Marian Dan

  • Content Count

  • Joined

  • Last visited

Community Reputation

0 Neutral

About Marian Dan

  • Rank
    New Member
  1. Hi and good morning, all the ports ware closed for the RDP right away.... admin passwords have been changed…. parsed the accounts and found a suspect one and disable it... the FRST log is attached in the post... i'm working on some contingency for tomorrow....
  2. I know that defeats the purpose but to try to contact them?
  3. so there are no tools to help me.... ? i'm running scans on all of them....
  4. I think it started from the terminal server.... not all of them got infected..... shadow copies got deleted.... the xml files from the backups are also infected.... it is on a NAS box
  5. at around 11:00PM I've got alarms from the firewall that rdp is attacked.... firewall dropped the connections at once..... I waited for 30 minutes or so to see if it repeats... now the existing connection will still be up until the client logoff. looking in the logs everybody was off by midnight... rdp ports are still blocked... passwords in the environment are randomly generated.... the only thing that is crossing my mind is an attachment that the bitdefender did not catch
  6. the domain controller got infected.... i'm attaching scan files and reference of the ransom demand.... I tried to upload an encrypted file but it was rejected. Please help. Thanks FRST.txt FSMMSILog.txt.Contact_Data_Recovery.txt scan_190727-131017.txt Addition.txt