Solved

Unknown User Account with Administrative Privilege!

Posted on 2006-10-21
472 Views
Last Modified: 2012-08-14
I just found an unknown user account called admin that belongs to the administrative group. It seems like someone has got into my server and created the account.

I am the only user and I use Remote Desktop to access my server most of the time. The password I use was quite lengthy, about 15 alphanumeric characters.

My questions are:

1) How did he break into my server and create a new user?
2) I have deleted the unknown account, changed my password and restarted the server. What should I do to further secure the server?
0
8 Comments
 
LVL 10

Expert Comment

by:victornegri
ID: 17780740
You can enable logging to track Account Management Successes and Failures to see if someone creates another account without your knowledge. You should also check for Logon Events to see if someone is attempting to crack a password.
0
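The auditing this comment recommends, switched on and then queried, as an added example that is not part of the thread. It assumes Windows Server 2008 or later (auditpol.exe, Get-WinEvent and the 4xxx Security event IDs; the Windows Server 2003 machines of this thread's era log 624/636/529 instead and have no auditpol) and an elevated PowerShell session. The 30-day window and the set of event IDs are choices for the example, not something the comment specifies.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008+ and an elevated session.

# 0. What is in the Administrators group right now? Every member should be explainable.
net localgroup Administrators

# 1. Enable success and failure auditing for account management and logon events.
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Logon"                     /success:enable /failure:enable

# 2. Pull the events that would have caught this incident, from the last 30 days.
$ids = @{
    4720 = 'User account created'
    4732 = 'Member added to security-enabled local group'
    4625 = 'Failed logon'
}
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @(4720, 4732, 4625)
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

# Helper: read one named field out of an event's EventData section.
function Get-EventField($Event, $Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Account creations and group membership changes. Each row should be something you did yourself.
# For 4732 on a standalone server MemberName is usually "-", so the SID is shown instead.
$events | Where-Object { $_.Id -in 4720, 4732 } | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Event   = $ids[$_.Id]
        Subject = Get-EventField $_ 'SubjectUserName'                      # who made the change
        Target  = $(if ($_.Id -eq 4720) { Get-EventField $_ 'TargetUserName' }
                    else                { Get-EventField $_ 'MemberSid' })  # what was created / added
        Group   = $(if ($_.Id -eq 4732) { Get-EventField $_ 'TargetUserName' })
    }
} | Format-Table -AutoSize

# Failed logons grouped by source address. A long tail of attempts from one address,
# usually with LogonType 10 (RemoteInteractive), is a password-guessing run against RDP.
$events | Where-Object Id -eq 4625 | ForEach-Object {
    [pscustomobject]@{
        Source    = Get-EventField $_ 'IpAddress'
        Account   = Get-EventField $_ 'TargetUserName'
        LogonType = Get-EventField $_ 'LogonType'
    }
} | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Run the auditpol lines once; the query half is what you re-run after any suspicious sign. A 4720 whose Subject is not your own account, or a 4732 into Administrators you do not remember, is exactly the event the original poster was missing.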
 
LVL 9

Expert Comment

by:binary_1001010
ID: 17780755
You should reset your password to a more complex one: a non-dictionary word with a combination of lowercase, uppercase and numbers.

You should install all the latest patches.

You should also at least install anti-virus/firewall software if you don't have a budget to purchase a hardware one.
0
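The hardening steps this comment lists, applied to a single-administrator server that is reached only over Remote Desktop, as an added example that is not part of the thread. It assumes Windows Server 2012 or later (the NetSecurity cmdlets) and an elevated session; 203.0.113.10 is a placeholder for the administrator's own static address, and the lockout values are illustrative choices.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ and an elevated session.
# Run this from a console session, or from the address you are about to whitelist:
# step 1 cuts off every other RDP client the moment it applies.

$AdminSourceIP = '203.0.113.10'   # placeholder: the only address that may reach RDP

# 1. Firewall: disable the stock "Remote Desktop" allow rules (they open 3389 to any address),
#    add one rule that allows it from the admin's IP only, and block inbound by default.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from admin address only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminSourceIP -Action Allow
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Require Network Level Authentication, so a client must authenticate before it ever
#    gets a logon screen; this also removes the pre-auth attack surface of the RDP service.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1

# 3. Account lockout: five wrong passwords lock the account for 30 minutes.
#    This turns a 15-character password from "probably safe" into "not guessable online".
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 4. Patch status: list updates that are applicable but not yet installed, via the
#    Windows Update Agent COM API (works without the PSWindowsUpdate module).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$missing  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
"$($missing.Count) update(s) not yet installed:"
$missing | ForEach-Object { " - $($_.Title)" }
```

Step 4 only reports Microsoft updates; the third-party services on the box (the web, database and mail software in this thread) have to be checked against their own vendors' release notes.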
 
LVL 5

Expert Comment

by:hbz
ID: 17781022

You should at least try to do some virus / trojan / rootkit scans, examine the registry, etc., but...

VERY IMPORTANT: You will never be able to be sure that the server is clean. Some attacks can be completely hidden. From here on out, you must assume that your machine has been hacked.

If you are uncomfortable with this fact, move all data off the server and set up a new one. Then do forensics on the old hard drive (same scans as above, but anything that was hidden before will be more likely to show up).

I have gone through this scenario before, unfortunately.  The attacker likely got in through other unpatched / vulnerable services running on your machine (IIS, SQL, mail, etc).

-- hbz
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17782828
There isn't much more that you can do. If you have deleted the account and changed your passwords, then that's it. The account may have been created years ago. Enable auditing and download the account lockout tools from MS.
0
 
LVL 5

Expert Comment

by:Christophermagee
ID: 17786401
Another possibility is that it was created when you were not at your desk. You might have already been logged into the server, so your password would not be needed, or they could have loaded something like a keylogger to obtain the password.
0
 

Author Comment

by:edwardkoo
ID: 17786678
I have done the virus / trojan / rootkit scans and found nothing so far.

The server is a rented dedicated server which I only access via Remote Desktop occasionally, e.g. when a new Windows patch is available, etc. It runs Apache, PHP, MySQL, MailEnable, encrypted FTP and that's it.

The password I use is 15 alphanumeric characters, so I don't think he managed to crack it, can he? And the keylogger would have to be loaded on the PC that I use Remote Desktop from, right? Is a typical Windows server too vulnerable, or are hackers too good nowadays? And I can't figure out why a good hacker would want to hack my server in the first place.

It frustrates me that I don't know which part of the server has security holes now...
0
 
LVL 5

Accepted Solution

by: hbz (earned 1500 total points)
ID: 17790174

It's unlikely that it's your password. I bet it's MailEnable. Are you running Professional or Enterprise? Which version? If you look on their site, you'll see some recent vulnerabilities (and hotfixes). Some of these are exploited by automated tools.

-- hbz
0
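The accepted answer turns the question from "how strong is my password" into "which exposed service is unpatched". An inventory that makes that question answerable, as an added example not taken from the thread: every listening port is matched to the process behind it and its file version, and compared against the services the author says the box should run (Apache, PHP, MySQL, MailEnable, encrypted FTP, Remote Desktop). It assumes Windows Server 2012 or later (Get-NetTCPConnection) and an elevated session; the port-to-service table is the example's own guess at those services' usual ports and must be edited to match the real configuration.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ and an elevated session.

# Ports the server is supposed to expose, per the services the author lists.
# These are the conventional defaults, not the author's actual configuration: edit to match.
$Expected = @{
    80   = 'Apache (HTTP)'
    443  = 'Apache (HTTPS)'
    3306 = 'MySQL'
    25   = 'MailEnable (SMTP)'
    110  = 'MailEnable (POP3)'
    143  = 'MailEnable (IMAP)'
    21   = 'FTP (control)'
    990  = 'FTP over TLS'
    3389 = 'Remote Desktop'
}

# Every TCP listener bound to something other than loopback is reachable from the network.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    Sort-Object LocalPort -Unique

$listeners | ForEach-Object {
    $port = [int]$_.LocalPort
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $exe  = $proc.Path
    # File version of the listening binary: this is what you compare with the vendor's
    # hotfix list (the accepted answer's point about MailEnable).
    $ver  = $(if ($exe) { (Get-Item $exe).VersionInfo.FileVersion })
    [pscustomobject]@{
        Port     = $port
        Address  = $_.LocalAddress
        Process  = $proc.ProcessName
        Binary   = $exe
        Version  = $ver
        Expected = $(if ($Expected.ContainsKey($port)) { $Expected[$port] } else { '*** UNEXPECTED ***' })
    }
} | Sort-Object Port | Format-Table -AutoSize

# Expected services that are NOT listening are also worth knowing: either they are
# correctly bound to loopback only (good for MySQL) or they are not running at all.
$open = $listeners | ForEach-Object { [int]$_.LocalPort }
$Expected.Keys | Where-Object { $_ -notin $open } | Sort-Object |
    ForEach-Object { "not exposed: $_ ($($Expected[$_]))" }
```

Two things to look for in the output: a row marked UNEXPECTED (a listener you did not install is the clearest sign of a foothold), and a known service whose Version predates the vendor's hotfix for a published vulnerability. MySQL showing up as exposed rather than "not exposed" is itself a finding on a box where only the local PHP code should talk to it.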
 

Author Comment

by:edwardkoo
ID: 17800799
Yeah, it seems MailEnable is the most likely.
Thank you all for the comments.
0
