Solved

Server hijacked??

Posted on 2011-09-14
5
276 Views
Last Modified: 2012-05-12
I monitor several small Windows 2003 servers from afar.  For all but one I use Remote Desktop Connection with static IP addresses.  For one client who doesn't have, and doesn't want to pay for, a static IP, I decided to use GoToMyPC, which works fine.

However, yesterday we noticed that there were several new programs on the server and Symantec Endpoint Protection and Backup Exec were gone, as in uninstalled.  The client is the only other person with the server password, and he didn't do it.  No one else knows the credentials to access the server by GoToMyPC.

I changed the password on the server, but am at a loss as to how this could have happened.  Anything else I should do?
0
Comment
Question by:lgottlieb45
  • 2
  • 2
5 Comments
 

Expert Comment

by:MrMichaelBrownell
ID: 36537569
When was the server last restarted prior to the changes?
Are the install dirs for the symantec apps gone?
What are the new programs?
0
 

Author Comment

by:lgottlieb45
ID: 36538640
The server was last restarted about three weeks ago.  I'm not sure where the install directories would be.  Google Chrome had been installed as well as Mah jongg and some gaming network.
0
 
LVL 5

Accepted Solution

by:
warddhooghe earned 500 total points
ID: 36546902
What you definitely should do or at least consider:
- run windowsupdate, make sure its up to date, especially when it has services running accessible from the internet. Check/verify this weekly. Don't make it auto-update itselft, but schedule it weekly during a time you can reboot if needed by one of the updates.
- Make sure this machine is properly firewalled. open only the ports that are required. RDP uses 3389 TCP
- Recommendations on password security: minimum 8 digits, enforce complex passwords (C0mp!3X p4ssW0%dS), required to change password every 3 months, password history 10. This can all be set by GPO in the domain policy. If this was not done before, users will be irritated with the changes, but this is very important.  Make no exceptions, even a CEO should understand how important this is.
- Have all user accounts change their passwords. Also change accounts used by services. (if any)
- Check the Active directory and/or local accounts for any new accounts that were not there before. These kids nearly always create backdoor accounts for when their exploit doesnt work anymore.
- If not already, install an anti-virus on it, make sure its updated and then scan completely. Likely you will find a root-kit or some tools used which the AV will detect as a threat.
- GoToMyPC: I dont know this application specifically, but if it has its own password, make sure it is strong like previous recommendation. Make sure you update this software as well, since their is a chance that it has exploits. However, I would personally not use it at all. A better idea would be a no-ip.org or similar dyndns tools as a mean to find the server back with a dynamic IP and use RDP.
- last but not least, rename the "administrator" account. if the OS is in another language, the account will be different, find it and rename it. Preferably something not guessable. The administrator accounts do not lock out when they are brute force attacked.
0
 

Author Closing Comment

by:lgottlieb45
ID: 36560871
We will carefully consider all the strategies you described.  Any chance that this was some robotic process having to do with the gaming network that installed Mah Jjong?
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36568672
Yes, very likely this was a script-kiddy passing by, infecting everything in it's path with it's botnets or whatever they feel like to abuse someone's internet and server resources. Nothing new, been happening for decades.
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Virus On motherboard 6 85
shadow copies 7 81
What program can open a .sig file image? 6 44
reboot server with scheduled time and week base 4 35
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Viewers will learn how to use the Hootsuite Dashboard.
XMind Plus helps organize all details/aspects of any project from large to small in an orderly and concise manner. If you are working on a complex project, use this micro tutorial to show you how to make a basic flow chart. The software is free when…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question