Here's a detailed breakdown of the attack. http://blog.emsisoft.com/2012/04/11/...ndows-servers/

Saved and Texan by the Grace of God, Redneck by choice.

Is this English?

Of course it is. Just remember, If we index the card, we can get to the EXE monitor through the haptic COM capacitor.

This doesn't appear to be new or innovative or really 2003 specific.

The "attacker" is just scoping for any servers with an open RDP port. Once found, it'll run a brute force attack on a preset list of usernames hoping it gets lucky.

1) it appears to be local user accounts only unless i missed something
2) if it does attempt to scope domain accounts, simple blocks are (and already should be):
- rename their administrator account and put a dummy account in its place
- require strong passwords/lockouts via group policy

Other than that, which is something thats been going on everyday and night for 10+ years anyway, the payload is nothing more than a script kiddie package.

Disable autorun from all drives, perform backups of data on the server and run a good spam/malware front and backend. Anyone not doing any of the above deserves to get their digital ass handed to them.

If someone RDP's into your server with the administrator password, a delete and encryption script is the least of your worries.

I posted in the BP as a heads up if anyone is in this type of admin role and because I had buddy contact me about trying to remedy one of these, but I'd not heard of it when he asked.

After a lil research, I was/am flabbergasted that 1 a server was left so open like this, and 2 that someone is successfully extorting money and reeking havoc on small businesses like this.

Saved and Texan by the Grace of God, Redneck by choice.

What version of Linux does this apply too? /Abecx

Heh

Saved and Texan by the Grace of God, Redneck by choice.

No 1. any server admin/infrastructure worth a damn would not have rdp publicly accessible.

Even small businesses can avoid this very easily.