Re: Compromised Server? Anyone recognize the suspect Services?




I would be surprised if default local security policy was wide open.

The villain may not be trying to log in - could be trying to establish
credentials for a scheduled task or a service - rename the task/service after
each failure and this might reset the lockout count.

What does Event Viewer reveal in the Security log?
--
Newell White
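An added example, not from this thread, of the Security-log check Newell asks about: a PowerShell script that tallies failed logons by account and source address, lists lockout events, and shows the current lockout policy. It assumes PowerShell 2.0 on the server and English-locale event text; the event IDs (529/644 on Windows 2003, 4625/4740 on Vista/2008 and later) are my assumption, not something the post states.

```powershell
# Added example, not from the thread: summarise logon failures and lockouts
# from the Security log. Assumptions: PowerShell 2.0, English event text,
# IDs 529/644 (Windows 2003) or 4625/4740 (Vista/2008 and later).
$Hours = 24
$since = (Get-Date).AddHours(-$Hours)

$failed = Get-EventLog -LogName Security -After $since -InstanceId 529,4625 -ErrorAction SilentlyContinue
$locked = Get-EventLog -LogName Security -After $since -InstanceId 644,4740 -ErrorAction SilentlyContinue

# Count failures per (account, source address); the address is what tells a
# remote brute force apart from a local task or service with a stale password.
$tally = @{}
foreach ($e in $failed) {
    $msg = $e.Message
    # 4625 lists two "Account Name" fields; the target is the one after "Logon Failed"
    if ($msg -match 'Logon Failed:[\s\S]*?Account Name:\s*(\S+)') { $user = $matches[1] }
    elseif ($msg -match 'User Name:\s*(\S+)') { $user = $matches[1] }
    else { $user = '?' }
    if ($msg -match 'Source Network Address:\s*(\S+)') { $src = $matches[1] } else { $src = '?' }
    $key = "$user from $src"
    $tally[$key] = 1 + [int]$tally[$key]
}

"Failed logons in the last $Hours h (top 20 account/source pairs):"
$tally.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 20 |
    ForEach-Object { '{0,6}  {1}' -f $_.Value, $_.Name }

"Lockout events: $(@($locked).Count)"
$locked | Select-Object TimeGenerated, Message | Format-List

# Current policy, to compare with the 7 failures / 30 minutes suggested in the thread
net accounts | Select-String 'Lockout'
```

A long run of failures for one account from a single remote address points at the RDP guessing described in the thread; repeated failures with no source address, or from the server's own address, are the scheduled-task or service case Newell raises.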


"John Kotuby" wrote:

Big thanks on the response Newell!

I will apply your suggestions immediately.
Maybe I will create 2 Login Accounts with Admin/RDP privileges, just in
case one of them gets locked out.
For some reason I thought that Local Machine policy already defaulted to
lockouts after 3 tries. Obviously that is not the case after what I have
experienced.

"Newell White" <NewellWhite@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:412A3FB5-1FF5-4668-866E-5AACDC213C36@xxxxxxxxxxxxxxxx

"John Kotuby" wrote:

Hi all,

Note: this is cross-posted on the Server.Security group but there is
little action there.

We lease a non-managed Web Server running AV software but no IDS. It is
Windows 2003 STD which receives automatic nightly Windows Security patches
at 3AM.

When I logged into the RDP console on Monday I saw what looked like a
Password Cracking software running with the name at the top of the window
E-Security. It looks like it had gone through 69,914,496 permutations
already.

Apparently somebody hacked in through a nearly wide open front door, Remote
Desktop on a standard port. Also installed were 2 network packet sniffing
programs PacketX and WinPcap.
I went into Task Manager and killed a program I did not recognize
netman24.exe. I killed it and also saw about 12 instances of
CheckingThread.exe disappear.

I did not want to click the Close button in the program because who knows
what that might have done.

Looking in Services, right under Network Connections there were 3 other
similar services all claiming to be Microsoft.
Network Connections 24
Network Connections 32
Network Connections 64

Doing a search on Microsoft for netman24.exe brought up nothing.
Doing a similar search on Google brought up nothing.
Same for Symantec.

I changed the Startup Option on Network Connections 24 from Automatic to
Manual. I have not gotten rid of those services or programs yet in case
they are valid.

Maybe the connection between netman24.exe being killed and
CheckingThread.exe instances disappearing was coincidental but I don't
think so.

Anyone else seen anything like this or recognize these programs as valid?
I have not yet removed them from the server.

I have since made some changes to re-secure the server. I need to learn
how to quickly set up VPN access using only a remote connection...such that
I can configure it first and then still have access to the desktop after
it is activated, if that is possible. I don't need an article steeped in
theory and we are not talking active directory, just a standalone Win2003
STD remote server. So I am looking for a setup that uses only 1 server for
both VPN and Remote Desktop Access. If someone can point me to such an
article or tutorial I will be grateful. I am a software developer under a
very tight schedule, not a trained server manager.



Thanks for any input...

--
"Building a better mouse trap doesn't necessarily make it better for the
mouse."


Can't help you on VPN, but two steps you have probably already taken are:

1) Don't allow built-in Administrator accounts to use Remote Desktop or
Terminal Services. Create an administrator-privileged account with an
arbitrary name and strong password to access the server in this way.

2) Use Admin Tools, Local security settings, Account lockout policy to
lock out for 30 mins after 7 login failures.

--
Regards,
Newell White
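An added example, not from the thread, of how to triage the look-alike "Network Connections 24/32/64" services John describes: PowerShell (2.0, via WMI) lists every service whose display name starts with "Network Connections", resolves its executable and flags anything that is not the genuine Netman service hosted in svchost.exe. That the real service is named Netman and runs in svchost.exe is a fact about Windows; the verdict rules and the signature/company checks are my own assumptions about what is worth looking at.

```powershell
# Added example, not from the thread: list every service whose display name
# mimics "Network Connections" and flag the ones that are not the genuine
# Netman service. Assumptions: PowerShell 2.0; the genuine service is named
# Netman and runs inside svchost.exe (true on Windows 2003).
$pattern = '^Network Connections'

Get-WmiObject Win32_Service | Where-Object { $_.DisplayName -match $pattern } | ForEach-Object {
    $svc = $_
    # PathName may be quoted and may carry arguments (svchost.exe -k netsvcs)
    if ($svc.PathName -match '^"([^"]+)"') { $exe = $matches[1] }
    else { $exe = ($svc.PathName -split ' -| /')[0].Trim() }

    if (Test-Path $exe) {
        # Windows 2003 system files are often catalog-signed, which this cmdlet
        # reports as NotSigned, so read the Verdict column, not the signature alone.
        $sig = (Get-AuthenticodeSignature $exe).Status
        $company = (Get-Item $exe).VersionInfo.CompanyName
    } else {
        $sig = 'FILE MISSING'; $company = ''
    }

    # The genuine service: Name "Netman", hosted in svchost.exe. Anything else
    # using this display name is what the thread calls "claiming to be Microsoft".
    if ($svc.Name -eq 'Netman' -and $exe -match 'svchost\.exe$') { $verdict = 'expected' }
    else { $verdict = 'SUSPECT' }

    New-Object PSObject -Property @{
        Verdict = $verdict; Name = $svc.Name; Display = $svc.DisplayName
        StartMode = $svc.StartMode; State = $svc.State
        Signature = $sig; Company = $company; Exe = $exe
    }
} | Format-Table Verdict, Name, Display, StartMode, State, Signature, Company, Exe -AutoSize
```

For a SUSPECT row, copy the executable and note its timestamps before stopping or deleting the service, so the evidence survives if the program turns out to matter later.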






