We appear to have been hacked at some point in the past, although we are not able to determine when. Symptoms gradually started to appear: the network becoming unavailable or the server rebooting.
After investigating, we found a few services that should not be there, and went through the process of identifying and killing the associated processes and then stopping and deleting the services.
All was well for a few weeks, and then we had the director's user account mysteriously deleted from AD Users & Computers.
At the same time the deletion occurred, the event logs showed that 3389.exe had initiated a reboot of the server. From what I can find through Google, the server needs to be rebooted to allow someone to take advantage of a 3389 exploit.
If this is all the result of a hack, how do I go about ensuring it is removed? Or can I block 3389.exe from being initiated?