Server hijacked??

I monitor several small Windows 2003 servers from afar.  For all but one I use Remote Desktop Connection with static IP addresses.  For one client who doesn't have, and doesn't want to pay for, a static IP, I decided to use GoToMyPC, which works fine.

However, yesterday we noticed that there were several new programs on the server and Symantec Endpoint Protection and Backup Exec were gone, as in uninstalled.  The client is the only other person with the server password, and he didn't do it.  No one else knows the credentials to access the server by GoToMyPC.

I changed the password on the server, but am at a loss as to how this could have happened.  Anything else I should do?
lgottlieb45Asked:
Who is Participating?
 
warddhoogheConnect With a Mentor Commented:
What you definitely should do or at least consider:
- run windowsupdate, make sure its up to date, especially when it has services running accessible from the internet. Check/verify this weekly. Don't make it auto-update itselft, but schedule it weekly during a time you can reboot if needed by one of the updates.
- Make sure this machine is properly firewalled. open only the ports that are required. RDP uses 3389 TCP
- Recommendations on password security: minimum 8 digits, enforce complex passwords (C0mp!3X p4ssW0%dS), required to change password every 3 months, password history 10. This can all be set by GPO in the domain policy. If this was not done before, users will be irritated with the changes, but this is very important.  Make no exceptions, even a CEO should understand how important this is.
- Have all user accounts change their passwords. Also change accounts used by services. (if any)
- Check the Active directory and/or local accounts for any new accounts that were not there before. These kids nearly always create backdoor accounts for when their exploit doesnt work anymore.
- If not already, install an anti-virus on it, make sure its updated and then scan completely. Likely you will find a root-kit or some tools used which the AV will detect as a threat.
- GoToMyPC: I dont know this application specifically, but if it has its own password, make sure it is strong like previous recommendation. Make sure you update this software as well, since their is a chance that it has exploits. However, I would personally not use it at all. A better idea would be a no-ip.org or similar dyndns tools as a mean to find the server back with a dynamic IP and use RDP.
- last but not least, rename the "administrator" account. if the OS is in another language, the account will be different, find it and rename it. Preferably something not guessable. The administrator accounts do not lock out when they are brute force attacked.
0
 
MrMichaelBrownellCommented:
When was the server last restarted prior to the changes?
Are the install dirs for the symantec apps gone?
What are the new programs?
0
 
lgottlieb45Author Commented:
The server was last restarted about three weeks ago.  I'm not sure where the install directories would be.  Google Chrome had been installed as well as Mah jongg and some gaming network.
0
 
lgottlieb45Author Commented:
We will carefully consider all the strategies you described.  Any chance that this was some robotic process having to do with the gaming network that installed Mah Jjong?
0
 
warddhoogheCommented:
Yes, very likely this was a script-kiddy passing by, infecting everything in it's path with it's botnets or whatever they feel like to abuse someone's internet and server resources. Nothing new, been happening for decades.
0
All Courses

From novice to tech pro — start learning today.