Comcast Security division shut off our service yesterday without warning. I called business tech support. The nice tech did not (could not?) tell me that it was Comcast that shut off our service. Had a field service rep come out and check our equipment. *HE* could tell me it was Comcast Security that shut off the service because our server was under attack. He gave me a secret special phone # to call to get service restored.
I'm on hold now 3 hours and 47 minutes. While on hold I've called tech support and customer service who could now confirm that I have to call the Security Division and ONLY the Security division.
3 FREAKIN HOURS AND 47 MINUTES.
Still haven't talked to a human.
My conclusions: There is only one person in that department taking calls and he is playing Minecraft right now. Or, there are several people there but there are so many security problems you can expect to be on hold 6 or 7 hours to get your internet restored. Or, Comcast really could care less about your business.
3 FREAKIN HOURS AND 57 MINUTES.
I routinely have servers attacked and have never had Comcast Security shut me off. As a veteran of the Internet script kiddie wars I would bet money you have something misconfigured on your server that is allowing a script kiddie to hijack your server and attack others.
Some of the most common and obvious things to check:
1) Open port 25 SMTP relay. There are diagnostic tools all over the Internet to check for this, here's one:
2) A Linux or Windows server that does not have all security patches loaded. You should never run a server with any ports exposed to the Internet unless that server is configured to auto-update.
3) Apache webserver not patched. See #2
4) PHP not patched to latest level. See #2
5) WordPress with a config.php file set world-writable. This is the default with WordPress when it's first installed. There are guides all over the Internet on how to secure WordPress. WordPress has 50% of the webservers today.
6) NTP that is not secured. All current Unix ntp servers have a hole that allows for attackers to use them as ntp reflectors. This CANNOT be closed by config file entries. You must use ipfw or iptables to close it, or not run ntpd (run ntpdate out of cron instead)
7) Exchange server not patched to latest service pack. Microsoft stopped distributing Exchange patches via Windows Updates because the automatic installations trashed Exchange servers, and these must be downloaded and installed by hand.
8) SharePoint not patched to the latest level. It's not enough to just download and install all Microsoft security patches on a SharePoint server. Once the server has been patched you must run a command that updates the server. Google for this information.
9) Bogus password control. Go to the website https://haveibeenpwned.com/ and insert your domain name. Change passwords on any of your users who have email addresses listed. Instruct your users to NEVER use the same password on a public website that you give them to use on your server.
10) Security holes on router firmware. A large number of SOHO routers today are built on embedded Linux. Unless you're running very new firmware code you should NOT have external management for https enabled due to the Heartbleed bug. If your router is running older firmware then consider running OpenWrt or DD-WRT if it can take one of those loads, or throw it out and buy a new one. Most people do not realize that a script kiddie can hijack their older-SOHO-router-with-a-hole-in-it and use it to attack other people.
11) Open web proxies (socks5, http, etc.). There are well-meaning individuals out there who want to help people in China, so they set up open proxies so residents of that country can surf the web and look at sites the Chinese government does not want them to see. Unless you know exactly WTF you're doing, don't do this. And if you know WTF you're doing, you don't need this guide.
If your server HAS been hijacked then you need to clean it. And be aware that once a remote attacker gains an escalation on your server they will leave multiple back doors. If that happens, schedule the server for a nuke-and-repave; it can never be trusted again.
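Two items in the checklist above (the world-writable WordPress config file in item 5, and firewalling ntpd with iptables in item 6) can be verified on a host with a short audit script. The following is an added example written for this page; it is not code from the thread, from Comcast or from the WordPress or ntp projects. It assumes standard `iptables-save` output for the INPUT chain and builds its own constructed sample inputs (a temporary WordPress-like directory and two hand-written rule sets) so it runs offline.

```python
"""Audit helpers for two checklist items: world-writable files under a web
root, and whether iptables refuses unsolicited UDP/123 (NTP) from arbitrary
sources. Example code added to this page; all sample inputs are constructed."""
import os
import re
import stat
import tempfile
from typing import List

# Matches one iptables-save rule in the INPUT chain, capturing the match
# options (body, with surrounding spaces) and the jump target.
INPUT_RULE = re.compile(r"^-A INPUT\b(?P<body>.*?)-j (?P<target>\w+)")

# Constructed sample rule sets (not from any real host).
OPEN_RULES = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
COMMIT
"""
LOCKED_RULES = """*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 123 -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j DROP
COMMIT
"""


def rule_is_ntp(body: str) -> bool:
    """True if the rule matches UDP destination port 123 (NTP)."""
    return "-p udp" in body and ("--dport 123" in body or "--dport ntp" in body)


def ntp_udp_restricted(iptables_save: str) -> bool:
    """Decide from iptables-save output whether UDP/123 from arbitrary
    sources is refused. Rules are walked in order, as the kernel evaluates
    them: the first catch-all (no -s) ACCEPT opens the port, the first
    catch-all DROP/REJECT closes it, and otherwise the chain policy decides.
    Source-limited ACCEPTs (an allowlist) do not open the port."""
    default_drop = False
    for line in iptables_save.splitlines():
        line = line.strip()
        if line.startswith(":INPUT DROP"):
            default_drop = True
            continue
        m = INPUT_RULE.match(line)
        if not m or not rule_is_ntp(m.group("body")):
            continue
        source_limited = " -s " in m.group("body")
        if m.group("target") == "ACCEPT" and not source_limited:
            return False
        if m.group("target") in ("DROP", "REJECT") and not source_limited:
            return True
    return default_drop


def find_world_writable(root: str) -> List[str]:
    """Return paths under root (relative to it) whose mode has the
    other-write bit set, which is what item 5 warns about."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def demo_wp_config_check() -> List[str]:
    """Build a constructed WordPress-like tree with one world-writable
    wp-config.php and one correctly restricted file; return what is flagged."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("wp-config.php", 0o666), ("index.php", 0o644)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder\n")
            os.chmod(path, mode)
        return find_world_writable(root)


if __name__ == "__main__":
    print("world-writable files flagged:", demo_wp_config_check())
    print("NTP open to the world (OPEN_RULES):", not ntp_udp_restricted(OPEN_RULES))
    print("NTP locked down (LOCKED_RULES):", ntp_udp_restricted(LOCKED_RULES))
```

On a real host, feed `find_world_writable` the web root and `ntp_udp_restricted` the output of `iptables-save`; the rule walker deliberately treats an allowlisted ACCEPT as safe and only a catch-all ACCEPT as exposure, so a host that accepts NTP from its own time-sync peers and drops the rest passes.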