Someone successfully brute-forced their way into a specific profile username on our Terminal Server running Windows 2003 Server (up-to-date security patches, by the way) this past Saturday, 4-13-2013. I came across it while reviewing the Security event logs on that server and also got an alert from our anti-virus threat logs, ESET NOD32 Business. I started investigating further after this and found that one of the user profiles had been hijacked. It is my fault, since this specific profile had a weak password to begin with and the username was the same. Yes, I know. I immediately changed the password and I also removed the server from being exposed to the web with the public IP address, and I am now having my external users use SSL VPN to connect remotely from home.
We just changed our firewall service to SonicWall about 3 weeks ago and I'm still learning how to use it. Fortunately I have an IT service provider helping me with configuring some of the more complex settings and configurations that need to be done. But going back to the hacked user profile on that terminal server, I found a list of programs installed that were dated with the same date, 4-13-2013. I also found a text file on one of the shared drives from this anonymous person with a note saying how poorly secured our Terminal Server was and that the IT staff (which is just me) are so incompetent when it comes to security. It's understandable in this case; I don't disagree, as I regret it so much and have learned my lesson.
Software found installed on server:
-iLivid
-Havij 1.16 Pro: Advanced SQL Injection
-Cardrecon v1.14.7
-DesktopLocker 10
-Advanced Mass Sender
-...along with several .txt files that look like scripts they were using (attached)
We noticed high internet bandwidth usage during the week, of at least 84% according to our ISP. From the looks of these installed programs, it looks like the attacker was using our bandwidth to send out spam. After I uninstalled the software, scanned the server and removed anything found (which it did) with our ESET NOD32, Malwarebytes, SuperAntiSpyware, Norman Malware Cleaner and CCleaner, and made the necessary changes to prevent this user profile from being hijacked, our internet bandwidth went back to 15%, and after checking speedtest.net our download/upload speeds were as they're supposed to be.
But I'm still wondering if I got it all taken care of or if I missed something. Do I have to worry about that Advanced SQL Injection software that was installed on that user profile? What else should I do? I'm seeking some advice from the SpiceWorks community because they always seem to have helpful answers a lot of the time. Thanks in advance.
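The kind of Security-log review the post describes, as an added example that is not part of the original post or the poster's own work: a small Python script that reads a CSV export of a Windows Server 2003 Security log and flags any account whose successful Terminal Services logon (event 528, logon type 10) was preceded by a burst of bad-password failures (event 529) for the same account. The CSV column layout, the account names, the addresses and the timestamps are all constructed for the example; the event IDs and logon type are the standard Windows 2000/2003 audit values, and the threshold and time window are assumptions to tune for your own server.

```python
"""Flag password-guessing followed by a successful RDP logon in an exported
Windows Server 2003 Security log.

Event IDs (Windows 2000/2003 audit scheme):
  529 = Logon Failure: unknown user name or bad password
  528 = Successful Logon
Logon Type 10 = RemoteInteractive (Terminal Services / RDP).

The CSV layout below is an assumed export format, not a Windows default.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export for the example; not real data from any server.
SAMPLE_LOG = """\
time,event_id,account,logon_type,source
2013-04-13 02:14:05,529,jsmith,10,203.0.113.45
2013-04-13 02:14:07,529,jsmith,10,203.0.113.45
2013-04-13 02:14:09,529,jsmith,10,203.0.113.45
2013-04-13 02:14:11,529,jsmith,10,203.0.113.45
2013-04-13 02:14:13,529,jsmith,10,203.0.113.45
2013-04-13 02:14:15,529,jsmith,10,203.0.113.45
2013-04-13 02:14:18,528,jsmith,10,203.0.113.45
2013-04-13 08:30:00,528,admin,10,192.168.1.20
2013-04-13 09:05:11,529,bob,10,192.168.1.21
2013-04-13 09:05:30,528,bob,10,192.168.1.21
2013-04-13 11:00:00,528,jsmith,2,127.0.0.1
"""

FAILED_LOGON = "529"
SUCCESS_LOGON = "528"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the CSV export into dicts sorted by time (oldest first)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    rows.sort(key=lambda r: r["time"])
    return rows


def failed_logon_counts(events):
    """Total 529 events per (account, source address), RDP logons only.
    Useful for spotting guessing that has not (yet) succeeded."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event_id"] == FAILED_LOGON and ev["logon_type"] == RDP_LOGON_TYPE:
            counts[(ev["account"], ev["source"])] += 1
    return dict(counts)


def find_hijacked_logons(events, threshold=5, window=timedelta(minutes=30)):
    """Return one record per 528 event that was preceded, within `window`,
    by at least `threshold` 529 events for the same account.
    Failures are tracked per account (not per source) so an attacker
    rotating addresses still trips the check. Threshold and window are
    assumed values; tune them to your own logon volume."""
    failures = defaultdict(list)  # account -> [(time, source), ...]
    hits = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        acct = ev["account"]
        if ev["event_id"] == FAILED_LOGON:
            failures[acct].append((ev["time"], ev["source"]))
        elif ev["event_id"] == SUCCESS_LOGON:
            recent = [(t, s) for t, s in failures[acct] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                hits.append({
                    "account": acct,
                    "failures": len(recent),
                    "sources": sorted({s for _, s in recent}),
                    "success_time": ev["time"],
                    "success_source": ev["source"],
                })
            failures[acct] = []  # a success closes the burst
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for hit in find_hijacked_logons(events):
        print("POSSIBLE HIJACK: account=%s failures=%d from %s, then success "
              "at %s from %s" % (hit["account"], hit["failures"],
                                 ", ".join(hit["sources"]),
                                 hit["success_time"], hit["success_source"]))
    for (acct, src), n in sorted(failed_logon_counts(events).items()):
        print("failed RDP logons: %-10s %-15s %d" % (acct, src, n))
```

On the sample data only `jsmith` is reported (six failures in under a minute, then a success from the same address); `bob` has a single typo-style failure and is not. The same pass over the real export answers the question the post leaves open: whether any other account shows the same failure-then-success pattern, not just the one that was noticed.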