<flame on> I am amazed that there are people who spend their time looking around the Internet for malicious things to do. People like this need to spend their energies on more productive things! <flame off>

We just built a new Windows 2016 Datacenter serverthat will host an outward facing IIS application. The installation was pretty clean — no problems.

About two days after the server was completed, I was doing some work on it via a remote VMWare console).

I went to lunch leaving the console session connected (maybe a mistake) and when I returned, I had been logged off. I went to login again and none of the local users / passwords that I defined when building the system worked. It appeared (and it was true) that I was locked out of the system.

Uh Oh!

Task 1: Get Access To The System

Task 1 was to get access to the system.

I found a write-up on line about how to get access to a system if you are completely locked out. It requires that you boot from the original ISO that you used to build the system. Details are here. (If I ever meet you Kieran Lane, I owe you dinner!). This process allowed me to reset the Administrators password so I could login.

Task 2: Find Out What’s Going On

After I recovered access, I noticed two programs that had been installed on the desktop. The program icons were NLBrute and KPortScan3.

I found very little online about NLBrute but I did find one site written in Persian that I had to have Google translate.

Task 3: Lock It Down

After I got access, I went to the system configuration tool where I listed the user accounts. I noticed that there were three other user accounts that had been added. The user names were “gast”, “admin1” and “admin”.

Task 4: Find Out What Happened

Here is what I think happened:

1. The hacked system was an outward facing system in a DMZ. In our firewall configuration, the hacked system had an external address that was NATted to an internal address. As part of that definition, ports 80 and 443 (for IIS apps) were allowed to be NATted but so were ports 21 and a higher range of “ephemeral” ports required for passive FTP (good writeup here).
2. A port scan from the internet on the external address detected that port 3389 was open. The hacker used this address and the default user name of “Administrator” and hacked the password (which was pretty complex — or so I thought).
3. Once the hacker had access to the system, they:
   • Added additional users
   • Changed all the passwords of all the existing users including Administrator
   • Downloaded the NLBrute and KPortscan3 programs

Task 5: Fix It

We decided that the best fix was to wipe the entire system and re-build it. That way, we were sure that we would have a system that was clean. It caused a bit more work but it was, no doubt, worth it.

We removed all NATted ports except 80 and 443. This (hopefully) would prevent any other future attacks through the ephemeral ports.

The FIRST thing that I did after I rebuilt the system was to deactivate the Administrator user name that was part of the installation process. I defined a new administrator user with a different login name and a more complex password. (Hind sight: I should have done this – and will do this — for every Server 2016 system that I install from now on.

I also forced the system to require a CTL+ALT+DEL before it would display a login screen. I reasoned that this may be some help in discouraging bots from hacking the system.

We’re Back (Whew!)

We were lucky — real lucky — that I caught the hack almost immediately after it had taken place. We have a pretty restrictive set of firewall rules that allow limited access to systems inside our firewall so I hope I can be sure that no damage to our internal systems took place.

You never know what today will bring!