• Status: Solved

DUBrute.exe help

Hi all,

Our SBS 2003 server has been getting a number of attacks recently. For example, on the monitoring and reporting sections (and in the daily reports) we are getting security events 529 (e.g. in this case 729 instances of bad logins for a user which doesn't exist on the network). Now we have had an attack on the administrator user too (although the password is strong so thought was ok).

Now after RDPing into the server I have had a number of Windows report error messages for a DUBrute.exe file. After googling what this is, it appears it is a brute force attack program.

Now my question is: has someone managed to access the server? If so, how can I check and secure everything again? Now as far as I can see there is nothing missing etc.

Thanks in advance.

Matt
 
flynny (Author) Commented:
Any ideas on this, guys?
 
Cris Hanna Commented:
Close port 3389 on your router...
You might consider installing and running Malwarebytes on the server and do a complete scan.
Disable whatever AV you have on the server before you do. I would also disable Exchange services while running the scan.

And consider changing the Administrator password... needs to be complex: 1 cap, 1 small, 1 number and 1 special character, at least 7 characters long.
 
flynny (Author) Commented:
Hi Chris.

Many thanks for the reply.

I immediately changed the password. I found it strange because the password was very complex. So I'm amazed they managed to get in.

I'll run the Malwarebytes scan and update.

Regarding closing port 3389, I will still require RDP access. Is there any way I can increase security? I have read about SSH with the login? Would you recommend this? Or is there a better alternative?

 
Cris Hanna Commented:
Since this is an SBS server you should be connecting through Remote Web Workplace using HTTPS (port 80 should be closed on the firewall as well). They probably did not gain access, and thus all the 529 errors and errors with the .exe program.
 
flynny (Author) Commented:
Hi Chris,

Sorry for the delayed response. Final question: how should I close the 3389 and 80 ports? (Sorry for the extremely basic question.)

Can I simply remove the port forwarding of 80 and 3389 to the server?
 
Cris Hanna Commented:
On your firewall/router you must have set up port forwarding rules for port 80 and 3389.
Either "uncheck" the rule or delete the rule.
 
flynny (Author) Commented:
Yes I have, just wanted to double check this, thanks for the help.

I'll update if there's any probs.
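
One way to check whether a burst of 529 failures was ever followed by a successful logon, added here as an example that is not part of the original thread. It assumes the Security log has been exported to CSV with the constructed column names shown, and uses the Windows 2003 event IDs 529 (failed logon) and 528 (successful logon) with logon type 10 for RDP; the sample rows and addresses are constructed.

```python
import csv
import io
from collections import defaultdict

FAILED_LOGON = 529        # Windows 2003: unknown user name or bad password
SUCCESSFUL_LOGON = 528    # Windows 2003: successful logon
REMOTE_INTERACTIVE = 10   # logon type used by Terminal Services / RDP

# Constructed sample export (assumed columns, documentation-range addresses).
SAMPLE_CSV = """time,event_id,logon_type,user,source_ip
2012-03-01T02:10:01,529,10,admin1,203.0.113.7
2012-03-01T02:10:03,529,10,Administrator,203.0.113.7
2012-03-01T02:10:05,529,10,Administrator,203.0.113.7
2012-03-01T02:10:09,528,10,Administrator,203.0.113.7
2012-03-01T08:30:00,529,10,matt,198.51.100.20
2012-03-01T08:30:20,528,10,matt,198.51.100.20
2012-03-01T03:00:00,529,10,test,192.0.2.55
2012-03-01T03:00:02,529,10,scanner,192.0.2.55
2012-03-01T03:00:04,529,10,Administrator,192.0.2.55
"""

def triage(csv_text, threshold=3):
    """Per source: failed-logon count, names tried, and any RDP success that
    followed at least `threshold` failures from that same source."""
    report = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": []})
    # ISO-8601 timestamps sort correctly as plain strings.
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    for row in rows:
        entry = report[row["source_ip"]]
        event_id, logon_type = int(row["event_id"]), int(row["logon_type"])
        if event_id == FAILED_LOGON:
            entry["failures"] += 1
            entry["users"].add(row["user"])
        elif (event_id == SUCCESSFUL_LOGON and logon_type == REMOTE_INTERACTIVE
              and entry["failures"] >= threshold):
            entry["success_after"].append((row["time"], row["user"]))
    return dict(report)

def suspected_compromise(report):
    """Sources whose failure burst was followed by a successful RDP logon."""
    return sorted(ip for ip, e in report.items() if e["success_after"])

if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    for ip, entry in sorted(result.items()):
        print(ip, entry["failures"], sorted(entry["users"]), entry["success_after"])
    print("review first:", suspected_compromise(result))
```

A source with many failures and no later 528 matches the "probably did not gain access" reading above; a source that does appear in `suspected_compromise` is the one to investigate first.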
