I have a dev server with Windows 2008R2 as OS. I keep it updated with the latest patches and fixes Microsoft releases. Its only use is for data backup, testing web apps and software updates before I update live sites. The other day I logged into the server to rotate the backups to the NAS as I always do. When I was at the login screen I noticed a new user called admin which I didn't create. After I logged in I noticed WinRAR was installed. I never install any software on any server other than what is needed to run websites, and on this server I also have Visual Studio installed for development.
Red flags went up. I uninstalled WinRAR, removed the admin user and isolated the server from the rest of the network. I have been monitoring the server since Friday and noticed a lot of inbound activity on various ports. I also noticed that another user was created with admin rights. The user was ASPNET. This user was also able to log in with RDP. As with all my servers, the security policy for remote access is set up for only secure access and only to my workstation IP, which is an internal 172.16.x.x IP. Access from WAN is prohibited. After investigating I found that somehow this new admin user had accessed secpol, turned off the firewall and set all access policies to default. At this point I took the server off the network completely.
I would say the server is infected with something, and while I was planning an OS upgrade to Windows 2012R2, I would like to know what it is infected with and what the attack vector was. This server is not used for anything except what I stated. I am the only one to access it. How this could have happened is beyond me.
In any case, I'd like to know what's going on.
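A starting point for reconstructing the timeline, added here as an example and not something from the post: a PowerShell script that pulls the Security-log events matching what was observed (local account creation, additions to a local group such as Administrators, RDP logons with their source IP), then lists the current local Administrators and firewall profile state. It assumes the Security log was not cleared by the intruder and that the default account-management and logon auditing is still on; the 14-day lookback is a constructed default.

```powershell
# Added defender-side triage script (not from the original post).
# Event IDs used:
#   4720  a user account was created
#   4732  a member was added to a security-enabled local group
#   4624  an account was logged on; LogonType 10 = RemoteInteractive (RDP)
param([int]$Days = 14)   # assumed lookback window

$since = (Get-Date).AddDays(-$Days)

# Pull one named field out of the event's EventData XML.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4732, 4624; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    switch ($e.Id) {
        4720 {
            "{0}  ACCOUNT CREATED  new={1}  by={2}" -f $e.TimeCreated,
                (Get-EventField $e 'TargetUserName'), (Get-EventField $e 'SubjectUserName')
        }
        4732 {
            # TargetUserName is the group; MemberSid is the account added to it
            "{0}  ADDED TO GROUP   group={1}  member={2}  by={3}" -f $e.TimeCreated,
                (Get-EventField $e 'TargetUserName'), (Get-EventField $e 'MemberSid'),
                (Get-EventField $e 'SubjectUserName')
        }
        4624 {
            # Only RDP sessions; compare 'from' with the one workstation IP that is allowed
            if ((Get-EventField $e 'LogonType') -eq '10') {
                "{0}  RDP LOGON        user={1}  from={2}" -f $e.TimeCreated,
                    (Get-EventField $e 'TargetUserName'), (Get-EventField $e 'IpAddress')
            }
        }
    }
}

# Current state to compare against what the server is supposed to look like.
"--- Local Administrators now ---"
net localgroup Administrators
"--- Firewall profile state now ---"
netsh advfirewall show allprofiles state
```

Run it from an elevated prompt on the isolated server (or against an exported copy of the Security .evtx via `-Path`); an RDP logon from an address other than the permitted 172.16.x.x workstation, or a 4720 for admin or ASPNET, gives the first solid timestamp to work back from.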