
Possible Duplicate:
How do I deal with a compromised server?

I noticed some unusual network behaviour on my Windows Web Server 2008 R2 x64 server. When I investigated in Resource Monitor, I noticed that this was related to an unknown IP being connected to "svchost.exe (termsvcs)" with PID 3148. My own connection to the service was also showing as a separate instance.

An average of 15-30 kB/sec was being sent to this IP, and it seems to be in bursts every few seconds. I followed the PID to TermService (Remote Desktop Services). I restarted the service, and the unknown IP seemed to disconnect and a new one shortly connected.

On the users tab of Task Manager only one user (me) is connected.

Should I be concerned? Thanks :)

It is a system that is only a few days old with not much at all installed on it:

Full windows updates

Agent Ransack (search tool by mythicsoft)

TortoiseSVN

VisualSVN

Winrar

MSSQL

Andy
  • 31

1 Answer


I'm guessing that RDP is open to the world to your server (as it's probably the only way you can get in), and that you are being attacked by bots who have scanned their way to your IP.

You're saying that there are no other users than yourself logged on. The only thing that makes sense is that there are bots trying to brute-force their way in with known usernames (Administrator, Bob, Jane, John and so on) and random passwords. Check the security event log, and you should see a flood of denied logons.

The only sane way of stopping this is to set up a firewall on the server that does not allow RDP from any client in the world. Build up a list of IP addresses or at least IP ranges that you know you'll be using when you connect to the server to manage it.

Make sure that you're not using a simple/well-known username. This is -especially- important for the local "Administrator" account. Disable it and don't ever use it.

pauska
  • 19,766
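Added example, not code from the answer or from the original thread: a small Python script that does the two checks the answer recommends, grouping failed logons by source address and comparing each source against a management allow-list. The records are constructed for the example, modelled on the fields of Windows Security event 4625 (failed logon), and the allowed range 203.0.113.0/24 is an assumed management network.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in the shape of Windows Security event 4625
# (failed logon) and 4624 (successful logon). Values are made up.
_FIELDS = ("EventID", "TargetUserName", "IpAddress", "LogonType")
_RAW = [
    (4625, "Administrator", "198.51.100.7", 10),
    (4625, "Administrator", "198.51.100.7", 10),
    (4625, "Bob", "198.51.100.7", 10),
    (4625, "Jane", "198.51.100.7", 10),
    (4625, "John", "198.51.100.7", 10),
    (4625, "Administrator", "198.51.100.7", 10),
    (4625, "Administrator", "192.0.2.33", 10),
    (4625, "Administrator", "192.0.2.33", 10),
    (4625, "andy", "203.0.113.5", 10),   # owner mistyped a password once
    (4624, "andy", "203.0.113.5", 10),   # owner's successful RDP logon
]
SAMPLE_EVENTS = [dict(zip(_FIELDS, r)) for r in _RAW]

# Assumed: the ranges the server owner actually manages the box from.
ALLOWED_MGMT = [ipaddress.ip_network("203.0.113.0/24")]


def summarize_failed_logons(events):
    """Group 4625 events by source address: attempt count and usernames tried."""
    per_source = defaultdict(lambda: {"attempts": 0, "usernames": set()})
    for ev in events:
        if ev["EventID"] != 4625:
            continue
        entry = per_source[ev["IpAddress"]]
        entry["attempts"] += 1
        entry["usernames"].add(ev["TargetUserName"])
    return per_source


def is_allowed_source(ip, allowed=ALLOWED_MGMT):
    """True if the address falls inside one of the management ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def flag_bruteforce_sources(events, threshold=5, allowed=ALLOWED_MGMT):
    """Sources outside the allow-list with >= threshold failures, busiest first.
    Each entry is (ip, attempts, sorted list of usernames tried)."""
    flagged = []
    for ip, info in summarize_failed_logons(events).items():
        if info["attempts"] >= threshold and not is_allowed_source(ip, allowed):
            flagged.append((ip, info["attempts"], sorted(info["usernames"])))
    flagged.sort(key=lambda t: t[1], reverse=True)
    return flagged
```

The usernames list per source is the tell the answer describes: a single address cycling through Administrator, Bob, Jane and John is a guessing bot, and it is exactly the kind of source a firewall allow-list would have kept off port 3389 in the first place.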