How do I deal with a compromised server?
Today I opened TCPView to see what was causing a lot of outbound network activity and could only identify svchost.exe on port 3389 (which I understand to be the port used by remote desktop).
I ended the process almost immediately.
I’ve searched for the IP address it was connected to, and discovered it originates in South Korea.
I have just discovered in the Windows Event Viewer under “Applications and Services Log > Microsoft > Windows > TerminalServices-RemoteConnectionManager” almost 2,000 events which read similar to:
Remote Desktop Services: User authentication succeeded: User: administrator Domain: Source Network Address: 18.104.22.168
I wanted to know if my system has indeed been compromised and whether it is at all possible for me to track any activity, such as file access.
What is the best course of action to take to prevent this happening in future? Or haven’t I anything to worry about?
It says Administrator successfully logged in via Remote Desktop from somewhere in South Korea. If the administrator isn’t in South Korea, you’ve been compromised.
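One way to triage what the question describes, as an added PowerShell example that is not part of the original question or answer: it reads the TerminalServices-RemoteConnectionManager log for Event ID 1149 (the "User authentication succeeded" events quoted above) and summarises them per user and source address, so a burst of logons from one unknown address stands out. The log name and the event-property positions are stated from memory as assumptions, and the `$Expected` list is a placeholder to be replaced with the addresses the administrator actually connects from.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# affected server. Assumptions: the Operational log name below, and that event 1149
# exposes User, Domain and Source Network Address as Properties[0..2].
$LogName  = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$Expected = @('192.0.2.10')   # placeholder: addresses RDP logons are expected from

# Event 1149 is "Remote Desktop Services: User authentication succeeded".
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1149 } -ErrorAction Stop

$records = foreach ($e in $events) {
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $e.Properties[0].Value
        Domain = $e.Properties[1].Value
        Source = $e.Properties[2].Value
    }
}

# One row per (user, source) with count and first/last seen. The ~2,000 logons
# from a single foreign address described in the question become one large row.
$summary = $records |
    Group-Object User, Source |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            User      = $_.Group[0].User
            Source    = $_.Group[0].Source
            Logons    = $_.Count
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
            Expected  = ($_.Group[0].Source -in $Expected)
        }
    } |
    Sort-Object Logons -Descending

$summary | Format-Table -AutoSize

# Keep a copy of the unexpected rows for the incident record before anything is
# rebuilt or logs roll over.
$summary | Where-Object { -not $_.Expected } |
    Export-Csv -Path "$env:USERPROFILE\Desktop\rdp-unexpected-logons.csv" -NoTypeInformation
```

Event 1149 only records that the connection's authentication succeeded; corroborate each unexpected row against the Security log (logon type 10 entries for the same account and time) before treating it as the full timeline of what the intruder did.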
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.