
RDS 2012 R2 server appears to have been hacked.  What to do next?

Asked by pbh1978 (United States of America)
Topics: Remote Access, Windows Server 2012, Professional Hackers
I have a client running a remote desktop server as a non-DC system in their network. I noticed that an odd user showed up as a local (non-domain) user on the server. I was able to change the password and log in as that user. I found the attached program running. Obviously, it appears their system has been compromised and used to host this Storm program. I stopped the program via Task Manager and then deleted the downloads that I found. I then changed the password and disabled the local user and ensured that it was not part of the authorized RDS users. I've changed the domain admin's password and am having the users all change theirs as well. What recommendations does the community have for me regarding next steps? Any input would be greatly appreciated.
Attachments: precise-hack-storm.PNG, precise-hack-storm-downloads.PNG
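The situation described in the question (an unexpected local account on an RDS host, a foreign process, and clean-up already under way) is one where the next useful step is to capture what the host can still tell you before more changes are made. The script below is an added example, not code from the asker or from the accepted answer: it takes a read-only snapshot of the local accounts, the membership of the Remote Desktop Users and Administrators groups, the Security-log events that record account creation (4720), local-group changes (4732) and RDP logons (4624, logon type 10), and the usual persistence locations. It assumes it is run elevated on the affected server with the Security log intact; the output path is a placeholder, and the ADSI and CIM calls are used instead of the newer Get-LocalUser cmdlets so it works on Windows Server 2012 R2 without extra modules.

```powershell
# Added triage example (not from the original post or answer): read-only snapshot of an
# RDS host after an unexpected local account is found. Assumes elevated PowerShell on the
# affected server; $OutDir is a placeholder and should point at external media in practice.
$Since  = (Get-Date).AddDays(-30)
$OutDir = 'C:\IR-Triage'   # placeholder path
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Local (non-domain) accounts with status, so anything unfamiliar stands out.
$LocalUsers = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, Lockout, PasswordRequired, SID
$LocalUsers | Export-Csv "$OutDir\local-users.csv" -NoTypeInformation

# 2. Who can log on over RDP or holds local admin rights (ADSI works on 2012 R2 as-is).
function Get-LocalGroupMembership([string]$GroupName) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        [pscustomobject]@{
            Group  = $GroupName
            Member = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
            Path   = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
    }
}
$Members = 'Remote Desktop Users', 'Administrators' | ForEach-Object { Get-LocalGroupMembership $_ }
$Members | Export-Csv "$OutDir\group-members.csv" -NoTypeInformation

# 3. Security events that explain how the account appeared and who used it:
#    4720 = user account created, 4732 = member added to a security-enabled local group,
#    4624 with LogonType 10 = RemoteInteractive (RDP) logon.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732, 4624; StartTime = $Since } `
    -ErrorAction SilentlyContinue
$Timeline = foreach ($e in $Events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { if ($item.Name) { $d[$item.Name] = $item.'#text' } }
    if ($e.Id -eq 4624 -and $d['LogonType'] -ne '10') { continue }   # keep only RDP logons
    $Detail = switch ($e.Id) {
        4720 { "account '$($d['TargetUserName'])' created by $($d['SubjectUserName'])" }
        4732 { "$($d['MemberName']) added to group '$($d['TargetUserName'])'" }
        4624 { "RDP logon as $($d['TargetDomainName'])\$($d['TargetUserName']) from $($d['IpAddress'])" }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Detail = $Detail }
}
$Timeline | Sort-Object Time | Export-Csv "$OutDir\timeline.csv" -NoTypeInformation

# 4. Common persistence locations to review before trusting the host again.
Get-ScheduledTask | Where-Object { $_.Author -and $_.Author -notlike 'Microsoft*' } |
    Select-Object TaskName, TaskPath, Author, State |
    Export-Csv "$OutDir\scheduled-tasks.csv" -NoTypeInformation
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$RunKeys | ForEach-Object { Get-ItemProperty $_ -ErrorAction SilentlyContinue } |
    Format-List | Out-File "$OutDir\run-keys.txt"
```

The timeline is the part worth reading first: a 4720 event shows which account created the rogue user, a 4732 event shows whether it was added to Remote Desktop Users or Administrators, and the 4624 entries give the source addresses of the RDP sessions that used it. Note that the script only collects; it does not change anything, so it can be run before (or alongside) the password resets and account disabling already described.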
Asker certified solution by David Johnson, CD