David Logan
asked on
Sbs2011 has been hacked. Foreign users in AD
Hi, I am no expert but I think our server has been hacked. I noticed that Windows Firewall had been disabled and that an unknown username was logged on to the server.
Checked AD and found 5 users I didn't know. Have disabled all VPN ports and RDP ports. Removed the users and any related folder.
Is there a starting point to try and trace how they accessed the network to help remove the threat? Server is up to date.
Thanks
David
ASKER CERTIFIED SOLUTION
Check the security logs. They will report who is accessing the server, whether they failed to gain access, and the remote IP address they attempted to connect from.
Run the Sysinternals tools that check for admin accounts; if you're not 100% certain what an admin account is, disable it. Many times hackers will create an account that looks legitimate, give it admin permissions, and it gets overlooked.
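One way to do the log review suggested above, as an added example that is not from the thread: pull logon and account-creation events from the Security log and group them by remote address. It assumes the default Windows Server 2008 R2 / SBS 2011 audit events (4624 successful logon, 4625 failed logon, 4720 user account created) and PowerShell 2.0, which is what SBS 2011 ships with.

```powershell
# Added example, not part of the original thread.
# Assumes default Security auditing on SBS 2011 (Server 2008 R2) and PowerShell 2.0.
$since = (Get-Date).AddDays(-30)

# 4624 = successful logon, 4625 = failed logon, 4720 = user account created
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4720; StartTime = $since
} -ErrorAction SilentlyContinue

# Flatten each event's EventData into one row with the fields we care about
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = $data['TargetUserName']   # account logged on / created
        LogonType = $data['LogonType']        # 3 = network, 10 = RDP; empty for 4720
        SourceIP  = $data['IpAddress']        # '-' or empty for local logons
        Actor     = $data['SubjectUserName']  # who created the account (4720)
    }
}

Write-Host "`n== Failed logons by remote address (many failures from one IP = guessing) =="
$rows | Where-Object { $_.Id -eq 4625 -and $_.SourceIP -and $_.SourceIP -ne '-' } |
    Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

Write-Host "`n== Successful network/RDP logons with source address =="
$rows | Where-Object { $_.Id -eq 4624 -and (@('3','10') -contains $_.LogonType) } |
    Select-Object Time, Account, LogonType, SourceIP |
    Sort-Object Time | Format-Table -AutoSize

Write-Host "`n== Accounts created in the last 30 days and who created them =="
$rows | Where-Object { $_.Id -eq 4720 } |
    Select-Object Time, Account, Actor | Format-Table -AutoSize

# Keep a copy off the server: the log is evidence and may have been rotated or cleared
$rows | Select-Object Time, Id, Account, LogonType, SourceIP, Actor |
    Export-Csv -Path "$env:USERPROFILE\Desktop\security-logons.csv" -NoTypeInformation
```

If the Security log is empty or much shorter than expected, note when it starts: attackers commonly clear it, and event 1102 (audit log cleared) records that.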
Please install a firewall in front of the server. Never connect a Windows server directly to the internet. You're not the first one, and won't be the last one, with this problem.
Also never open Remote Desktop Services to the outside world to anybody; use a VPN connection. You can use the VPN of a professional firewall or use the internal PPTP/IPsec VPN of Windows.
Also look for strange installed programs, and look in every OU in the AD for strange user accounts.
If you're going to use it, only allow the users that need this.
Force a password change for all users on your network, just in case.
Benjamin Van Ditmars,
Just an FYI
"I noticed that windows firewall had been disabled and that a unknown username was logged on to the server" – Windows Firewall, not the actual firewall.
ASKER
Thanks for the advice. We use a program to manage emails and store them under project numbers. Upgraded our virus scanner to AVG Suite; now all users and servers are fully protected. Found an email with a virus stored in a project folder and a few exe's that made no sense, 111.exe etc. Have cleaned out the AD and user folders; seems to be OK now.
Will look at the security logs now to try and find the IP.
Benjamin, we are a small company and I do what I can, so forgive the stupid question: when you say firewall in front of the server, do you mean software or hardware?
David,
Your question is not stupid.
And yes, I mean a hardware firewall. Or you can use one of the open-source projects.
But I read in your answer that your machine was the victim of an inside ghost client.
And yes, you did exactly what you had to do with your antivirus.
There are a few built-in users and groups in SBS that are used by things like SharePoint etc. You need to make sure you're not disabling these.