Finding how a server was accessed [HACKED] RRS feed

  • Question

  • Hi Guys,

    I've just discovered one of our hyperv host servers (SERVER 2016 Std) has been compromised.

    I'm trying to establish how they got on.

    The terminal services remote connection log shows the following:

    Remote Desktop Services: User authentication succeeded:

    User: Locked

    Domain: <Server Name>

    Source Network Address:

    Security logs show that the "Locked" account was created 19/05/2019 at 22:54:11

    However, when I create a user you'll see the account name and account domain are different.

    Theres no way anyone physically accessed this.

    They installed something called NSSM and OpenSSH from Github and used it to make sure ssh.exe was always running with this command:

    Started C:\Program Files\OpenSSH-Win64\ssh.exe -p 2222 -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -fN -R privport@ for service System Update in C:\Program Files\OpenSSH-Win64.

    Does anyone know what the above is doing?

    They also installed a Debian Cent OS virtual machine and had that running. But, i'm unable to log in to this. Malwarebytes nor ESET picked up anything malicious so I dont think this was a ransomware attack. I've since put measures in place and removed SSH and NSSM.

    Any help would be appreciated in finding out how they got on.

    Thursday, May 23, 2019 1:19 PM

All replies

  • Hi,

    This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

    If you have any updates during this process, please feel free to let me know.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, May 31, 2019 8:12 AM