Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Server hijacked??

Posted on 2011-09-14
5
Medium Priority
?
302 Views
Last Modified: 2012-05-12
I monitor several small Windows 2003 servers from afar.  For all but one I use Remote Desktop Connection with static IP addresses.  For one client who doesn't have, and doesn't want to pay for, a static IP, I decided to use GoToMyPC, which works fine.

However, yesterday we noticed that there were several new programs on the server and Symantec Endpoint Protection and Backup Exec were gone, as in uninstalled.  The client is the only other person with the server password, and he didn't do it.  No one else knows the credentials to access the server by GoToMyPC.

I changed the password on the server, but am at a loss as to how this could have happened.  Anything else I should do?
0
Comment
Question by:lgottlieb45
  • 2
  • 2
5 Comments
 

Expert Comment

by:MrMichaelBrownell
ID: 36537569
When was the server last restarted prior to the changes?
Are the install dirs for the symantec apps gone?
What are the new programs?
0
 

Author Comment

by:lgottlieb45
ID: 36538640
The server was last restarted about three weeks ago.  I'm not sure where the install directories would be.  Google Chrome had been installed as well as Mah jongg and some gaming network.
0
 
LVL 5

Accepted Solution

by:
warddhooghe earned 2000 total points
ID: 36546902
What you definitely should do or at least consider:
- run windowsupdate, make sure its up to date, especially when it has services running accessible from the internet. Check/verify this weekly. Don't make it auto-update itselft, but schedule it weekly during a time you can reboot if needed by one of the updates.
- Make sure this machine is properly firewalled. open only the ports that are required. RDP uses 3389 TCP
- Recommendations on password security: minimum 8 digits, enforce complex passwords (C0mp!3X p4ssW0%dS), required to change password every 3 months, password history 10. This can all be set by GPO in the domain policy. If this was not done before, users will be irritated with the changes, but this is very important.  Make no exceptions, even a CEO should understand how important this is.
- Have all user accounts change their passwords. Also change accounts used by services. (if any)
- Check the Active directory and/or local accounts for any new accounts that were not there before. These kids nearly always create backdoor accounts for when their exploit doesnt work anymore.
- If not already, install an anti-virus on it, make sure its updated and then scan completely. Likely you will find a root-kit or some tools used which the AV will detect as a threat.
- GoToMyPC: I dont know this application specifically, but if it has its own password, make sure it is strong like previous recommendation. Make sure you update this software as well, since their is a chance that it has exploits. However, I would personally not use it at all. A better idea would be a no-ip.org or similar dyndns tools as a mean to find the server back with a dynamic IP and use RDP.
- last but not least, rename the "administrator" account. if the OS is in another language, the account will be different, find it and rename it. Preferably something not guessable. The administrator accounts do not lock out when they are brute force attacked.
0
 

Author Closing Comment

by:lgottlieb45
ID: 36560871
We will carefully consider all the strategies you described.  Any chance that this was some robotic process having to do with the gaming network that installed Mah Jjong?
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36568672
Yes, very likely this was a script-kiddy passing by, infecting everything in it's path with it's botnets or whatever they feel like to abuse someone's internet and server resources. Nothing new, been happening for decades.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Rules and regulations were devised in order to maintain the integrity of a system. However, interpretation of rules can be quite tricky.
Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
The viewer will learn how to successfully download and install the SARDU utility on Windows 8, without downloading adware.

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question