Posted 17 April 2010 - 09:07 AM
Our Terminal Server was noticed to be compromised on 4/16. It was revealed through a glance at the current user sessions that our 'backup' user was logged on from 'JOHNSPC' (a false NetBIOS name I'm sure). We went through the event viewer filtering for user 'backup' events. There were three items: user backup started the Application Management server, user backup installed 'Rummy Royale' from an MSI, and user backup was logged off (there was never a log on).
First we changed the user's password and started in on 'Rummy Royale'; we determined that it was also running as a service and installed in "C:\Rummy Royale". We stopped/unregistered the server, uninstalled the program and proceeded to do forensics on the user account itself. User backup's ntuser.dat was last modified on 2/18/2010, no recent documents and one non-standard favorite, AOL Mail. Browsing to the 'My Documents' folder inside the user profile reveals 'SYSTEM's Pictures', which is worrisome.
As of right now, attempts at running gmer.exe for rootkits have failed unless using a random .exe. RKill shows nothing, and SUPERAntiSpyware will not start unless using a random exe (alternate start). A little forensics help would be greatly appreciated on this server-based terminal server.
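The three checks the post describes by hand (logon events for the 'backup' account, the MSI install record, and a service registered from an unusual path) can be pulled from the event logs and WMI in one pass. The script below is an added triage example, not something from the original poster, and it makes a few assumptions: PowerShell 2.0 or later, the Vista/2008-style Security log where successful logons are event ID 4624 (on Windows Server 2003 the equivalents are 528/540 and the field layout differs, so the ID list would need changing), Windows Installer writing to the Application log under the source name MsiInstaller, the account name 'backup' taken from the post, and a seven-day look-back window chosen here as a placeholder.

```powershell
# Added triage example (not from the original post). Assumptions: PowerShell 2.0+,
# Security log event ID 4624 for successful logons (Vista/2008+; on Server 2003
# use 528/540 and adjust the field parsing), MsiInstaller as the Windows Installer
# event source, and a seven-day window picked arbitrarily for this example.
param(
    [string]$SuspectUser = 'backup',            # account seen in the session list
    [datetime]$Since = (Get-Date).AddDays(-7)   # look-back window (assumption)
)

# 1. Successful logons for the suspect account, with source workstation, source
#    address and logon type (10 = RDP/Terminal Services). This is the check that
#    confirms or refutes the "there was never a log on" observation.
function Get-SuspectLogons {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the event XML so fields are selected by name, not by index
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['TargetUserName'] -eq $SuspectUser) {
                New-Object PSObject -Property @{
                    Time        = $_.TimeCreated
                    Workstation = $d['WorkstationName']
                    SourceIP    = $d['IpAddress']
                    LogonType   = $d['LogonType']
                }
            }
        }
}

# 2. Every Windows Installer event in the window. The post found 'Rummy Royale'
#    this way; listing all of them shows whether anything else arrived with it.
function Get-RecentMsiInstalls {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# 3. Services whose binary is not under the Windows directory. A service whose
#    image lives in a folder such as C:\Rummy Royale is what this surfaces.
function Get-OddServices {
    $winDir = $env:SystemRoot
    Get-WmiObject Win32_Service |
        Where-Object {
            $_.PathName -and
            ($_.PathName -notlike "$winDir*") -and
            ($_.PathName -notlike "`"$winDir*")   # quoted image paths
        } |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

Get-SuspectLogons     | Format-Table -AutoSize
Get-RecentMsiInstalls | Format-Table -AutoSize -Wrap
Get-OddServices       | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the terminal server (reading the Security log requires administrative rights), and save the output before making further changes to the box, since uninstalling the program and resetting the password already altered some of the evidence the post mentions.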