dmctighe

asked on

Hacked!! help please

I should know better, but here is what happened.  I have an office with about 20 computers on it, which is behind a firewall.  I point the port for remote desktop to my machine so I can access from home or wherever.  When I came in this morning my machine was locked by the administrator account of the local machine (not the domain).  I had not accessed it so my first thought was someone in the office tried to log into my computer and could not get in.  When I unlocked it with the Admin password for the local machine there was a program running called "Advanced Mass Sender" and apparently it had sent about 10000 emails with the account name "service@paypal.com".

I am almost positive whoever this was came in thru Remote DeskTop.  My password is a word in the dictionary and has no numbers or anything with it. I have now changed my password for the local machine.

My questions are:
Is there a place in XP Pro where I can see who logged into my machine thru Remote Desktop?
Do you think this is what happened?
How do people do this?  I assume they just scan ports until they find one running RDP then have some kind of password checker?
I thought Windows XP Remote Desktop would only allow 3 tries at login then logout.  How would someone check thru that many passwords?

I am by no means a computer expert, but I do build my own machines for the office and take care of all the domain stuff.  I am going to switch from Win 2K server to 2003 Server for our office this weekend and was thinking about changing the password policy to allow less than six characters and no numbers.  I think I will leave that policy alone now.

thanks
derek

SOLUTION
CoccoBill
ian_chard

There is a long shot. Check the system events on your machine, and look for events named Print. If they have a printer connected to their machine the chances are it will attempt to install on to your machine, so you should get an event that looks like this:

Event Type:      Information
Event Source:      Print
Event Category:      None
Event ID:      2
Date:            22/03/2006
Time:            14:39:24
User:            SYSTEM
Computer:      <YOUR_MACHINENAME>
Description:
Printer HP LaserJet 1100 (MS) (from %REMOTE_MACHINENAME%) in session 3 was created.

Or you'll get a TermServDevices error if the printer can't be installed. It's a real, real long shot though.
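An added example (not part of ian_chard's post): a small Python parser for the Event Viewer text layout shown above, which pulls the remote machine name and session number out of a Print / Event ID 2 entry and ignores everything else, so a saved log dump can be searched for RDP printer redirections in bulk. The sample event is constructed; OFFICE-PC and CLIENT-BOX are made-up machine names.

```python
import re

# Constructed sample in the Event Viewer text layout ian_chard showed above;
# OFFICE-PC and CLIENT-BOX are made-up machine names.
SAMPLE_EVENT = """\
Event Type:      Information
Event Source:      Print
Event Category:      None
Event ID:      2
Date:            22/03/2006
Time:            14:39:24
User:            SYSTEM
Computer:      OFFICE-PC
Description:
Printer HP LaserJet 1100 (MS) (from CLIENT-BOX) in session 3 was created.
"""

HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")
PRINTER_RE = re.compile(
    r"^Printer (?P<printer>.+?) \(from (?P<remote>[^)]+)\)"
    r" in session (?P<session>\d+) was created\.$"
)

def parse_event(text):
    """Turn the 'Key:   value' header lines plus the trailing Description into a dict."""
    fields = {}
    lines = text.strip().splitlines()
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if m and m.group("key") == "Description":
            # Everything after the 'Description:' line is the free-text body.
            fields["Description"] = " ".join(l.strip() for l in lines[i + 1:])
            break
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields

def redirected_printer(text):
    """For a Print / Event ID 2 event, say whose printer was redirected; else None."""
    f = parse_event(text)
    m = PRINTER_RE.match(f.get("Description", ""))
    if f.get("Event Source") != "Print" or f.get("Event ID") != "2" or not m:
        return None
    return {
        "computer": f.get("Computer", ""),
        "when": f.get("Date", "") + " " + f.get("Time", ""),
        "printer": m.group("printer"),
        "remote": m.group("remote"),  # the RDP client's machine name
        "session": int(m.group("session")),
    }
```

Feed it each event block from an exported log (split on blank lines) and keep only the non-None results.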
dmctighe (ASKER)

I did not have the security logging enabled, but it is now.  Is there a way to tell the IP address of the machine logging into my machine?

I do have virus and firewall and all the latest patches and updates installed.

The reason I think it is from RDP is because the machine was locked like when I access it.

thanks again
derek
No such luck with the printer.  I did check the mass mail program though and found something kind of interesting.  It seems he had 2 text files each with about 20000 email addresses that the program used.  He had a third with one email in it that he called test.  What are the odds that this was his email that he used to see if it was working before he sent the rest?

thanks again
derek
On a different note, what is the best (easiest) way in 2000 Server to have all the users have to change password at the next login?  I have always done them individually thru Active Directory Users and Computers.

thanks
derek
ASKER CERTIFIED SOLUTION
Your router/firewall should be logging incoming connections.  Have you checked there, or just on the XP machine?
A bit too late, but here's a very interesting article on how to protect and encrypt inbound connections with SSL certificates. That means that only YOU or the owner of a certificate can set up a network connection. This works for all general TCP/IP communication. The example uses WinVNC, but works for Remote Desktop, POP3, etc.

http://www.securityfocus.com/infocus/1677

By the way: any network that is audited for security will automatically fail that audit if it allows TCP/IP communication to any host on the LAN from the Internet, no matter the application protocol, period. Maybe that shouldn't be a concern on a 20-user network, but the message is that security should not rely on the application being used. If outside people can get to a logon screen (i.e. Remote Desktop) where they can enter a username and password, they've already come too far.
SOLUTION
masnrock
Could it have been the janitor? That happened once at a place I worked: the admin account that was passworded on the system was just the default one in XP. The janitor was fooling around with the system and went into safe mode and realized that he could delete that default admin password, and then he had complete access to the system, where he could sabotage things he wanted to get back at people for not giving him a pay raise or something like that. A lot of kids use the safe mode trick to bypass the admin account on their parents' home system so they can install things and lock their parents out of the system; I hear about it all the time.
You can also crack into an XP workstation really easily with the Windows 2000 recovery console on a disk, or a piece of software like ERD Commander. I don't know; the issues I have experienced were always people working at the organization, so I am just speaking from my experiences.
Thanks everyone for the help.  I have been too busy to reply lately with regular work stuff.  I was in the process of replacing servers, so I have since replaced our existing 2000 system with a 2003 system and made some more strict password policies, etc.

thanks again
derek
Thanks and good luck.