Solved

Windows Server 2003 being hacked - RDP?

Posted on 2007-11-25
4
2,276 Views
Last Modified: 2013-11-21
I have a Windows 2003 Server that I use for web sites and email.  I access it with remote desktop (RDP).  I noticed today that someone had installed WinRar (not me).  I also found a user account that had been added (again, not me).   No other friendly party has access to this server.  

I changed the Admin password and deleted the bogus account.  However, a new bogus account and RDP login was there within a mater of a few minutes.  Unless I tie up both available RDP sessions myself, this other party is able to add users at will.  

How can I stop this?  The server is behind a firewall, but apparently they have found a crack....
0
Comment
Question by:stratton65
  • 2
4 Comments
 
LVL 29

Expert Comment

by:mass2612
ID: 20348272
Hi,

If this box has been hacked then you really can't trust it again. You may be better off backing up the data and re-building the operating system after performing a low level format of the disks. At a minimum.
Make sure the server is fully patched. Rename the Administrator account. Scan the system for viruses with an up to data package. Do you need RDP access from the Internet to this box? I would not recommend that normally and would have this blocked at the firewall.
0
 
LVL 31

Accepted Solution

by:
Cláudio Rodrigues earned 500 total points
ID: 20349703
To protect you further I recommend installing these two utilities:
- SecureRDP (freeware, http://www.2x.com). This will filter the RDP connection, allowing only certain usernames, computers, IPs, etc to connect to the machine using RDP. I recommend using the client version filter. For that you need to change the client version on your RDP client, to a 4-digit number that only you know. I explain how to do that in this article:
http://www.msterminalservices.org/articles/Customizing-Microsoft-RDP-Client-Part2.html

- RecordTS (30-day fully functional demo at http://www.tsfactory.com). Records all RDP connections to a file, in a video-like format. So basically you will be able to playback and watch any RDP connection that was made to the server and even export these to AVI or Flash. This will allow you to clearly see how they are hacking the box and what they are doing once they are in.

This will help a lot for sure. Also make sure you have Windows Defender running (free from Microsoft) and an anti-virus.

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 

Author Comment

by:stratton65
ID: 20350057
Which program do I download from www.2x.com?  I don't see SecureRDP.
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 20352189
For some reason it is hidden. But you can still get it from here:
http://downloads.2x.com/securerdp/2xsecurerdp.exe

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The 21st century solution to antiquated pagers.
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question