troubleshooting Question
RDS 2012 R2 server appears to have been hacked. What to do next?
asked on
I have a client running a remote desktop server as a non-dc system in their network. I noticed that an odd user showed up as a local (non-domain) user on the server. I was able to change the password and log in as that user. I found the attached program running. Obviously, it appears their system has been compromised and used to host this Storm program. I stopped the program via Task manager and then deleted the downloads that I found. I then changed the password and disabled the local user and insured that it was not part of the authorized RDS users. I've changed the domain admin's password and am having the users all change their's as well. What recommendations does the community have for me regarding next steps. Any input would be greatly appreciated.
precise-hack-storm.PNG
precise-hack-storm-downloads.PNG
precise-hack-storm.PNG
precise-hack-storm-downloads.PNG
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 4 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.
The Distinguished Expert awards are presented to the top veteran and rookie experts to earn the most points in the top 50 topics.