Vi har et stort problem, vores server er blevet hacket og kan nu ikke vise websites ud til hverden omkring den, ej heller kan man komme på serveren via fjernskrivebord og lignende.
Vi har gennem en KVM boks eller lignende, fået adgang til serveren, her kan vi se at den sagtens kan køre de websites der er på den, i browseren lokalt, men det er ikke muligt at se noget som helst ude fra.
Hurtigt tjekkede jeg lige windows firewall men denne skriver at ipnat.sys bruges af et andet program og kan derfor ikke åbne firewall?!
Desuden virker event viewer nu heller ikke?!
Vi vil gøre alt for at få denne online, da en umiddelbar flytning til en anden server vil være næsten umulig på kort tid.
Håber der sidder en som virkeligt kan sit kram imellem jer her! Det skal siges at en teknikker i vores hostingcenter allerede har brugt 3 timer på at løse problemet uden held. Læg dog mærke til at dette ikke betyder at det er umuligt. SFC /scantool er også kørt for at se om der manglede noget som skulle installeres eller lignende, uden held.
Found this tidbit while researching this problem: Can't enable windows Firewall on a RRAS server - Windows firewall cannot run because another program or service is running that might use the network address translation component (Ipnat.sys) Situation: one of our clients could not get the windows Firewall to work. Whenever they tried to start the Windows Firewall, they received the following message: "Windows firewall cannot run because another program or service is running that might use the network address translation component (Ipnat.sys).
What they tried:
They event tried to stop the RRAS but got the same result. They finally make it work by disabling the RRAS.
Recommendation: It is not recommended to use Windows Firewall on a RRAS server. If you use the server as a router, you should enable NAT; if you use the server as VPN, you should have another firewall. If, for some reasons, you do want to enable Windows Firewall in the Windows 2003, you may need to disable the RRAS. To do that, right-click on My Computer>Manager>Services and Applications>Services. Disable Routing and Remote Access service
When I disabled RRAS, I could get into my Firewall settings. I then shut off my firewall and re-configured RRAS.
Having recently recovered a SBS 2003 server, we noticed that while the server was able to ping all devices on the network, none of the workstations could ping the server. When trying to get into the Windows Firewall, we got the following MSG:
"Windows Firewall cannot run because another program or service is running that might use the network address translation component (Ipnat.sys)."
We disabled RRAS and rebooted and tried to enter WF but got the same msg.
So, we ran the command NET STOP IPNAT.SYS and voila, the server is accessible on the network. However, everytime we reboot the server, we have to NET STOP the ipnat.sys in order to having it pingable. ------------------------------------------------------- Go to Device Manager, choose Show Hidden Devices, and open "Non-Plug and Play Drivers". Open "IP Network Address Translator" and go to the details page. You can start ot stop it and change the startup type to disabled, which I have done.
I'm still unclear whether it's required for SP2 firewall to run. It sounds like an optional hook into the firewall. ------------------------------------------------------------------------------------------------- other way that work, crate un RRAS (Routing and Remote Access Service ) and after creating one dont delete, disabled that will stop the services include the ipnat.sys and will let you configure the firewall. ------------------------------------------------------------------- I uninstalled ISA server on SBS and after that same situation occured.
So I have disabled routing and remote acces. Then I was able to start Firewall service again and everything works fine -----------------------------------------------------------------------
or basically you should not go and stop RRAS from SERVICES..you should right click My Computer -> Manage -> Services and Applications -> RRAS! you'll find it with a red box next to it, right click and click on DISABLE! it will tell you will have to reconfigure later on which is ok!
jeg har fundet IPNAT.SYS eller rettere "IP Network Address Translator" og den er disabelt. Det har dog ikke virket, jeg sidder nu på 3 dagen og er godt igang med at flytte tingene til en anden server, så dette fortsætter jeg med. Jeg tror desværre ikke problemet kan løses har som sagt prøvet alt næsten.
Hvis i virkelig er blevet hakket og det er et DK site, så kontakt DK CERT som er specialister på dette område. Ved ikke hvad deres hjælp koster, men det er jo heller ikke dit problem lige nu. https://www.cert.dk/
Principielt skal en hacket server geninstalleres, idet man aldrig kan stole på den igen. Det lyder jo også til at der er installeret rootkit osv på den.
Du har formentlig fået sites genopbygget på en anden server nu? Jeg er klar på en udfordring hvis jeg kan få remote adgang til den. Hvis det stadig er interessant så skriv til mig på netwarrior at gmail.
Synes godt om
Ny brugerNybegynder
Din løsning...
Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.
