Solved

Server hijacked??

Posted on 2011-09-14
5
263 Views
Last Modified: 2012-05-12
I monitor several small Windows 2003 servers from afar.  For all but one I use Remote Desktop Connection with static IP addresses.  For one client who doesn't have, and doesn't want to pay for, a static IP, I decided to use GoToMyPC, which works fine.

However, yesterday we noticed that there were several new programs on the server and Symantec Endpoint Protection and Backup Exec were gone, as in uninstalled.  The client is the only other person with the server password, and he didn't do it.  No one else knows the credentials to access the server by GoToMyPC.

I changed the password on the server, but am at a loss as to how this could have happened.  Anything else I should do?
0
Comment
Question by:lgottlieb45
  • 2
  • 2
5 Comments
 

Expert Comment

by:MrMichaelBrownell
ID: 36537569
When was the server last restarted prior to the changes?
Are the install dirs for the symantec apps gone?
What are the new programs?
0
 

Author Comment

by:lgottlieb45
ID: 36538640
The server was last restarted about three weeks ago.  I'm not sure where the install directories would be.  Google Chrome had been installed as well as Mah jongg and some gaming network.
0
 
LVL 5

Accepted Solution

by:
warddhooghe earned 500 total points
ID: 36546902
What you definitely should do or at least consider:
- run windowsupdate, make sure its up to date, especially when it has services running accessible from the internet. Check/verify this weekly. Don't make it auto-update itselft, but schedule it weekly during a time you can reboot if needed by one of the updates.
- Make sure this machine is properly firewalled. open only the ports that are required. RDP uses 3389 TCP
- Recommendations on password security: minimum 8 digits, enforce complex passwords (C0mp!3X p4ssW0%dS), required to change password every 3 months, password history 10. This can all be set by GPO in the domain policy. If this was not done before, users will be irritated with the changes, but this is very important.  Make no exceptions, even a CEO should understand how important this is.
- Have all user accounts change their passwords. Also change accounts used by services. (if any)
- Check the Active directory and/or local accounts for any new accounts that were not there before. These kids nearly always create backdoor accounts for when their exploit doesnt work anymore.
- If not already, install an anti-virus on it, make sure its updated and then scan completely. Likely you will find a root-kit or some tools used which the AV will detect as a threat.
- GoToMyPC: I dont know this application specifically, but if it has its own password, make sure it is strong like previous recommendation. Make sure you update this software as well, since their is a chance that it has exploits. However, I would personally not use it at all. A better idea would be a no-ip.org or similar dyndns tools as a mean to find the server back with a dynamic IP and use RDP.
- last but not least, rename the "administrator" account. if the OS is in another language, the account will be different, find it and rename it. Preferably something not guessable. The administrator accounts do not lock out when they are brute force attacked.
0
 

Author Closing Comment

by:lgottlieb45
ID: 36560871
We will carefully consider all the strategies you described.  Any chance that this was some robotic process having to do with the gaming network that installed Mah Jjong?
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36568672
Yes, very likely this was a script-kiddy passing by, infecting everything in it's path with it's botnets or whatever they feel like to abuse someone's internet and server resources. Nothing new, been happening for decades.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

The article will include the best Data Recovery Tools along with their Features, Capabilities, and their Download Links. Hope you’ll enjoy it and will choose the one as required by you.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
XMind Plus helps organize all details/aspects of any project from large to small in an orderly and concise manner. If you are working on a complex project, use this micro tutorial to show you how to make a basic flow chart. The software is free when…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now