I have inherited a new customer with a 2003 Server & 2008 R2 Terminal Server. The server is fine but the Terminal Server is a disaster.
I pounded it with CCleaner, Spybot, Malwarebytes, Hitman Pro, Eset Smart, Rkill, Super Antispyware, TDSKiller & possibly a couple others. I removed a mass email sender, various spywares, viruses and other nasties.
I've cleaned all of the garbage registry entries that I could find, removed a Chinese Mozilla browser and generally ran scans at least twice a day for two weeks.
At this time the system checks clean, but my hackers are still hanging around. Almost daily, a new administrator account appears on the terminal server. If I leave it for a few days, other user accounts appear. I have removed those account folders from the users folder & regedited them out, also. They keep appearing & at this point, I feel that I'm getting a whoopin'.
Is there possibly a group policy hole, browser hole or just plain unholy hole that I'm missing?
I have been an I.T. guy for years, but I run bare minimum servers with just enough overhead to get the medical & dental applications to do what they must. Some are domain controllers but this customer is not. They are using older Foxpro databases with low demands on the server itself.
Anyway, the server config isn't the problem, but the security access is...
Any and all help welcomed!!!
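Added example (not part of the original post, and not something the poster ran): before deleting the next rogue account, find out who creates them and from where. On 2008 R2 the Security log records this if auditing is on: event 4720 (user account created) and 4732 (member added to a security-enabled local group such as Administrators) both carry the SubjectLogonId of the session that did it, and event 4624 (logon) carries that same value as TargetLogonId together with the source IP and logon type. The script joins the two. The $SampleEvents, the host name TS01, the account names and the 203.0.113.45 address are constructed for the demo; on the real server you feed it Get-WinEvent output as shown at the bottom.

```powershell
# Added example, not from the original post. Correlates account-management events
# (4720 user created, 4732 member added to a local group) with the logon session
# (4624) that performed them, so the output says who did it, from which IP, and
# through what kind of logon. Sample events below are constructed, not real data.

# Nothing is logged unless these subcategories are audited (run once, elevated):
#   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
#   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable

$LogonTypeNames = @{
    '2'  = 'Interactive (console)'
    '3'  = 'Network (SMB/RPC/WMI)'
    '4'  = 'Batch (scheduled task)'
    '5'  = 'Service'
    '10' = 'RemoteInteractive (RDP / Terminal Services)'
}

# Flatten a real EventRecord (from Get-WinEvent) into Id / Time / Data(hashtable).
function ConvertTo-EventRecord {
    param([Parameter(ValueFromPipeline=$true)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{ Id = [int]$Event.Id; Time = $Event.TimeCreated; Data = $data }
    }
}

function Find-AccountCreationSource {
    param([object[]]$Events)
    # Index every logon by its logon ID so account-management events can be joined to it.
    $logons = @{}
    foreach ($e in $Events) {
        if ($e.Id -eq 4624) { $logons[$e.Data['TargetLogonId']] = $e }
    }
    foreach ($e in $Events) {
        if ($e.Id -ne 4720 -and $e.Id -ne 4732) { continue }
        $logon = $null
        $sid = $e.Data['SubjectLogonId']
        if ($sid -and $logons.ContainsKey($sid)) { $logon = $logons[$sid] }
        if ($e.Id -eq 4720) {
            $action = "created user '$($e.Data['TargetUserName'])'"
        } else {
            $action = "added $($e.Data['MemberSid']) to group '$($e.Data['TargetUserName'])'"
        }
        $sourceIp = '(no matching 4624 in this window)'
        $typeName = '(unknown)'
        if ($logon) {
            $sourceIp = $logon.Data['IpAddress']
            $type = $logon.Data['LogonType']
            if ($LogonTypeNames.ContainsKey($type)) { $typeName = $LogonTypeNames[$type] } else { $typeName = $type }
        }
        New-Object PSObject -Property @{
            Time      = $e.Time
            Actor     = "$($e.Data['SubjectDomainName'])\$($e.Data['SubjectUserName'])"
            Action    = $action
            SourceIp  = $sourceIp
            LogonType = $typeName
        }
    }
}

# Constructed sample: an RDP logon as 'backup' from 203.0.113.45 (a documentation
# address) at 02:13, followed in the same session by creating 'support$' and adding
# it to Administrators. Host name TS01 is made up.
$SampleEvents = @(
    (New-Object PSObject -Property @{ Id = 4624; Time = [datetime]'2013-03-02 02:13:07'; Data = @{
        TargetUserName = 'backup'; TargetLogonId = '0x3a9c21'; LogonType = '10';
        IpAddress = '203.0.113.45'; WorkstationName = 'WIN-K2' } }),
    (New-Object PSObject -Property @{ Id = 4720; Time = [datetime]'2013-03-02 02:13:40'; Data = @{
        SubjectDomainName = 'TS01'; SubjectUserName = 'backup'; SubjectLogonId = '0x3a9c21';
        TargetUserName = 'support$' } }),
    (New-Object PSObject -Property @{ Id = 4732; Time = [datetime]'2013-03-02 02:13:41'; Data = @{
        SubjectDomainName = 'TS01'; SubjectUserName = 'backup'; SubjectLogonId = '0x3a9c21';
        MemberSid = 'S-1-5-21-1111111111-2222222222-3333333333-1010'; TargetUserName = 'Administrators' } })
)

Find-AccountCreationSource -Events $SampleEvents |
    Format-Table Time, Actor, Action, SourceIp, LogonType -AutoSize

# On the real server, replace the sample with the last two weeks of the Security log:
#   $real = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4720,4732;
#               StartTime=(Get-Date).AddDays(-14) } | ConvertTo-EventRecord
#   Find-AccountCreationSource -Events $real | Sort-Object Time | Format-Table -AutoSize
```

How to read the result: a logon type of 10 means someone is signing in over RDP with a valid password for the Actor account, so the account has to be disabled or its password changed and RDP exposure cut down, not just the new admin deleted. A logon type of 4 or 5 means a scheduled task or service on the box itself is re-creating the account, which is where to look next (schtasks /query /v, the service list, Run keys, WMI event subscriptions). No matching 4624 at all usually just means the logon predates the log window or auditing was only switched on after the fact.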