• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 843

My server is exploited by 3389.exe every couple of weeks, how do I get rid of it

We appear to have been hacked at some point in the past, although we are not able to determine when. Symptoms gradually started to appear: the network becoming unavailable or the server rebooting.

After investigating, I found a few services that should not have been there, and went through the process of identifying and killing the associated processes, then stopping and deleting the services.

All was well for a few weeks, and then we had the director's user account mysteriously deleted from AD Users & Computers.

At the same time the deletion occurred, the event logs showed that 3389.exe had initiated a reboot of the server. From what I can find through Google, the server needs to be rebooted to allow someone to take advantage of a 3389 exploit.

If this is all the result of a hack, how do I go about ensuring it is removed? Or can I block 3389.exe from being initiated?
Asked: adamgab
4 Solutions
 
McKnife commented:
I would reinstall/rebuild from backup any infected machine. If someone has taken control once, only monitoring from a second device could make sure you were able to clean it. As it is a domain controller, this is far from uncritical.
 
samiam41 commented:
I hate to see this happen, but I agree with McKnife. Take this down and rebuild. Do you have a second DC? Have you checked your FW log to see who is attempting to initiate any remote connections that could relate to when the server was rebooted?
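As an added example (not code from the original thread), the following PowerShell triage script gathers the evidence the question describes and the evidence samiam41 asks about: which process and user initiated each reboot (System event 1074), which services run from unusual locations, whether the suspect binary is live, which AD accounts were deleted (Security event 4726), and which RDP logons (4624/4625 with logon type 10) preceded each reboot. It assumes an elevated Windows PowerShell 5.1 session on the affected server, that account-management and logon auditing are enabled, and that the binary is literally named 3389.exe; the look-back window and the suspect name are placeholders to adjust.

```powershell
# Added example, not from the original thread. First-pass triage of the
# symptoms described in the question, using only built-in cmdlets and the
# Windows event logs. Assumptions (not from the thread): run elevated in
# Windows PowerShell 5.1 on the server, Security auditing is enabled for
# account management and logon events, suspect binary is named 3389.exe.

$Suspect = '3389.exe'                 # name reported in the question
$Since   = (Get-Date).AddDays(-60)    # look-back window; adjust as needed

# Flatten an event's EventData section into a hashtable keyed by field name.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = @{}
    $xml  = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# 1. Reboots. System event 1074 (source User32) names the process and the
#    user that requested each orderly restart: param1 is the process path,
#    param7 the user, param3 the reason text.
$reboots = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $_.Properties[0].Value
            User    = $_.Properties[6].Value
            Reason  = $_.Properties[2].Value
            Suspect = ($_.Message -match [regex]::Escape($Suspect))
        }
    }

# 2. Services whose binary lives outside the Windows and Program Files trees.
#    Legitimate software can land here too; the list is a starting point.
$oddServices = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName

# 3. Is the suspect binary running right now?
$liveProcs = Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($Suspect)) -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path, StartTime

# 4. Account deletions. Security event 4726 records the deleted account
#    (TargetUserName) and who deleted it (SubjectUserName).
$deletions = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4726; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Deleted = $d.TargetUserName; By = $d.SubjectUserName }
    }

# 5. RDP logons. 4624 = success, 4625 = failure; LogonType 10 = RemoteInteractive.
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.LogonType -eq '10') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Outcome = $(if ($_.Id -eq 4624) { 'success' } else { 'failure' })
                User    = $d.TargetUserName
                Source  = $d.IpAddress
            }
        }
    }

# 6. Correlate: RDP activity in the hour before each reboot, which answers
#    the "who was connecting when it rebooted" question directly.
$timeline = foreach ($r in $reboots) {
    $window = $rdpLogons | Where-Object { $_.Time -ge $r.Time.AddHours(-1) -and $_.Time -le $r.Time }
    [pscustomobject]@{
        Reboot     = $r.Time
        Process    = $r.Process
        User       = $r.User
        RdpSources = ($window | Select-Object -ExpandProperty Source -Unique) -join ', '
    }
}

$reboots     | Format-Table -AutoSize
$oddServices | Format-Table -AutoSize
$liveProcs   | Format-Table -AutoSize
$deletions   | Format-Table -AutoSize
$timeline    | Format-Table -AutoSize
```

Two caveats before relying on the output: logs on a host that an attacker controls may already have been trimmed, so export the System and Security logs off-box first (for example `wevtutil epl Security C:\evidence\Security.evtx` and copy the file to a clean machine) and run the queries against the copies with `Get-WinEvent -Path`; and none of this replaces the rebuild the answers recommend, it only tells you what to look for in the firewall logs and which accounts were touched.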
 
McKnife commented:
Not only take it down, reset all passwords. You should provide any piece of data on your network as public now as the worst case scenario.
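An added example (not code from the thread) of the "reset all passwords" step above, applied to the AD user population once a clean domain controller is in place. It assumes the ActiveDirectory module is installed, a Domain Admin session against the rebuilt DC, and that the generated temporary passwords are handed to users out of band; the account names in the exclusion lists are placeholders.

```powershell
# Added example, not from the original thread. Bulk reset of every enabled
# AD user password with a random one-time value, forcing a change at next
# logon. Assumptions (not from the thread): ActiveDirectory module present,
# run as Domain Admin against the rebuilt DC, CSV of temporary passwords is
# delivered out of band and destroyed afterwards.

Import-Module ActiveDirectory

# Exactly 64 characters, so masking a random byte with 63 maps uniformly
# onto the alphabet with no modulo bias. '-' and '_' satisfy the
# "non-alphanumeric" class of the default complexity policy.
$Alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'

function New-RandomPassword([int]$Length = 24) {
    $bytes = New-Object byte[] $Length
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return -join ($bytes | ForEach-Object { $Alphabet[$_ -band 63] })
}

# Handled separately, not by this loop: krbtgt needs its own two-step reset
# with a replication wait in between, Guest should stay disabled, and service
# accounts need their dependent services updated at the same moment.
$Exclude         = @('krbtgt', 'Guest')
$ServiceAccounts = @()   # placeholder, e.g. 'svc-backup'; fill in per environment

$users = Get-ADUser -Filter 'Enabled -eq $true' |
    Where-Object { ($Exclude + $ServiceAccounts) -notcontains $_.SamAccountName }

$results = foreach ($u in $users) {
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    try {
        Set-ADAccountPassword -Identity $u -Reset -NewPassword $secure -ErrorAction Stop
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -ErrorAction Stop
        [pscustomobject]@{ User = $u.SamAccountName; TempPassword = $plain; Status = 'reset' }
    } catch {
        [pscustomobject]@{ User = $u.SamAccountName; TempPassword = $null; Status = "failed: $($_.Exception.Message)" }
    }
}

# The CSV holds plaintext one-time passwords: keep it on the admin
# workstation only, hand the values out in person or by phone, then delete it.
$results | Export-Csv -Path .\password-resets.csv -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Run it only after the rebuilt DC is the one authoritative for the domain; resetting passwords on a DC the attacker still controls just gives them the new values. Service and computer accounts are deliberately left out of the loop because a blind reset breaks whatever depends on them; handle those, and the krbtgt account, as their own planned steps.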

 
McKnife commented:
provide (?!) = consider... don't know what caused that typo...
 
adamgab (Author) commented:
Thanks for your comments. This is what I had thought also. I was hoping that someone had the miracle fix. It would have been good to avoid a rebuild as it is our only domain controller.

I do have another box that can be promoted in the meantime. It does, however, mean that I will need to install Exchange there and go through the arduous process of backing up and restoring databases.

Thanks for your input.
 
samiam41 commented:
@McKnife, I was wondering where you were going with that.  ; )

adamgab, sorry to hear that you will be going through a rebuild. I would use this as a good time to document your disaster recovery plans and find out what caused you to be in this place to begin with. Was it loose security protocols, unknown access from other agencies, companies, contractors, etc.? Tighten up your security on your DC and you should be fine. Good luck, mate.

Thanks for the points and grade!
 
adamgab (Author) commented:
From what I can tell, the original exploit could have been around a year ago and had just been lying dormant for some time. I was not involved with looking after this server back then, so I can't be sure how. Over the past 12 months, however, security has been tightened up significantly.

DR plans will definitely be up for review!

Thanks for your help!
 
samiam41 commented:
Great work! You'll do fine, I'm sure. Take care.
