My server is exploited by 3389.exe every couple of weeks, how do I get rid of it

We appear to have been hacked at some point in the past, although we are not able to determine when. Symptoms gradually started to appear, network becoming unavailable or server rebooting.

After investigating, found a few services that should not be there, and went through the process of identifying and killing associated processes and then stopping and deleting the services.

All was well for a few weeks and then we had the directors user account mysteriously deleted from AD Users & Computers.

At the same time the deletion occurred the event logs showed that 3389.exe had initiated a reboot of the server.  From what I can find through google, the server needs to be rebooted to allow someone to take advantage of a 3389 exploit.

If this is all the result of a hack, how do I go about ensuring it is removed?  or can I block 3389.exe from being initiated??
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I would reinstall/rebuild from backup any infected machine. If someone has taken control once, only monitoring from off a second device could make sure you were able to clean it. As it is a domain controller, this is far from uncritical.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
I hate to see this happen but agree with McKnife.  Take this down and rebuild.  Do you have a second DC?  Have you checked your FW log to see who is attempting to initate any remote connections that could relate to when the server was rebooted?
Not only take it down, reset all passwords. You should provide any piece of data on your network as public now as the worst case scenario.
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

provide (?!) = consider...don't know what caused that typo...
adamgabAuthor Commented:
Thanks for your comments. This is what I had thought also. I was hoping that someone had the miracle fix. It would have been good to avoid a rebuild as it is our only domain controller.

I do have another box that can be promoted in the meantime. It does however, mean that I will need to install exchange there and go through the arduous process of backing up and restoring databases.

Thanks for your input.
@McKnife, I was wondering where you were going with that.  ; )

adamgab, sorry to hear that you will be going through a rebuild.  I would use this as a good time to document your disaster recovery plans and find out what caused you to be in this place to begin with.  Was it loose security protocols, unknown access from other agencies, companies, contractors, etc..  Tighten up your security on your DC and you should be fine.  Good luck mate.  

Thanks for the points and grade!
adamgabAuthor Commented:
From what I can tell the original exploit could have been around a year ago and had just been lying dormant for some time. I was not involved with looking after this server back then, so i can't be sure how. Over the past 12 months however, security has been tightened up significantly.

DR plans will definitely be up for review !

Thanks for your help!
Great work!  You'll do fine I'm sure.  Take care.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.