Solved

I think my machine is being remote controlled

Posted on 2007-12-06
233 Views
Last Modified: 2013-11-21
Today I tried to use my machine, but it keeps on logging off, then a log in window appears.
When I log in it says that the current session will be logged off.

I checked the user accounts and a mystery account has been created.
I checked the remote machine control settings and can see that it has been turned on.

I deleted the account, unchecked the remote control settings and deleted all my firewall rules so that I have to allow each program to access the net.

All has been fine today, but I just checked the machine now and can see that the remote control settings have been switched back on, and another mystery account has been created.

What should I do?
Question by:somewherehot
12 Comments
 
LVL 7

Accepted Solution by: killbrad (earned 500 total points)
Disable RDP.    http://www.petri.co.il/enable_remote_desktop_in_xp_2003.htm    (but uncheck the box, instead of checking it)

I assume you have an up-to-date antivirus software?  If not get AVG Free (free.grisoft.com)

Install and run Spybot S&D (www.safer-networking.org)

Install the latest Windows Updates (windowsupdate.microsoft.com)

If you have access to your hardware router/firewall, block port 3389.

 
LVL 5

Expert Comment by: Taurance
Also, is this a personal computer or a company computer? Have you left the computer at all since you have changed the settings? Have you changed your password?
 
LVL 1

Author Comment by: somewherehot
It's a personal computer.
Yes, I had left the computer since I had changed the settings.
Yes, I have changed my password.

I'm using McAfee Firewall - I need to look up on how to block the port

 
LVL 5

Expert Comment by: Taurance
What type of router are you using for the network and do you have access to change the port settings?
 
LVL 1

Author Comment by: somewherehot
Netgear (the new one with the draft wireless N thingy)
- and I should have access to change the router settings.
 
LVL 5

Expert Comment by: crashelite
I would change your password; RDC requires the password to log in.

I would check and see if there actually is a connection going on: click Start, then Run, and type in cmd,
then type NETSTAT to display networking statistics (TCP/IP).

It will tell you the current open connections and tell you what location the person might be in that has remote access to your computer, but if they're using RDC to connect then it won't show up in there; but if they are using something to monitor your computer then it will say it is connecting to them.

 
LVL 5

Expert Comment by: Taurance
You could also look through the System logs and see what user names have connected to your PC and from what IP address to try and find a resolution, unless they were smart enough to erase those before they left. So in Control Panel > Administrative Tools > Event Viewer, look through the Application and Security logs to see who logged on and what they changed. With the IP address you can find the ISP and then you can try and complain to them about the malicious activity their user is doing.
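The Event Viewer check Taurance describes can be scripted once the Security log is saved to a text file. The following is an added example, not code from the thread or from any of the commenters. It assumes a tab-separated export with the columns in the order listed in COLUMNS (adjust that list to match your export), and the records in _RECORDS are constructed to resemble Windows XP/2003 Security events: 528 (successful logon), 540 (network logon) and 624 (user account created), with Logon Type 10 marking a Remote Desktop session. Vista and later use 4624 and 4720 instead. The IP addresses are from documentation ranges, not real hosts.

```python
"""Triage a saved Security log for Remote Desktop logons and new accounts.

Added example, not from the original thread. Records are constructed and
tab-separated; the column order below is an assumption about the export.
"""
import ipaddress
import re
from typing import Dict, List, Optional

COLUMNS = ["date", "time", "source", "type", "category",
           "event_id", "user", "computer", "description"]

LOGON_EVENTS = {"528", "540"}   # XP/2003: successful logon / network logon
ACCOUNT_CREATED = "624"         # XP/2003: user account created
REMOTE_INTERACTIVE = "10"       # Logon Type 10 = Terminal Services / RDP

# Addresses that belong to the home LAN or the machine itself; a Source
# Network Address outside these is an outside party worth reporting.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the owner's console logon, then an RDP logon from
# outside, a new account created during that session, and that account
# logging in over RDP from the same address.
_RECORDS = [
    ("12/05/2007", "23:41:02", "Security", "Success Audit", "Logon/Logoff",
     "528", "HOME\\Owner", "HOME",
     "Successful Logon: User Name: Owner Domain: HOME Logon Type: 2 "
     "Logon Process: User32 Workstation Name: HOME "
     "Source Network Address: 127.0.0.1"),
    ("12/06/2007", "02:13:44", "Security", "Success Audit", "Logon/Logoff",
     "528", "HOME\\Owner", "HOME",
     "Successful Logon: User Name: Owner Domain: HOME Logon Type: 10 "
     "Logon Process: User32 Workstation Name: WKS-7 "
     "Source Network Address: 203.0.113.45"),
    ("12/06/2007", "02:15:10", "Security", "Success Audit", "Account Management",
     "624", "HOME\\Owner", "HOME",
     "User Account Created: New Account Name: support_ "
     "Caller User Name: Owner Caller Domain: HOME"),
    ("12/06/2007", "02:16:30", "Security", "Success Audit", "Logon/Logoff",
     "528", "HOME\\support_", "HOME",
     "Successful Logon: User Name: support_ Domain: HOME Logon Type: 10 "
     "Logon Process: User32 Workstation Name: WKS-7 "
     "Source Network Address: 203.0.113.45"),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in _RECORDS) + "\n"


def parse_export(text: str) -> List[Dict[str, str]]:
    """Split each tab-separated line into a dict keyed by COLUMNS."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", len(COLUMNS) - 1)
        if len(fields) != len(COLUMNS):
            continue  # malformed line: skip rather than guess
        events.append(dict(zip(COLUMNS, fields)))
    return events


def _field(desc: str, label: str) -> Optional[str]:
    """Pull 'Label: value' out of an event description."""
    m = re.search(re.escape(label) + r":\s*(\S+)", desc)
    return m.group(1) if m else None


def is_outside_lan(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # '-' or a hostname: nothing to classify
    return not any(addr in net for net in LOCAL_NETS)


def remote_logons(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Successful logons with Logon Type 10, i.e. Remote Desktop sessions."""
    out = []
    for e in events:
        d = e["description"]
        if e["event_id"] in LOGON_EVENTS and _field(d, "Logon Type") == REMOTE_INTERACTIVE:
            out.append({"when": f'{e["date"]} {e["time"]}',
                        "user": _field(d, "User Name"),
                        "source_ip": _field(d, "Source Network Address"),
                        "workstation": _field(d, "Workstation Name")})
    return out


def created_accounts(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Accounts created, and which logged-on user created them."""
    return [{"when": f'{e["date"]} {e["time"]}',
             "account": _field(e["description"], "New Account Name"),
             "by": _field(e["description"], "Caller User Name")}
            for e in events if e["event_id"] == ACCOUNT_CREATED]


def abuse_report_ips(events: List[Dict[str, str]]) -> List[str]:
    """Distinct non-LAN addresses behind RDP logons: the ones to look up at the
    regional registry (arin.net etc.) before contacting the ISP."""
    return sorted({r["source_ip"] for r in remote_logons(events)
                   if r["source_ip"] and is_outside_lan(r["source_ip"])})


if __name__ == "__main__":
    ev = parse_export(SAMPLE_LOG)
    for r in remote_logons(ev):
        print(f'{r["when"]}  RDP logon {r["user"]} from {r["source_ip"]} ({r["workstation"]})')
    for c in created_accounts(ev):
        print(f'{c["when"]}  account {c["account"]} created by {c["by"]}')
    print("report to ISP:", abuse_report_ips(ev))
```

Reading the three results together gives the timeline Taurance is after: which account came in over RDP, from where, and what it created while it was there. If the intruder cleared the log, the export will simply be short; the absence of the owner's own logons is itself a sign the log was wiped.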
 
LVL 7

Expert Comment by: killbrad
crashelite: The symptom the user mentions says "current session will be logged off," which to me means that another user is interactively using her computer.

In reality it WOULD show the RDP connection, but since it is XP, user would not be able to see anything via netstat since only one interactive login is allowed at a time.  

Agree with Taurance to check your eventvwr to see if you can get an IP address, and then check it via arin.net and contact their ISP to report the abuse. Odds are it will end up being in Russia or China, and even if you could figure out how to get ahold of them, they are unlikely to help. :-/

I am sure many people here would argue with me, but you always have the option to reformat and reinstall Windows completely. That will take care of the problem and give you a nice fresh base to work with.

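Crashelite's NETSTAT suggestion and killbrad's reply both come down to one question: what does a Remote Desktop session look like in `netstat` output, and what should be left once Remote Desktop is disabled as in the accepted solution? On the machine being controlled, a live RDP session is a TCP connection with local port 3389 in ESTABLISHED state, and the foreign address is where the other party connects from; after Remote Desktop is turned off there should be no LISTENING entry on 3389 at all. The script below is an added example, not code from the thread or from any of the commenters. It parses the output of `netstat -ano` (the `-o` column gives the owning PID on XP) and the SAMPLE_NETSTAT text is constructed to resemble that output; the addresses are documentation ranges, not real hosts.

```python
"""Flag Remote Desktop (TCP 3389) listeners and live sessions in netstat -ano output.

Added example, not from the original thread. SAMPLE_NETSTAT is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RDP_PORT = 3389

# Constructed sample: a 3389 listener, one established RDP session from an
# outside address, and unrelated rows for noise. PID 1184 stands in for the
# svchost.exe instance that hosts Terminal Services on XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1184
  TCP    192.168.1.5:1062       198.51.100.20:80       ESTABLISHED     2244
  TCP    192.168.1.5:3389       203.0.113.45:51734     ESTABLISHED     1184
  UDP    0.0.0.0:445            *:*                                    4
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]
    state: str
    pid: int


def _split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """Split 'ip:port' into (ip, port); '*:*' and similar give port None."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    """Parse TCP and UDP rows; header and banner lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so take the PID from the last field.
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        conns.append(Conn(proto, lip, lport or 0, rip, rport, state, pid))
    return conns


def rdp_listening(conns: List[Conn]) -> bool:
    """True while something still accepts RDP; expected False once Remote
    Desktop is disabled."""
    return any(c.proto == "TCP" and c.local_port == RDP_PORT and c.state == "LISTENING"
               for c in conns)


def rdp_sessions(conns: List[Conn]) -> List[Conn]:
    """Established connections on local port 3389: each is a live RDP session
    and remote_ip is where the other side is coming from."""
    return [c for c in conns
            if c.proto == "TCP" and c.local_port == RDP_PORT and c.state == "ESTABLISHED"]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("RDP listening:", rdp_listening(conns))
    for s in rdp_sessions(conns):
        print(f"RDP session from {s.remote_ip}:{s.remote_port} handled by PID {s.pid}")
```

Run it against `netstat -ano > netstat.txt` taken from the affected machine; on XP this has to be done from the console while the intruder's session is up, which is exactly the window killbrad points out you may not get, so treat a surviving 3389 listener after the "disable" step as the more reliable signal.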
 
LVL 24

Expert Comment by: SunBow
> What should I do?

I tend to recommend a quicker solution: to format the HD and install the OS from scratch. Too many unknowns, and this eliminates all existing problems. You'd still need to change your habits; one activity likely started this, so don't do it again. Don't forget to make new passwords, if not IDs. Best is to preplan, and to have most of your stuff on a separate HD so you can deal separately with that; while it may have a 'bad' program (malware), it won't be active until you run it. You probably won't like to do that, and it reduces potential forensics, but if you really cared about that you could swap in another HD to preserve the state and look at that again later on when not on the network. Forensics and analysis are time consuming, but necessary if you want to identify the intruder. Might be someone you know.

> When I log in it says that the current session will be logged off.

This is called Remote Desktop, a Microsoft vulnerability.

> What should I do?

Disable Remote Desktop, you do not need it. But that only stops the intrusion, the malware is still present, unless someone stole your password.

To identify the malware, you can try running Symantec's latest, or on your own look at Task Manager for something extra that is running. You can also run msconfig. Under Startup can be some malware; it is ok to stop all of them, then restore one at a time until the culprit shows up. You can also revert to a prior restore point, one prior to the intrusion. You can also switch to Linux or buy an Apple; they do not suffer such Microsoft vulnerabilities. Or at least dump Internet Explorer and do not set yourself up as an FTP site permitting anonymous logins. Under msconfig's Services you can disable more that are unwanted, such as this one.
 
LVL 24

Expert Comment by: SunBow
killbrad > always have the option to reformat and reinstall Windows completely.. that will take care of the problem and give you a nice fresh base to work with.

:-)) Ditto. Not often any agree with me.

Event Viewer I typically recommend, but not here; for this it would be better to have some firewall logging, monitor the time it is in use (do not log them off yet) and look at the log later on, hopefully where they cannot get at the log or you've got that done in hardware or hidden really well.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22853538.html

http://search.microsoft.com/results.aspx?q=disable+%22remote+desktop%22&qsc0=0&SearchBtn0=Search&l=en&FORM=QBMA&mkt=en-US&PageType=1&s1=on&OtherSite=

How to disable Remote Desktop by using Group Policy
http://support.microsoft.com/kb/306300
NOTE: Remote Desktop is disabled by default on Windows XP Professional.

http://support.microsoft.com/kb/837954
In Windows 2003, users or members of a group that have been denied "log on locally" can still connect to the computer using Remote Desktop Connection. In Windows 2000, connections from the console or through Terminal Services were handled the same way: through the "Log on locally" user right.

http://support.microsoft.com/kb/924927
Method 1: Create a policy to block RDP requests from a specific network interface in Windows XP with Service Pack 2 (SP2)
Method 2: Manually edit the registry and add registry entries to enable listening for RDP requests

http://support.microsoft.com/default.aspx?pr=windowsxpsp2it
While recognizing the security benefits of SP2, some organizations have requested the ability to temporarily disable delivery of this update via AU and WU.
How to turn on the Remote Desktop Sharing feature of Windows NetMeeting in SP2

http://support.microsoft.com/kb/323258
Automatic Reconnection feature for terminal services. You can use this feature to automatically reconnect to the same session without re-typing logon credentials if the session is disconnected because of dropped packets on the network or a network error. By default, a maximum of twenty reconnection attempts are made at five-second intervals.

By default, the Automatic Reconnection feature is turned on in Windows XP Service Pack 1 (SP1). You can turn the Automatic Reconnection feature off by editing the registry.
How to Turn on Automatic Reconnection in Windows Server 2003
How to Turn on Automatic Reconnection by Using a Group Policy
How to Configure Automatic Reconnection in Windows XP SP1
How to Configure Automatic Reconnection in the Default.rdp File

http://support.microsoft.com/kb/918043
Important It is time to move to Microsoft Windows Server Update Services (WSUS).
http://support.microsoft.com/kb/899591/
MS05-041: Vulnerability in Remote Desktop Protocol could allow denial of service

http://www.microsoft.com/protect/computer/advanced/useraccount.mspx
If you work in a Limited User account, you might be able to decrease the effect of a virus or other malicious software. But if the attack happens while you're in an Administrator account, the attacker can gain full access to your computer and the results can range from annoying to catastrophic
 
LVL 1

Author Closing Comment by: somewherehot
Blocking the port was the key to this - thanks!