Unknown User Account with Administrative Privilege!

I just found an unknown user account called admin that belongs to the administrative group. It seems like someone has got into my server and created the account.

I am the only user and I use Remote Desktop to access my server most of the time. The password I use was quite lengthy, about 15 alphanumeric characters.

My questions are:

1) How did he break into my server and create a new user?
2) I have deleted the unknown account, changed my password and restarted the server. What should I do to further secure the server?
edwardkoo asked:

hbz commented:

It's unlikely that it's your password. I bet it's MailEnable. Are you running Professional or Enterprise? Which version? If you look on their site, you'll see some recent vulnerabilities (and hotfixes). Some of these are exploited by automated tools.

-- hbz
victornegri commented:
You can enable logging to track Account Management Successes and Failures to see if someone creates another account without your knowledge. You should also check for Logon Events to see if someone is attempting to crack a password.
binary_1001010 commented:
You should reset your password to a more complex one, a non-dictionary word with a combination of lower case, upper case and numbers.

You should install all the latest patches.

You should also at least install anti-virus/firewall software if you don't have a budget to purchase a hardware one.
hbz commented:

You should at least try to do some virus / trojan / rootkit scans, examine the registry, etc., but...

VERY IMPORTANT: You will never be able to be sure that the server is clean. Some attacks can be completely hidden. From here on out, you must assume that your machine has been hacked.

If you are uncomfortable with this fact, move all data off the server and set up a new one. Then do forensics on the old hard drive (same scans as above, but anything that was hidden before will be more likely to show up).

I have gone through this scenario before, unfortunately. The attacker likely got in through other unpatched / vulnerable services running on your machine (IIS, SQL, mail, etc.).

-- hbz
Jay_Jay70 commented:
There isn't much more that you can do. If you have deleted the account and changed your passwords then that's it. The account may have been created years ago. Enable auditing and download the account lockout tools from MS.
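The advice from victornegri and Jay_Jay70 above comes down to turning on auditing and then actually reading the Security log. The following is an added example, not code from this thread or from any of its participants, that shows the two checks in plain Python over a constructed set of log records: a user created and then added to the local Administrators group, and a burst of failed logons from one address. It assumes the Vista/Server 2008-and-later event IDs (4720 account created, 4732 member added to a security-enabled local group, 4625 logon failure); Server 2003 logged the same things as 624, 636 and 529, so adjust the constants if that is what you run. The record dicts are a simplified stand-in for the EventData fields that Get-WinEvent or an EVTX export returns, and the sample data, addresses and actor names are made up.

```python
"""Triage a Windows Security log for the two things worth watching after an
unexplained admin account shows up: account-management events (a user created
and then added to Administrators) and bursts of failed logons that look like
password guessing.

Added example, not code from the thread. Assumption: Vista/Server 2008+ event
IDs; the records below are constructed samples in a simplified dict form.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Security log event IDs on Windows Vista / Server 2008 and later (assumption;
# Server 2003 logged the same things as 624, 636 and 529).
ACCOUNT_CREATED = 4720            # "A user account was created"
LOCAL_GROUP_MEMBER_ADDED = 4732   # "A member was added to a security-enabled local group"
LOGON_FAILED = 4625               # "An account failed to log on"


def _ts(minutes, seconds=0):
    """Timestamp helper for the constructed sample below."""
    base = datetime(2023, 3, 1, 2, 0, 0)
    return (base + timedelta(minutes=minutes, seconds=seconds)).isoformat()


# Constructed sample records (not real data). Field names are simplified
# stand-ins for the EventData fields Get-WinEvent or an EVTX export gives you.
SAMPLE_EVENTS = (
    # 12 failed logons from one address inside four minutes: password guessing.
    [{"time": _ts(0, 20 * i), "id": LOGON_FAILED,
      "target": "Administrator", "ip": "203.0.113.7"} for i in range(12)]
    # Two stray failures hours apart from another address: typos, not an attack.
    + [{"time": _ts(60), "id": LOGON_FAILED, "target": "edward", "ip": "198.51.100.9"},
       {"time": _ts(240), "id": LOGON_FAILED, "target": "edward", "ip": "198.51.100.9"}]
    # A new local user created and put straight into Administrators. The actor
    # being SYSTEM rather than the owner is what a service compromise looks
    # like, as opposed to a stolen RDP password.
    + [{"time": _ts(9), "id": ACCOUNT_CREATED, "target": "admin",
        "actor": "NT AUTHORITY\\SYSTEM"},
       {"time": _ts(9, 30), "id": LOCAL_GROUP_MEMBER_ADDED, "member": "admin",
        "group": "Administrators", "actor": "NT AUTHORITY\\SYSTEM"}]
)


def find_new_admins(events, group="Administrators"):
    """Accounts that were created and later added to `group`.

    Returns a list of dicts with the account name, when it was created, when
    it was added to the group, and which security principal did it.
    """
    created = {}
    for e in events:
        if e["id"] == ACCOUNT_CREATED:
            created[e["target"].lower()] = e
    hits = []
    for e in events:
        if e["id"] != LOCAL_GROUP_MEMBER_ADDED or e.get("group") != group:
            continue
        name = e["member"].lower()
        # ISO-8601 strings in the same format compare correctly as text.
        if name in created and created[name]["time"] <= e["time"]:
            hits.append({"account": name,
                         "created_at": created[name]["time"],
                         "added_at": e["time"],
                         "actor": e.get("actor", "?")})
    return hits


def find_password_guessing(events, threshold=10, window=timedelta(minutes=5)):
    """Source addresses with at least `threshold` failed logons inside any
    `window`-long interval. Returns {ip: peak count seen in one window}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == LOGON_FAILED:
            by_ip[e["ip"]].append(datetime.fromisoformat(e["time"]))
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Sliding window: drop failures older than `window` before `t`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders


if __name__ == "__main__":
    for hit in find_new_admins(SAMPLE_EVENTS):
        print("new admin: {account} created {created_at}, added to group "
              "{added_at} by {actor}".format(**hit))
    for ip, n in find_password_guessing(SAMPLE_EVENTS).items():
        print(f"password guessing from {ip}: {n} failures within 5 minutes")
```

None of this is useful until the events exist. On Server 2008 and later the relevant subcategories are switched on with `auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable` and the same command for `"Logon"`; on Server 2003 the equivalents are the "Audit account management" and "Audit logon events" policies in Local Security Policy. The actor field is the part to look at first: a new administrator created by the web or mail service's identity rather than by your own account points at the service, not at your RDP password.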
Christophermagee commented:
Another possibility is that it was created when you were not at your desk. You might have already been logged into the server, so your password would not be needed, or they could have loaded something like a keylogger to obtain the password.
edwardkoo (author) commented:
I have done the virus / trojan / rootkit scans and found nothing so far.

The server is a rented dedicated server which I only access via Remote Desktop occasionally, such as when a new Windows patch is available, etc. It runs Apache, PHP, MySQL, MailEnable, encrypted FTP and that's it.

The password I use is 15 alphanumeric characters, so I don't think he managed to crack it, can he? And the keylogger would have to be loaded on the PC that I use Remote Desktop from, right? Is a typical Windows server too vulnerable, or are hackers too good nowadays? And I can't figure out why a good hacker would want to hack my server in the first place.

It frustrates me that I don't know which part of the server has security holes now...
edwardkoo (author) commented:
Yeah, it seems MailEnable is the most likely.
Thank you all for the comments.