Hacker on my system from foreign domain

Posted on 2007-10-02
Last Modified: 2013-12-04
I currently have a network running in 14 different geographic locations across 3 states. My corporate network is in a frame-relay cloud, all except for 2 of the locations. One of the locations is hooked to DSL and they work via a Citrix connection over the internet. One of the end users was complaining that they couldn't log in with the usual name and password. Even the admin password wouldn't work to get into the system. After using a workaround to get into the system, one of my staff actually viewed the hacker inside of the computer creating an executable and running a password hacking program. The hacker would go to an FTP site with a .ru extension. (Russia?) I believe that was on the network block. Anyway, he would go to the System32 folder and create his own folder named "mui". Inside this folder would be the executable of the program he downloaded from the FTP site. He would rename the executable "svchost". Now the program was running as a service. I don't think he knew we were watching at first, but if we could see him through VNC and the end user couldn't see a thing, doesn't he have to be getting in through a hacked VNC password? If it were Remote Desktop, I wouldn't be able to see his session. These guys always seem to be one step ahead, and I was wondering what the experts would recommend as the best training ideas for my staff and the best preventive measures to keep anything like this from happening again? Sorry for the long-winded explanation...
Question by:saw1197
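A defender-side check for the behaviour the question describes (an executable renamed "svchost" dropped into a non-standard folder under System32), added here as an example and not code from the original thread; the process inventory is constructed, and the set of legitimate svchost paths assumes a default Windows layout.

```python
import ntpath

# Canonical locations of the real Windows service host.
# Assumption: a default Windows install; extend this set if your image differs.
LEGIT_SVCHOST_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}


def is_masquerading_svchost(image_path: str) -> bool:
    """True when a process calls itself svchost.exe but does not run from a
    canonical path, e.g. C:\\Windows\\System32\\mui\\svchost.exe as in the post.
    ntpath.normpath collapses '..' and mixed slashes so a disguised path is
    compared on equal terms."""
    normalized = ntpath.normpath(image_path).lower()
    if ntpath.basename(normalized) != "svchost.exe":
        return False
    return normalized not in LEGIT_SVCHOST_PATHS


def find_suspicious(process_list):
    """Return (pid, path) for every masquerading svchost in an inventory of
    (pid, image_path) tuples, such as one exported from a process-listing tool."""
    return [(pid, path) for pid, path in process_list if is_masquerading_svchost(path)]


# Constructed sample inventory for demonstration; not data from the post.
SAMPLE_PROCESSES = [
    (4, r"C:\Windows\System32\svchost.exe"),
    (812, r"C:\Windows\SysWOW64\svchost.exe"),
    (1337, r"C:\Windows\System32\mui\svchost.exe"),              # renamed tool, as in the question
    (2048, r"C:\Windows\System32\..\System32\mui\svchost.exe"),  # same file, obfuscated path
    (3001, r"C:\Program Files\VNC\winvnc.exe"),                  # not svchost, ignored
]

if __name__ == "__main__":
    for pid, path in find_suspicious(SAMPLE_PROCESSES):
        print(f"suspicious svchost: pid={pid} path={path}")
```

The same check can be run over a file-system walk of System32 to catch the dropped binary even when it is not currently running.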
    LVL 23

    Expert Comment

    by:Ashish Patel
    Have a firewall and block unnecessary IPs getting into your machine.
    LVL 87

    Accepted Solution

    It isn't necessary that the hacker needs to be online to do all that. You might have a rootkit or other malware on your system which could do what you have described automagically. I'd first of all scan the PC using the standard scanning software like Ad-Aware, Spybot S&D, SUPERAntiSpyware, HijackThis etc. to scan and clean the infected PC, then make sure all current updates have been applied.
    LVL 9

    Assisted Solution

    I would first start by getting rid of VNC. That software is very easily exploited. If remote access is required, secure RDC, or move to another application such as Checkpoint.

    Here is a how-to on securing RDC.
    LVL 1

    Expert Comment

    Forced accept.

    EE Admin
