Solved

Windows Server 2003 being hacked - RDP?

Posted on 2007-11-25
4
2,264 Views
Last Modified: 2013-11-21
I have a Windows 2003 Server that I use for web sites and email.  I access it with remote desktop (RDP).  I noticed today that someone had installed WinRar (not me).  I also found a user account that had been added (again, not me).   No other friendly party has access to this server.  

I changed the Admin password and deleted the bogus account.  However, a new bogus account and RDP login was there within a mater of a few minutes.  Unless I tie up both available RDP sessions myself, this other party is able to add users at will.  

How can I stop this?  The server is behind a firewall, but apparently they have found a crack....
0
Comment
Question by:stratton65
  • 2
4 Comments
 
LVL 29

Expert Comment

by:mass2612
ID: 20348272
Hi,

If this box has been hacked then you really can't trust it again. You may be better off backing up the data and re-building the operating system after performing a low level format of the disks. At a minimum.
Make sure the server is fully patched. Rename the Administrator account. Scan the system for viruses with an up to data package. Do you need RDP access from the Internet to this box? I would not recommend that normally and would have this blocked at the firewall.
0
 
LVL 31

Accepted Solution

by:
Cláudio Rodrigues earned 500 total points
ID: 20349703
To protect you further I recommend installing these two utilities:
- SecureRDP (freeware, http://www.2x.com). This will filter the RDP connection, allowing only certain usernames, computers, IPs, etc to connect to the machine using RDP. I recommend using the client version filter. For that you need to change the client version on your RDP client, to a 4-digit number that only you know. I explain how to do that in this article:
http://www.msterminalservices.org/articles/Customizing-Microsoft-RDP-Client-Part2.html

- RecordTS (30-day fully functional demo at http://www.tsfactory.com). Records all RDP connections to a file, in a video-like format. So basically you will be able to playback and watch any RDP connection that was made to the server and even export these to AVI or Flash. This will allow you to clearly see how they are hacking the box and what they are doing once they are in.

This will help a lot for sure. Also make sure you have Windows Defender running (free from Microsoft) and an anti-virus.

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0
 

Author Comment

by:stratton65
ID: 20350057
Which program do I download from www.2x.com?  I don't see SecureRDP.
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 20352189
For some reason it is hidden. But you can still get it from here:
http://downloads.2x.com/securerdp/2xsecurerdp.exe

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now