Status: Solved

server 2008 hacked

I have a hyper-v setup and leave a vm running server 2008 always on.  Today I tried to log in and it said that my clock and the clock on the remote computer were out of sync and I could not log in.  I logged into the hyper-v server then connected to the vm that way.  I saw that there were three users logged in, one was mydomain\david.  I only have two or three users that I created, none of which are David.

Is there any way to figure out how this happened?  When it happened?  What David did?  And how to stop this from happening again?

When I saw this, I just shut down the vm.
Asked: jackjohnson44
1 Solution
 
bigbigpigCommented:
Just start going through the logs.  Find what account created the account 'david' and when it was created.  Look for event ID 4720.
0
 
netcmhCommented:
Assess your situation, offline.
- Go through your logs, especially access logs
- Check your services
- Check your startup, processes and your server directories.

Alternatively, if you can back your data out, I would say nuke it and start from scratch making sure that you have adequate protection on your server and network, opening up only the necessary and patched services that you'd like this server to host.
0
 
jackjohnson44Author Commented:
Thanks, I unplugged the network cable to the internet and went into my server and connected.  When I try to log in I get a "Please wait for the User Profile Service" message that doesn't go away.

I also disabled all accounts on my host except one and changed the password for it before turning this on.  I am not sure if that matters.
0
 
netcmhCommented:
Could be for any of these reasons:

Is the IPv6 disabled on the host machine?

Could be DNS related.

Try disabling the WebClient service
0
 
jackjohnson44Author Commented:
After a long time, it says applying user settings and just hangs.
0
 
jackjohnson44Author Commented:
I finally got in.

When you say go through the logs, what do you mean?

I went in the event viewer, but don't know which area to look in, or where to find 4720.
0
 
jackjohnson44Author Commented:
I found an entry for 4720.

I have a logon with security id "NULL SID", then they added themselves to the admin group, enabled the local admin, then created a user david and gave themselves permissions.
0
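Added example, not part of the thread and not the posters' own code: a PowerShell script that lines up the account-management events around the 4720 bigbigpig pointed at, so the sequence described in this post (group membership change, account enabled, account created) can be read off with a timestamp and the acting account on each line. It assumes PowerShell 2.0 or later (an optional install on Server 2008) and an elevated prompt on the affected VM; the event IDs (4720 created, 4722 enabled, 4724 password reset, 4726 deleted, 4728/4732 member added to a global/local group) and the EventData field names are the standard Windows ones. The `SubjectLogonId` field ties every action back to the logon session it was performed from.

```powershell
# Added example (not from the thread). Requires PowerShell 2.0+ and an elevated
# prompt; event IDs and XML field names are Windows' standard ones.

# Pull a named field out of an event's EventData XML. Properties[] order differs
# between event IDs, so reading the XML by field name is the reliable way.
function Get-EventDataValue {
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

# Account-management events worth lining up around a 4720:
#   4720 account created      4722 account enabled    4724 password reset
#   4726 account deleted      4728 member added to global group
#   4732 member added to local group (e.g. Administrators)
$accountEventIds = 4720, 4722, 4724, 4726, 4728, 4732

function Get-AccountTimeline {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $accountEventIds } -MaxEvents $MaxEvents |
        Sort-Object TimeCreated |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            New-Object PSObject -Property @{
                Time     = $_.TimeCreated
                Id       = $_.Id
                # Who performed the action, and the logon session it was done from
                Actor    = Get-EventDataValue $x 'SubjectUserName'
                ActorSid = Get-EventDataValue $x 'SubjectUserSid'
                LogonId  = Get-EventDataValue $x 'SubjectLogonId'
                # 4720/4722/4724/4726: the account touched.
                # 4728/4732: the group; the added member's SID is in MemberSid.
                Target   = Get-EventDataValue $x 'TargetUserName'
                Member   = Get-EventDataValue $x 'MemberSid'
            }
        }
}

$timeline = Get-AccountTimeline
$timeline | Format-Table Time, Id, Actor, ActorSid, LogonId, Target, Member -AutoSize

# Everything done from the same logon session as the creation of 'david'
# (account name taken from this thread; change it for another case).
$creation = $timeline | Where-Object { $_.Id -eq 4720 -and $_.Target -eq 'david' } |
    Select-Object -First 1
if ($creation) {
    "Actions performed in logon session $($creation.LogonId):"
    $timeline | Where-Object { $_.LogonId -eq $creation.LogonId } |
        Format-Table Time, Id, Target, Member -AutoSize
}
```

The `LogonId` shown for the creation event is the same value the matching 4624 logon event carries in its `TargetLogonId` field, which is how the account creation is traced back to the session, account and source address it came in on.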
 
jackjohnson44Author Commented:
It looks like David downloaded a file called gamma28.zip to his desktop, which contains mmail.zip and mpatch.zip.

I am really scared to put this back on the network.  I deleted his account and reset the admin password.  I am not sure how he could have got into my system.
0
 
bigbigpigCommented:
Is this system accessible from outside your LAN?  Do you see a lot of failed logon attempts?  A lot of times hackers will go through a password dictionary until something works.  Make sure you have strong passwords and good password policy like account lockouts after failed attempts.  For now change passwords for all user accounts with admin or elevated privileges.
0
 
jackjohnson44Author Commented:
It is accessible outside my LAN.  I remote into it.  I see a ton of login attempts but I can't find the login name that they tried.  Is there any way to determine that?  I changed all passwords.

How can I set the account lockout policy?
0
 
bigbigpigCommented:
Either group policy or local security policy.  I'll give you more detail when I get back to my desk.
0
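Added example, not from the thread: the Local Security Policy lockout settings bigbigpig refers to can be read and set from an elevated prompt with the built-in `net accounts` command, which edits the same policy the Local Security Policy snap-in does. The threshold, duration and window values below are my choice of a reasonable starting point, not values from the thread; for accounts in a domain (the `mydomain\` accounts mentioned above) the effective policy is the domain's, which `net accounts /domain` targets instead.

```powershell
# Added example (not from the thread). Elevated prompt required.
# net.exe is built in; /domain switches each command to the domain policy.

# 1. Show the current policy. "Lockout threshold: Never" means any number of
#    bad passwords can be tried without the account ever locking.
net accounts

# 2. Lock the account for 30 minutes after 5 bad passwords within 30 minutes.
#    Values here are an assumed sensible baseline, not thread-specified ones.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3. Confirm only the lockout lines changed.
net accounts | Select-String -Pattern 'Lockout'
```

A lockout policy slows password guessing but does not stop it, so it belongs alongside strong passwords on every account and exposing Remote Desktop only through a VPN or at least a non-default port; lockouts of a real account show up as event 4740 in the Security log, which is worth watching after enabling this.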
 
jackjohnson44Author Commented:
thanks, this SUCKS!!!

Is there any way to determine what account they used to log in?  It says terminal services.  I assume that is remote desktop.  I really need remote desktop, but that is about it. Basically this is my desktop away from home so I can drop into it while at a client and do my dev work there.  It has visual studio and a lot of tools.

The network is just me at home.  Again, I am a developer and have little to no idea about any sort of security or network stuff.  This is usually set up for me at work.  I have had this system at home for years without issue.
0
 
bigbigpigCommented:
To see who's logging on to your system go to the Event Viewer and create a custom view.  Filter on event 4624, those are logons.  However, it includes type 3 which is network logon (authentication) and there will be zillions in there.  But create the custom view anyway.  After you create the custom view right-click on it and click Properties.  In the Properties box click "Edit Filter".  Check the box to Edit the query manually and paste this in there.  This will make it so only type 2 and type 10 show up (console logon and remote desktop logon).  This way you can see who's logging on, where from, and how frequently.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=2 or Data=10)]]</Select>
  </Query>
</QueryList>

0
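Added example, not the poster's code: the same query bigbigpig gives for the custom view can be fed straight to `Get-WinEvent -FilterXml` and the results tabulated by account, logon type and source address. The second query answers the earlier question about the failed attempts: in a 4625 event the `TargetUserName` field is the account name the attacker tried and `IpAddress` is where the attempt came from, so grouping on those two shows which names and addresses dominate. Assumes PowerShell 2.0 or later and an elevated prompt; the field names and the 4625 status codes in the comments are the standard Windows ones.

```powershell
# Added example (not from the thread). Requires PowerShell 2.0+ and an elevated prompt.

# Pull a named field out of an event's EventData XML by name.
function Get-EventDataValue {
    param([xml]$EventXml, [string]$Name)
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { $null }
}

# The query from the custom-view instructions above: 4624 logons of type 2
# (console) and type 10 (Remote Desktop) only.
$logonQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=2 or Data=10)]]</Select>
  </Query>
</QueryList>
"@

# Failed logons, all types. Status 0xC0000064 = no such user,
# 0xC000006A = wrong password; both are typical of dictionary attempts.
$failedQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4625)]]</Select>
  </Query>
</QueryList>
"@

function Convert-LogonEvent {
    param($Event)
    $x = [xml]$Event.ToXml()
    New-Object PSObject -Property @{
        Time        = $Event.TimeCreated
        EventId     = $Event.Id
        Account     = (Get-EventDataValue $x 'TargetDomainName') + '\' + (Get-EventDataValue $x 'TargetUserName')
        LogonType   = Get-EventDataValue $x 'LogonType'
        SourceIp    = Get-EventDataValue $x 'IpAddress'
        Workstation = Get-EventDataValue $x 'WorkstationName'
        Status      = Get-EventDataValue $x 'Status'       # populated on 4625 only
        LogonId     = Get-EventDataValue $x 'TargetLogonId' # populated on 4624 only
    }
}

# Successful console/RDP logons, newest first: who, from where, how often.
Get-WinEvent -FilterXml $logonQuery -MaxEvents 200 |
    ForEach-Object { Convert-LogonEvent $_ } |
    Format-Table Time, Account, LogonType, SourceIp, Workstation, LogonId -AutoSize

# Failed logons grouped by attempted account and source address.
Get-WinEvent -FilterXml $failedQuery -MaxEvents 5000 |
    ForEach-Object { Convert-LogonEvent $_ } |
    Group-Object Account, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

`Get-WinEvent` reports an error rather than an empty table when a query matches nothing, so a missing 4625 section simply means no failed logons survived in the log. The `LogonId` column on the 4624 rows is the value that account-management events (4720 and friends) carry as `SubjectLogonId`, which links an account creation back to the RDP session that performed it.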
 
jackjohnson44Author Commented:
Thanks for all your help.  I haven't been able to test this out yet, but I can over the weekend.  I didn't want to leave the question open because EE is telling me to close it.
0
Question has a verified solution.