So, I have a Win7 box that is used to record video surveillance that was compromised about a week ago at 3am. Running combofix showed that someone or some script repeatedly tried to log into my server. I assume that it was done via remote desktop... but I really don't know, other than that it was not done in the same location as the server.
I'm wondering how this happened and how to prevent it.
Here's the background on this:
- To allow remote access to the remote viewing app, I have to open up some ports on my router. The firewall was disabled and there was no antivirus running. The security installer said it would not be necessary. In hindsight this was a bad idea, and they should have done the work to turn on the firewall and only allow the connections that needed to get through to enable remote viewing.
- Remote desktop was turned on so that the security installer could remotely troubleshoot any issues
- Strong passwords were not set up by the security installers
- DDNS was used
- Only the security installer and I have the password. No one except myself has had physical access to the server
- Only use the browser to access reputable sites
How I discovered the problem:
- Tried to remote desktop into the server from work to adjust some settings and discovered the admin password did not work
- Got home and saw that a new account that I did not recognize was added
- Had to reset the password using Win7 disk to get back into the system
- How did this happen to me?
- Why would I have been a target?
- What were the hackers trying to do other than break in and let me know that they had done so? They could have just conducted any malicious activity with the Admin account.
- How can I prevent this from happening in the future?
- How can I be made aware whenever remote connections are made to my server and know where it is coming from?
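For the last question (knowing when remote connections are made and where they come from), one way to check the box's own Security event log for RDP logons is shown below. This is an added example, not part of the original post; it assumes an elevated PowerShell 2.0 prompt on the Win7 machine and that logon auditing is turned on (see the comment).

```powershell
# Added example (not from the original post): list successful and failed logons
# recorded in the Security log, grouped by source IP, so RDP access attempts
# against the surveillance box can be reviewed.
# Assumes: elevated PowerShell 2.0+ (ships with Win7). Failure auditing is not on
# by default; enable it first with:
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
# Event 4624 = successful logon, 4625 = failed logon.
# LogonType 10 = RemoteInteractive (RDP); with Network Level Authentication,
# failed RDP attempts are often logged as LogonType 3, so both are kept.
param([int]$Days = 7)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624, 4625; StartTime = $since} `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named fields (LogonType, TargetUserName, IpAddress) out of the event XML
    [xml]$x = $e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ('3', '10' -contains $d['LogonType']) {
        $result = 'Failure'
        if ($e.Id -eq 4624) { $result = 'Success' }
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Result    = $result
            User      = $d['TargetUserName']
            SourceIp  = $d['IpAddress']      # '-' when no network address was recorded
            LogonType = $d['LogonType']
        }
    }
}

# One line per source address: how many attempts succeeded and how many failed.
# A long run of failures followed by a success from an address you do not
# recognise is the pattern to look for.
$rows | Group-Object SourceIp | ForEach-Object {
    $ok   = @($_.Group | Where-Object { $_.Result -eq 'Success' }).Count
    $fail = @($_.Group | Where-Object { $_.Result -eq 'Failure' }).Count
    New-Object PSObject -Property @{ SourceIp = $_.Name; Successes = $ok; Failures = $fail }
} | Sort-Object Failures -Descending | Format-Table SourceIp, Successes, Failures -AutoSize

# Full per-event detail, newest first, for the addresses above
$rows | Sort-Object Time -Descending | Format-Table Time, Result, User, SourceIp, LogonType -AutoSize
```

Run it as `.\rdp-logons.ps1 -Days 14` (any file name works) to widen the window; note that the log only reaches back as far as its retention size allows, so older attempts may already have been overwritten.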