
Possible Duplicate:
How do I deal with a compromised server?

Today I opened TCPView to see what was causing a lot of outbound network activity and could only identify svchost.exe on port 3389 (which I understand to be the port used by Remote Desktop).

I ended the process almost immediately.

I've searched for the IP address it was connected to, and discovered it originates in South Korea.

I have just discovered in the Windows Event Viewer under "Applications and Services Log > Microsoft > Windows > TerminalServices-RemoteConnectionManager" almost 2,000 events which read similar to:

Remote Desktop Services: User authentication succeeded:

User: administrator
Domain: 
Source Network Address: 1.214.253.235

I wanted to know if my system has indeed been compromised and whether it is at all possible for me to track any activity; such as file access.

What is the best course of action to take to prevent this happening in future? Or haven't I anything to worry about?

TerryProbert
  • As a home user, you are likely to get better answers geared toward a home setting at our sister site Super User. Server Fault is intended for professional settings, and often the answers which work for a business don't do so well in a home setting and vice versa. Though, this sort of question is fairly commonly asked so you may want to search there as well. – Michael Hampton Dec 23 '12 at 18:21
  • Thank you, I wasn't sure where to post this. I'll try over at Super User too – TerryProbert Dec 23 '12 at 18:23
  • If you submit the problem to SuperUser SE, please delete this message. Duplicate questions on different SEs are frowned upon. – mdpc Dec 23 '12 at 19:40
  • Have voted for deletion as super user exchange is more appropriate being a home user. – TerryProbert Dec 23 '12 at 19:45

1 Answer


It says Administrator successfully logged in via Remote Desktop from somewhere in South Korea. If the administrator isn't in South Korea, you've been compromised.

Michael Hampton
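The event log entries quoted in the question, and the conclusion drawn in the answer, can be reviewed systematically with the PowerShell below. This is an added example, not code from the question or the answer; it assumes the quoted "User authentication succeeded" message is Event ID 1149 in the RemoteConnectionManager Operational channel, and the allow-list of expected source addresses is a constructed placeholder to edit for your own network.

```powershell
# Added example: summarise successful RDP authentications from the
# TerminalServices-RemoteConnectionManager log and flag source addresses
# that are not on an allow-list. Run from an elevated PowerShell prompt.
# Assumption: the message quoted in the question is Event ID 1149, whose
# Properties[0..2] carry the user, domain and source network address.

# Constructed allow-list of address prefixes you expect RDP from (edit this).
$expectedSources = @('192.168.1.', '10.0.0.5')

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Id      = 1149
} -ErrorAction Stop

# Flatten each event into one record per successful authentication.
$logons = foreach ($e in $events) {
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $e.Properties[0].Value
        Domain = $e.Properties[1].Value
        Source = $e.Properties[2].Value
    }
}

# One row per source address: volume, accounts used, first/last seen, and
# whether the address matches the allow-list. Unexpected rows with a high
# count (the question reports almost 2,000) point at a brute-force login.
$summary = $logons | Group-Object Source | ForEach-Object {
    $src = $_.Name
    $isExpected = [bool]($expectedSources | Where-Object { $src.StartsWith($_) })
    [pscustomobject]@{
        Source    = $src
        Count     = $_.Count
        Users     = ($_.Group.User | Sort-Object -Unique) -join ','
        FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
        LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        Expected  = $isExpected
    }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize

# Keep the raw records for the incident timeline before rebuilding the host.
$logons | Export-Csv -Path "$env:USERPROFILE\rdp-logons.csv" -NoTypeInformation
```

Rows with `Expected` set to False are the ones to treat as evidence of compromise, and the exported CSV preserves the timeline in case the log is later overwritten or the machine is reinstalled.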