Wonder if you could help!!
We had an out-of-date Symantec Corporate V10 running on a 2003 SP2 terminal server. This was updated and it found a program, X-Scan V3.3, installed on it. It dealt with it, but whilst checking the system out I found that the local Guest account had been enabled and made a member of Administrators and Remote Desktop Users!! I disabled the account, removed the rights and set a secure password (could not delete the user as it is a built-in account). Ran a full scan and it came up clean. Installed Windows Defender and after a full scan it says "No unwanted or harmful software detected. Your computer is running normally". Installed Baseline Security Analyzer and it came back as OK bar a few "important" Office updates which I didn't download at the time. I changed the Administrator password and got all users to reset theirs.
Checked the server the next day and the Guest account had been re-enabled with the same permissions!! This time, Task Manager showed a disconnected Guest session and a program named masssender.exe. Installed Programs listed Advance Mass Sender V4.3 as being installed, which promptly got removed!! Documents and Settings for the Guest user contains install files for the program and X-Scan plus a number of txt files containing email addresses for mass mailing :(
The server is open to RDP connections, but it does sit behind a Sonicwall 1260 firewall that has the Comprehensive Gateway Suite installed (gateway antivirus, antispyware and intrusion prevention)!!!
The security log on the server shows these entries
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
User Name: Guest
Logon ID: (0x0,0x22F7DF3)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: TS2K3
Logon GUID: -
Caller User Name: TS2K3$
Caller Domain: domainname
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 3608
Transited Services: -
Source Network Address: 220.127.116.11
Source Port: 15762
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
I've reported the IP to the ISP via their abuse@ email.
I can clean the server up again and I will be placing a deny rule for that IP on the firewall, but can anyone suggest how he is getting in if all my scans are coming up clean?
Thanks in advance
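The security log entry in the post already answers part of the question: Event ID 528 with Logon Type 10 is a successful Terminal Services (RDP) logon, and it is by the built-in Guest account from an Internet address. The script below, added here as an example and not part of the original post, parses the plain-text event layout shown above (one "Key: Value" block per event, as Event Viewer or dumpel export it) and flags exactly those two conditions: any logon by a built-in account that should stay disabled, and any type-10 logon whose Source Network Address is not a private, loopback or link-local range. The first sample block is the event from the post; the other blocks, the user names, and the internal addresses are constructed to exercise the checks and are not from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Logon types as written into Event ID 528/540 on Windows Server 2003.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive (Terminal Services / RDP)",
    11: "CachedInteractive",
}

# Built-in accounts that should never appear in a successful logon on a
# server. Guest is the one the post found re-enabled.
BUILTIN_WATCHLIST = {"guest"}

# Constructed sample export. Block 1 is the entry from the post (trailer line
# included); blocks 2-4 are made-up entries for the checks, not from the post.
SAMPLE_LOG = """\
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
User Name: Guest
Logon ID: (0x0,0x22F7DF3)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: TS2K3
Source Network Address: 220.127.116.11
Source Port: 15762
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp

Event Type: Success Audit
Event ID: 528
User Name: jsmith
Logon Type: 10
Workstation Name: TS2K3
Source Network Address: 192.168.10.25
Source Port: 3389

Event Type: Success Audit
Event ID: 528
User Name: Guest
Logon Type: 2
Workstation Name: TS2K3
Source Network Address: -
Source Port: -

Event Type: Success Audit
Event ID: 540
User Name: backupsvc
Logon Type: 3
Workstation Name: TS2K3
Source Network Address: 10.0.0.5
Source Port: 1045
"""


@dataclass
class LogonEvent:
    event_id: int
    user: str
    logon_type: int
    source_ip: str
    workstation: str


def _int(fields: Dict[str, str], key: str) -> int:
    """Read an integer field; missing or non-numeric values become 0."""
    try:
        return int(fields.get(key, ""))
    except ValueError:
        return 0


def parse_events(text: str) -> List[LogonEvent]:
    """Split the export into blank-line-separated blocks and keep the
    successful logon events (528 and the network-logon variant 540)."""
    events: List[LogonEvent] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # the "For more information" trailer parses to a junk key and is ignored
                fields[key.strip()] = value.strip()
        event_id = _int(fields, "Event ID")
        if event_id not in (528, 540):
            continue
        events.append(LogonEvent(event_id, fields.get("User Name", ""),
                                 _int(fields, "Logon Type"),
                                 fields.get("Source Network Address", "-"),
                                 fields.get("Workstation Name", "")))
    return events


def is_external(addr: str) -> bool:
    """True when the address is Internet-routable. The '-' Windows writes for
    a local logon, and any unparseable value, count as not external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(events: List[LogonEvent]) -> List[Tuple[LogonEvent, List[str]]]:
    """Return each suspicious event with the reasons it was flagged."""
    findings = []
    for ev in events:
        reasons = []
        if ev.user.lower() in BUILTIN_WATCHLIST:
            reasons.append("built-in account %s logged on" % ev.user)
        if ev.logon_type == 10 and is_external(ev.source_ip):
            reasons.append("RDP logon from Internet address %s" % ev.source_ip)
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in triage(parse_events(SAMPLE_LOG)):
        print("%s %s %s: %s" % (ev.user, LOGON_TYPES.get(ev.logon_type, "?"),
                                ev.source_ip, "; ".join(reasons)))
```

Run against a full export of the Security log from the affected server rather than the four sample blocks; every type-10 logon from an external address is a session someone opened across the Internet through the firewall's RDP port forward, and a Guest logon of any type after the account was disabled dates the re-enabling to within the audit trail. The script only reads what was pasted; it does not change the account state on the server.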