Solved

Server hijacked??

Posted on 2011-09-14
5
284 Views
Last Modified: 2012-05-12
I monitor several small Windows 2003 servers from afar.  For all but one I use Remote Desktop Connection with static IP addresses.  For one client who doesn't have, and doesn't want to pay for, a static IP, I decided to use GoToMyPC, which works fine.

However, yesterday we noticed that there were several new programs on the server and Symantec Endpoint Protection and Backup Exec were gone, as in uninstalled.  The client is the only other person with the server password, and he didn't do it.  No one else knows the credentials to access the server by GoToMyPC.

I changed the password on the server, but am at a loss as to how this could have happened.  Anything else I should do?
0
Comment
Question by:lgottlieb45
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 

Expert Comment

by:MrMichaelBrownell
ID: 36537569
When was the server last restarted prior to the changes?
Are the install dirs for the symantec apps gone?
What are the new programs?
0
 

Author Comment

by:lgottlieb45
ID: 36538640
The server was last restarted about three weeks ago.  I'm not sure where the install directories would be.  Google Chrome had been installed as well as Mah jongg and some gaming network.
0
 
LVL 5

Accepted Solution

by:
warddhooghe earned 500 total points
ID: 36546902
What you definitely should do or at least consider:
- run windowsupdate, make sure its up to date, especially when it has services running accessible from the internet. Check/verify this weekly. Don't make it auto-update itselft, but schedule it weekly during a time you can reboot if needed by one of the updates.
- Make sure this machine is properly firewalled. open only the ports that are required. RDP uses 3389 TCP
- Recommendations on password security: minimum 8 digits, enforce complex passwords (C0mp!3X p4ssW0%dS), required to change password every 3 months, password history 10. This can all be set by GPO in the domain policy. If this was not done before, users will be irritated with the changes, but this is very important.  Make no exceptions, even a CEO should understand how important this is.
- Have all user accounts change their passwords. Also change accounts used by services. (if any)
- Check the Active directory and/or local accounts for any new accounts that were not there before. These kids nearly always create backdoor accounts for when their exploit doesnt work anymore.
- If not already, install an anti-virus on it, make sure its updated and then scan completely. Likely you will find a root-kit or some tools used which the AV will detect as a threat.
- GoToMyPC: I dont know this application specifically, but if it has its own password, make sure it is strong like previous recommendation. Make sure you update this software as well, since their is a chance that it has exploits. However, I would personally not use it at all. A better idea would be a no-ip.org or similar dyndns tools as a mean to find the server back with a dynamic IP and use RDP.
- last but not least, rename the "administrator" account. if the OS is in another language, the account will be different, find it and rename it. Preferably something not guessable. The administrator accounts do not lock out when they are brute force attacked.
0
 

Author Closing Comment

by:lgottlieb45
ID: 36560871
We will carefully consider all the strategies you described.  Any chance that this was some robotic process having to do with the gaming network that installed Mah Jjong?
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36568672
Yes, very likely this was a script-kiddy passing by, infecting everything in it's path with it's botnets or whatever they feel like to abuse someone's internet and server resources. Nothing new, been happening for decades.
0

Featured Post

Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
Developer portfolios can be a bit of an enigma—how do you present yourself to employers without burying them in lines of code?  A modern portfolio is more than just work samples, it’s also a statement of how you work.
This video shows how use content aware, what it’s used for, and when to use it over other tools.
Viewers will learn how to use the Hootsuite Dashboard.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question