Security and Cryptography
June 25th, 2011, 06:35 AM
petehayes
Urgent: Windows Server 2003 - Determine last logged in IP of user

G'day,

I have a very urgent issue. I've just started a new job as a software engineer with a charity in the UK, and have found that someone (a hacker) has created a user for themselves and executed a password cracker, uBrute, on one of our Windows 2003 servers. I've killed the process and crippled the user but I am very concerned.

All of our external traffic goes through a pretty beefy Cisco firewall, but they have a MASSIVE gaping hole in the form of a Win Server 2003 Remote Desktop server which sits OUTSIDE of the Cisco. I know...madness. Anyway, I'm pretty sure that's how they're getting in, though the rules on the Cisco were configured by someone who is less than an expert on firewall rules!!

I'd like to track down the user's IP so that I can put a new rule in the firewall to reject that subnet, as well as move the remote desktop server behind the firewall. Does anyone know how to view the last logged in IP for a particular user? Is this even possible?

I don't know anything about Windows security as I'm a Unix man...and not a security analyst!! I'd really REALLY appreciate your help, as would our donors.

Thanks!

June 29th, 2011, 02:39 PM
AstroTux
Hi,

Trawl the logs for anything pertaining to remote Windows log-ins. It's been a while since I did anything like that; it may not be logged at all by default (I'm not up to speed on a default Win2k3 install as I lock it down from the start).

You did the right thing moving the server inside the firewall; I guess whoever put it outside knows nothing about port forwarding.

I wouldn't worry too much about trying to block the hacking IP - chances are it is not real anyway, and the attacker will just try from another address.

Lock down the firewall so that only those services required can transit, and ensure everything that isn't required on the servers is stopped. If you aren't into Windows you will have to find out which services are critical to Windows operation before you can disable the rest. I disable services that look important but aren't. It can stop attacks succeeding.

As for the compromised system, I'd start over with that one if possible. You don't know what else is on there, and whilst it is great to spend a week reverse-engineering an attack, it often isn't worth the time to do it as you likely can't stop it happening again if a service you need is exploited.

Consider use of VPNs too if security is a big concern, that way services such as RDP can be blocked from outside unless connected via VPN to the network first. Performance is not an issue.

Best regards,
AstroTux.

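AstroTux's "trawl the logs" step, as an added example that is not part of either post: this Python script parses a comma-separated export of the Server 2003 Security log and reports, for one account, the most recent Terminal Services (RDP) logon and every source address that has opened such a session. The sample records are constructed; the event IDs (528 and 540) and logon type 10 are the Server 2003 values, and nothing appears in the log at all unless auditing of logon events is enabled on that server.

```python
import re
from datetime import datetime

# Constructed sample, loosely modelled on a comma-separated export of the Windows
# Server 2003 Security log. Columns: date, time, source, type, category, event id,
# user, computer, description. Event 528 = successful logon, 540 = successful
# network logon; Logon Type 10 = RemoteInteractive (Terminal Services / RDP).
SAMPLE_LOG = """\
6/25/2011,03:44:57,Security,Success Audit,Logon/Logoff,528,SYSTEM,RDPSRV,Successful Logon: User Name: backupsvc Domain: RDPSRV Logon ID: (0x0,0x2D9A3) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: RDPSRV Source Network Address: 198.51.100.77 Source Port: 50211
6/25/2011,01:03:09,Security,Success Audit,Logon/Logoff,540,SYSTEM,RDPSRV,Successful Network Logon: User Name: petehayes Domain: CHARITY Logon ID: (0x0,0x2C010) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Source Network Address: 192.0.2.10 Source Port: 0
6/24/2011,23:12:41,Security,Success Audit,Logon/Logoff,528,SYSTEM,RDPSRV,Successful Logon: User Name: backupsvc Domain: RDPSRV Logon ID: (0x0,0x2B7F1) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: RDPSRV Source Network Address: 203.0.113.45 Source Port: 51822
6/24/2011,22:58:03,Security,Success Audit,Logon/Logoff,528,SYSTEM,RDPSRV,Successful Logon: User Name: backupsvc Domain: RDPSRV Logon ID: (0x0,0x2B001) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: RDPSRV Source Network Address: - Source Port: -
"""

LOGON_EVENTS = {"528", "540"}   # successful logon / successful network logon (Server 2003)
RDP_LOGON_TYPE = "10"           # RemoteInteractive, i.e. a Terminal Services session
DESC_RE = re.compile(
    r"User Name:\s*(?P<user>\S+).*?Logon Type:\s*(?P<ltype>\d+)"
    r".*?Source Network Address:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|-)")

def parse_logons(text):
    """Return successful-logon records, oldest first, skipping anything unparsable."""
    records = []
    for line in text.splitlines():
        cols = line.split(",", 8)   # description is the 9th field and may itself contain commas
        if len(cols) < 9 or cols[5] not in LOGON_EVENTS:
            continue
        m = DESC_RE.search(cols[8])
        if not m:
            continue
        when = datetime.strptime(f"{cols[0]} {cols[1]}", "%m/%d/%Y %H:%M:%S")
        records.append({"when": when, "user": m["user"].lower(), "type": m["ltype"], "ip": m["ip"]})
    return sorted(records, key=lambda r: r["when"])   # export order is newest-first, so sort

def _rdp_logons(text, user):
    """RDP logons for `user` that carry a usable source address ('-' means none recorded)."""
    return [r for r in parse_logons(text)
            if r["user"] == user.lower() and r["type"] == RDP_LOGON_TYPE and r["ip"] != "-"]

def last_remote_logon(text, user):
    """Most recent RDP logon for `user` as (timestamp, source IP), or None if there is none."""
    hits = _rdp_logons(text, user)
    return (hits[-1]["when"].isoformat(sep=" "), hits[-1]["ip"]) if hits else None

def remote_sources(text, user):
    """Every distinct address that has opened an RDP session as `user`, for a firewall review."""
    return sorted({r["ip"] for r in _rdp_logons(text, user)})

if __name__ == "__main__":
    print(last_remote_logon(SAMPLE_LOG, "backupsvc"))   # ('2011-06-25 03:44:57', '198.51.100.77')
    print(remote_sources(SAMPLE_LOG, "backupsvc"))
```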