Hi All,
So this is one of those things that you hear about, but never think will ever happen to you... UNTIL IT DOES. Today I was leaving work and I noticed the monitor in our server room was on. As I walked up to it, I was blown away. Someone was remotely logged into our system. They had about 6 different websites up (using IE) and the sites were all in Chinese (my guess is it was someone in China). I watched what they were doing for about 30 seconds until they started downloading a file, then I shut the system down.
I guess my question is threefold:
1) Is there a way I can log in to see everything they were doing? I.e., check what IP address they were using, check what user account, etc.
2) What tools would you recommend I run to get rid of anything they had done? I already have Symantec Antivirus and will run a scan. I can also run a spyware scan to get anything else off.
3) How can I secure it down?!
I think now that this is related somehow to my previous post...
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23049472.html At this point I have no idea of the damage they caused (luckily all our data is OK). My thinking now is that I should completely start over (re-format and re-install Windows). What are your thoughts?
I am also thinking about setting up a Linux box as a buffer, i.e. the Linux box would be connected to the internet (instead of the Windows box, as it is now), and then the main Windows domain would just connect to the Linux box. What are your thoughts on that?
Basically I just need to get this fixed. And if it's going to need a complete clean (which it probably will), then I want to get the best and most secure setup possible.
Thanks
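For question 1 (which account and which source address the remote logons came from), here is an added example, not part of the original post: it triages exported Windows Security logon records for remote-interactive sessions and logons from outside the LAN. The record layout, the sample entries and the LAN ranges are constructed for the example; it assumes the Server 2003 convention that successful logons are Event ID 528/540 and that the event text carries "Logon Type" and "Source Network Address" fields.

```python
import re
from collections import Counter

# Constructed sample records (not real log data): Event ID | time | account |
# logon type | source address, as one might export them from Event Viewer.
# Logon type 10 = RemoteInteractive (Terminal Services), 3 = network, 2 = console.
SAMPLE_LOG = """\
528|2008-01-15 17:42:10|Administrator|Logon Type: 10|Source Network Address: 203.0.113.45
540|2008-01-15 17:42:12|Administrator|Logon Type: 3|Source Network Address: 203.0.113.45
528|2008-01-15 08:05:31|jsmith|Logon Type: 2|Source Network Address: -
540|2008-01-15 09:11:02|jsmith|Logon Type: 3|Source Network Address: 192.168.1.22
528|2008-01-15 17:55:49|Administrator|Logon Type: 10|Source Network Address: 203.0.113.45
"""

# Assumed internal ranges; replace with your own LAN prefixes.
LOCAL_PREFIXES = ("10.", "192.168.", "127.")
FIELD = re.compile(r"^[^:]+:\s*(.*)$")  # strips the "Label: " part of a field


def parse_events(text):
    """Turn the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, when, account, ltype, src = line.split("|")
        events.append({
            "id": int(event_id),
            "time": when,
            "account": account,
            "type": int(FIELD.match(ltype).group(1)),
            "src": FIELD.match(src).group(1).strip(),
        })
    return events


def is_local(addr):
    """'-' means no network address was recorded (console logon)."""
    return addr == "-" or addr.startswith(LOCAL_PREFIXES)


def suspicious_logons(events):
    """Remote-interactive sessions, or any logon from a non-LAN address."""
    return [e for e in events if e["type"] == 10 or not is_local(e["src"])]


def summarize(events):
    """Count suspicious logons per (account, source address) pair."""
    return Counter((e["account"], e["src"]) for e in suspicious_logons(events))


if __name__ == "__main__":
    for (account, src), n in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{account} from {src}: {n} suspicious logon(s)")
```

The remaining records for each flagged pair give the time window to pull the rest of the Security, System and IIS/Terminal Services logs for.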