Solved

Hacker or Automated Process?

Posted on 2013-10-27
2
213 Views
Last Modified: 2013-11-05
I was working on my network all this week using remote desktop from several machines as I went back and forth making various updates. I went home and logged into my terminal server from remote desktop and to my horror someone logged in under my credentials and booted me off. I logged back in and booted him off. I shut down my terminal server.

I was using my main active directory administrator password. My firewall has a different password. So i think that is in tact.

I changed my password. It turns out my virus scanner was expired on the terminal server. I updated it and it found 33 viruses and I ran a trojen horse scanner. It appears the server is now clean.

Three ays went by and I am at home again and BOOM it happened again! Iwas booted off by another login using same credentials.

Could this be a hacker or is it an open rdp session that I may have left on at work and it just retries and logs back in?

I changed my admin password before I ran the virus scan. Could it have already broadcasted my new password to whomever may be tracking.

I don't know what to do at this point. Any help would be greatly appreciated. I'm worried other servers could be compromised.
0
Comment
Question by:MEATBALLHERO
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 24

Accepted Solution

by:
Dirk Kotte earned 250 total points
ID: 39604230
first, disable external access to the server.

next, you should rebuild your server!
it is not possible to find and clean all viruses, trojan horses or intruder installed programs if the hacker knows what he do.

you should prevent using the the "domain\administrator" account for external logins, because this account is never locked out ... so the hacker has unrestricted attempts to gain the password.

you should use a ssl-/webgateway to preauthenticate the user before he reach the rdp-server / RDP over VPN is a option also.

sorry, but i see no simple solution.
0
 
LVL 15

Assisted Solution

by:cwstad2
cwstad2 earned 250 total points
ID: 39604231
you can try this

http://gallery.technet.microsoft.com/scriptcenter/PowerShell-script-to-Find-d2ba4252

also if you have an account password lockout policy and you have changed your password, it should lock you out if there are any old RDP sessions logging you on with old password. If you're unsure copy the old profile, create a new one and disable the one you suspect of being compromised.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question