Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Windows Server 2013 Hacked into

  • Please log in to reply
2 replies to this topic

#1 Beaumonts


  • Members
  • 29 posts
  • Local time:11:59 PM

Posted 06 December 2016 - 11:13 AM

When i accessed our Server 2013 this morning someone had logged into it without permission.


They had opened Mozilla Firefox browser and had opened the following webpages:-







https://c9.io seems to be some sort of developers website.  


We ran Malware which found the following C:\Users\adminnew\downloads\setup.winrar.exe


They had set up a new User on the Server as adminnew.  We have removed this user, changed the password on the Server and removed any ports on the router that we don't need to have open.


Is there anything else we can do to increase security?


Also has anybody had anything similar happen to them?

BC AdBot (Login to Remove)


#2 Sneakycyber


    Network Engineer

  • BC Advisor
  • 6,135 posts
  • Gender:Male
  • Location:Ohio
  • Local time:05:59 PM

Posted 07 December 2016 - 02:21 AM

Find out how they got in if possible. Could have been a fishing campain, brute force, or a sticky note depending on company policies. Plug that whole and stop using admin accounts for maintenance on the servers. Login with a standard user granted access and enter the admin credentials when needed. Run malware, adware, and rootkit scans. Is it possible a vendor was setting up software?

Edited by Sneakycyber, 07 December 2016 - 02:21 AM.

Chad Mockensturm 
Network Engineer
Certified CompTia Network +, A +

#3 i2D_


  • Members
  • 11 posts
  • Local time:11:59 PM

Posted 20 December 2016 - 10:08 AM

If you found these apps open, it means they logged in with your username and password.


Or did you log into the server with a generic local account? If so, is this generic account on other computers/servers? You may want to update via GPO.



Check DC Event log, for audits of that server, you should be able to locate the source IP of the login, and find out if this was external or internal and do further digging from there.


As Sneaky has said, its possible it was just Dev if its a generic account.


Or if it was an attacker, they could of left rootkit to gain access again remotely.

Edited by i2D_, 20 December 2016 - 10:09 AM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users