>1. What ports are currently open. Go to grc.com and click on shields
> >>>up. Do a port test. You MUST know what it open and seen from the
> >>>outside to know how to protect what is exposed.
> >>>
> >>>
> >>>
> >>>Rajiv Khandelwal, M. D. wrote:
> >>>
> >>>
> >>>>Today morning when my staff started work in the hospital, they were not
> >>>>able to access the SQL Server on my SBS 2000 because of log on failure
> >>>>for user "sa". Detailed analysis revealed the following:
> >>>>1. Using 2 NIC - one for the local LAN and other for the internet
> >>>>2. A new user `SSSSS' created with administrator rights
> >>>>3. Winzip programme not seen and instead WinRRR created
> >>>>
> >>>>I had to uninstall my SQL and re-install it for work to start.
> >>>>
> >>>>Now, my queries are:
> >>>>1. Has my firewall and ISA failed me?
> >>>>2. What remedial measures should I take?
> >>>>Your kind attention is drawn to another thread in this newsgroup which I
> >>>>had started on the Packet Filter namely " ISA Server Packet Filtering ".
> >>>>
> >>>>Rajiv Khandelwal
> >>>>------------------------------------
> >>>>www.vardaan.net <http://www.vardaan.net>
> >>>
> >>>--
> >>>http://www.sbslinks.com/really.htm
> >>>
> >>
> >>
> >
> >
>
> --
> http://www.sbslinks.com/really.htm
>



Re: Hacker attack by Susan

Susan
Sat Nov 29 10:16:09 CST 2003

No, unfortunately they got sidetracked into a side conversation.
If you have "20" ports open... unplug your RJ45 connection from the
wall right now.

His comments are spot on. You need to realize how serious this is. If
this were my office, I'd be required to call the authorities and start
pulling client lists to contact people and tell them they may
have identity theft problems.


Rajiv Khandelwal, M. D. wrote:

> Henry,
>
> Thanks for your posting. I appreciate your concern but your attention is
> drawn to your posting to my posting on ISA Server Packet Filtering and you
> seemed to agree to the observations of Craig Iedema.
>
> Rajiv Khandelwal
> ------------------------------------
> www.vardaan.net
> "Henry Craven" <IUnknown@d.com> wrote in message
> news:%23D04i3ntDHA.2236@TK2MSFTNGP10.phx.gbl...
>
>>Lort Elfus !
>>You disabled the firewalls and have users logging onto SQL server with
>>the SA Account :-(
>>
>>As Susan points out, as you disabled the firewall and ISA they didn't
>>fail you. You failed yourself, and the hospitals staff and patients (
>>depending upon what data was being stored on the Network. ) I guess it's
>>too much to hope that it was only Bedpan counts and laundry schedules. If
>>any confidential patient or staff data was on the system you have a duty
>>to inform everyone of the breach and possible compromise of the data, as
>>well as any relevant regulatory authorities.
>>
>>All the data on the Network is of course suspect, and you should
>>immediately disable any external connection to the Network, rebuild the
>>server and ensure that it and the network are not compromised, lock it
>>all down, and roll back all data to a known good state ( prior to your
>>disabling Security ). - ( was there ever such a state ? )
>>
>>If you had patient records on there you -cannot- rely on them. The risk
>>that Mrs x may after all be allergic to antibiotics but her records were
>>tampered with is too great.
>>
>>If any patient/staff/hospital data, it must be assumed to be compromised;
>>so Names, Addresses, contact details, Account details etc could all be in
>>the hands of thieves so all need to be informed and all accounts etc. by
>>patients/staff/hospital/suppliers need to be changed or re-secured.
>>
>>Above all.
>>Pull the plug on the network, and hire a competent and suitably qualified
>>IT person to Setup and Overseer the network.
>>
>>A network for a hospital is not a hobby or a toy. The repercussions can
>>be serious and even deadly.
>>( I doubt you'd let an IT person ( qualified or not ) play with the
>>ventilator during an operation in your OR. )
>>
>>... while this may be overstating the situation in your case ( depending
>>on what you actually store and use on the network ), I hope I've made my
>>point.
>>
>>--
>>Henry Craven.
>>
>>========= Post It Appropriately: ============
>>SBS 4/4.5 : microsoft.public.backoffice.smallbiz
>>SBS 2000 : microsoft.public.backoffice.smallbiz2000
>>SBS 2003 : microsoft.public.windows.server.sbs
>>=====================================
>>"Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
>>news:O%23NsA7ktDHA.2244@TK2MSFTNGP09.phx.gbl...
>>Today morning when my staff started work in the hospital, they were not
>>able to access the SQL Server on my SBS 2000 because of log on failure
>>for user "sa". Detailed analysis revealed the following:
>>1. Using 2 NIC - one for the local LAN and other for the internet
>>2. A new user `SSSSS' created with administrator rights
>>3. Winzip programme not seen and instead WinRRR created
>>
>>I had to uninstall my SQL and re-install it for work to start.
>>
>>Now, my queries are:
>>1. Has my firewall and ISA failed me?
>>2. What remedial measures should I take?
>>Your kind attention is drawn to another thread in this newsgroup which I
>>had started on the Packet Filter namely " ISA Server Packet Filtering ".
>>
>>Rajiv Khandelwal
>>------------------------------------
>>www.vardaan.net
>>
>>
>
>
>

--
http://www.sbslinks.com/really.htm


Re: Hacker attack by Henry

Henry
Sat Nov 29 17:30:07 CST 2003

My exact words were:
========================
The solution is really to find out why you're not able to browse the
Internet with ISA enabled as enabling ISA in the ICW should not block
Internet Access.

I certainly wouldn't disable it unless you have a Firewall Router in
place.
========================

Craig made -no- suggestion, of disabling or working without ISA or a
Firewall of some sort.

In fact, he said:
========================
Rajiv, do you have the firewall client installed on the XP machine? If not you
need to, as Outlook Express is unable to pass authentication information
to the proxy server.
Does your internet access work from a browser? If not, you need the proxy
settings set up for IE.
==========================

This -definitely- implies that ISA is installed and -running- on the
server. ( otherwise the firewall client would not be able to talk to it )

With due respect, you are probably a great M.D. but I believe you are
totally out of your depth here, in an environment with serious and
potentially disastrous consequences.

Set up a test network and learn all about SBS by all means, and everyone
here will be more than pleased to help you along the way; but please, do
-not- do so "on the job", particularly where the repercussions are so
serious.

I know that there are qualified and capable IT persons in New Delhi whom
you could hire to come out and set the system up for you properly. Have
the person mentor you one-on-one if you wish. The cost is just a business
expense like any other ( and what cost a child's or mother's life? ) and
I'm sure that the staff, paediatrician and gynaecologist team would insist on
it once they found their personal and account details in the hands of
hackers.

--
Henry Craven.

========= Post It Appropriately: ============
SBS 4/4.5 : microsoft.public.backoffice.smallbiz
SBS 2000 : microsoft.public.backoffice.smallbiz2000
SBS 2003 : microsoft.public.windows.server.sbs
=====================================

"Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
news:O0$1UdotDHA.3436@tk2msftngp13.phx.gbl...
> Henry,
>
> Thanks for your posting. I appreciate your concern but your attention is
> drawn to your posting to my posting on ISA Server Packet Filtering and you
> seemed to agree to the observations of Craig Iedema.
>
> Rajiv Khandelwal
> ------------------------------------
> www.vardaan.net
> "Henry Craven" <IUnknown@d.com> wrote in message
> news:%23D04i3ntDHA.2236@TK2MSFTNGP10.phx.gbl...
> > Lort Elfus !
> > You disabled the firewalls and have users logging onto SQL server with
> > the SA Account :-(
> >
> > As Susan points out, as you disabled the firewall and ISA they didn't
> > fail you. You failed yourself, and the hospitals staff and patients (
> > depending upon what data was being stored on the Network. ) I guess it's
> > too much to hope that it was only Bedpan counts and laundry schedules. If
> > any confidential patient or staff data was on the system you have a duty
> > to inform everyone of the breach and possible compromise of the data, as
> > well as any relevant regulatory authorities.
> >
> > All the data on the Network is of course suspect, and you should
> > immediately disable any external connection to the Network, rebuild the
> > server and ensure that it and the network are not compromised, lock it
> > all down, and roll back all data to a known good state ( prior to your
> > disabling Security ). - ( was there ever such a state ? )
> >
> > If you had patient records on there you -cannot- rely on them. The risk
> > that Mrs x may after all be allergic to antibiotics but her records were
> > tampered with is too great.
> >
> > If any patient/staff/hospital data, it must be assumed to be compromised;
> > so Names, Addresses, contact details, Account details etc could all be in
> > the hands of thieves so all need to be informed and all accounts etc. by
> > patients/staff/hospital/suppliers need to be changed or re-secured.
> >
> > Above all.
> > Pull the plug on the network, and hire a competent and suitably qualified
> > IT person to Setup and Overseer the network.
> >
> > A network for a hospital is not a hobby or a toy. The repercussions can
> > be serious and even deadly.
> > ( I doubt you'd let an IT person ( qualified or not ) play with the
> > ventilator during an operation in your OR. )
> >
> > ... while this may be overstating the situation in your case ( depending
> > on what you actually store and use on the network ), I hope I've made my
> > point.
> >
> > --
> > Henry Craven.
> >
> > ========= Post It Appropriately: ============
> > SBS 4/4.5 : microsoft.public.backoffice.smallbiz
> > SBS 2000 : microsoft.public.backoffice.smallbiz2000
> > SBS 2003 : microsoft.public.windows.server.sbs
> > =====================================
> > "Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
> > news:O%23NsA7ktDHA.2244@TK2MSFTNGP09.phx.gbl...
> > Today morning when my staff started work in the hospital, they were not
> > able to access the SQL Server on my SBS 2000 because of log on failure
> > for user "sa". Detailed analysis revealed the following:
> > 1. Using 2 NIC - one for the local LAN and other for the internet
> > 2. A new user `SSSSS' created with administrator rights
> > 3. Winzip programme not seen and instead WinRRR created
> >
> > I had to uninstall my SQL and re-install it for work to start.
> >
> > Now, my queries are:
> > 1. Has my firewall and ISA failed me?
> > 2. What remedial measures should I take?
> > Your kind attention is drawn to another thread in this newsgroup which I
> > had started on the Packet Filter namely " ISA Server Packet Filtering ".
> >
> > Rajiv Khandelwal
> > ------------------------------------
> > www.vardaan.net
> >
> >
>
>



Re: Hacker attack by Susan

Susan
Sat Nov 29 18:13:39 CST 2003

Rajiv we don't mean to be mean to you but this is serious.

Re-enable those packet filters now or get a natting firewall in front of
you. You should not have 20 ports open. 5 or 6 at the most maybe but
20 open ports means that you are sitting out there exposed.

First off what laws do you have in your country regarding medical
records? We have HIPAA that covers how we have to protect our medical data.

I know that THE pied piper of SBS, Harry Brelsford was just in India
giving presentations on SBS so contact your local MS office.

Let's do damage control. What damage has been done? If it were my
network I'd be flattening it and restoring data from before the
intrusion. Get some help on this one... restoring isn't easy, period, and
if you need to call in legal authorities, you need to get them in soon
so that they can gather forensic evidence.

If you were here in the US I'd be sending you the phone numbers of the
FBI/High Tech Crime units. Not sure what you have in your country.

Susan

Rajiv Khandelwal, M. D. wrote:

> Henry,
>
> Thanks for your posting. I appreciate your concern but your attention is
> drawn to your posting to my posting on ISA Server Packet Filtering and you
> seemed to agree to the observations of Craig Iedema.
>
> Rajiv Khandelwal
> ------------------------------------
> www.vardaan.net
> "Henry Craven" <IUnknown@d.com> wrote in message
> news:%23D04i3ntDHA.2236@TK2MSFTNGP10.phx.gbl...
>
>>Lort Elfus !
>>You disabled the firewalls and have users logging onto SQL server with
>>the SA Account :-(
>>
>>As Susan points out, as you disabled the firewall and ISA they didn't
>>fail you. You failed yourself, and the hospitals staff and patients (
>>depending upon what data was being stored on the Network. ) I guess it's
>>too much to hope that it was only Bedpan counts and laundry schedules. If
>>any confidential patient or staff data was on the system you have a duty
>>to inform everyone of the breach and possible compromise of the data, as
>>well as any relevant regulatory authorities.
>>
>>All the data on the Network is of course suspect, and you should
>>immediately disable any external connection to the Network, rebuild the
>>server and ensure that it and the network are not compromised, lock it
>>all down, and roll back all data to a known good state ( prior to your
>>disabling Security ). - ( was there ever such a state ? )
>>
>>If you had patient records on there you -cannot- rely on them. The risk
>>that Mrs x may after all be allergic to antibiotics but her records were
>>tampered with is too great.
>>
>>If there was any patient/staff/hospital data, it must be assumed to be compromised;
>>so Names, Addresses, contact details, Account details etc could all be in
>>the hands of thieves so all need to be informed and all accounts etc. by
>>patients/staff/hospital/suppliers need to be changed or re-secured.
>>
>>Above all.
>>Pull the plug on the network, and hire a competent and suitably qualified
>>IT person to set up and oversee the network.
>>
>>A network for a hospital is not a hobby or a toy. The repercussions can
>>be serious and even deadly.
>>( I doubt you'd let an IT person ( qualified or not ) play with the
>>ventilator during an operation in your OR. )
>>
>>... while this may be overstating the situation in your case ( depending
>>on what you actually store and use on the network ), I hope I've made my
>>point.
>>
>>--
>>Henry Craven.
>>
>>========= Post It Appropriately: ============
>>SBS 4/4.5 : microsoft.public.backoffice.smallbiz
>>SBS 2000 : microsoft.public.backoffice.smallbiz2000
>>SBS 2003 : microsoft.public.windows.server.sbs
>>=====================================
>>"Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
>>news:O%23NsA7ktDHA.2244@TK2MSFTNGP09.phx.gbl...

--
http://www.sbslinks.com/really.htm


Re: Hacker attack by Rajiv

Rajiv
Sat Nov 29 23:51:13 CST 2003

Thanks Susan and Henry for your valuable advice. I shall ensure that
professional advice is sought immediately on this matter, but let me confess
that these newsgroups have taught me a lot and given me some good friends.

Rajiv Khandelwal
------------------------------------
www.vardaan.net
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:%23gQ$MbttDHA.4056@TK2MSFTNGP11.phx.gbl...



Re: Hacker attack by Susan

Susan
Sun Nov 30 00:45:38 CST 2003

This is one where, for legal purposes, you do want to look for expert help.
I'll admit we're pretty good around here, if we do pat ourselves on the
back, but when it comes to legal issues you need local guidance.

Hang in there and report back.

Rajiv Khandelwal, M. D. wrote:


--
http://www.sbslinks.com/really.htm


Re: Hacker attack by Henry

Henry
Sun Nov 30 17:46:05 CST 2003

I hope that the repercussions of the intrusion prove not to be too
serious.
( ...it's a sad indictment of human society that you have to be 100%
secure before you can plug that WAN cable into the wall. )

Keep in touch with the groups, either for future help or just as a
reader. You can learn a lot just by reading other people's issues and
solutions. I certainly do.

Wishing you well.
--
Henry Craven.

========= Post It Appropriately: ============
SBS 4/4.5 : microsoft.public.backoffice.smallbiz
SBS 2000 : microsoft.public.backoffice.smallbiz2000
SBS 2003 : microsoft.public.windows.server.sbs
=====================================

"Rajiv Khandelwal, M. D." <rajiv@vardaan.net> wrote in message
news:%23$$y0YwtDHA.2408@tk2msftngp13.phx.gbl...



Re: Hacker attack by Craig

Craig
Sun Nov 30 18:25:11 CST 2003

Hi Rajiv,

Just catching up on things (been out of the office for a few days). I was
surprised to find my name on this thread. Just a quick sorry if you thought
I was agreeing with you on having the ISA server with all packet filters
disabled; that is certainly not what I meant. In our office we have 2
levels of firewall protection: a hardware firewall that port-forwards only
the traffic I want in and blocks everything else, and then ISA, which
also blocks everything except for these ports.

I certainly concur with the others, get someone in to at least set up ISA
for you. I have 10+ years in the IT industry (as a developer and network
admin) and I still learn new things all the time. It is difficult for
someone to do this part time without any outside/professional assistance.

I wish you all the best with this and that you get your network functioning
well.

Craig



"Henry Craven" <IUnknown@d.com> wrote in message
news:O3cRvu5tDHA.2520@TK2MSFTNGP10.phx.gbl...
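Susan's "20 open ports" warning and Craig's "hardware firewall that port-forwards only the traffic I want in" describe the same check: enumerate what the Internet-facing NIC actually exposes and compare it with a short allow-list. The script below is an added example, not code from anyone in this thread. It parses Windows-style `netstat -an -p tcp` output (the sample here is constructed, not taken from the poster's server), treats listeners bound to `0.0.0.0` or to the WAN address as reachable from the Internet, reports the ones a packet filter or NAT box in front of the server should have been blocking, and also flags established sessions from non-LAN peers, which on a box that was supposed to sit behind ISA filters are the kind of evidence to preserve before pulling the plug. The interface addresses (`192.168.1.0/24` on the LAN side, `203.0.113.10` on the Internet side), the allow-list and the service-name table are assumptions made for the example.

```python
"""Audit what a dual-NIC Windows server exposes on its Internet-facing NIC.

Added example for this thread, not code from any of the posters.  The
netstat text below is constructed sample data, and the addresses and
allow-list are assumptions standing in for the SBS box in the thread.
"""
import ipaddress
import re

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN-side NIC network
WAN_IP = "203.0.113.10"                           # assumed Internet-side NIC address

# What this box is meant to publish to the Internet (assumption).  Susan's
# point is that this set should have five or six entries, not twenty.
INTERNET_ALLOWLIST = {25, 80, 443}

# Labels for the report only.
SERVICE_NAMES = {
    25: "SMTP", 80: "HTTP", 135: "RPC endpoint mapper", 139: "NetBIOS session",
    443: "HTTPS", 445: "SMB", 1433: "SQL Server", 3389: "Terminal Services",
}

# Constructed to look like Windows 'netstat -an -p tcp'; not captured anywhere.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.1:445        192.168.1.55:1187      ESTABLISHED
  TCP    203.0.113.10:1433      198.51.100.77:4521     ESTABLISHED
"""

TCP_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<faddr>[\d.]+):(?P<fport>\d+)\s+(?P<state>[A-Z_]+)\s*$"
)


def parse_netstat(text):
    """Turn netstat output into a list of socket dicts; non-TCP lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            sockets.append({
                "laddr": m.group("laddr"), "lport": int(m.group("lport")),
                "faddr": m.group("faddr"), "state": m.group("state"),
            })
    return sockets


def exposed_listeners(sockets, wan_ip):
    """Ports an Internet host can reach: listeners bound to the WAN address or to
    every interface (0.0.0.0).  A listener bound only to the LAN address is not."""
    return sorted({s["lport"] for s in sockets
                   if s["state"] == "LISTENING" and s["laddr"] in ("0.0.0.0", wan_ip)})


def unexpected_exposure(sockets, wan_ip, allowlist):
    """Exposed ports that the packet filter or NAT box in front should be blocking."""
    return [p for p in exposed_listeners(sockets, wan_ip) if p not in allowlist]


def external_sessions(sockets, lan_net):
    """ESTABLISHED sessions whose peer is outside the LAN, as (local port, peer)."""
    hits = []
    for s in sockets:
        if s["state"] == "ESTABLISHED" and ipaddress.ip_address(s["faddr"]) not in lan_net:
            hits.append((s["lport"], s["faddr"]))
    return hits


if __name__ == "__main__":
    sockets = parse_netstat(SAMPLE_NETSTAT)
    exposed = exposed_listeners(sockets, WAN_IP)
    print(f"{len(exposed)} TCP ports reachable on {WAN_IP}:")
    for port in exposed:
        note = "" if port in INTERNET_ALLOWLIST else "  <-- not in allow-list"
        print(f"  {port:5d}  {SERVICE_NAMES.get(port, 'unknown')}{note}")
    for port, peer in external_sessions(sockets, LAN_NET):
        print(f"ESTABLISHED from {peer} to local port {port} "
              f"({SERVICE_NAMES.get(port, 'unknown')}); keep this as evidence")
```

To use it on a real box, paste the output of `netstat -an -p tcp` into SAMPLE_NETSTAT and put the second NIC's address in WAN_IP. The `0.0.0.0` case is the whole point of exposed_listeners(): services such as SQL Server, RPC and SMB typically bind to all interfaces, so once the packet filters are off, having separate LAN and Internet NICs gives no separation at all, and the Internet side sees the same listeners the ward PCs do.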