Remote Desktop Hack Investigation

May 4, 2018

- Checked the server Remote Desktop port and found it moved
  from 3391 to 3389.  
- Checked the antivirus, firewall and supplemental malware
  program (Malwarebytes).  Ran Malwarebytes scan.
- Analyzed files, folders and event logs.
- Created document detailing times of accesses, critical
  events and the name of the Remote Desktop add-in responsible
  for the unauthorized access.
- Changed the server admin account name and password; disabled
  Remote Desktop access to the server.  
- Discussed the particulars with company personnel including the
  timeline and techniques involved.


Note: this business used the two server remote desktop maintenance connections for access by offsite employees. Passwords were not sufficiently complex and access was hacked by an automated malware exploit. The malware created a new user account and at that point a live human was most likely alerted. A web browser was loaded, an email account created and used to create an ID for bank transfers.


Lesson: for starters, use complex passwords, and use a VPN for Remote Desktop access if possible. Rogue access would then require the hacking of both the VPN encryption key and a Windows password (unlikely).
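The sequence described in the note (a burst of failed Remote Desktop logons, then a successful one, then a new user account) is the pattern to look for in the Security event log. The following is an added example, not part of the original post: it runs that check over a constructed, simplified export of Windows Security events (event IDs 4625, 4624 with logon type 10, and 4720 are real; the CSV-style layout, the IP addresses and the threshold values are assumptions chosen for the example).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows Security events reduced to
# "timestamp,event_id,account,source_ip,logon_type". 4625 = failed logon,
# 4624 = successful logon (type 10 = RemoteInteractive, i.e. RDP),
# 4720 = user account created (no source IP on that event).
SAMPLE_EVENTS = """\
2018-05-01 02:11:03,4625,administrator,198.51.100.23,10
2018-05-01 02:11:04,4625,administrator,198.51.100.23,10
2018-05-01 02:11:06,4625,administrator,198.51.100.23,10
2018-05-01 02:11:07,4625,administrator,198.51.100.23,10
2018-05-01 02:11:09,4625,administrator,198.51.100.23,10
2018-05-01 02:11:10,4625,administrator,198.51.100.23,10
2018-05-01 02:11:12,4624,administrator,198.51.100.23,10
2018-05-01 02:13:45,4720,backup_svc,,
2018-05-01 08:02:00,4624,jsmith,203.0.113.8,10"""

FAILED, SUCCESS, USER_CREATED, RDP_LOGON = "4625", "4624", "4720", "10"

def parse_events(text):
    """Parse the export into (time, event_id, account, source, logon_type) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        ts, eid, account, src, ltype = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, account, src, ltype))
    return sorted(rows)

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag an RDP success from a source that had at least `threshold` failed logons
    within `window` before it, and list accounts created within `window` after it."""
    findings = []
    failures = defaultdict(list)          # source IP -> timestamps of recent 4625 events
    for ts, eid, account, src, ltype in events:
        if eid == FAILED:
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
        elif eid == SUCCESS and ltype == RDP_LOGON:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= threshold:
                created = [a for t2, e2, a, _, _ in events
                           if e2 == USER_CREATED and ts < t2 <= ts + window]
                findings.append({"source": src, "account": account,
                                 "failures": len(recent), "success_at": ts,
                                 "new_accounts": created})
            failures[src] = []            # a success ends the burst for that source
    return findings

if __name__ == "__main__":
    for f in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{f['success_at']} RDP logon as {f['account']} from {f['source']} "
              f"after {f['failures']} failures; accounts created afterwards: {f['new_accounts']}")
```

The ordinary logon from 203.0.113.8 is not reported because no failures preceded it, which is the distinction that keeps this check from paging on every routine Remote Desktop session.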

OfficeRescue Blog