Possible compromise of Windows Server 2003 security risk & unknown users

From: "Chris" <chris.jones@xxxxxxxxxxxxx>
Date: Wed, 7 Dec 2005 16:29:27 -0000

Hi Everyone,

I wanted to find out if anybody is aware of how a Windows Server 2003
Terminal Server out of the box environment can ever become
compromised/hacked?

We have recently received a security report stating that the server we are
running has been performing other tasks, such as the polling of websites,
and the scanning of other networks also being hosted. Our server is on the
Internet.

We noticed in our user list an unknown username named 'tsadmin' had been
created and was logging in, with full access rights just like an
administrator, they were also a member of the backup users group, however
none of us ever recall creating this user. We are careful who we create
onto the server and never allow them to have a desktop environment.

Is this a coincidence?

We have now deleted the tsadmin user.

If anybody could advise of this, or recommend any additional security checks
or security logging software then this would be ideal.

How can we check if our server has been compromised? Do we need to fix
anything? What can we do to prevent it from happening again.

We currently use an up to date version of AVG server edition scanner, but if
anybody knows of a more dedicated server security product this would be
greatly appreciated.

Thanking you in advance

Chris

.

Follow-Ups:
- Re: Possible compromise of Windows Server 2003 security risk & unknown users
  - From: Giuseppe Nacci

Prev by Date: Re: The Automatic Updates service hung on starting. This happens on bootup but the service actually does start.
Next by Date: Re: The Automatic Updates service hung on starting. This happens on bootup but the service actually does start.
Previous by thread: Re: Adding new Domain Controller
Next by thread: Re: Possible compromise of Windows Server 2003 security risk & unknown users
Index(es):
- Date
- Thread

Relevant Pages

security-basics Digest of: get.123_145
... VPN to ASP a security risk? ... Re: Multiple IPSec tunnels? ... Subject: Security NT Server ... VPN to ASP a security risk? ...
(Security-Basics)
Re: << SBS News of the week - Sept 26 >>
... > And he points to the info you need to put the file on the server in the ... > at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... An attacker can exploit these flaws in tandem via specially ...
(microsoft.public.backoffice.smallbiz2000)
<< SBS News of the week - Sept 26 >>
... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
(microsoft.public.windows.server.sbs)
Re: << SBS News of the week - Sept 26 >>
... > And he points to the info you need to put the file on the server in the ... > at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... An attacker can exploit these flaws in tandem via specially ...
(microsoft.public.windows.server.sbs)
<< SBS News of the week - Sept 26 >>
... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
(microsoft.public.backoffice.smallbiz)