Hi guys. This is worrying me. I have a server/NAS I built running Windows 8.1 64-bit Professional; it is always on 24/7. Every few days I Remote Desktop to it to see if everything is running OK and check for updates etc. Tonight I connected to it and got a message that a user was connected and they were disconnected so I could connect. Once it established a connection, I saw a cmd window running with some IP-related commands running and a webpage open; a few seconds later I was disconnected again as the hacker connected back to the server. I once again connected (1 second later) to disconnect him (this happened 3 times). Then I connected, right-clicked My Computer, disabled Allow Remote Connections and enabled Remote Desktop with Network Level Authentication. After that, the hacker didn't connect back (not sure if that stopped him or he realised he got found out and quit). These options were originally unselected due to Microsoft support working on the server a few weeks back (updates weren't working).

This was really worrying. I was only using Microsoft Defender (for AV) and Windows Firewall (thinking I'd never need anything more). I checked the open webpage, it was some French site, and checked the history: the hacker had been using the internet browser for around 40 minutes, running a speed test, going to a website to figure out my IP address, going to VPNs and proxies and then eventually... porn? WTF. I think he was either French or Spanish judging by the sites he visited.

After this, I signed out of Chrome and did a system restore to a few days before to remove any registry changes he may have made. I then installed Private Firewall 7.0 and am currently running a virus scan (it runs automatically every night at 3am anyway). Should I be worried? Any ideas or help? Thanks guys
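The post describes a stranger holding an RDP session on an exposed Windows 8.1 host. Before restoring or rebuilding, a defender would want to know who logged in, from where, and how many password guesses preceded it; Windows records that in the Security log (event 4624 is a successful logon, 4625 a failed one, and logon type 10 is a Remote Desktop session). The script below is an added example, not something from the thread; it assumes it is run in an elevated PowerShell on the server itself, and the function name `Get-RdpLogonSummary` and the 7-day window are my own choices.

```powershell
# Added example (not from the thread): summarise Remote Desktop logons recorded in the
# Security log of a Windows 8.1 host. Run in an elevated PowerShell on the server.
# Assumption: default audit policy, which logs successful logons (4624) and, once
# failure auditing is on, failed logons (4625).

function Get-RdpLogonSummary {
    param(
        [int]$Days = 7   # how far back to look (assumed default)
    )
    $since = (Get-Date).AddDays(-$Days)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = $since
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # LogonType 10 = RemoteInteractive, i.e. an RDP session.
        # (With NLA enabled, failed attempts are often logged as type 3 instead,
        # so widen this filter if you only see successes.)
        if ($data['LogonType'] -ne '10') { continue }

        $result = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Result   = $result
            User     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SourceIp = $data['IpAddress']
        }
    }

    # One line per source address: total attempts, failures, and the accounts tried.
    $rows | Group-Object SourceIp | Sort-Object Count -Descending | ForEach-Object {
        $failures = @($_.Group | Where-Object Result -eq 'Failure').Count
        [pscustomobject]@{
            SourceIp = $_.Name
            Attempts = $_.Count
            Failures = $failures
            Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
        }
    }
}

Get-RdpLogonSummary -Days 7 | Format-Table -AutoSize
```

A source address with many failures followed by one success against the same account is the usual signature of a password-guessing break-in on exposed RDP, and the account shown is the one whose password needs changing first. Failed-logon auditing is not on by default on a workstation edition; if the Failures column is always zero, enable it with `auditpol /set /subcategory:"Logon" /failure:enable` and re-check after a day.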
Have you got 3389 external mapped to your internal server? If so is it locked down to a range of ip addresses or anyone on your router? And change your password
I literally have no idea what that means. I'm not totally clued up with networks. I have my router set to MAC address filtering & I have a limited IP range (the exact amount of devices in my network). Other than that, I have done nothing else. Could you talk me through what you mean please? Thanks
Just changed the password for the server and deleted the Port Forwarding rule I had in place for port 3389 from the router. Is that what you meant?
That will stop the remote access Gurdeep, not only for the hacker but also for you. If I was you I would do the following...

1. Change the default port used for RDP. Use an obscure port like 50578. http://support2.microsoft.com/kb/306759 When you connect via Remote Desktop you will need to format the address like this: 85.67.123.16:50578
2. Make sure you do not use the default "Administrator" account. I would disable this and create a new admin account using a name that's hard to guess.
3. Contact your ISP and see if you can get a new static IP address. They should be able to help you with this.

Good luck
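The linked KB article changes the listening port by hand in the registry; the same steps, plus the firewall rule that has to accompany them (without it the server stops answering on the new port after the restart), can be done from an elevated PowerShell. This is an added example, not part of the thread or of any Microsoft article: the port 50578 is the one suggested above, while the account name `srvadmin` and the lockout values are assumptions to replace with your own.

```powershell
# Added example (not from the thread): harden RDP on a Windows 8.1 host.
# Run in an elevated PowerShell at the console, not over the RDP session you are
# about to change. Values below are assumptions; pick your own.
$NewPort   = 50578       # from the advice above
$AdminName = 'srvadmin'  # assumed replacement admin account name

# 1. Move RDP off 3389. PortNumber is the value the KB article edits by hand.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort

# The built-in "Remote Desktop" firewall rule only covers 3389, so allow the new port.
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $NewPort)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow

# Keep Network Level Authentication on: the client must authenticate before a
# session (and its desktop) is created, which is the setting the OP turned on.
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1

# 2. New admin account with a non-obvious name; the '*' prompts for the password
#    instead of leaving it on the command line or in the history.
net user $AdminName * /add
net localgroup Administrators $AdminName /add
net user Administrator /active:no

# Slow down password guessing, which is how exposed RDP is normally broken into:
# lock an account for 30 minutes after 10 bad passwords within 30 minutes.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# The port change takes effect when the service restarts (a reboot also works).
Restart-Service TermService -Force
```

The port change only reduces how often automated scanners find the service; NLA, a long password and the lockout policy are what actually stop a login. Remember to update the router's port-forwarding rule to the new port as well, and to give the new account its own strong password before disabling Administrator, or you can lock yourself out.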
Thanks for the reply Pookie. I changed the port over on the server and turned the server/NAS off and on, and now I can't connect to the server. I added an exception in the router for the port and I tried connecting via RDP using 192.168.0.*:new port number, but that didn't work. I also tried doing the same with the external IP address, without luck. Any ideas? Anything obvious I am missing?
Done that and it now works again. Thanks Pookie. I also ran Microsoft Baseline Security Analyzer and made any necessary changes. Anything else you guys can suggest? Is it worth buying a dedicated firewall/VPN to put before the router (Netgear WNDR3700)?
I asked a similar question a while back as I was nervous about opening myself up during online gaming, and someone suggested using this site: https://www.grc.com/shieldsup Apologies to whoever it was as I can't remember. I haven't used it myself yet though, so have nothing to go by unfortunately.
Thanks for that site, it really helped show me which ports were vulnerable. Since then I have changed routers to a Netgear Nighthawk R7000. It seems to be much more secure, with ALL ports stealthed.
According to my new router logs (Netgear Nighthawk) I have been targeted for a lot of attacks. I am considering a RADIUS server, if it would help? Perhaps on a Raspberry Pi
Those are almost all internal IP addresses; you're not being targeted, and are not under active attack. The traffic the 'firewall' is (incorrectly, by the look of things) triggering on is coming from your internal network, not the internet. Assuming you've checked the hosts for malicious software, then you've nothing to fear: it's just yet another instance of a consumer-grade 'firewall' making a lot of noise about nothing to reassure you that your money wasn't wasted. I wouldn't advise this.
There are some foreign IP addresses.

[DoS attack: ACK Scan] attack packets in last 20 sec from ip [208.64.202.85], Thursday, Nov 27,2014 14:46:27
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [208.64.202.85], Thursday, Nov 27,2014 14:45:34
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.194.67.95], Friday, Nov 28,2014 17:45:00
[DoS attack: STORM] attack packets in last 20 sec from ip [141.134.78.191], Saturday, Nov 29,2014 19:32:17
[DoS attack: STORM] attack packets in last 20 sec from ip [141.134.78.191], Saturday, Nov 29,2014 19:31:56
[DoS attack: STORM] attack packets in last 20 sec from ip [81.233.177.223], Saturday, Nov 29,2014 19:31:22
[DoS attack: STORM] attack packets in last 20 sec from ip [81.155.202.10], Saturday, Nov 29,2014 19:28:18
[DoS attack: STORM] attack packets in last 20 sec from ip [94.2.235.209], Saturday, Nov 29,2014 19:23:21
[DoS attack: STORM] attack packets in last 20 sec from ip [94.2.235.209], Saturday, Nov 29,2014 19:22:58
[DoS attack: STORM] attack packets in last 20 sec from ip [151.228.57.252], Saturday, Nov 29,2014 19:20:36
That's why I said 'almost all.' I repeat: you are not being targeted, you are not under attack. What you're seeing is just a normal day on the internet. Stop poring over the 'firewall' logs; you will never see anything useful in there, I can guarantee it.
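The point made in the last two replies, that most of the "attack" entries come from the home network itself and the rest are ordinary background scanning, is easy to check mechanically rather than by eye: parse each line, pull out the source address, and split the entries into private (RFC 1918 and link-local) and public sources. The script below is an added example and not from the thread; the three log lines in it are constructed in the same format the router uses (with documentation and private addresses, not the ones posted above), and `Get-LogSourceSummary` and `Test-PrivateIPv4` are my own function names.

```powershell
# Added example (not from the thread): classify Netgear-style "DoS attack" log lines
# by whether the source address is internal (RFC 1918 / link-local) or external.
# The sample lines below are constructed for the example, not taken from the thread.
$SampleLog = @'
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [192.168.0.12], Thursday, Nov 27,2014 14:46:27
[DoS attack: STORM] attack packets in last 20 sec from ip [10.0.0.5], Saturday, Nov 29,2014 19:32:17
[DoS attack: STORM] attack packets in last 20 sec from ip [10.0.0.5], Saturday, Nov 29,2014 19:31:56
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [203.0.113.7], Friday, Nov 28,2014 17:45:00
'@

function Test-PrivateIPv4 {
    # True for 10/8, 172.16/12, 192.168/16 (RFC 1918) and 169.254/16 (link-local).
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168) -or
    ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-LogSourceSummary {
    param([string[]]$Lines)
    # Named groups: the scan type, the bracketed source IP, and the timestamp.
    $pattern = '^\[DoS attack: (?<kind>[^\]]+)\].*from ip \[(?<ip>[\d.]+)\], (?<when>.+)$'

    $entries = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $scope = if (Test-PrivateIPv4 $Matches.ip) { 'internal' } else { 'external' }
            [pscustomobject]@{
                Kind   = $Matches.kind
                Source = $Matches.ip
                Scope  = $scope
                When   = $Matches.when
            }
        }
    }

    # One summary row per scope: how many entries, from which addresses, of which kinds.
    $entries | Group-Object Scope | ForEach-Object {
        [pscustomobject]@{
            Scope   = $_.Name
            Entries = $_.Count
            Sources = ($_.Group.Source | Sort-Object -Unique) -join ', '
            Kinds   = ($_.Group.Kind   | Sort-Object -Unique) -join ', '
        }
    }
}

# Feed it the sample; to run it on a real export, use: Get-Content .\router.log
Get-LogSourceSummary ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the constructed sample this yields one `internal` row (three entries from 192.168.0.12 and 10.0.0.5) and one `external` row (a single FIN scan). Entries in the internal row are the router flagging its own LAN traffic and tell you nothing about outside attackers; a scattering of single external hits is ordinary internet background noise. What would be worth attention is a public source that appears repeatedly against a port you actually forward, which this grouping makes visible and a raw log listing does not.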