First of all, I am fairly knowledgable in windows - but I am new to WHS and remote login, etc....
The Background
So I am running a WHS 2011 box on some basic hardware for music and video streaming in the house. I never log into the server unless I need to add more music or videos (which is rare). The other day I decided that I want to host a Terraria server (game) so my friend and I can play on the same map and I don't have to leave my main computer on. To do this, I must remain logged in (I think) so that the server application can run. It took a little time to get it to where he can connect to it by forwarding ports on my router and in the windows firewall. I eventually got it working without using DMZ and with only forwarding the one port (6666).
The Problem
So I woke up 2 days ago and my internet was just bogged down. I rebooted my router and it was working great for a few minutes and started running slow again. So I logged into my server... or attempted to and found that my password didn't work anymore. I immediately knew that my server got hacked and I flipped the power switch on the PSU off. I booted back up and tried my backup user account and it also had a new password. So I used my trusty password reset tool and deleted all of the passwords. I logged in and everything looked normal. Nothing new on the desktop and it ran great. So I put a new password on and went on with my day. Nothing was wrong anymore and my internet was fast again.
Hoping that this was a one time event was a bad idea. I woke up this morning and my internet again was bogged down. I checked my remote desktop and of course the passwords did not work. I reset the passwords again and logged in, but this time I had stuff all over my desktop. I had 4 folders named Nmap, inmap, DUBRUTE and another I can't recall. I also had 2 text files - one said "Results" and the other said "IPs" both contained a GIANT list of IP addresses. I checked my badwidth usage for my ISP and I apparently used 28GB of data last night... scanning IPs.....
I went into event viewer to see what was going on with login attempts and there were hundreds. Failures and successes. There were 2 main IP addresses that I took a picture of (95.173.185.224 - Turkey) and (113.227.254.82 - Bejing, China). They used a variety of user names to try and log in.
I was fed up and decided to shut down my server. Once I did my internet started having problems and then went out completely. I tried to log into my router but it said it couldn't. I checked my router and it was off. I unplugged it and plugged it back in - still no power. I held the reset button down for 30seconds, then unplugged it while still hodling the button, waited 30 seconds, then plugged in the power and still holding the reset button for another 30 seconds. Once I released, still no power. Did the hacker nuke my router too?!
The Questions
1. How do I secure my WHS so that this does not happen again, but I can keep my game server running?
2. Is my router toast?
3. Should I be concerned with what happened on my server being illegal?
4. Should I report this to anyone or is it worth my trouble?
Thanks!
Jake