PC being hacked remotely

HI Experts,

I have just received a call from a client to say someone took remote control of his PC on an SBS2003 network; it is the only PC on the network to be taken control of.

OS - Windows 7Pro

This happened a couple of weeks ago... I had installed LogMeIn for a trial and thought someone had got in via that program... but I am thinking whoever it is has installed a program on there. Let me know if you require more info... any suggestions on the best way to stop this would be appreciated, thanks.



AndrewPartnerAsked:

PapertripCommented:
Can you be a bit more specific as to why the client thinks his computer has been compromised?
0
AquatoneCommented:
Hi,

Unplug the computer from the network. That'll stop them quickly. Enable the firewall, with NO exceptions.
Turn off Remote Desktop/Remote Assistance.
Disable the Remote Desktop Services service.
Change the local administrator and local users' passwords (all of them).
Change the domain administrator's password.

Run your A/V software, Malwarebytes anti-malware and remove any findings.

Best bet? Back-up the important data and reinstall Windows.
0
PapertripCommented:
I can't argue with what Aqua suggested, but you have to take end users' words with a grain of salt. There may not even be a need to do anything!
0

AquatoneCommented:
Changing the admin passwords is the quickest way to curb any possible shenanigans. LogMeIn is not needed to access SBS domain PCs on a LAN.
0
AndrewPartnerAuthor Commented:
Thanks for the quick response...

The client was watching files/folders being opened in front of him and another worker.
I had disabled Remote Assistance.
Had run ESET AV and Malwarebytes when this first happened a few weeks back and found nothing.
I will change the domain admin password.
Had changed the user's password again a few weeks back but will also do that again.
Disabling Remote Desktop I can't do, due to the fact they access a box which has XP Unlimited on it, which is where their accounting package runs (MYOB multiuser).

Would like to avoid wipe and reload if I can, but as last resort will do that.
0
AquatoneCommented:
If remote access is a business requirement, then make sure only certain users, the intended users, can access. No one else. The behavior you mentioned sounds like LogMeIn or some other VNC client. Windows RDP curtains the desktop, so that the only thing displayed is a locked screen. VNC uses port 5900 and up by one for each session (screen). RDP uses port 3389. Block ports 5900-5999 on the client and that should stop the unsolicited remote access.
0
AndrewPartnerAuthor Commented:
Thanks Aqua, going in tomorrow and will block those ports... how would it happen though, especially since LogMeIn has been removed? If it is a program, where would it hide?
0
AquatoneCommented:
The program could be anywhere. You would want to look at running processes, especially when the remote behavior is being observed. Check out PsTools from Microsoft to see exactly what is going on.

http://technet.microsoft.com/en-us/sysinternals/bb795533
0
AndrewPartnerAuthor Commented:
Thanks Aqua,

Have downloaded and will try that. Just out of curiosity, since they don't appear to be getting through via the server, how would they get around the password if I changed it a few weeks ago?
0
AquatoneCommented:
Trojan, keylogger; it is not difficult to come up with tools that will crack a DC's password base. These are suppositions, however. A machine in your office seems to be outside of your control and whatever is happening on that computer needs to be remedied. If it were up to me, I would wipe the machine and take it from there.
0
AndrewPartnerAuthor Commented:
I think that is what I am going to do this afternoon; will let you know how I get on. Thanks Aqua.
0
AquatoneCommented:
Sure. Good luck. As long as the user data is on the server, then the desktop almost becomes disposable. Preferences and tweaks can be missed, but are not a show-stopper like data loss.
0
Russell_VenableCommented:
Hi it_fan,
I would start logging the traffic for that box if you're not already and find out what traffic is coming in and what traffic is going out, along with what processes.

Also I would do an external port scan of the box and see what ports are exposed. This should give you a basic idea of what to look for if you find information doing that. If there is no firewall I would suggest placing one and keeping a tight security rule package, and enable the firewall logs so you can see dropped packets and successful connections.

If you do that you will not only solve your problem, you might find out where it's coming from. If you're lucky it's just someone screwing around on your local network.
0
AndrewPartnerAuthor Commented:
Thanks Russell, I am in here looking at it now. Ran netstat -n and found a couple of IP addresses that traced to the US and Germany with host showing unknown. So not sure what to do from there.

I ran ShieldsUP: HTTPS is open only.

I was going to W & R but I might try your suggestion for the moment; what program would you recommend?

I ran ShieldsUP.
0
Russell_VenableCommented:
Ok, I suggest you use TCPView and see what ports are open locally. This will also show you what programs are linked to what open port, making it easier to find if it is a backdoor. Sometimes this doesn't work as planned when the attacker uses a rootkit to hide his traffic. Let's see what this shows and move from there.

Other things to bring to the round table here. Are you running anything like PHP or some other kind like ASP? I assume your server is hosting some kind of website. Need to be thinking about those as well... Anyways, here is a direct link to TCPView: http://live.sysinternals.com/Tcpview.exe

As for the IPs netstat listed, you can run an ARIN Whois query, or whatever your country's Whois server is, and see if it can come up with an AS for those IP addresses; gives us an idea of where/what they might be. If you can cross-reference those IP addresses with your server's firewall you can find out if they were up to no good: what port they connect to, possible port scanning attempts? Those types of things. Very important to look for when you have anonymous activity on your network. ShieldsUP is a good service but TCPView will tell you what ports are really open, as long as it runs in administrator context, as it maps process -> port and vice versa. Anyways I'll wait for you to get back with the TCPView information. Night! :)
0
AndrewPartnerAuthor Commented:
Hi Russell,

Sorry, have not been back there since I last wrote... I ended up installing a software firewall (ZoneAlarm Pro) just as a trial. No PHP or ASP, also no website; that is hosted externally.

But will try TCPView and see if it shows anything. Any tips on what to look for? Just link an open port to a remote address? Any particular process?

Going in there in 2 days time will see what the logs show.


Thanks for the link will post back cheers.
0
Russell_VenableCommented:
You would be looking for processes that are showing suspicious outgoing traffic or listening for a connection. This might even give you the remote connection if you're lucky enough to have them connected at the time, but seeing as you have a firewall up now that is not going to be the case. You will however have the chance to see what ports are open and mapped to what process, giving you an idea of what processes are attempting to access the internet.
0
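To make the netstat/TCPView triage above concrete, here is an added example (not code from anyone in this thread): it parses `netstat -ano` output and flags the two things Aquatone and Russell point at, a process listening on RDP (3389) or the VNC range (5900-5999), and an established connection to a non-private peer whose PID should then be looked up in TCPView or Process Explorer. The netstat sample, its addresses and PIDs are constructed for illustration.

```python
import ipaddress
import re

# Constructed "netstat -ano" output (not from the thread); addresses and PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       4321
  TCP    192.168.1.20:49201     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49322     203.0.113.77:443       ESTABLISHED     4321
  TCP    192.168.1.20:49330     198.51.100.9:5938      ESTABLISHED     4321
  UDP    0.0.0.0:137            *:*                                    4
"""

# RDP (3389) and VNC (5900 and up), the remote-control ports the thread discusses.
REMOTE_CONTROL_PORTS = {3389} | set(range(5900, 6000))
# Treated as local; anything else (incl. the RFC 5737 documentation ranges in the sample) is public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Turn netstat -ano lines into dicts; the header and blank lines are skipped."""
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = local.rpartition(":")[::2]   # split "host:port" at the last colon
        fhost, fport = foreign.rpartition(":")[::2]
        rows.append({"proto": proto, "lport": int(lport) if lport.isdigit() else None,
                     "fhost": fhost, "fport": fport, "state": state or "", "pid": int(pid)})
    return rows

def is_public(host):
    """True for a routable peer address; '*', hostnames and bracketed v6 locals are not."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(addr in net for net in PRIVATE_NETS)

def flag_connections(text):
    """Return (pid, reason) pairs to cross-check against the process list."""
    findings = []
    for r in parse_netstat(text):
        if r["state"] == "LISTENING" and r["lport"] in REMOTE_CONTROL_PORTS:
            findings.append((r["pid"], f"listening on remote-control port {r['lport']}"))
        elif r["state"] == "ESTABLISHED" and is_public(r["fhost"]):
            findings.append((r["pid"], f"established to public host {r['fhost']}:{r['fport']}"))
    return findings
```

On the constructed sample, PID 4321 appears both listening on 5900 and connected out to two public hosts, which is exactly the process-to-port pairing TCPView is meant to surface for a closer look.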
AndrewPartnerAuthor Commented:
Thanks Russell... It's looking like a W & R; Malwarebytes is not able to update now. Didn't have much time on it the other day; shall post back later in the week when back onsite.

cheers
0
AndrewPartnerAuthor Commented:
Sorry have been away for a few weeks... will be going back later this week and will decide what action I will take and distribute points thanks.
0
AndrewPartnerAuthor Commented:
I will be wiping and reloading this machine due to programs like Malwarebytes being inoperable and to remove the risk of missing anything, despite the fact that ZoneAlarm Pro seemed to block any further issues for the testing time. Thanks for your suggestions, some very helpful hints for the future.
0