RDS 2012 R2 server appears to have been hacked. What to do next?
I have a client running a remote desktop server as a non-dc system in their network. I noticed that an odd user showed up as a local (non-domain) user on the server. I was able to change the password and log in as that user. I found the attached program running. Obviously, it appears their system has been compromised and used to host this Storm program. I stopped the program via Task manager and then deleted the downloads that I found. I then changed the password and disabled the local user and insured that it was not part of the authorized RDS users. I've changed the domain admin's password and am having the users all change their's as well. What recommendations does the community have for me regarding next steps. Any input would be greatly appreciated.
precise-hack-storm.PNG
precise-hack-storm-downloads.PNG
precise-hack-storm.PNG
precise-hack-storm-downloads.PNG
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Getting a local account on a machine is not a trivial thing. It usually means someone had admin access or was able to use a system-level escalation bug to *gain* admin access. That cannot be understated.
This was either internal and benign. Internal and *not* benign. Or a significant admin-level exploit from an external source.
Depending on what the server does, the sensitivity of data that it had access to, and how bad it'd be if that data was disclosed would drastically change the approach used to address the issue. There is no monolithic answer here.
This was either internal and benign. Internal and *not* benign. Or a significant admin-level exploit from an external source.
Depending on what the server does, the sensitivity of data that it had access to, and how bad it'd be if that data was disclosed would drastically change the approach used to address the issue. There is no monolithic answer here.
I would recommend evaluating your firewall security and logs, changing ALL admin passwords (and potentially renaming admin accounts). Make sure everything is patched and up-to-date. And the infected system, I would wipe and reload.
storm is a brute force password cracking tool. What probably has happened is that someone noticed that you have port 3389 open and added your external ip to the storm brute force tool.
What you should do is (a) not use port 3389 (b) disable the built in administrator account (c) use a vpn for access (d) implement account lockout protocols i.e lock account for 30 minutes after 3 failed passwords.
What you should do is (a) not use port 3389 (b) disable the built in administrator account (c) use a vpn for access (d) implement account lockout protocols i.e lock account for 30 minutes after 3 failed passwords.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial