
Possible Duplicate:
How do I deal with a compromised server?

I noticed some unusual network behaviour on my Windows Web Server 2008 R2 x64 server. When I investigated in Resource Monitor I noticed that this was related to an unknown IP being connected to "svchost.exe (termsvcs)" with PID 3148. My connection to the service was also showing as a separate instance.

An average of 15-30 kB/sec was being sent to this IP and it seems to be in bursts every few seconds. I followed the PID to TermService - Remote Desktop Services. I restarted the service and the unknown IP seemed to disconnect and a new one shortly connected.

On the users tab of Task Manager only one user (me) is connected.

Should I be concerned? Thanks :)

It is a system that is only a few days old with not much at all installed on it:

  • Full Windows updates
  • Agent Ransack (search tool by Mythicsoft)
  • TortoiseSVN
  • VisualSVN
  • WinRAR
  • MSSQL

Andy
  • Related: http://security.stackexchange.com/questions/142844/how-can-i-determine-whether-remote-desktop-hacking-was-successful – glenviewjeff Nov 17 '16 at 15:36
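The investigation described in the question (Resource Monitor showing an unknown IP attached to the svchost.exe instance that hosts Remote Desktop Services) can be repeated from a script. The following is an added example, not code from the original post; it is written for Windows Server 2008 R2 / PowerShell 2.0, where Get-NetTCPConnection does not exist, so it resolves the TermService host PID through WMI and parses `netstat -ano`. The management address in `$managementAddresses` is a placeholder to replace with your own.

```powershell
# Added example (not from the original question): map the svchost.exe process that
# hosts TermService (Remote Desktop Services) to its PID and list the established TCP
# connections it owns, so remote addresses you do not recognise stand out.

function Get-TermServiceConnections {
    # Resolve the host process of the Remote Desktop Services service via WMI.
    $svc = Get-WmiObject Win32_Service -Filter "Name='TermService'"
    if (-not $svc -or $svc.ProcessId -eq 0) {
        throw 'TermService is not running, so there is no host process to inspect.'
    }
    $termPid = [int]$svc.ProcessId

    # 'netstat -ano' prints: Proto  Local Address  Foreign Address  State  PID.
    # Keep only established TCP connections owned by the TermService PID.
    $pattern = '^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$'
    foreach ($line in (netstat -ano)) {
        if ($line -match $pattern -and [int]$matches[3] -eq $termPid) {
            New-Object PSObject -Property @{
                Pid      = $termPid
                Local    = $matches[1]
                Remote   = $matches[2]
                # Strip the port so the address can be compared with an allow list.
                # IPv6 peers appear as "[addr]:port" and keep their brackets here.
                RemoteIP = ($matches[2] -replace ':\d+$', '')
            }
        }
    }
}

# Addresses you expect to be connecting from (placeholder values, not from the post).
$managementAddresses = @('203.0.113.10')

$conns = @(Get-TermServiceConnections)
$conns | Format-Table Pid, Local, Remote -AutoSize

# Anything outside the allow list is what to look for next in the Security event log.
$unexpected = @($conns | Where-Object { $managementAddresses -notcontains $_.RemoteIP })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} RDP connection(s) from addresses outside the allow list:" -f $unexpected.Count)
    $unexpected | ForEach-Object { Write-Warning ('  ' + $_.Remote) }
}
```

Run it in an elevated PowerShell prompt; the WMI query and netstat both need administrative rights to report the PID of a service process.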

1 Answer


I'm guessing that RDP is open to the world to your server (as it's probably the only way you can get in), and that you are being attacked by bots who have scanned their way to your IP.

You're saying that there are no other users than yourself logged on. The only thing that makes sense is that there are bots trying to brute-force their way in with known usernames (Administrator, Bob, Jane, John and so on) and random passwords. Check the security event log, and you should see a flood of denied logons.

The only sane way of stopping this is to set up a firewall on the server that does not allow RDP from any client in the world. Build up a list of IP addresses or at least IP ranges that you know you'll be using when you connect to the server to manage it.

Make sure that you're not using a simple/well-known username. This is -especially- important for the local "Administrator" account. Disable it and don't ever use it.

pauska
    Nice! 29k events in the past 24 hours for "An account failed to log on." with "Failure Reason: Unknown user name or bad password". All from IPs that I had recorded earlier. Thanks a lot this has put my mind at ease somewhat. So I should block Remote Desktop from everywhere except my IP? It concerns me that if my IP changes I will be locked out? Will the server company be locked out too if this happens or will they be able to unlock it for me? – Andy Dec 28 '12 at 12:22
  • @Andy talk to your server provider about how you should make sure that they also have access. They probably have some IP ranges that they use. – pauska Dec 28 '12 at 15:02
  • The logs you want to examine are described in http://superuser.com/a/409108/31240 in the "Operational" section of the RemoteConnectionManager log. The "Security" section contains no information about remote desktop attempts. – glenviewjeff Nov 17 '16 at 15:27
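The answer and the comments above describe four steps: count the failed logons in the Security log, look at the RemoteConnectionManager Operational log, scope the inbound RDP firewall rule to known addresses, and stop using the built-in Administrator account. The script below is an added example that is not part of the original answer or comments. It is written for Windows Server 2008 R2 / PowerShell 2.0 and assumes the predefined firewall rule still carries its default name "Remote Desktop (TCP-In)"; the IP addresses and the replacement admin account name are placeholders. The two containment functions are left commented out in the usage section so that running the block as-is only reads logs.

```powershell
# Added example (not from the original answer): triage the failed logons, then contain.

# 1. Count failed logons (Security event 4625, "An account failed to log on") per
#    source address over the last N hours, with the user names each source tried.
function Get-FailedLogonsBySource {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            User      = $data['TargetUserName']
            SourceIP  = $data['IpAddress']
            LogonType = $data['LogonType']   # 10 = RemoteInteractive; 3 when NLA rejects the client first
            SubStatus = $data['SubStatus']   # 0xC0000064 = user does not exist, 0xC000006A = bad password
        }
    }
    $rows | Group-Object SourceIP | Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'SourceIP'; Expression = { $_.Name } },
            @{ Name = 'Users'; Expression = { ($_.Group | ForEach-Object { $_.User } | Select-Object -Unique) -join ',' } }
}

# 2. The Operational log named in the comments records every client that reaches the
#    RDP listener (event 1149). Despite its wording, 1149 does not prove a successful
#    logon; pair it with the 4625 counts above.
function Get-RdpListenerConnections {
    param([int]$Hours = 24)
    $log = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    $filter = @{ LogName = $log; Id = 1149; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { New-Object PSObject -Property @{ Time = $_.TimeCreated; Message = $_.Message } }
}

# 3. Scope the built-in inbound RDP rule to known management addresses. Windows Firewall
#    blocks unsolicited inbound traffic by default, so narrowing this rule is sufficient.
function Set-RdpAllowedAddresses {
    param([Parameter(Mandatory = $true)][string[]]$Addresses)
    if ($Addresses.Count -eq 0) { throw 'Refusing to apply an empty allow list: that would lock everyone out.' }
    $list = $Addresses -join ','
    & netsh advfirewall firewall set rule "name=Remote Desktop (TCP-In)" new "remoteip=$list" enable=yes
    if ($LASTEXITCODE -ne 0) {
        throw 'netsh failed; list the rule names with: netsh advfirewall firewall show rule name=all'
    }
}

# 4. Disable the built-in Administrator only after confirming that another enabled local
#    administrator exists, otherwise this would lock you out of the server.
function Disable-BuiltinAdministrator {
    param([Parameter(Mandatory = $true)][string]$ReplacementAdmin)
    $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$ReplacementAdmin'"
    if (-not $acct -or $acct.Disabled) { throw "$ReplacementAdmin does not exist locally or is disabled." }
    $isMember = @(net localgroup Administrators | Where-Object { $_.Trim() -eq $ReplacementAdmin }).Count -gt 0
    if (-not $isMember) { throw "$ReplacementAdmin is not a member of the local Administrators group." }
    net user Administrator /active:no
}

# Usage (run elevated). Review the counts first, then contain.
Get-FailedLogonsBySource -Hours 24 | Format-Table -AutoSize
Get-RdpListenerConnections -Hours 24 | Format-Table -AutoSize
# Set-RdpAllowedAddresses -Addresses @('203.0.113.10', '198.51.100.0/24')  # add your provider's ranges too
# Disable-BuiltinAdministrator -ReplacementAdmin 'ops-admin'
```

The allow list addresses the lock-out concern raised in the comments: include the provider's management ranges alongside your own address before applying the rule, and keep an out-of-band console (KVM or the provider's remote console) available in case your own address changes.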