adamgab asked:
My server is exploited by 3389.exe every couple of weeks, how do I get rid of it
We appear to have been hacked at some point in the past, although we are not able to determine when. Symptoms gradually started to appear: the network becoming unavailable or the server rebooting.
After investigating, we found a few services that should not be there, and went through the process of identifying and killing the associated processes and then stopping and deleting the services.
All was well for a few weeks, and then we had the director's user account mysteriously deleted from AD Users & Computers.
At the same time the deletion occurred, the event logs showed that 3389.exe had initiated a reboot of the server. From what I can find through Google, the server needs to be rebooted to allow someone to take advantage of a 3389 exploit.
If this is all the result of a hack, how do I go about ensuring it is removed? Or can I block 3389.exe from being initiated?
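As an added example that is not part of the thread or any of its answers: a defender's first check for the two symptoms described above on a Windows server is to pull the restart events that name the initiating process (System log, Event ID 1074) and the account-deletion events (Security log, Event ID 4726) and line them up in time. The process name `3389.exe` is taken from the question; the 30-day window, the 10-minute correlation window and the assumption that account-management auditing is enabled on the DC are mine.

```powershell
# Added example, not from the thread. Run elevated on the affected domain controller.
# Assumptions: process name from the question; look-back and correlation windows chosen here.
$suspect = '3389.exe'
$since   = (Get-Date).AddDays(-30)

# Event 1074 (source User32) message reads:
# "The process <path> has initiated the restart of computer <host> on behalf of user <user> ..."
# so the initiating binary can be matched directly in the message text.
$reboots = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074; StartTime = $since } `
              -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($suspect) } |
            Select-Object TimeCreated, MachineName, Message)

# Event 4726 "A user account was deleted" is written by the DC that processed the deletion
# and only if "Audit User Account Management" is enabled (assumption: it is).
$deletions = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4726; StartTime = $since } `
                -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } })

"Restarts initiated by $suspect since $since : $($reboots.Count)"
$reboots   | Format-List
"User account deletions (4726) since $since : $($deletions.Count)"
$deletions | Format-Table -AutoSize

# Correlate: a deletion within 10 minutes of a suspect-initiated restart deserves a closer look,
# since the question reports both happening at the same time.
foreach ($r in $reboots) {
    $near = $deletions | Where-Object {
        [math]::Abs(($_.TimeCreated - $r.TimeCreated).TotalMinutes) -le 10
    }
    if ($near) {
        "Deletion(s) near the restart at $($r.TimeCreated):"
        $near | Format-Table -AutoSize
    }
}
```

If the Security log returns nothing, check that account-management auditing is actually enabled before concluding no deletion was logged; the rebuild the answers recommend does not depend on this result, but the timeline helps scope what else was touched.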
ASKER CERTIFIED SOLUTION
This solution is only available to members. To access this solution, you must be a member of Experts Exchange.
@McKnife, I was wondering where you were going with that. ; )
adamgab, sorry to hear that you will be going through a rebuild. I would use this as a good time to document your disaster recovery plans and find out what caused you to be in this place to begin with. Was it loose security protocols, unknown access from other agencies, companies, contractors, etc.? Tighten up your security on your DC and you should be fine. Good luck mate.
Thanks for the points and grade!
ASKER
From what I can tell, the original exploit could have been around a year ago and had just been lying dormant for some time. I was not involved with looking after this server back then, so I can't be sure how. Over the past 12 months, however, security has been tightened up significantly.
DR plans will definitely be up for review!
Thanks for your help!
Great work! You'll do fine I'm sure. Take care.
ASKER
I do have another box that can be promoted in the meantime. It does, however, mean that I will need to install Exchange there and go through the arduous process of backing up and restoring databases.
Thanks for your input.