menulogo
Hostingexpand_more
Solutionsexpand_more
Resourcesexpand_more
Data Center
Affiliate
Contact Usexpand_more
VPS HostingVPS HostingResources isolated, For websites and applicationsDedicated ServerDedicated ServerDedicated resources, Optimal performance, Bare metalGPU ServerGPU ServerUsed in deep learning, Android emulator, Gaming, etcCloud hostingCloud hostingWebsite data is distributed in the cloudWeb HostingWeb HostingStore and maintain files. Put website onlineDomain RegistrationDomain RegistrationChoose from .com, .name, .net, .org, .biz, .us and .infoSSL CertificateSSL CertificateSecure transmitted data over the internet
RDP ServerRDP ServerRemote Desktop Connection on WindowsVPN ServerVPN ServerSecure connection, protect your network trafficHA DatabaseHA DatabaseIncrease the service availability and data safetyNetwork Load BalancingNetwork Load BalancingDistributed algorithm to balance network trafficForex VPSForex VPSRun multiple trading terminals and platformsDatabase HostingDatabase HostingSQL, NoSQL, and NewSQL database server hostingKubernetes HostingKubernetes HostingFully Managed Kubernetes Clusters
BlogBlogLearn everything about server industryKnowledgeBaseKnowledgeBaseKnowledge Base articles on server operationsFAQsFAQsSummary of frequently asked questions
Live ChatLive ChatStart an instant online chat with our support teamTicketTicketSubmit us tickets for technical assistanceEmailEmailSend us emails for technical assistance

How to Check if a Windows Server Has Been Hacked

Introduction

This article introduces the steps on how to troubleshoot if the Windows server has been hacked.

1 Check for hidden users or abnormal users.

2 Check abnormal processes.

3 Check Windows system directories.

4 Check for abnormal firewall rules.

5 Check for abnormal tasks in task scheduler.

6 Scan all drives through Windows Defender.

1 Check for hidden users or abnormal users

Open Computer Management -> Local Users and Groups. Check the name of the user/user group. If the name contains a special symbol, such as $ or gibberish, it indicates that the user/user group is hidden and vulnerable to hacking.

If there are abnormal users or groups, please delete them.

Log in to Linux servers

2 Check abnormal processes

2.1 Check processes with high CPU and memory usage

Abnormal processes may cause high CPU or memory usage. The Xmrig.exe process, as the screenshot shows, might be uploaded by a hacker.

Check processes with high CPU and memory usage
Check processes with high CPU and memory usage
2.2 Check processes with suspicious publishers

Right-click on the top menu to find out the name of the application publisher as highlighted below. Notice any suspicious processes and carry out further investigations. The following shows how to enable the menu of Type, Status, Publisher, PID, and so on.

Check processes with high CPU and memory usage
2.3 Check processes with abnormal connections

Open the command prompt on your PC and type “netstat -ano” to check all connections. If there are many connections from the same PID, please enter command tasklist |findstr “pid” to check the related services that use the PID.

Check processes with abnormal connections
Check processes with abnormal connections
2.4 End abnormal processes

If you identify a malicious process, right-click on the process name and click “End Process Tree”. Choose “Open file location” to delete the abnormal files. This disconnects your server from the suspicious connections and all its dependencies. The following shows how to end a process.

End abnormal processes

3 Check Windows system directories

Check the system directories in Windows such as “C:Windows” and “C:WindowsSystem32”. If there are abnormal scripts or executable files in your server as the screenshot shows, your server probably has been hacked.

Check the system directories in Windows

4 Check firewall rules

Check whether there are garbled firewall rules or strange ports opened. If there are abnormal firewall rules, please delete them. An example of abnormal firewall rules is shown below.

Check firewall rules

5 Check tasks in Task Scheduler

Go to the start menu, enter "task scheduler" and open it. Check if there are abnormal tasks listed in the library. If there are abnormal tasks, please disable and delete them. The following shows how to disable and delete a task.

Check tasks in Task Scheduler

6 Scan all drives through Windows Defender

If the server is based on Windows Server 2016/2019, clients can use Windows Defender to scan the server. If the server is based on Windows Server 2008/2012 R2, please refer to the link https://portal.databasemart.com/kb/a532/install-microsoft-security-essentials-on-windows-server-2012-r2-x64.aspx to install Microsoft Security Essentials. Other security software is available too.

Click Clean up if any suspicious files are found after scanning.

Scan all drives through Windows Defender

7 YouTube Tutorials on How to Protect Your Servers

How to install Windows Defender to protect your server from virus threats

Bulletproof your Linux server: 5 essential tips for rock-solid security

Linux security | How to know if your Linux server is hacked in 3 minutes

6 steps help check & secure your Windows system | Windows security