We help IT Professionals succeed at work.

RDS 2012 R2 server appears to have been hacked.  What to do next?

178 Views
Last Modified: 2018-09-11
I have a client running a remote desktop server as a non-dc system in their network.  I noticed that an odd user showed up as a local (non-domain) user on the server.  I was able to change the password and log in as that user.  I found the attached program running.  Obviously, it appears their system has been compromised and used to host this Storm program.  I stopped the program via Task manager and then deleted the downloads that I found.  I then changed the password and disabled the local user and insured that it was not part of the authorized RDS users.  I've changed the domain admin's password and am having the users all change their's as well.  What recommendations does the community have for me regarding next steps.  Any input would be greatly appreciated.
precise-hack-storm.PNG
precise-hack-storm-downloads.PNG
Comment
Watch Question

CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Getting a local account on a machine is not a trivial thing.  It usually means someone had admin access or was able to use a system-level escalation bug to *gain* admin access.  That cannot be understated.

This was either internal and benign.  Internal and *not* benign.  Or a significant admin-level exploit from an external source.

Depending on what the server does, the sensitivity of data that it had access to, and how bad it'd be if that data was disclosed would drastically change the approach used to address the issue. There is no monolithic answer here.
Lee W, MVPTechnology and Business Process Advisor
CERTIFIED EXPERT
Most Valuable Expert 2013

Commented:
I would recommend evaluating your firewall security and logs, changing ALL admin passwords (and potentially renaming admin accounts).  Make sure everything is patched and up-to-date.  And the infected system, I would wipe and reload.
Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
pbh1978I.T. Manager

Author

Commented:
I truly appreciate the input given from all of you.  Take care and thanks again!