flynny
asked on
DUBrute.exe help
Hi all,
Our SBS 2003 server has been getting a number of attacks recently. For example, on the monitoring and reporting sections (and in the daily reports) we are getting security events 529 (e.g. in this case 729 instances of bad logins for a user which doesn't exist on the network). Now we have had an attack on the administrator user too (although the password is strong so thought was ok).
Now after RDPing into the server I have had a number of Windows report error messages for a DUBrute.exe file. After googling what this is, it appears it is a brute force attack program.
Now my question is, has someone managed to access the server? If so, how can I check and secure everything again? Now as far as I can see there is nothing missing etc.
Thanks in advance.
Matt
ASKER
Hi Chris.
Many thanks for the reply.
I immediately changed the password. I found it strange because the password was very complex. So I'm amazed they managed to get in.
I'll run the Malwarebytes scan and update.
Regarding closing port 3389, I will still require RDP access. Is there any way I can increase security? I have read about SSH with the login? Would you recommend this? Or is there a better alternative?
Since this is an SBS server you should be connecting via Remote Web Workplace using HTTPS (port 80 should be closed on the firewall as well). They probably did not gain access and thus all the 529 errors and errors with the .exe program.
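Added example, not part of the thread: one way to answer the "how can I check" question is to look for a successful RDP logon (event 528 with logon type 10 on Server 2003) from an address that had just produced a run of 529 failures. The CSV layout, column names, threshold and sample rows below are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample export of the Security log (not real data). The column
# names are assumptions; map them from whatever your export tool produces.
SAMPLE = """time,event_id,user,logon_type,source_ip
2012-03-01 02:10:01,529,scanner,10,203.0.113.7
2012-03-01 02:10:04,529,scanner,10,203.0.113.7
2012-03-01 02:11:15,529,administrator,10,203.0.113.7
2012-03-01 02:12:40,529,administrator,10,203.0.113.7
2012-03-01 02:14:30,528,administrator,10,203.0.113.7
2012-03-01 03:00:00,529,test,10,198.51.100.20
2012-03-01 03:00:05,529,test,10,198.51.100.20
2012-03-01 03:00:09,529,test,10,198.51.100.20
2012-03-01 09:01:00,529,jsmith,10,192.0.2.10
2012-03-01 09:01:20,528,jsmith,10,192.0.2.10
"""

FAILED, SUCCESS = "529", "528"  # Server 2003: failed logon / successful logon
REMOTE_INTERACTIVE = "10"       # logon type recorded for RDP sessions


def review_logons(text, threshold=3):
    """Return (failures per source, RDP successes that followed >= threshold failures)."""
    failures = Counter()
    suspicious = []
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: r["time"])
    for row in rows:
        src = row["source_ip"]
        if row["event_id"] == FAILED:
            failures[src] += 1
        elif row["event_id"] == SUCCESS and row["logon_type"] == REMOTE_INTERACTIVE:
            # A success from an address that was just guessing passwords is
            # the case that needs investigating; a lone typo is not flagged.
            if failures[src] >= threshold:
                suspicious.append((row["time"], row["user"], src, failures[src]))
    return failures, suspicious


if __name__ == "__main__":
    failures, suspicious = review_logons(SAMPLE)
    for src, count in failures.most_common():
        print(f"{src}: {count} failed logons (event 529)")
    for when, user, src, count in suspicious:
        print(f"CHECK: {user} logged on via RDP from {src} at {when} after {count} failures")
```

An empty suspicious list only covers the period the exported log still holds, so check the log's retention before relying on it.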
ASKER
Hi Chris,
Sorry for the delayed response. Final question, how should I close the 3389 and 80 ports? (Sorry for the extremely basic question.)
Can I simply remove the port forwarding of 80 and 3389 to the server?
On your firewall/router you must have set up port forwarding rules for port 80 and 3389.
Either "uncheck" the rule or delete the rule.
ASKER
Yes I have, just wanted to double check this, thanks for the help.
I'll update if there's any probs.