I am currently managing a SQL Server 2008 R2. I've installed programs such as McAfee Enterprise + AntiSpyware Enterprise 8.8, Kaspersky TDSSKILLER and Malwarebytes 22.214.171.1240. These programs are scheduled to run/update every day. In addition, we are using RDS w/ user CAL licensing, which I hear is not secure, but we need it.
A few weeks ago, we encountered a type of malware called ransomware on our server, and I thought that I had successfully removed it. Unfortunately, that led to another issue: I noticed a keylogger program planted on my server that McAfee picked up. Here is the log:
- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe C:\Windows\AppCompat\KAward\rsasws.exe Keylog-AwardKey (Virus)
- C:\Windows\Explorer.EXE E:\decrypterpv\dc.exe Ransom-BA (Trojan)
- C:\Users\sys\Desktop\Setup.exe C:\ProgramData\uklpr\KLKlMon.dll Keylog-Ultimate.dll (Virus)
The software ran another scan last night and picked up:
- 3:04:49 AM Deleted administrator ODS(Full Scan) c:\Documents and Settings\sys\Desktop\Setup.exe\9.nsis Keylog-Ultimate.dll (Virus)
- 3:04:59 AM Delete failed (Clean failed) administrator ODS(Full Scan) c:\Users\sys\Desktop\Setup.exe\9.nsis Keylog-Ultimate.dll (Virus)
- 4/6/2012 3:05:08 AM Deleted (Clean failed) administrator ODS(Full Scan) c:\Documents and Settings\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis Keylog-Ultimate.dll (Virus)
- 4/6/2012 3:05:18 AM Delete failed (Clean failed) administrator ODS(Full Scan) c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis Keylog-Ultimate.dll (Virus)
How do I prevent this? Are they getting into my network through a backdoor? Does RDS play a big role in this case? Is there another level of security I can implement? I'd appreciate your help!