asked on RDS 2012 R2 server appears to have been hacked. What to do next?
I have a client running a remote desktop server as a non-dc system in their network. I noticed that an odd user showed up as a local (non-domain) user on the server. I was able to change the password and log in as that user. I found the attached program running. Obviously, it appears their system has been compromised and used to host this Storm program. I stopped the program via Task manager and then deleted the downloads that I found. I then changed the password and disabled the local user and insured that it was not part of the authorized RDS users. I've changed the domain admin's password and am having the users all change their's as well. What recommendations does the community have for me regarding next steps. Any input would be greatly appreciated.
precise-hack-storm.PNG
precise-hack-storm-downloads.PNG
precise-hack-storm.PNG
precise-hack-storm-downloads.PNG
Remote AccessWindows Server 2012* Professional Hackers
Last Comment
pbh1978
I would recommend evaluating your firewall security and logs, changing ALL admin passwords (and potentially renaming admin accounts). Make sure everything is patched and up-to-date. And the infected system, I would wipe and reload.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I truly appreciate the input given from all of you. Take care and thanks again!
This was either internal and benign. Internal and *not* benign. Or a significant admin-level exploit from an external source.
Depending on what the server does, the sensitivity of data that it had access to, and how bad it'd be if that data was disclosed would drastically change the approach used to address the issue. There is no monolithic answer here.