Hello all,

Just as the title states, I woke up this MORNING to find my servers computer logged off, and there was a SECOND adminitstrator account there named "cooldude" that was password protected.
After much turmoil trying to figure out how to delete it, since the traditional "remove user" method in control panel didnt work, I used the command line: Code: [Select]net user cooldude /delete
And it worked, but they will probably be back tonight.

I checked my ftp logs and no one entered through there.

I wrote a program that they might have stolen also.

How do I stop this from happening?


specs:
OS: WinXP 64-bit sp2
Server type: Xampp (apache)
Kinds of servers run on this PC: srcds.exe, filezilla, apache, mysql

I will gladly supply more information, please help me.Turn off your system when you go to bed.What part of apache server is not clear?have you scanned for malware/viruses on the server? Only way to add a user to PC that I know of would be if they had managed to get a backdoor remote console or something installed.Well I run symantec corporate edition and it scans every day, found nothing.

I am assuming they might have used a console command to add the account versus having remote desktop capabilities.what are you using for a firewall?


are we referring to the administrator account of the computer itself or apache? And which console do you mean? some sort of remotely accessible console ability via with apache?I am referring to the desktop users, the ones you login to windows with. There was a second Administrator account.

As far as the console, I was just making a STIPULATION as how I might have been done. I truly have no idea how this could have been done.1) Quote from: Spoiler on December 04, 2009, 10:12:34 AM

what are you using for a firewall?

1) What firewall are you using?
2) What ports do you have open on said firewall? I'm assuming 21 for FTP--don't open any other ports unless you need them. Even then, expect Port 21 to be pounded like a Las Vegas escort after meeting a lottery winner...


3) Do you have any remote services enabled? (i.e.: Remote Desktop Connection, NetMeeting, etc.)

4) Are you using any simple password for admin account? Anything less than 6 or so characters that does NOT vary between three of the following: uppercase letters, lowercase letters, numbers, and symbols is going to get cracked by dictionary or Brute Force.

5) Scan with Malwarebytes' Anti-Malware in addition to Symantec.

6) Enable logging of your Windows accounts:

Start -> Run -> gpedit.msc.

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies.

Change the following to "Enabled":
- Audit Account Logon Events (Success and Failure)
- Audit Logon Events (Success and Failure)
- Audit Privilege Use (Success and Failure) (useful for when some schmuck decides to make themselves admin and lock out the real admin)

Check dem security logs in the Event Viewer from now on after doing this.

...and most importantly...

7) For ANY security breach, RENAME your ADMIN account and CHANGE YOUR PASSWORD!!! Otherwise, you're just asking to be hacked again...