RDS 2012 R2 server appears to have been hacked. What to do next?

I have a client running a remote desktop server as a non-DC system in their network. I noticed that an odd user showed up as a local (non-domain) user on the server. I was able to change the password and log in as that user. I found the attached program running. Obviously, it appears their system has been compromised and used to host this Storm program. I stopped the program via Task Manager and then deleted the downloads that I found. I then changed the password and disabled the local user and ensured that it was not part of the authorized RDS users. I've changed the domain admin's password and am having the users all change theirs as well. What recommendations does the community have for me regarding next steps? Any input would be greatly appreciated.

[Attachments: precise-hack-storm.PNG, precise-hack-storm-downloads.PNG]

pbh1978 (I.T. Manager) asked:

Cliff Galiher commented:
Getting a local account on a machine is not a trivial thing. It usually means someone had admin access or was able to use a system-level escalation bug to *gain* admin access. That cannot be understated.

This was either internal and benign, internal and *not* benign, or a significant admin-level exploit from an external source.

What the server does, the sensitivity of the data it had access to, and how bad it would be if that data were disclosed would drastically change the approach used to address the issue. There is no monolithic answer here.
Lee W, MVP (Technology and Business Process Advisor) commented:
I would recommend evaluating your firewall security and logs, changing ALL admin passwords (and potentially renaming admin accounts). Make sure everything is patched and up-to-date. As for the infected system, I would wipe and reload.
David Johnson, CD, MVP (Owner) commented:
Storm is a brute-force password cracking tool. What probably happened is that someone noticed that you have port 3389 open and added your external IP to the Storm brute-force tool.
What you should do is (a) not use port 3389, (b) disable the built-in administrator account, (c) use a VPN for access, and (d) implement account lockout protocols, i.e. lock the account for 30 minutes after 3 failed passwords.
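A triage script that follows Lee W's advice to go through the logs and David Johnson's point that Storm brute-forces accounts over port 3389: this is an added example, not code from anyone in this thread. It assumes an elevated PowerShell session on the affected RDS host, a Security log that still covers the period in question, and the standard Windows event IDs 4720 (user account created) and 4625 (failed logon); the 20-failure threshold is an assumed value you can tune.

```powershell
# Added example (not from the thread): RDS brute-force / rogue-account triage.
# Assumes: run elevated on the affected server; Security log covers the period;
# 4720 = account created, 4625 = failed logon (LogonType 10 = RemoteInteractive,
# but with NLA enabled a failed RDP logon is usually recorded as LogonType 3).
param(
    [int]$Days = 14,
    [int]$Threshold = 20   # assumed value: flag source IPs with at least this many failures
)
$since = (Get-Date).AddDays(-$Days)

# Flatten the EventData of a Security event into a name -> value hashtable.
function Get-EventFields($e) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $d
}

# 1. Local (non-domain) accounts on this member server and whether they are disabled.
"== Local accounts =="
Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, SID | Format-Table -AutoSize

# 2. Which account created local users, and when (event 4720). A rogue local user
#    created by an account that should not have admin rights confirms an escalation.
"== Account creation events (4720) since $since =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventFields $_
        [pscustomobject]@{ Time=$_.TimeCreated; NewAccount=$d.TargetUserName; CreatedBy=$d.SubjectUserName } } |
    Format-Table -AutoSize

# 3. Failed RDP logons (4625) grouped by source IP. A brute-force tool shows up as one
#    or a few IPs with many failures spread across many distinct usernames.
"== Failed RDP logons (4625) by source IP since $since =="
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object { $d = Get-EventFields $_
        if ($d.LogonType -in '3','10') {
            [pscustomobject]@{ Ip=$d.IpAddress; User=$d.TargetUserName; Time=$_.TimeCreated } } } |
    Group-Object Ip | Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp      = $_.Name
            Failures      = $_.Count
            DistinctUsers = ($_.Group.User | Sort-Object -Unique).Count
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Sort-Object Failures -Descending | Format-Table -AutoSize

# 4. Current lockout policy, to compare against the 3 failures / 30 minutes suggested above.
"== Account lockout policy =="
net accounts | Select-String 'Lockout'
```

If the Security log has already rolled over, the 4720 and 4625 sections will be empty; that is itself a finding, since it means the log size or retention on the host was too small to support an investigation.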
pbh1978 (I.T. Manager, author) commented:
I truly appreciate the input given from all of you.  Take care and thanks again!