- Checked the server Remote Desktop port and found it moved
from 3391 to 3389.
- Checked the antivirus, firewall and supplemental malware
program (Malwarebytes). Ran Malwarebytes scan.
- Analyzed files, folders and event logs.
- Created document detailing times of accesses, critical
events and the name of the Remote Desktop add-in responsible
for the unauthorized access.
- Changed the server admin account name and password; disabled
Remote Desktop access to the server.
- Discussed the particulars with company personnel including the
timeline and techniques involved.
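An added example, not part of this report, of how the port check and event-log review in the steps above can be done from PowerShell on the server itself. It assumes local administrator rights, that the Security log still covers the period of interest, and a 14-day lookback window ($Since) that you would adjust to the incident.

```powershell
# Added example (not from the report): defender-side triage of an RDP intrusion
# on a Windows server. Assumes local admin rights; $Since is an assumption.
$Since = (Get-Date).AddDays(-14)

# 1. Where is RDP listening, and is it enabled? (the report found the port
#    moved from 3391 to 3389)
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$port   = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name PortNumber).PortNumber
$denied = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections
"RDP port: $port  enabled: $($denied -eq 0)"
Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Pull a named field out of an event's EventData block by name rather than
# by positional index, so the same helper works for 4624, 4625 and 4720.
function Get-EvtField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 2. Timeline: successful RDP logons (4624 with LogonType 10, RemoteInteractive),
#    failed logons (4625, kept for every logon type because NLA-protected RDP
#    records pre-session failures as network logons), and accounts created
#    (4720, the step the report says the malware took).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625, 4720; StartTime = $Since
} -ErrorAction SilentlyContinue

$timeline = foreach ($e in $events) {
    if ($e.Id -eq 4624 -and (Get-EvtField $e 'LogonType') -ne '10') { continue }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        What   = $(switch ($e.Id) { 4624 {'RDP logon'} 4625 {'logon failed'} 4720 {'account created'} })
        User   = Get-EvtField $e 'TargetUserName'
        Source = Get-EvtField $e 'IpAddress'
        By     = Get-EvtField $e 'SubjectUserName'
    }
}
$timeline | Sort-Object Time | Format-Table -AutoSize

# 3. Failed-logon volume per source address: a long run of failures from one
#    address followed by a success is the automated password guessing the
#    report describes, and the addresses are what to block at the firewall.
$timeline | Where-Object Id -eq 4625 |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

The sorted timeline is the raw material for the access-times document in the steps above; export it with Export-Csv before changing credentials or disabling Remote Desktop so the record is preserved.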
Note: this business used the two server remote desktop maintenance
connections for access by offsite employees. Passwords were not
sufficiently complex and access was hacked by an automated malware
exploit. The malware created a new user account and at that point a
live human was most likely alerted. A web browser was loaded, and an
email account was created and used to create an ID for bank transfers.
Lesson: for starters, use complex passwords, and use a VPN for Remote Desktop
access if possible. Rogue access would then require the hacking of both
the VPN encryption key and a Windows password (unlikely).