Solved

I think my machine is being remote controlled

Posted on 2007-12-06
12
238 Views
Last Modified: 2013-11-21
Today I tried to use my machine, but it keeps on logging off, then a log in window appears.
When I log in it says that the current session will be logged off.

I checked the user accounts and a mystery account has been created.
I checked the remote machine control settings and can see that it has been turned on.

I deleted the account, unchecked the remote control settings and deleted all my firewall rules so that I have to allow each program to access the net.

All has been fine today, but I just checked the machine now and can see that the remote control settings have been switched back on, and another mystery account has been created.

What should I do?
0
Question by:somewherehot
12 Comments
 
LVL 7

Accepted Solution

by:
killbrad earned 500 total points
ID: 20422849
Disable RDP.    http://www.petri.co.il/enable_remote_desktop_in_xp_2003.htm    (but uncheck the box, instead of checking it)

I assume you have an up-to-date antivirus software?  If not get AVG Free (free.grisoft.com)

Install and run Spybot S&D (www.safer-networking.org)

Install the latest Windows Updates (windowsupdate.microsoft.com)

If you have access to your hardware router/firewall, block port 3389.

0
 
LVL 5

Expert Comment

by:Taurance
ID: 20422892
Also, is this a personal computer or a company computer?  Have you left the computer at all since you have changed the settings? Have you changed your password?
0
 
LVL 1

Author Comment

by:somewherehot
ID: 20422907
It's a personal computer
Yes I had left the computer since I had changed the settings
Yes I have changed my password

I'm using McAfee Firewall - I need to look up on how to block the port

0
 
LVL 5

Expert Comment

by:Taurance
ID: 20422963
What type of router are you using for the network and do you have access to change the port settings?
0
 
LVL 1

Author Comment

by:somewherehot
ID: 20422977
netgear (the new one with the draft wireless n thingy)
- and I should have access to change the router settings
0
 
LVL 5

Expert Comment

by:crashelite
ID: 20423101
I would change your password; RDC requires the password to log in.

I would check and see if there actually is a connection going on: click Start, then Run, and type in cmd,
then type NETSTAT to display networking statistics (TCP/IP).

It will tell you the current open connections and tell you what location the person might be in that has remote access to your computer, but if they're using RDC to connect then it won't show up in there; but if they are using something to monitor your computer then it will say it is connecting to them.

0
 
LVL 5

Expert Comment

by:Taurance
ID: 20423177
You could also look through the System logs and see what user names have connected to your PC and from what IP address to try and find a resolution, unless they were smart enough to erase those before they left.  So in Control Panel > Administrative Tools > Event Viewer, look through the Application and Security logs to see who logged on and what they changed.  With the IP address you can find the ISP and then you can try and complain to them about the malicious activity their user is doing.
0
 
LVL 7

Expert Comment

by:killbrad
ID: 20423321
crashelite:  The symptom the user mentions says "current session will be logged off." which to me means that another user is interactively using her computer.  

In reality it WOULD show the RDP connection, but since it is XP, user would not be able to see anything via netstat since only one interactive login is allowed at a time.  

Agree with Taurance to check your eventvwr to see if you can get an IP address, and then check it via arin.net and contact their ISP to report the abuse.  Odds are it will end up being in Russia or China, and even if you could figure out how to get ahold of them, they are unlikely to help.   :-/

I am sure many people here would argue with me, but you always have the option to reformat and reinstall Windows completely; that will take care of the problem and give you a nice fresh base to work with.

0
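As an added example (not code from anyone in the thread), this is the netstat check crashelite and killbrad discuss, automated: it parses `netstat -ano` output and flags whether TCP 3389 (the RDP port killbrad says to block) is listening and which foreign addresses hold an established session to it, so they can be looked up and reported. The sample netstat output is constructed; the real command's output can be fed in the same way.

```python
"""Flag Remote Desktop (TCP 3389) activity in `netstat -ano` output."""
import re
import subprocess

RDP_PORT = 3389

# Constructed sample of `netstat -ano` output (Windows XP/2003 layout);
# the 203.0.113.45 peer is a made-up documentation address.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1052
  TCP    192.168.1.10:1087      192.168.1.1:80         ESTABLISHED     1800
  TCP    192.168.1.10:3389      203.0.113.45:51234     ESTABLISHED     1052
  UDP    0.0.0.0:445            *:*                                    4
"""

# Proto, local, foreign, optional state, optional PID.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)?\s*(\d+)?\s*$")


def _split_addr(addr):
    """'192.168.1.10:3389' -> ('192.168.1.10', 3389); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def rdp_findings(netstat_text):
    """Return (listening, peers): whether TCP 3389 is in LISTENING state,
    and the foreign hosts with an ESTABLISHED session to it."""
    listening, peers = False, []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m or m.group(1) != "TCP":
            continue
        _, local_port = _split_addr(m.group(2))
        if local_port != RDP_PORT:
            continue
        if m.group(4) == "LISTENING":
            listening = True
        elif m.group(4) == "ESTABLISHED":
            peers.append(_split_addr(m.group(3))[0])
    return listening, peers


if __name__ == "__main__":
    # Run against the live machine (Windows only); falls back to the sample.
    try:
        text = subprocess.run(["netstat", "-ano"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_NETSTAT
    listening, peers = rdp_findings(text)
    print("RDP listener present:", listening)
    print("Established RDP peers:", peers or "none")
```

A listener on 3389 after you have disabled Remote Desktop means the setting was switched back on again, as the asker saw; any peer address is what you would look up at arin.net and quote to the ISP.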
 
LVL 24

Expert Comment

by:SunBow
ID: 20424663
>
> What should I do?

I tend to recommend a quicker solution: to format the HD and install the OS from scratch. Too many unknowns, and this eliminates all existing problems. You'd still need to change your habits; one activity likely started this, so don't do it again. Don't forget to make new passwords, if not IDs. Best is to preplan, and to have most of your stuff on a separate HD so you can deal separately with that; while it may have a 'bad' program (malware), it won't be active until you run it. You probably won't like to do that, and it reduces potential forensics, but if you really cared about that you could swap in another HD to preserve the state and look at that again later on when not on the network. Forensics and analysis are time consuming, but necessary if you want to identify the intruder. Might be someone you know.

> When I log in it says that the current session will be logged off.

This is called Remote Desktop, a Microsoft vulnerability.

> What should I do?

Disable Remote Desktop, you do not need it. But that only stops the intrusion, the malware is still present, unless someone stole your password.

To identify the malware, you can try running Symantec's latest, or on your own look at Task Manager for something extra that is running. You can also go to Run and run msconfig. Under Startup can be some malware; it is ok to stop all of them, then restore one at a time until the culprit shows up. You can also revert to a prior restore point, one prior to the intrusion. You can also switch to Linux or buy an Apple; they do not suffer such Microsoft vulnerabilities. Or at least dump Internet Explorer and do not set yourself up as an FTP site permitting anonymous logins. Under msconfig's Services you can disable more that are unwanted, such as this one.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 20424813
killbrad > always have the option to reformat and reinstall Windows completely.. that will take care of the problem and give you a nice fresh base to work with.

:-)) Ditto. Not often any agree with me

Event Viewer I typically recommend, but not here. For this it would be better to have some firewall logging: monitor the time it is in use (do not log them off yet) and look at the log later on, hopefully they cannot get at the log, or you've got that done in hardware or hidden real good.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22853538.html

http://search.microsoft.com/results.aspx?q=disable+%22remote+desktop%22&qsc0=0&SearchBtn0=Search&l=en&FORM=QBMA&mkt=en-US&PageType=1&s1=on&OtherSite=

How to disable Remote Desktop by using Group Policy
http://support.microsoft.com/kb/306300
NOTE: Remote Desktop is disabled by default on Windows XP Professional.

http://support.microsoft.com/kb/837954
In Windows 2003, users or members of a group that have been denied "log on locally" can still connect to the computer using Remote Desktop Connection. In Windows 2000, connections from the console or through Terminal Services were handled the same way: through the "Log on locally" user right.

http://support.microsoft.com/kb/924927
Method 1: Create a policy to block RDP requests from a specific network interface in Windows XP with Service Pack 2 (SP2)
Method 2: Manually edit the registry and add registry entries to enable listening for RDP requests

http://support.microsoft.com/default.aspx?pr=windowsxpsp2it
While recognizing the security benefits of SP2, some organizations have requested the ability to temporarily disable delivery of this update via AU and WU.
How to turn on the Remote Desktop Sharing feature of Windows NetMeeting in SP2

http://support.microsoft.com/kb/323258
Automatic Reconnection feature for terminal services. You can use this feature to automatically reconnect to the same session without re-typing logon credentials if the session is disconnected because of dropped packets on the network or a network error. By default, a maximum of twenty reconnection attempts are made at five-second intervals.

By default, the Automatic Reconnection feature is turned on in Windows XP Service Pack 1 (SP1). You can turn the Automatic Reconnection feature off by editing the registry.
How to Turn on Automatic Reconnection in Windows Server 2003
How to Turn on Automatic Reconnection by Using a Group Policy
How to Configure Automatic Reconnection in Windows XP SP1
How to Configure Automatic Reconnection in the Default.rdp File

http://support.microsoft.com/kb/918043
Important It is time to move to Microsoft Windows Server Update Services (WSUS).
http://support.microsoft.com/kb/899591/
MS05-041: Vulnerability in Remote Desktop Protocol could allow denial of service

http://www.microsoft.com/protect/computer/advanced/useraccount.mspx
If you work in a Limited User account, you might be able to decrease the effect of a virus or other malicious software. But if the attack happens while you're in an Administrator account, the attacker can gain full access to your computer and the results can range from annoying to catastrophic
0
 
LVL 1

Author Closing Comment

by:somewherehot
ID: 31413245
Blocking the port was the key to this - thanks!
0
 
LVL 24

Expert Comment

by:SunBow
ID: 20442446
.
0
