Have I been Hacked?

Posted on 2009-02-18
Last Modified: 2012-05-06
I think my SBS server has just been hacked...

Yesterday I set up Outlook Web Access and enabled Remote Administration. I also bought and installed a new router. Now, being fairly security conscious, I decided that user A could only connect to Computer A, user B to Computer B and user C could not connect to anything. So, basically, I had disabled Outlook Web Access for some users within one group policy. Checking this, I learnt that during and after a remote login, the original user of the machine will be confronted with a Windows message box saying "Computer Locked, CTRL ALT DELETE to Login", etc.

I asked one of the 'enabled' users to check his mail last night by remotely logging in. Everyone else had checked theirs with no issue except him. This morning he reported that he could not access it because he could not get beyond the login screen: either the username or password was wrong.
The username was fine, and I double-checked he wasn't typing in false data, i.e. a bad password. Nothing.

Today the accounts department had just finished their work using the server for the day. The familiar Windows Update shield was in the far right corner. No obvious problems, except that historically the server has around 500 MB of free space, which is far too little, I accept.
I suddenly noticed my Outlook losing, and then losing entirely, its connection with the server. Checking others in the office, it all started to go very wrong indeed. I could not use Remote Access, and could not bring up another Radmin service (PCAnywhere) to try and log in to it. Plugging a VGA screen into the server revealed that while everyone could still use the Internet (my SBS box is the DNS, I think), it was completely unresponsive and would not even recognise a USB keyboard plugged in.
It then went to a black screen and rebooted. I used the server username and password to access the desktop.

15 minutes later, when all was calm again, I checked the server using the Radmin tools with a view to checking the Event log to try and work out the problem. On connecting, it told me the computer was locked. It can't be, unless someone remotely accessed it, surely!!

The event viewer only gives me a slight indication of an error. One service had been attempting to 'connect'/download or other for 88,000 seconds. Other than that, a few emails stored for a little too long and a POP3 mailbox playing up. Nothing else.

I want to know what you think about this and how you would have reacted given the situation.
The large amount of points available suggests that changes might have to be made to the way IT integrates with the rest of the business as it continues to have more of an effect. I want to know about bandwidth, I want to know about routers, I want to know about the possibility that I've been the victim of a brute-force attack, or that one of the 'higher up' users has mistakenly entered the server username and password into a false website, not our subdomain.
Question by: chriscounter07

    Accepted Solution

    I suggest you look at the GPO changes you made to "disable OWA" for certain users. Make sure those policy changes will not impact the server and its services too.

    How could your users have the admin account name and password?!?!? No one should know that username/password combination except the one who manages the server and the owner of the business.

    Are any of the "users" given domain admin rights?
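
    The two checks the accepted solution asks for (who actually holds Domain Admins, and whether the logs show a brute-force attempt or an unexpected remote session) can be scripted. The script below is an added example, not code from the thread or from the asker's server. It assumes PowerShell 2.0 or later on the SBS domain controller, run as an account that can read the Security log; the parameter names, the `Get-LogonFields` helper and the thresholds are my own choices. Windows Server 2003 logs events 528/540 for successful logons and 529 for bad passwords, while Server 2008 and later log 4624 and 4625, so both sets are handled.

```powershell
# Added triage script (not from the original thread). Assumes PowerShell 2.0 or
# later on the SBS domain controller, run as an account that can read the
# Security log. Server 2003 uses event IDs 528/540 (success) and 529 (bad
# password); Server 2008 and later use 4624 and 4625. Both are handled below.
param(
    [int]$Hours = 48,            # how far back to look
    [int]$FailureThreshold = 10  # failures per user/source worth a closer look
)

$since = (Get-Date).AddHours(-$Hours)

# Pull the attempted account and the source address out of the event text.
# 2003 writes "User Name:" once; 2008+ writes "Account Name:" twice (the subject,
# then the logon being attempted), so the last match is the one wanted.
function Get-LogonFields($entry) {
    $m = [regex]::Matches($entry.Message, 'Account Name:\s+(\S+)')
    if ($m.Count -gt 0) { $user = $m[$m.Count - 1].Groups[1].Value }
    else { $user = [regex]::Match($entry.Message, 'User Name:\s+(\S+)').Groups[1].Value }
    $src = [regex]::Match($entry.Message, 'Source Network Address:\s+(\S+)').Groups[1].Value
    if (-not $src) { $src = [regex]::Match($entry.Message, 'Workstation Name:\s+(\S+)').Groups[1].Value }
    New-Object PSObject -Property @{ Time = $entry.TimeGenerated; User = $user; Source = $src }
}

# 1. Who actually holds Domain Admins? Anything beyond the dedicated admin
#    accounts (and the built-in Administrator) is a finding in its own right.
Write-Host "=== Domain Admins membership ==="
net group "Domain Admins" /domain

$security = Get-EventLog -LogName Security -After $since

# 2. Failed logons grouped by user and source. A burst from one address against
#    one account is the brute-force pattern; a handful from a known PC is a typo.
Write-Host "=== Failed logons since $since (>= $FailureThreshold per user/source) ==="
$security |
    Where-Object { @(529, 4625) -contains $_.EventID } |
    ForEach-Object { Get-LogonFields $_ } |
    Group-Object User, Source |
    Where-Object { $_.Count -ge $FailureThreshold } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Successful Remote Desktop logons to the server (logon type 10). One of these
#    from an address nobody recognises is the simplest explanation for a console
#    that says "Computer Locked" when nobody in the office was at it.
Write-Host "=== Successful RDP (logon type 10) sessions since $since ==="
$security |
    Where-Object { (@(528, 4624) -contains $_.EventID) -and ($_.Message -match 'Logon Type:\s+10') } |
    ForEach-Object { Get-LogonFields $_ } |
    Format-Table Time, User, Source -AutoSize
```

    Run it as `.\triage.ps1 -Hours 72` to cover the period from the router install onwards. If the Security log shows no 529/4625 entries at all over that window, check that logon auditing is actually enabled in the domain policy before concluding there were no attempts; on a default SBS install it usually is, but a log that is silent about failures is not evidence of none.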


    Author Comment

    Three users know the admin credentials. Server owner (myself), business owner & one chief exec. It is a relatively small business, so trust is not an issue here. Noted nonetheless.

    AFAIK no users have been given domain admin rights.

    Are there perhaps some specific things I should be looking for in the server logs? There is one System message displaying an unexpected shutdown. I will check for hardware issues tonight.

    Expert Comment

    I would recommend that all of you use standard user rights for everything except administrative tasks. Then have a second administrative account that each of you uses for necessary administration, with a more complicated password.
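
    The split the comment above recommends (an everyday account with ordinary rights, plus a separate admin account per person) can be done with the built-in `net` commands, which work on Windows Server 2003 as well as later versions. The script below is an added example, not part of the thread. It assumes it runs on the domain controller as a member of Domain Admins; the three account names are placeholders, not the asker's real accounts, and the `-adm` suffix is a naming convention chosen here.

```powershell
# Added example (not from the thread): give each person who currently knows the
# server password a dedicated admin account and take admin rights away from the
# account they use for mail and files. Assumes a Windows domain and that this
# runs on the domain controller as a Domain Admin. The names are placeholders.
$people = @('chris', 'owner', 'exec')

foreach ($name in $people) {
    $adminName = "$name-adm"
    # '*' makes net user prompt for the password instead of leaving it in the
    # script or the shell history; pick a long passphrase unlike the daily one.
    net user $adminName * /add /domain /passwordreq:yes
    net group "Domain Admins" $adminName /add /domain
    # The everyday account keeps mail, files and RDP to its own PC, nothing more.
    net group "Domain Admins" $name /delete /domain
}

# Confirm the result: only the -adm accounts and the built-in Administrator
# should remain. Change the Administrator password afterwards and keep it
# written down offline for emergencies rather than in daily use.
net group "Domain Admins" /domain
```

    After this, the shared "server username & password" from the original post is no longer something anyone types into a web form by mistake: each admin account belongs to one person, so a credential entered into a fake site, or a brute-force hit, points at one account and one owner rather than at the whole business.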
