Solved

PC being hacked remotely

Posted on 2011-10-04
21
Medium Priority
357 Views
Last Modified: 2012-08-14
Hi Experts,

I have just received a call from a client to say someone took remote control of his PC on an SBS2003 network; it is the only PC on the network to be taken control of.

OS - Windows 7Pro

This happened a couple of weeks ago.... I had installed LogMeIn for a trial and thought someone had got in via that program.... but I am thinking whoever it is has installed a program on there. Let me know if you require more info... any suggestions on the best way to stop this would be appreciated, thanks.



Question by:it_fan
20 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36913923
Can you be a bit more specific as to why the client thinks his computer has been compromised?
0
 
LVL 2

Expert Comment

by:Aquatone
ID: 36913926
Hi,

Unplug the computer from the network. That'll stop them quickly. Enable the firewall, with NO exceptions.
Turn off Remote Desktop/Remote Assistance.
Disable the Remote Desktop Services service.
Change the local administrator and local users' passwords (all of them).
Change the domain administrator's password.

Run your A/V software, Malwarebytes anti-malware and remove any findings.

Best bet? Back-up the important data and reinstall Windows.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36913947
I can't argue with what Aqua suggested, but you have to take end users' words with a grain of salt. There may not even be a need to do anything!
0

 
LVL 2

Expert Comment

by:Aquatone
ID: 36913951
Changing the admin passwords is the quickest way to curb any possible shenanigans. LogMeIn is not needed to access SBS domain PCs on a LAN.
0
 

Author Comment

by:it_fan
ID: 36914138
Thanks for the quick response...

The client was watching files/folders being opened in front of himself and another worker.
I had disabled Remote Assistance.
Had run ESET AV and Malwarebytes when this first happened a few weeks back and found nothing.
I will change the domain admin password.
Had changed the user's password again a few weeks back but will also do that again.
Disabling Remote Desktop I can't do, due to the fact they access a box which has XP Unlimited on it, which is where their accounting package runs (MYOB multiuser).

Would like to avoid wipe and reload if I can, but as last resort will do that.
0
 
LVL 2

Expert Comment

by:Aquatone
ID: 36914248
If remote access is a business requirement, then make sure only certain users, the intended users, can access. No one else. The behavior you mentioned sounds like LogMeIn or some other VNC client. Windows RDP curtains the desktop, so that the only thing displayed is a locked screen. VNC uses port 5900 and up by one for each session (screen). RDP uses port 3389. Block ports 5900-5999 on the client and that should stop the unsolicited remote access.
0
 

Author Comment

by:it_fan
ID: 36916561
Thanks Aqua, going in tomorrow and will block those ports... how would it happen though, especially since LogMeIn has been removed? If it is a program, where would it hide?
0
 
LVL 2

Expert Comment

by:Aquatone
ID: 36917095
The program could be anywhere. You would want to look at running processes, especially when the remote behavior is being observed. Check out PsTools from Microsoft to see exactly what is going on.

http://technet.microsoft.com/en-us/sysinternals/bb795533
0
 

Author Comment

by:it_fan
ID: 36921818
Thanks Aqua,

Have downloaded and will try that. Just out of curiosity, since they don't appear to be getting through via the server, how would they get around the password if I changed it a few weeks ago?
0
 
LVL 2

Accepted Solution

by:
Aquatone earned 1600 total points
ID: 36921838
Trojan, keylogger, it is not difficult to come up with tools that will crack a DC's password base. These are suppositions, however. A machine in your office seems to be outside of your control and whatever is happening on that computer needs to be remedied. If it were up to me, I would wipe the machine and take it from there.
0
 

Author Comment

by:it_fan
ID: 36921849
I think that is what I am going to do this afternoon, will let you know how I get on. Thanks Aqua.
0
 
LVL 2

Expert Comment

by:Aquatone
ID: 36921853
Sure. Good luck. As long as the user data is on the server, then the desktop almost becomes disposable. Preferences and tweaks can be missed, but are not a show-stopper like data loss.
0
 
LVL 15

Assisted Solution

by:Russell_Venable
Russell_Venable earned 400 total points
ID: 36922170
Hi it_fan,
I would start logging the traffic for that box if you're not already, and find out what traffic is coming in and what traffic is going out, along with what processes.

Also I would do an external port scan of the box and see what ports are exposed. This should give you a basic idea of what to look for if you find information doing that. If there is no firewall I would suggest placing one and keeping a tight security rule package, and enable the firewall logs so you can see dropped packets and successful connections.

If you do that you will not only solve your problem, you might find out where it's coming from. If you're lucky it's just someone screwing around on your local network.
0
 

Author Comment

by:it_fan
ID: 36922335
Thanks Russell, I am in here looking at it now. Ran netstat -n and found a couple of IP addresses that traced to the US and Germany with host showing unknown. So not sure what to do from there.

I ran ShieldsUP: https is open only.

I was going to W & R but I might try your suggestion for the moment. What program would you recommend?

I ran ShieldsUP.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 36922937
Ok, I suggest you use TCPView and see what ports are open locally. This will also show you what programs are linked to what open port making it easier to find if it is a backdoor. Sometimes this doesn't work as planned when the attacker uses a rootkit to hide his traffic. Let's see what this shows and move from there.

Other things to bring to the Round table here. Are you running anything like php or some other kind like ASP? I assume your server is hosting some kind of website. Need to be thinking about those as well... Anyways here is a direct link to TCPView http://live.sysinternals.com/Tcpview.exe

As for the IPs netstat listed, you can run an ARIN Whois query, or whatever your country's Whois server is, and see if it can come up with an AS for those IP addresses; that gives us an idea of where/what they might be. If you can cross-reference those IP addresses with your server's firewall you can find out if they were up to no good, what port they connected to, possible port scanning attempts? Those types of things. Very important to look for when you have anonymous activity on your network. ShieldsUP is a good service, but TCPView will tell you what ports are really open, as long as it is run in administrator context, as it maps process -> port and vice versa. Anyways, I'll wait for you to get back with the TCPView information. Night! :)
0
 

Author Comment

by:it_fan
ID: 36983785
Hi Russell,

Sorry, have not been back there since I last wrote... I ended up installing a software firewall (ZoneAlarm Pro) just as a trial. No PHP or ASP, also no website; that is hosted externally.

But will try TCPView and see if it shows anything. Any tips on what to look for? Just link an open port to a remote address? Any particular process?

Going in there in 2 days time will see what the logs show.


Thanks for the link will post back cheers.
0
 
LVL 15

Expert Comment

by:Russell_Venable
ID: 36994229
You would be looking for processes that are showing suspicious outgoing traffic or listening for a connection. This might even give you the remote connection if you're lucky enough to have them connected at the time, but seeing as you have a firewall up now that is not going to be the case. You will however have the chance to see what ports are open and mapped to what process, giving you an idea of what processes are attempting to access the internet.
0
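Added example, not code from any poster in this thread: a small Python triage that does over a `netstat -ano` capture what Russell describes doing with TCPView (map each port to its PID and process) and applies Aquatone's port observations (VNC listens on 5900 plus one per display, RDP on 3389). The sample netstat text and the PID-to-image map are constructed stand-ins for the real `netstat -ano` and `tasklist` output; a LAN RDP session is deliberately left unflagged since the thread says RDP is required for MYOB.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample of `netstat -ano` output (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       708
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       3312
  TCP    192.168.1.20:3389      192.168.1.5:51022      ESTABLISHED     1204
  TCP    192.168.1.20:5900      203.0.113.45:60211     ESTABLISHED     3312
  TCP    192.168.1.20:49210     198.51.100.7:443       ESTABLISHED     2288
  UDP    0.0.0.0:5355           *:*                                    1040
"""
# Constructed PID -> image name map standing in for `tasklist` / TCPView's process column.
SAMPLE_PROCESSES = {708: "svchost.exe", 1204: "svchost.exe", 3312: "winvnc.exe",
                    2288: "chrome.exe", 1040: "svchost.exe"}

VNC_PORTS = range(5900, 6000)   # 5900 + display number, as Aquatone describes
RDP_PORT = 3389
# Addresses that are "on the LAN or local": RFC1918, loopback, link-local, unspecified.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Parse the connection rows of `netstat -ano`; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state, pid = m.groups()
            conns.append(Conn(proto, lip, int(lport), rip, rport, state or "", int(pid)))
    return conns

def is_external(ip):
    """True for a routable (non-LAN) IPv4 address; '*' and wildcards are not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)

def triage(conns, procs):
    """Return (severity, detail) findings worth chasing, process name attached to each."""
    findings = []
    for c in conns:
        where = f"{c.local_ip}:{c.local_port} pid={c.pid} ({procs.get(c.pid, 'unknown')})"
        if c.proto == "TCP" and c.state == "LISTENING" and c.local_port in VNC_PORTS:
            findings.append(("HIGH", f"VNC-range listener on {where}"))
        elif c.state == "ESTABLISHED" and is_external(c.remote_ip):
            if c.local_port in VNC_PORTS or c.local_port == RDP_PORT:
                findings.append(("HIGH", f"remote-control session from {c.remote_ip} into {where}"))
            else:  # ordinary outbound traffic: note it and whois the address, as Russell suggests
                findings.append(("REVIEW", f"outbound {where} -> {c.remote_ip}:{c.remote_port}"))
    return findings
```

On a live Windows 7 box, feed it the saved output of `netstat -ano` run from an elevated prompt, since an unprivileged run leaves the PID column incomplete.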
 

Author Comment

by:it_fan
ID: 37015651
Thanks Russell... It's looking like a W & R; Malwarebytes is not able to update now. Didn't have much time on it the other day, shall post back later in the week when back onsite.

cheers
0
 

Author Comment

by:it_fan
ID: 37205175
Sorry have been away for a few weeks... will be going back later this week and will decide what action I will take and distribute points thanks.
0
 

Author Closing Comment

by:it_fan
ID: 37235622
I will be wiping and reloading this machine due to programs like Malwarebytes being inoperable, and to remove the risk of missing anything, despite the fact that ZoneAlarm Pro seemed to block any further issues for the testing time. Thanks for your suggestions, some very helpful hints for the future.
0