I am running Server 2003 at a datacenter. I use Remote Desktop to access the machine.
Last week I noticed there were a few ‘new’ users in the Computer Management screen. I deleted the uninvited users (both of which had admin rights). Then yesterday I noticed one of the accounts had been re-created, with the name “admin”.
I don’t think the exploiter is actually getting into the system, as absolutely NOTHING seems to have been added during the time period. I have verified that all running processes are legit and doing exactly what I expect them to do.
The question is this: How is someone remotely adding a user to this machine?
The machine is fully patched with all Windows updates, and most of the services have been turned off (there are only about 10 left running, in fact).
Is anyone familiar with this line of attack, or what needs to be done to thwart it?
Danny