Link to home
Start Free TrialLog in
Avatar of pbh1978
pbh1978Flag for United States of America

asked on

RDS 2012 R2 server appears to have been hacked. What to do next?

I have a client running a remote desktop server as a non-dc system in their network.  I noticed that an odd user showed up as a local (non-domain) user on the server.  I was able to change the password and log in as that user.  I found the attached program running.  Obviously, it appears their system has been compromised and used to host this Storm program.  I stopped the program via Task manager and then deleted the downloads that I found.  I then changed the password and disabled the local user and insured that it was not part of the authorized RDS users.  I've changed the domain admin's password and am having the users all change their's as well.  What recommendations does the community have for me regarding next steps.  Any input would be greatly appreciated.
precise-hack-storm.PNG
precise-hack-storm-downloads.PNG
Avatar of Cliff Galiher
Cliff Galiher
Flag of United States of America image

Getting a local account on a machine is not a trivial thing.  It usually means someone had admin access or was able to use a system-level escalation bug to *gain* admin access.  That cannot be understated.

This was either internal and benign.  Internal and *not* benign.  Or a significant admin-level exploit from an external source.

Depending on what the server does, the sensitivity of data that it had access to, and how bad it'd be if that data was disclosed would drastically change the approach used to address the issue. There is no monolithic answer here.
I would recommend evaluating your firewall security and logs, changing ALL admin passwords (and potentially renaming admin accounts).  Make sure everything is patched and up-to-date.  And the infected system, I would wipe and reload.
ASKER CERTIFIED SOLUTION
Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of pbh1978

ASKER

I truly appreciate the input given from all of you.  Take care and thanks again!