pbh1978
asked on

RDS 2012 R2 server appears to have been hacked. What to do next?

I have a client running a remote desktop server as a non-DC system in their network. I noticed that an odd user showed up as a local (non-domain) user on the server. I was able to change the password and log in as that user. I found the attached program running. Obviously, it appears their system has been compromised and used to host this Storm program. I stopped the program via Task Manager and then deleted the downloads that I found. I then changed the password and disabled the local user and ensured that it was not part of the authorized RDS users. I've changed the domain admin's password and am having the users all change theirs as well. What recommendations does the community have for me regarding next steps? Any input would be greatly appreciated.
precise-hack-storm.PNG
precise-hack-storm-downloads.PNG


8/22/2022 - Mon
Cliff Galiher

Getting a local account on a machine is not a trivial thing.  It usually means someone had admin access or was able to use a system-level escalation bug to *gain* admin access.  That cannot be understated.

This was either internal and benign.  Internal and *not* benign.  Or a significant admin-level exploit from an external source.

Depending on what the server does, the sensitivity of the data it had access to, and how bad it'd be if that data was disclosed, the approach used to address the issue would change drastically. There is no monolithic answer here.
Lee W, MVP

I would recommend evaluating your firewall security and logs, changing ALL admin passwords (and potentially renaming admin accounts).  Make sure everything is patched and up-to-date.  And the infected system, I would wipe and reload.
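
One way to start the log review recommended above, before the server is wiped. This is an added example, not part of the thread and not code from any of the posters; the 30-day window and the helper names `ConvertTo-EventRow` and `Get-SecurityRows` are assumptions made for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the affected server.
# $Days is an assumed look-back window; adjust to how far back the log reaches.
$Days  = 30
$Start = (Get-Date).AddDays(-$Days)

# Flatten an event record's named EventData fields into one object.
function ConvertTo-EventRow {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $xml = [xml]$Record.ToXml()
        $row = [ordered]@{ TimeCreated = $Record.TimeCreated; Id = $Record.Id }
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$row
    }
}

# Read the given event IDs from the Security log within the look-back window.
function Get-SecurityRows {
    param([int[]] $Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Start } `
        -ErrorAction SilentlyContinue | ConvertTo-EventRow
}

# 4720 = local account created, 4732 = member added to a local group
# (for 4732, TargetUserName is the group, e.g. Administrators or
# Remote Desktop Users), 1102 = Security log cleared (its detail is in
# UserData, so only the time and Id columns are filled for it).
# SubjectUserName is the account that performed the change.
Get-SecurityRows -Id 4720, 4732, 1102 | Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, SubjectUserName, TargetUserName, MemberSid -AutoSize

# 4624 with LogonType 10 = RemoteInteractive (RDP) logon. Group by account
# and source address to see which accounts logged on over RDP, and from where.
Get-SecurityRows -Id 4624 | Where-Object { $_.LogonType -eq '10' } |
    Group-Object TargetUserName, IpAddress | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The output is only as complete as the audit policy and log retention allow: if account-management or logon auditing was off, or the Security log has rolled over or been cleared, the creation of the odd local user will not appear.
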
ASKER CERTIFIED SOLUTION
David Johnson, CD

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
pbh1978

ASKER
I truly appreciate the input given from all of you.  Take care and thanks again!