

Hacker on my system from foreign domain

Posted on 2007-10-02
Medium Priority
Last Modified: 2013-12-04
I currently have a network running in 14 different geographic locations across 3 states.  My corporate network is in a frame-relay cloud, all except for 2 of the locations.  One of the locations is hooked to DSL and they work via a Citrix connection over the internet.  One of the end users was complaining that they couldn't log in with the usual name and password.  Even the admin password wouldn't work to get in the system.  After using a workaround to get into the system, one of my staff actually viewed the hacker inside of the computer creating an executable and running a password hacking program.  The hacker would go to an ftp site with a .ru extension.  (Russia?)  I believe that was on the network block.  Anyway, he would go to the System32 folder and create his own folder named "mui".  Inside this folder would be the executable of the program he downloaded from the ftp site.  He would rename the executable "svchost".  Now the program was running as a service.  I don't think he knew we were watching at first, but if we could see him through VNC and the end user couldn't see a thing, doesn't he have to be getting in through a hacked VNC password?  If it were Remote Desktop, I wouldn't be able to see his session.  These guys always seem to be one step ahead and I was wondering what the experts would recommend as the best training ideas for my staff and the best preventive measures to keep anything like this from happening again?  Sorry for the long-winded explanation...
Question by:saw1197
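A defender-side triage check for the pattern described in the question (an executable renamed "svchost", dropped into a "mui" folder under System32 and registered as a service), added here as an example and not part of the original thread. It assumes the legitimate binary is %SystemRoot%\System32\svchost.exe and that the folder in question is %SystemRoot%\System32\mui; run it in an elevated PowerShell session on the affected host.

```powershell
# Added example, not from the thread. Looks for the pattern the question describes:
# an executable named "svchost" living somewhere other than %SystemRoot%\System32,
# and a service whose binary points at it. Requires an elevated session.
$legit = Join-Path $env:SystemRoot 'System32\svchost.exe'
# Folder named in the question (assumed path); its existence alone is not proof of
# compromise, but any executable inside it deserves a look.
$muiDir = Join-Path $env:SystemRoot 'System32\mui'

# 1. Running processes named svchost whose image is not the Windows binary.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -ne $legit } |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine |
    Format-Table -AutoSize

# 2. Installed services whose binary path mentions svchost but is not the real one.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'svchost' -and $_.PathName -notlike "*$legit*" } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 3. Executables found in the System32\mui folder, with hashes for triage.
if (Test-Path $muiDir) {
    Get-ChildItem -Path $muiDir -Recurse -Include *.exe,*.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Format-Table -AutoSize
}
```

Anything listed by the first two checks should be treated as a host to isolate and image rather than clean in place, since the question's description (a dropped binary running as a service) also fits a persistent implant rather than a live operator.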
LVL 23

Expert Comment

by:Ashish Patel
ID: 19998082
Have a firewall and block unnecessary IPs getting into your machine.
LVL 88

Accepted Solution

rindi earned 1000 total points
ID: 19998105
It isn't necessary that the hacker needs to be online to do all that. You might have a rootkit or other malware on your system which could do what you have described automagically. I'd first of all scan the PC using the standard scanning software like Ad-Aware, Spybot S&D, SuperAntiSpyware, HijackThis etc. to scan and clean the infected PC, then make sure all current updates have been applied.

Assisted Solution

bigjimbo813 earned 1000 total points
ID: 19998765
I would first start by getting rid of VNC. That software is very easily exploited. If remote access is required, secure RDC, or move to another application such as Check Point.

Here is a how to on securing RDC.

Expert Comment

ID: 20238026
Forced accept.

EE Admin
