I have had a look around as we thought it was a malware program, but we are not sure if it was actually a hacker.
They seem to have left a couple of brute force attack programs on the server, and we have copied the directories out to see what they have done.
There are a couple of accounts which keep getting automatically created.
Guest, and SUPPORT_388945a0, every time we reboot these are back. I know its not the default inbuilt guest account as i have renamed this to unauthorised user.
This is puzzling me!! We have run malwarebytes and spybot search and destroy which usually fixes all our issues, combofix we have used in extreme cases but i dont like using this on servers.. plus it doesnt support 64 bit!
Is there anyone out there who can help with this?
PS it has also stopped the workstation and server services from starting up.
Edited by Martynstar, 14 April 2011 - 08:22 AM.