  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2371

Windows Server 2003 being hacked - RDP?

I have a Windows 2003 Server that I use for web sites and email.  I access it with remote desktop (RDP).  I noticed today that someone had installed WinRar (not me).  I also found a user account that had been added (again, not me).   No other friendly party has access to this server.  

I changed the Admin password and deleted the bogus account.  However, a new bogus account and RDP login was there within a matter of a few minutes.  Unless I tie up both available RDP sessions myself, this other party is able to add users at will.  

How can I stop this?  The server is behind a firewall, but apparently they have found a crack....
Asked: stratton65
1 Solution
 
mass2612 Commented:
Hi,

If this box has been hacked then you really can't trust it again. You may be better off backing up the data and re-building the operating system after performing a low level format of the disks. At a minimum.
Make sure the server is fully patched. Rename the Administrator account. Scan the system for viruses with an up-to-date package. Do you need RDP access from the Internet to this box? I would not recommend that normally and would have this blocked at the firewall.
0
 
Cláudio Rodrigues (Founder and CEO) Commented:
To protect you further I recommend installing these two utilities:
- SecureRDP (freeware, http://www.2x.com). This will filter the RDP connection, allowing only certain usernames, computers, IPs, etc to connect to the machine using RDP. I recommend using the client version filter. For that you need to change the client version on your RDP client, to a 4-digit number that only you know. I explain how to do that in this article:
http://www.msterminalservices.org/articles/Customizing-Microsoft-RDP-Client-Part2.html

- RecordTS (30-day fully functional demo at http://www.tsfactory.com). Records all RDP connections to a file, in a video-like format. So basically you will be able to play back and watch any RDP connection that was made to the server and even export these to AVI or Flash. This will allow you to clearly see how they are hacking the box and what they are doing once they are in.

This will help a lot for sure. Also make sure you have Windows Defender running (free from Microsoft) and an anti-virus.

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 
stratton65 (Author) Commented:
Which program do I download from www.2x.com?  I don't see SecureRDP.
0
 
Cláudio Rodrigues (Founder and CEO) Commented:
For some reason it is hidden. But you can still get it from here:
http://downloads.2x.com/securerdp/2xsecurerdp.exe

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
Question has a verified solution.
