
Possible Duplicate:
How do I deal with a compromised server?

Today I opened TCPView to see what was causing a lot of outbound network activity and could only identify svchost.exe on port 3389 (which I understand to be the port used by Remote Desktop).

I ended the process almost immediately.

I've searched for the IP address it was connected to, and discovered it originates in South Korea.

I have just discovered in the Windows Event Viewer under "Applications and Services Log > Microsoft > Windows > TerminalServices-RemoteConnectionManager" almost 2,000 events which read similar to:

Remote Desktop Services: User authentication succeeded:

User: administrator
Domain: 
Source Network Address: 1.214.253.235

I wanted to know if my system has indeed been compromised and whether it is at all possible for me to track any activity; such as file access.

What is the best course of action to take to prevent this happening in future? Or haven't I anything to worry about?

1 Answer

7

It says Administrator successfully logged in via Remote Desktop from somewhere in South Korea. If the administrator isn't in South Korea, you've been compromised.

Michael Hampton
  • 252,907
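The check the question describes (reading the TerminalServices-RemoteConnectionManager log for "User authentication succeeded" events, Event ID 1149, and seeing where they came from) is easier to do at scale with a script than by scrolling through 2,000 entries in Event Viewer. The following is an added example, not code from the original question or answer. It summarises 1149 events by source address, with first/last seen and the user names tried, and flags any source outside a trusted-prefix list. The `$TrustedPrefixes` default and the `-Path` handling for an exported `.evtx` are assumptions chosen for illustration; adjust them to your environment.

```powershell
# Added example (not from the original post): summarise RDP authentications
# recorded by Microsoft-Windows-TerminalServices-RemoteConnectionManager,
# Event ID 1149 ("Remote Desktop Services: User authentication succeeded").
# Run from an elevated PowerShell prompt on the affected host, or give -Path
# an exported .evtx (e.g. from wevtutil epl or a forensic image) to read offline.
#
# Assumed for illustration: the trusted prefixes below are the operator's own
# networks; anything else is reported as suspect.
param(
    [string]$Path,                                   # optional exported .evtx instead of the live log
    [datetime]$Since = (Get-Date).AddDays(-30),
    [string[]]$TrustedPrefixes = @('10.', '192.168.', '172.16.', '127.', '::1')
)

$logName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

# Get-WinEvent -FilterHashtable accepts either LogName (live) or Path (saved file).
$filter = @{ Id = 1149; StartTime = $Since }
if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = $logName }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

# Event 1149 carries its fields in UserData/EventXML:
#   Param1 = user, Param2 = domain, Param3 = source network address
$records = foreach ($e in $events) {
    $d = ([xml]$e.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $d.Param1
        Domain = $d.Param2
        Source = $d.Param3
    }
}

$summary = $records | Group-Object Source | ForEach-Object {
    $src     = $_.Name
    $trusted = $false
    foreach ($p in $TrustedPrefixes) {
        if ($src.StartsWith($p)) { $trusted = $true; break }
    }
    [pscustomobject]@{
        Source    = $src
        Count     = $_.Count
        FirstSeen = ($_.Group | Measure-Object Time -Minimum).Minimum
        LastSeen  = ($_.Group | Measure-Object Time -Maximum).Maximum
        Users     = ($_.Group.User | Sort-Object -Unique) -join ','
        Trusted   = $trusted
    }
}

$summary | Sort-Object Count -Descending | Format-Table -AutoSize

$suspect = @($summary | Where-Object { -not $_.Trusted })
if ($suspect.Count -gt 0) {
    Write-Warning ("{0} source address(es) outside the trusted prefixes authenticated over RDP since {1}." -f $suspect.Count, $Since)
    Write-Warning "Correlate with Security log 4624 (LogonType 10) for the same source and time to confirm interactive sessions."
}
```

A run on a host in the state the question describes would show a single public address with a four-digit count and the user `administrator`, flagged as untrusted. Treat 1149 as the first indicator rather than the whole story: confirm with Security log Event ID 4624 with LogonType 10 (RemoteInteractive) and 4778/4779 session connect and disconnect events for the same source address, which also give you the session times needed to scope what was accessed.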