RDS 2012 R2 server appears to have been hacked.  What to do next?

pbh1978 used Ask the Experts™
I have a client running a remote desktop server as a non-dc system in their network.  I noticed that an odd user showed up as a local (non-domain) user on the server.  I was able to change the password and log in as that user.  I found the attached program running.  Obviously, it appears their system has been compromised and used to host this Storm program.  I stopped the program via Task manager and then deleted the downloads that I found.  I then changed the password and disabled the local user and insured that it was not part of the authorized RDS users.  I've changed the domain admin's password and am having the users all change their's as well.  What recommendations does the community have for me regarding next steps.  Any input would be greatly appreciated.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2018

Getting a local account on a machine is not a trivial thing.  It usually means someone had admin access or was able to use a system-level escalation bug to *gain* admin access.  That cannot be understated.

This was either internal and benign.  Internal and *not* benign.  Or a significant admin-level exploit from an external source.

Depending on what the server does, the sensitivity of data that it had access to, and how bad it'd be if that data was disclosed would drastically change the approach used to address the issue. There is no monolithic answer here.
Lee W, MVPTechnology and Business Process Advisor
Most Valuable Expert 2013

I would recommend evaluating your firewall security and logs, changing ALL admin passwords (and potentially renaming admin accounts).  Make sure everything is patched and up-to-date.  And the infected system, I would wipe and reload.
Top Expert 2016
storm is a brute force password cracking tool.  What probably has happened is that someone noticed that you have port 3389 open and added your external ip to the storm brute force tool.
What you should do is (a) not use port 3389 (b) disable the built in  administrator account (c) use a vpn for access (d) implement account lockout protocols i.e lock account for 30 minutes after 3 failed passwords.
pbh1978I.T. Manager


I truly appreciate the input given from all of you.  Take care and thanks again!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial