• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2347

Windows Server 2003 being hacked - RDP?

I have a Windows 2003 Server that I use for web sites and email.  I access it with remote desktop (RDP).  I noticed today that someone had installed WinRar (not me).  I also found a user account that had been added (again, not me).   No other friendly party has access to this server.  

I changed the Admin password and deleted the bogus account.  However, a new bogus account and RDP login was there within a matter of a few minutes.  Unless I tie up both available RDP sessions myself, this other party is able to add users at will.  

How can I stop this?  The server is behind a firewall, but apparently they have found a crack....
Asked by: stratton65
1 Solution
 
mass2612 commented:
Hi,

If this box has been hacked then you really can't trust it again. You may be better off backing up the data and re-building the operating system after performing a low level format of the disks. At a minimum.
Make sure the server is fully patched. Rename the Administrator account. Scan the system for viruses with an up to date package. Do you need RDP access from the Internet to this box? I would not recommend that normally and would have this blocked at the firewall.
 
Cláudio Rodrigues (Founder and CEO) commented:
To protect you further I recommend installing these two utilities:
- SecureRDP (freeware, http://www.2x.com). This will filter the RDP connection, allowing only certain usernames, computers, IPs, etc to connect to the machine using RDP. I recommend using the client version filter. For that you need to change the client version on your RDP client, to a 4-digit number that only you know. I explain how to do that in this article:
http://www.msterminalservices.org/articles/Customizing-Microsoft-RDP-Client-Part2.html

- RecordTS (30-day fully functional demo at http://www.tsfactory.com). Records all RDP connections to a file, in a video-like format. So basically you will be able to playback and watch any RDP connection that was made to the server and even export these to AVI or Flash. This will allow you to clearly see how they are hacking the box and what they are doing once they are in.

This will help a lot for sure. Also make sure you have Windows Defender running (free from Microsoft) and an anti-virus.

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
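As an added example (not code from this thread or from the tools named above), a small Python script that applies the two controls the answers recommend, an allowlist of RDP source addresses and a watch on who creates accounts, to constructed security-log records. The event IDs are Windows Server 2003's (624 user account created, 528 successful logon, logon type 10 for Terminal Services); the pipe-separated field layout, the addresses and the user names are constructed for the example.

```python
# Constructed sample records: EventID|User|LogonType|SourceIP|CallerUser
# 528 = successful logon, logon type 10 = RemoteInteractive (RDP);
# 624 = user account created, with the account that performed the creation
# in the CallerUser field. Layout and values are constructed, not real logs.
SAMPLE_LOG = """\
528|Administrator|10|203.0.113.10|-
528|support|10|198.51.100.77|-
624|helpdesk2|-|-|support
528|Administrator|10|203.0.113.10|-
624|backupsvc|-|-|Administrator
"""

# The owner's own workstation address and the account(s) allowed to
# create users; both are constructed placeholders for this example.
ALLOWED_RDP_SOURCES = {"203.0.113.10"}
KNOWN_ADMINS = {"Administrator"}


def parse(log_text):
    """Split each non-empty line into a record dict; '-' marks an empty field."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event_id, user, logon_type, src, caller = line.split("|")
        records.append({"event_id": event_id, "user": user,
                        "logon_type": logon_type, "src": src, "caller": caller})
    return records


def find_alerts(records, allowed_sources, known_admins):
    """Flag RDP logons from outside the allowlist and account creations by
    anyone who is not a known administrator."""
    alerts = []
    for r in records:
        if (r["event_id"] == "528" and r["logon_type"] == "10"
                and r["src"] not in allowed_sources):
            alerts.append(f"RDP logon by {r['user']} from unexpected source {r['src']}")
        if r["event_id"] == "624" and r["caller"] not in known_admins:
            alerts.append(f"account {r['user']} created by non-admin {r['caller']}")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG), ALLOWED_RDP_SOURCES, KNOWN_ADMINS):
        print("ALERT:", alert)
```

The same allowlist is what a firewall rule or SecureRDP's IP filter enforces; the script only shows how the evidence in the security log separates the owner's sessions from the unwanted ones.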
 
stratton65 (Author) commented:
Which program do I download from www.2x.com?  I don't see SecureRDP.
 
Cláudio Rodrigues (Founder and CEO) commented:
For some reason it is hidden. But you can still get it from here:
http://downloads.2x.com/securerdp/2xsecurerdp.exe

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
