Sbs2011 has been hacked. Foreign users in AD

Hi, I am no expert but I think our server has been hacke. I noticed that windows firewall had been disabled and that a unknown username was logged on to the server
AD and found 5 users I didn't know. Have disabled all vpn ports, and rdp ports. Removed the users and Ann folder related.

Is there a starting point to try and trace how they accessed the network to help remove the threat,? Server is up to date

David LoganDirectorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kash2nd Line EngineerCommented:
This is what I would do.

1. Unplug from network.
2. Change the admin user passwords.
3. Change the passwords for all users.
4. Enable Firewall Back on.
5. Run an AV scan.
6. If server is doing RRAS then go through logs to find out what happened.
7. On the internet router, change the admin password and external access port to some other. don't use common 80,81,8080,8081.
8. If logging is enabled on the router, analyze the logs.

Good luck

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
David AtkinTechnical DirectorCommented:
Do the user names look like they are a persons name?

There are a few built in user and groups in SBS that are used by things like Sharepoint etc.  You need to make sure you're not disabling these.
WORKS2011Austin Tech CompanyCommented:
Check the security logs it will report who's accessing the server, if they fail gain access and the remote IP address they attempt to connect from.

Run sysinternal tools that check for admin account, if you're not 100% certain what the admin account is disable it. Many times hackers will create an account that looks legit give it admin permissions and it's overlooked.
SolarWinds® VoIP and Network Quality Manager(VNQM)

WAN and VoIP monitoring tools that can help with troubleshooting via an intuitive web interface. Review quality of service data, including jitter, latency, packet loss, and MOS. Troubleshoot call performance and correlate call issues with WAN performance for Cisco and Avaya calls

Benjamin Van DitmarsSr Network EngineerCommented:
Please install a firewall in front of the server. never connect a windows server directly to the internet. youre not the first one and wont be the last one with this problem.

also never open remote desktop services to the outside world to anybody use an vpn connection. you can use the vpn of a profesional firewall or use the internal pptp/ipsec vpn of windows.

also look for strange installed problems, and look in every ou in the AD for strange users accounts.

if youre going to use. only allow the users that need this.
force a password change for all users on youre network, just in case
WORKS2011Austin Tech CompanyCommented:
Benjamin Van Ditmars,
I noticed that windows firewall had been disabled and that a unknown username was logged on to the server
Windows firewall not the actual firewall.

Just an FYI
David LoganDirectorAuthor Commented:
Thanks for the advice. We use a programe to manage emails and store them under project numbers. Upgraded our virus scanner to AVG Suite, now have all users and servers protected fully. Found an email with virus stored in a project folder and a few exe's that made no sense, 111.exe etc. Have cleaned out the AD and user folders, seems to be ok now.

Will look at security logs now to try and find IP.

Benjamin, We are a small company and i do what I can so forgive the stupid question, When you say firewall in front of server do you mean software or hardware?.
Benjamin Van DitmarsSr Network EngineerCommented:

youre question is not stupid.
and yes i mean a hardware firewall. or you an use one of the opensource projects.
but i read in youre awser that youre machine was victom from an inside ghost client.

and yes you did exactly what you had to do. with youre antivirus
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.