Somebody tried to hack my SBS2003 server?!? How?!?

[JaffaB]

Hi all,

I have a problem. This morning, somebody tried to hack my SBS2003 server.

Somehow, they managed to remotely create a new ADMIN user and login use RDC to this user. I have SBS server scripts which alerted me that the user had been created, a user had tried to log in, but then the server kicked them off (I then deleted the account).

I have RDC set on only 3 user accounts - and nobody accessed these accounts. I have very strong passwords on all user accounts and would have been notified if they got through and RDC'd/logged in to any of these accounts?

So how did they manage to create this account? Could they have done it through SQL or something? Really confused (and concerned).

Any help or suggestions would be appreciated.

[ad...@adamjc.me]

First of all, why on earth do you have port 3389 facing the internet? This is VERY bad security practise!

Here's what you should do, in order:

1) Change all administrator passwords and anyone who could have logged on remotely via RDP that has permission.

2) Configure remote settings on the server to ONLY allow ONE user account to log on (e.g srv-admin)

3) DO NOT USE THE ADMINISTRATOR ACCOUNT on SBS2003 - Create another admin account with full domain admin privileges and disable the 'administrator' account.

4) Configure RRAS/VPN so you can VPN to your server, and access RDP that way.

These are basic security principles, if you haven't done these basic steps you should obtain professional assistance as you are putting your business (or the business you run) at serious risk.

Hope this helps.