Someone is accessing my Exchange Server

Someone has access to my Exchange server, as I was able to see their connection through Task Manager. They were using RDP, I believe. I looked at the users who were able to access my server and found 4 additional users that I did not add. I removed all of them and left only the Administrator account in Remote access. He showed up again. I turned RDP totally off and have not seen him log in yet. For the past 30 minutes he has not shown up.
What other things can I do to deny access to this rogue user?

Karl (Senior Technical Consultant) commented:
Change the admin password to a secure one.

Is the RDP session coming from the internet or has someone connected on your wireless?

kheaney (Author) commented:
I changed the name of admin. Not sure how he was gaining access, as we have wireless. I disabled the wireless connection that may have been compromised.
I will watch for him.
Anything else I could do?

John (Business Consultant, Owner) commented:
Many people set up wireless as unsecured (I have no idea why). Go into your wireless setup, allow only WPA/PSK or better, give it a secure password and that will stop access very quickly. With a strong password, WPA takes quite a bit of effort to crack. .... Thinkpads_User
kheaney (Author) commented:
I disabled all wireless networks on our network and will observe what happens.
kheaney (Author) commented:
How is this remote user able to reboot my server, or is there something he has set up that will make the server reboot?
John (Business Consultant, Owner) commented:
If you still see activity with wireless disabled, then the activity will almost certainly be internal to your network (a fellow employee). .... Thinkpads_User
John (Business Consultant, Owner) commented:
> How is this remote user able to reboot my server?

If they are internal users (or got prior access wirelessly), they only need to use RDP (before you changed things) and run the shutdown command. .... Thinkpads_User
In addition to the admin account, you should check on resetting passwords for service-type accounts, which may have admin-level privileges.
If you don't have account logging enabled, then you should enable account logon auditing (success and failure); then you have another log file to check if needed.
Also, review other account groups such as Server Operators, etc., to make sure nothing new is in there.
If you remember the names of those 4 accounts which appeared, were those created by the 'rogue' user, or are they existing valid accounts?
I would change the passwords on them and then review the Security event log to see if anyone is still trying to access those. If you deleted them, then just recreate new accounts (no admin-level access) and set passwords. You can see if they still try to access those accounts (as failed logon attempts).
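The steps above (preserve the log, turn on logon auditing, review privileged groups, then look for failed and successful remote logons in the Security log) as one added PowerShell script; this is example code, not something posted in the thread. It assumes an elevated PowerShell 5.1 session on the server and an evidence folder path of `C:\evidence`; Event IDs 4624/4625 with LogonType 10 are the RDP (RemoteInteractive) logon events.

```powershell
# Added example (not from the thread): RDP logon triage on the affected server.
# 4624 = logon succeeded, 4625 = logon failed; LogonType 10 = RemoteInteractive (RDP).
param([int]$Days = 7, [string]$EvidenceDir = 'C:\evidence')   # assumed values

# 1. Preserve the raw Security log first, and hash it, so later work cannot alter evidence.
New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null
$export = Join-Path $EvidenceDir ("Security-{0:yyyyMMdd-HHmm}.evtx" -f (Get-Date))
wevtutil epl Security $export
Get-FileHash -Algorithm SHA256 $export |
    Export-Csv (Join-Path $EvidenceDir 'hashes.csv') -Append -NoTypeInformation

# 2. Audit logon success AND failure from now on (the thread's advice).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

# 3. Who can administer the box or connect by RDP? Compare with what you expect.
foreach ($g in 'Administrators', 'Remote Desktop Users') {
    "== Local group: $g"
    Get-LocalGroupMember -Group $g | Select-Object Name, ObjectClass, PrincipalSource
}

# 4. Pull RDP logon events and extract account, source address and outcome.
function Get-RdpLogon {
    param([int]$Days)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a name -> value table.
        $h = @{}
        foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $h[$x.Name] = $x.'#text' }
        # Note: with Network Level Authentication enabled, failed RDP attempts may be
        # recorded with LogonType 3 instead of 10; widen the filter if this list looks empty.
        if ($h['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Result  = if ($_.Id -eq 4624) { 'success' } else { 'FAILED' }
                Account = $h['TargetUserName']
                Source  = $h['IpAddress']
            }
        }
    }
}

$rdp = Get-RdpLogon -Days $Days
$rdp | Export-Csv (Join-Path $EvidenceDir 'rdp-logons.csv') -NoTypeInformation

# Many failures from one address suggest brute force (as noted later in the thread);
# any success from an address you do not recognise is the session to investigate.
$rdp | Group-Object Source, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```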

kheaney (Author) commented:
Great thought... I will do this in 12 hours, as I am away from my network...

Garry Glendown (Consulting and Network/Security Specialist) commented:
Personally, I believe you should cut your losses here: remove anything important from the machine and get going with installing a new server... once there has been somebody on there who knows what (s)he's doing, you can never be sure you have found everything they did...
Also, you may want to set up a transparent capture (e.g. via switch mirror port) to identify the way they came in, what they are doing, etc. on the machine... this should help you identify the way they got into the network to start off with... the first matter of business is to fix the point of intrusion...
If your wireless has been compromised, if you can verify that, then WPA or WPA2 with PSK will get cracked by a determined, 'patient', experienced hacker.
Certificate-based authentication is stronger; use certificates with 2048 bits or so (not the cheaper/lower certificates).
If you use WPA/WPA2, then use long and more complex passphrases/keys.

kheaney (Author) commented:
Great comments... up to this point the network is stable and all wireless access points have been disabled... if it is the wireless, is there an easy way to get the passphrase/keys to the trusted users?

John (Business Consultant, Owner) commented:
I just advise users of the new passphrase. It is just one line in the setup if all else is the same. Otherwise give new instructions; most users can manage. .... Thinkpads_User
Kerem ERSOY (President) commented:

> Someone has access to my Exchange server, as I was able to see their connection through Task Manager. They were using RDP, I believe. I looked at the users who were able to access my server and found 4 additional users that I did not add. I removed all of them and left only the Administrator account in Remote access. He showed up again.

While you were disabling these accounts, did you change the Administrator password? Did you try to run the netstat command and see what address he was using to connect to your server?

> I turned RDP totally off and have not seen him log in yet. For the past 30 minutes he has not shown up.

So you did not come across him after you shut down RDP completely?

> What other things can I do to deny access to this rogue user?

First of all, shutting down wireless and RDP is not a solution, since you don't know how exactly he gained access to your computer, nor whether he found a way to escalate the user privileges or accessed the root account directly.

You need to check your server thoroughly, including a check for any rootkits that he might have left so that he can gain access as soon as he's in your network somehow. Also do a portscan from another machine and make sure that the open/listening ports that you list through netstat are the only ports that you can portscan from outside (a difference might indicate the presence of a rootkit on your system).

You might like to check your logs and see what accounts have been accessed recently. Seeing many access-denied errors might indicate that he was using a brute-force attack. Maybe he was using some keylogger on some personal computer that you use to access the server over the LAN/wireless.

So far what you have done is to prevent him from accessing your server, but you did not do anything to investigate how he was able to access your system. As long as you have done nothing about it, you can't be sure that he won't be coming back. I won't suggest you feel you're done before investigating this incident thoroughly. At the moment you're not even sure that you've stopped him. Maybe he's some employee who understood that you've noticed his hacking and has just stopped his activity for an indeterminate time until you close your investigation. These are all questions that should be answered after a close inspection.

I'll also suggest you use stronger WPA2 keys and integrate them with your Windows server's RADIUS service, and don't use WEP or WPA-PSK, since they are easily breakable keys due to some limitations in their implementation.
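The netstat-versus-external-portscan check described above, as an added PowerShell example (not code from the thread): the host's own list of listening TCP ports, each mapped to its owning process, is compared with the ports a scan from another machine found open. A port reachable from outside but missing from the host's own listing is the discrepancy that warrants a rootkit investigation. `$ExternalOpenPorts` is a constructed sample standing in for real scan results; `Get-NetTCPConnection` needs Windows Server 2012/PowerShell 5.1 or later.

```powershell
# Added example (not from the thread): host-view vs. outside-view listening ports.
function Compare-ListeningPorts {
    param(
        [int[]]$HostListening,      # ports the host itself reports as listening
        [int[]]$ExternalOpenPorts   # ports a scan run from another machine found open
    )
    $hostSet = [System.Collections.Generic.HashSet[int]]::new([int[]]$HostListening)
    $extSet  = [System.Collections.Generic.HashSet[int]]::new([int[]]$ExternalOpenPorts)
    [pscustomobject]@{
        # Open from outside but unknown to the host: hidden listener or wrong host scanned.
        HiddenFromHost = @($extSet  | Where-Object { -not $hostSet.Contains($_) } | Sort-Object)
        # Listening locally but unreachable: usually the firewall, or a loopback-only bind.
        FirewalledOnly = @($hostSet | Where-Object { -not $extSet.Contains($_) } | Sort-Object)
        # Seen by both: every one of these should map to a process you can account for.
        Confirmed      = @($hostSet | Where-Object { $extSet.Contains($_) } | Sort-Object)
    }
}

# Host view: listening TCP sockets with the process that owns each one.
$listeners = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
$listeners | Sort-Object LocalPort | Format-Table -AutoSize

# Constructed sample of what an external scan reported; replace with your scanner's output.
$ExternalOpenPorts = 25, 80, 443, 3389, 51000

$report = Compare-ListeningPorts -HostListening ($listeners.LocalPort | Select-Object -Unique) `
                                 -ExternalOpenPorts $ExternalOpenPorts
"Reachable from outside but NOT in the host's own listing: $($report.HiddenFromHost -join ', ')"
"Listening locally but filtered from outside:            $($report.FirewalledOnly -join ', ')"
"Confirmed by both views:                                 $($report.Confirmed -join ', ')"
```

Run the scan from a machine you trust, since the compromised host's own tools are exactly what a rootkit would tamper with.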

David Johnson, CD, MVP (Owner) commented:
WEP takes about 30 minutes to crack; WPA2 with even an 8-character password (non-dictionary) takes several years, due both to the encryption strength and the way it is designed to work when under attack.

Image that server NOW, and save a copy of EVERY server's logs for analysis. You may want to contact the authorities. You need a security expert there now to do a forensic analysis and to preserve any evidence. All of your router and wireless logs need to be preserved. Right now you can consider your entire network compromised. NO machine can be trusted. This is going to be a very long, expensive route. Do you store any customers' credit card or credit history on your network (ANYWHERE)? Examine the access logs and look for gaps or omissions. You will have to inform management and get legal advice. I hope that you have been compliant with all regulations regarding the security of data and have it in writing; you WILL be asked.

Too bad you panicked and went into defensive mode when going on the offense would have been better, or getting an info security team in right away, or contacting the police. You need a full security analysis, and these people do not come cheap. A penetration test is also not cheap, but cheaper than what you are now faced with.

If you were lax on security updates, and this is proven to be how this person got in, and information is now in the wild (customer credit information) you or the company may be held partially liable in a civil suit.  

Did you delete the accounts or just disable them? Please say you just disabled them, and have a record of your actions (again, you WILL be asked).

Does your company follow the Microsoft security and best practice guidelines? In the areas that you don't, WHY not, and what have you done to mitigate the consequences?

Right now the fox has left the chicken coop with all the virtual chickens he wants.  

You have to backtrack this attack, follow it around and see when it started, where the attacker has gone and what this attacker COULD have accessed (note that I did not say did access), and draw (a) what possible ramifications this access has and (b) what we need to do to protect our company's interests AND our customers.

Until you know differently you can consider everything on your network as being both suspect and compromised.

I'm sorry, but management at the highest level must be brought into this, same with legal, and the FBI (I see you are Central Standard), in the order that I specified: management first, they talk with legal, and then the feds are brought in. Not going to be a good Xmas/New Year for you, but it is a GREAT learning experience.

Now start saving those logs!
Just want to add that I saw an experienced hacker crack WEP in less than 10 minutes (a little over 5 minutes, I think). He was doing some sort of packet injection to make it faster.
He said that WPA just takes longer to crack and that a computer with good GPUs can speed that up. He said less than 2 weeks (but was a little vague).
Even something like TLS/RDP, he said, can be cracked if you can sniff the initial handshake enough times (it speeds it up). He brought up some security websites that mention flaws in SSL/TLS types of connections/implementations; the gist is that if TLS is being repeated and you can sniff it repeatedly (such as IMAP or POP3 over SSL), then the repeated data for the login is the same every time, which aids in the decryption process.
What I got out of it is that a determined hacker has time on his side; if the security infrastructure is 'static', then time is even more on his side. 2048-bit SSL or higher is definitely worth the extra cost over a lot of the cheap SSL certificates that you can purchase.

kheaney (Author) commented:
Thanks for all the great comments.
Kerem ERSOY (President) commented:
You're welcome.
kheaney (Author) commented:
Great comments!