Hacker or Automated Process?
Posted on 2013-10-27
I was working on my network all this week using remote desktop from several machines as I went back and forth making various updates. I went home and logged into my terminal server from remote desktop and, to my horror, someone logged in under my credentials and booted me off. I logged back in and booted him off. I shut down my terminal server.
I was using my main Active Directory administrator password. My firewall has a different password, so I think that is intact.
I changed my password. It turns out my virus scanner was expired on the terminal server. I updated it and it found 33 viruses, and I ran a Trojan horse scanner. It appears the server is now clean.
Three days went by and I am at home again and BOOM, it happened again! I was booted off by another login using the same credentials.
Could this be a hacker or is it an open rdp session that I may have left on at work and it just retries and logs back in?
I changed my admin password before I ran the virus scan. Could it have already broadcast my new password to whoever may be tracking?
I don't know what to do at this point. Any help would be greatly appreciated. I'm worried other servers could be compromised.
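
One way to check the question raised in the post above (a stray session left open at work versus a login from somewhere else), added here as an example that is not part of the original post: list the Remote Desktop logons and session reconnects for the affected account from the terminal server's Security log, grouped by source address. The account name and the 14-day window are placeholders, and the script assumes logon auditing is enabled on the server.

```powershell
# Added example, not from the original post. Run elevated on the terminal server.
$Account = 'Administrator'          # placeholder: the account that was taken over
$Since   = (Get-Date).AddDays(-14)  # placeholder: look-back window

# 4624 = successful logon, 4778 = RDP session reconnected
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4778; StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($e.Id -eq 4624) {
        # LogonType 10 = RemoteInteractive (Remote Desktop); skip everything else
        if ($data['LogonType'] -ne '10') { continue }
        $user = $data['TargetUserName']; $src = $data['IpAddress']; $client = $data['WorkstationName']
    } else {
        $user = $data['AccountName']; $src = $data['ClientAddress']; $client = $data['ClientName']
    }
    if ($user -ne $Account) { continue }

    New-Object PSObject -Property @{
        Time = $e.TimeCreated; EventId = $e.Id; Source = $src; Client = $client
    }
}

# One line per source address: how often, from which client name, first and last seen
$rows | Group-Object Source | Sort-Object Count -Descending | ForEach-Object {
    $t = @($_.Group | Sort-Object Time)
    New-Object PSObject -Property @{
        Source  = $_.Name
        Count   = $_.Count
        Clients = ($_.Group | ForEach-Object { $_.Client } | Sort-Object -Unique) -join ','
        First   = $t[0].Time
        Last    = $t[-1].Time
    }
} | Format-Table Source, Count, Clients, First, Last -AutoSize
```

A source address that belongs to one of your own workstations, with times matching the moments you were booted off, points to a session left open there; an address you do not recognise means the credentials are being used from elsewhere.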