Solved

Hacked!! help please

Posted on 2006-03-23
Last Modified: 2010-04-11
I should know better, but here is what happened.  I have an office with about 20 computers on it, which is behind a firewall.  I point the port for remote desktop to my machine so I can access from home or wherever.  When I came in this morning my machine was locked by the administrator account of the local machine (not the domain).  I had not accessed it so my first thought was someone in the office tried to log into my computer and could not get in.  When I unlocked it with the Admin password for the local machine there was a program running called "Advanced Mass Sender" and apparently it had sent about 10000 emails with the account name "service@paypal.com".

I am almost positive whoever this was came in thru Remote Desktop.  My password is a word in the dictionary and has no numbers or anything with it. I have now changed my password for the local machine.

My questions are:
Is there a place in XP Pro where I can see who logged into my machine thru Remote Desktop?
Do you think this is what happened?
How do people do this?  I assume they just scan ports until they find one running RDP then have some kind of password checker?
I thought Windows XP Remote Desktop would only allow 3 tries at login then logout.  How would someone check thru that many passwords?

I am by no means a computer expert, but I do build my own machines for the office and take care of all the domain stuff.  I am going to switch from Win 2K server to 2003 Server for our office this weekend and was thinking about changing the password policy to allow less than six characters and no numbers.  I think I will leave that policy alone now.

thanks
derek

Question by:dmctighe
18 Comments
 
LVL 19

Assisted Solution

by:CoccoBill
CoccoBill earned 200 total points
ID: 16269274
> Is there a place in XP Pro where I can see who logged into my machine thru Remote Desktop?

Security event logs, provided that you had it enabled.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q308427

> Do you think this is what happened?

Impossible to say without further information, check the event logs.

> How do people do this?  I assume they just scan ports until they find one running RDP then have somekind of password checker?
> I thought Windows XP Remote Desktop would only allow 3 tries at login then logout.  How would someone check thru that many passwords?

That's one possibility, or the machine has an open service that has a vulnerability they used to gain access. Do you have all latest hotfixes installed, are you running a firewall and antivirus?

> was thinking about changing the password policy to allow less than six character and no numbers,  I think I will leave that policy alone now.

Good idea. I recommend you enforce at least 8 characters and password complexity.
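
As an added example (not posted in the thread), here is a small Python script that does the two things the question and CoccoBill's answer point at: list who logged in through Remote Desktop, and spot a password-guessing run against it. It assumes the pre-Vista Security log event IDs (528 successful logon, 529 bad user name or password) and logon type 10 (RemoteInteractive, which is what Terminal Services / Remote Desktop records). The tab-separated layout of `make_sample_log()` is invented for the example; a real Event Viewer export has to be massaged into that shape first. Note that Remote Desktop's limit on tries per session only closes the session; unless an account lockout policy is set, the client simply reconnects, which is why a log full of 529 events followed by one 528 is the pattern worth looking for.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-Vista Security log event IDs and the logon type Remote Desktop uses.
LOGON_OK = 528        # successful logon
LOGON_BAD_PW = 529    # logon failure: unknown user name or bad password
RDP_LOGON_TYPE = 10   # RemoteInteractive (Terminal Services / Remote Desktop)


def make_sample_log():
    """Constructed sample in an invented tab-separated layout:
    date time, event id, user, logon type, source network address."""
    lines = []
    start = datetime(2006, 3, 22, 23, 41, 2)
    # twelve bad-password attempts, one every 30 seconds, from one address
    for i in range(12):
        when = start + timedelta(seconds=30 * i)
        lines.append(f"{when:%Y-%m-%d %H:%M:%S}\t529\tAdministrator\t10\t203.0.113.45")
    # ...then a successful Remote Desktop logon from the same address
    lines.append("2006-03-22 23:48:17\t528\tAdministrator\t10\t203.0.113.45")
    # unrelated console activity (logon type 2), including one mistyped password
    lines.append("2006-03-22 12:10:00\t529\tderek\t2\t-")
    lines.append("2006-03-23 08:02:40\t528\tderek\t2\t-")
    return "\n".join(lines)


def parse_events(text):
    """Turn the export into dicts, sorted by time (exports are not always ordered)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, user, logon_type, source = line.split("\t")
        events.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "user": user,
            "logon_type": int(logon_type),
            "source": source,
        })
    return sorted(events, key=lambda e: e["time"])


def rdp_logons(events):
    """Who logged in through Remote Desktop: successful logons of type 10."""
    return [e for e in events
            if e["id"] == LOGON_OK and e["logon_type"] == RDP_LOGON_TYPE]


def password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag any source that produced `threshold` or more bad-password events
    inside `window`, and record whether a successful logon from that source
    came afterwards (guessing that ended in a break-in)."""
    failures = defaultdict(list)
    for e in events:                      # events are already time-ordered
        if e["id"] == LOGON_BAD_PW:
            failures[e["source"]].append(e["time"])

    findings = []
    for source, times in failures.items():
        start = 0
        for end in range(len(times)):     # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                later_success = any(
                    e["id"] == LOGON_OK and e["source"] == source
                    and e["time"] > times[end]
                    for e in events)
                findings.append({"source": source, "failures": len(times),
                                 "first": times[0], "last": times[-1],
                                 "later_success": later_success})
                break                     # one finding per source is enough
    return findings


if __name__ == "__main__":
    evs = parse_events(make_sample_log())
    for e in rdp_logons(evs):
        print(f"RDP logon: {e['user']} from {e['source']} at {e['time']}")
    for f in password_guessing(evs):
        print(f"{f['failures']} bad passwords from {f['source']} "
              f"between {f['first']} and {f['last']}; "
              f"followed by a successful logon: {f['later_success']}")
```

On the sample data this reports one Remote Desktop logon for Administrator from 203.0.113.45 and one guessing run of twelve failures from that address ending in a success; the single mistyped console password is below the threshold and is ignored. The source address column is the one to carry over to the firewall log, since that is where the thread's later answers say the connection should also have been recorded.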
LVL 2

Assisted Solution

by:zyclonix
zyclonix earned 200 total points
ID: 16269641
There's no way to tell you what happened, check the event logs, firewall logs, etc.

As for how you got it:
- a vulnerability in windows over your remote access port (possible)
- a virus or trojan from another machine in your network (more probable). Check ALL your machines, it's quite possible they are all similarly infected. DO NOT ASSUME THIS IS THE ONLY HACKED MACHINE
- A targeted attack by an internal party, ie an inside job. (unlikely)

The machine is totally suspect now, I would wipe it completely and rebuild it. If that's not possible run a virus checker, spybot search & destroy, adaware, and hijack this.

In the future set your firewall to ONLY allow remote desktop from the IP address of your home DSL router/cable modem. If you don't have a static IP then ask your ISP for one.

-Make sure to install all windows security patches.
-Check all your machines top to bottom.
-Have virus checking on all machines
-Force all users to change their passwords IMMEDIATELY
-Many people still have a guest account, eliminate all guest accounts
-Never, ever, ever base your password off of a dictionary word.

LVL 6

Expert Comment

by:ian_chard
ID: 16270706
There is a long shot. Check the system events on your machine, and look for events named Print. If they have a printer connected to their machine the chances are it will attempt to install on to your machine, so you should get an event that looks like this:

Event Type:      Information
Event Source:      Print
Event Category:      None
Event ID:      2
Date:            22/03/2006
Time:            14:39:24
User:            SYSTEM
Computer:      <YOUR_MACHINENAME>
Description:
Printer HP LaserJet 1100 (MS) (from %REMOTE_MACHINENAME%) in session 3 was created.

Or you'll get a TermServDevices error if the printer can't be installed. It's a real, real long shot though.

Author Comment

by:dmctighe
ID: 16270736
I did not have the security logging enabled, but it is now.  Is there a way to tell the IP address of the machine logging into my machine?

I do have virus and firewall and all the latest patches and updates installed.

The reason I think it is from RDP is because the machine was locked like when I access it.

thanks again
derek
Author Comment

by:dmctighe
ID: 16270895
No such luck with the printer.  I did check the Mass mail program though and found something kind of interesting.  It seems he had 2 text files each with about 20000 email addresses that the program used.  He had a third with one email in it that he called test.  What are the odds that this was his email that he used to see if it was working before he sent the rest?

thanks again
derek
Author Comment

by:dmctighe
ID: 16271294
On a different note, what is the best(easiest) way in 2000 server to have all the users have to change password at the next login.  I have always done them individually thru Active Directory Users and Computers.

thanks
derek
LVL 3

Accepted Solution

by:zgrp
zgrp earned 400 total points
ID: 16274324
Hello,

- Windows Remote Desktop doesn't have a bad history of vulnerabilities, just a DoS, so an exploit itself probably isn't your case.

Brute force is the best choice to attack Remote Desktop; there are programs in the wild that do it, using resources that Microsoft itself provides to create utilities able to interact with Terminal Services / Remote Desktop.

Some interesting questions are:

1 - Is your firewall ONLY forwarding connections to your machine on the Remote Desktop/Terminal Services port (port 3389 TCP)?

2 - Did you check your firewall log? What did you find? What were the forwarded connections from last night until you arrived at the office? What connections, and from where, were forwarded to the Remote Desktop machine?

3 - Did you take a copy of the "Advanced Mass Sender" and all its dependencies? It may help you to find information on the destination of the attacker/spammer. ;)

4 - Contact Paypal via the link http://www.paypal.com/cgi-bin/webscr?cmd=_contact-general and explain what happened. It will in any case help them to analyze your spam and try to protect users, and maybe help you.

Just as a note, making your users (and even your machine) change passwords will not help much, since your network can be compromised, with a backdoor, etc.

An interesting point is that a normal spammer should not take the trouble to brute-force a Remote Desktop, since:

- It's very time consuming.

- It can never be broken, if the password is hard.

- Spammers tend to hack by common mass attacks, like using "mass attacker tools", "web flaws using Google to locate vulnerable sites", etc.

So my tip is:

- Whoever hacked your machine is someone that knows you or your company (ex-employee, competing company, employee), and maybe knows that you don't have a password policy, etc.

Anyway, I suggest you contract a company specialized in the security area, since it's not an easy job, and any error you make can compromise the full analysis, even making future forensic analysis impossible.

If you live in Brazil (and maybe outside), I suggest the following companies:

http://www.ipdi.com.br

http://www.intruders.com.br

Hope this help,

Cheers
LVL 32

Assisted Solution

by:r-k
r-k earned 400 total points
ID: 16277935
I think it's very likely that your password was "guessed" if it was a dictionary word.

In addition to what has been suggested already, I highly recommend running RootkitRevealer on any compromised or suspect machine:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

Save the log if it finds anything of interest, you may need it later.

In any case check all usernames on the machine(s). A common trick is to install a new user with a common sounding username for future breakins.

Also run MBSA:

 http://www.microsoft.com/technet/security/tools/mbsahome.mspx
LVL 2

Expert Comment

by:Peregian
ID: 16278114
Your router/firewall should be logging incoming connections; have you checked there, or just on the XP machine?
LVL 12

Expert Comment

by:Rant32
ID: 16288405
A bit too late, but here's a very interesting article on how to protect and encrypt inbound connections with SSL certificates. That means that only YOU or the owner of a certificate can set up a network connection. This works for all general TCP/IP communication. The example uses WinVNC, but works for Remote Desktop, POP3, etc.

http://www.securityfocus.com/infocus/1677

By the way: any network that is audited for security will automatically fail that audit, if it allows TCP/IP communication to any host on the LAN from the Internet, no matter the application protocol, period. Maybe that shouldn't be a concern on a 20-user network, but the message is that security should not rely on the application being used. If outside people can get to a logon screen (ie Remote Desktop) where they can enter a username and password, they've already come too far.
LVL 33

Assisted Solution

by:masnrock
masnrock earned 200 total points
ID: 16288711
Audit the network immediately.

> No such luck with the printer.  I did check the Mass mail program though and found
> something kind of interesting.  It seems he had 2 text files each with about 20000 email
> addressed that the program used.  He had a third with one email in it that he called test.
> What are the odds that this was his email that he used to see if it was working before he
> sent the rest?

Something you could look at, but something I would guess they're not stupid enough to do. Rather than use an email address of their own, I'd assume they'd use an email address that they've taken over. Are there any firewall logs that you could look at?

For future reference.... make an image of that machine so that you can preserve the integrity of the machine before you start to really poke around. Makes forensics work easier and you can play with the duplicates while not damaging the original.

There are many ways into a machine... for example, does your PC have a private or public IP? But also, how complex is your administrator password? Is there a lockout policy? Any other ports open on the firewall itself, etc.

Forensics isn't a simple thing.... plus you have people always covering their tracks, etc. So they might have used another machine they hacked to get into yours.

Never make for simple password policies.... that's a security hole begging for exploitation. Ideally, you want 8+ (10+ is better, but considering people's memories) characters with complexity AND not allow users to repeat passwords.
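
The password rules that come up repeatedly in this thread (8+ characters with complexity, nothing based on a dictionary word) can be checked before a password is ever set. The following Python is an added example, not something posted in the thread: it encodes the three rules behind the Windows 2000/XP/2003 "Password must meet complexity requirements" policy setting (no account name, no full-name token longer than two characters, three of four character classes, minimum length), raises the minimum to the 8 characters recommended above, and adds a dictionary check that also catches a word with digits or symbols bolted on. `DICTIONARY` is a constructed stand-in for a real word list, and the message strings are this example's own.

```python
import re
import string

# Constructed stand-in for a real word list (e.g. a dictionary file on disk).
DICTIONARY = {"password", "summer", "office", "letmein", "welcome"}

MIN_LENGTH = 8  # the thread recommends 8+; Windows' own complexity minimum is 6


def windows_complexity_failures(password, account_name, full_name="", min_length=6):
    """The rules behind the Windows 2000/XP/2003 'Password must meet
    complexity requirements' policy setting. Returns a list of failures."""
    failures = []
    pw = password.lower()
    if account_name and account_name.lower() in pw:
        failures.append("contains account name")
    # The full name is split on commas, periods, dashes, underscores, spaces,
    # pound signs and tabs; tokens of two characters or less are ignored.
    for token in re.split(r"[,.\-_ #\t]+", full_name):
        if len(token) > 2 and token.lower() in pw:
            failures.append("contains part of full name")
            break
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = [any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        failures.append("fewer than 3 of 4 character classes")
    return failures


def check_password(password, account_name, full_name="", dictionary=DICTIONARY):
    """Windows complexity rules plus the thread's own advice: a longer minimum
    and no password built on a dictionary word, even with digits or symbols
    appended ("Summer1!" still fails)."""
    failures = windows_complexity_failures(password, account_name, full_name,
                                           min_length=MIN_LENGTH)
    letters_only = "".join(c for c in password.lower() if c in string.ascii_lowercase)
    if password.lower() in dictionary or letters_only in dictionary:
        failures.append("based on a dictionary word")
    return failures


if __name__ == "__main__":
    for candidate in ("summer", "Summer1!", "Derek2006!!", "Tq7#vR9!mWx2"):
        problems = check_password(candidate, "derek", "Derek McTighe")
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
```

This is only a pre-check for an administrator or a provisioning script; the policy itself is enforced on the domain through the Group Policy settings "Minimum password length", "Password must meet complexity requirements" and "Enforce password history" (the last one is what stops users from repeating passwords), and "Account lockout threshold" is the setting that turns a bad-password burst into a locked account instead of an open-ended guessing session.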
Expert Comment

by:ckonrad1
ID: 16289530
Could it have been the janitor? That happened once at a place I worked, the admin account that was passworded on the system was just the default one in XP. The janitor was fooling around with the system and went into safe mode and realized that he could delete that default admin password and then he had complete access to the system where he could sabotage things he wanted to get back at people for not giving him a pay raise or something like that. A lot of kids use the safe mode trick to bypass the admin account on their parents' home system so they can install things and lock their parents out of the system, I hear about it all the time.
Expert Comment

by:ckonrad1
ID: 16289549
You can also crack into an XP workstation really easy with the Windows 2000 recovery console on a disk, or a piece of software like ERD Commander. I don't know, the issues I have experienced were always people working at the organization, so just speaking from my experiences.
Assisted Solution

by:ckonrad1
ckonrad1 earned 400 total points
ID: 16289665
> How do people do this?  I assume they just scan ports until they find one running RDP then have somekind of password checker?
> I thought Windows XP Remote Desktop would only allow 3 tries at login then logout.  How would someone check thru that many passwords?

Yeah, RDP runs on port 3389 I believe, if you want to go into the registry and change that you can. It is located here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

then look for the PortNumber subkey and enter the new port number in hex format. I don't really know what else to tell you, there is really no way to figure out where that hacker came from unless you can see his IP address in a log, but most hackers just mask their IP address or use a program like Steganos antonym to make it look like they are bouncing all over the world, heh.

Regarding your password there is most likely a way to decipher that on their end way before they even try it while connected to your system, just by observing those remote desktop packets. I don't know, I am still learning all this stuff myself.
LVL 2

Assisted Solution

by:Peregian
Peregian earned 200 total points
ID: 16291349
I would be worried about what they have left behind. It's pretty easy with the access they've had to put a trojan on your PC and cloak it with a rootkit. Try F-Secure's BlackLight, RootkitRevealer and download rkfiles http://skads.org/special/rkfiles.zip and run them in safe mode. Run all three of these. Ignore the defrag entry you get from rkfiles.
LVL 3

Expert Comment

by:zgrp
ID: 16356538
Helped?
Author Comment

by:dmctighe
ID: 16448685
Thanks everyone for the help.  I have been too busy to reply lately with regular work stuff.  I was in the process of replacing servers, so I have since replaced our existing 2000 system with a 2003 system and made some more strict password policies and etc.

thanks again
derek
LVL 32

Expert Comment

by:r-k
ID: 16448855
Thanks and good luck.