Solved

Windows 7 hacked, how can I find out what happened?

Posted on 2014-02-27
11
357 Views
Last Modified: 2014-03-08
I have a Windows 7 box that I leave on all the time then remote into. Today I tried to remote into it and saw a desktop that was different from my usual desktop. I thought someone hacked in, so I tried to do a "shutdown /r" to kick them off. The screen froze and I was kicked off. I tried to remote in several times again and every time, I would get in then would get kicked off again. Something similar happened before and it was because someone logged in was sending out spam. I am not sure what happened this time.

How can I find out what happened and how can I tell if my computer is clean?
0
Question by:jackjohnson44
11 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
you have to gain physical access to the machine only then can you check the machine.  The golden rule is that once a machine is compromised only a clean install will guarantee that the machine is no longer compromised.
0
 
LVL 7

Expert Comment

by:Sivaraj E
@ Jack Johnson

I agree with David, there is no other way: you need to get physical access to the machine to check what is happening. If you find it's hacked, then rebuilding the OS and changing the RDP port to a different port is secure; your firewall should be enabled all the time. If you wish, you can go for third-party firewalls also.

Note: Rebuilding is just a suggestion and it depends upon the impact you got.

Regards, Shiva
0
 
LVL 27

Expert Comment

by:tliotta
Even after you have physical access, there's no guarantee that you can find out what happened.

About the only way you could ever find out with any degree of certainty is if you had a network traffic monitor that recorded all traffic in/out of that system (and was not also hacked). You could then later re-play the network traffic to view any remote commands sent to the system and to watch any program objects and/or scripts that came across.

Once someone has sufficient access to your system, any tracks that showed how it was done could also be erased or obfuscated to the point of nonsense.

Tom
0
 

Author Comment

by:jackjohnson44
I have physical access now.

Does anyone else have any advice? I was hoping for someone to mention something specific to look for in the Event Viewer or something of that nature.
0
 
LVL 7

Expert Comment

by:Sivaraj E
@ Jack Johnson

What changes do you see in your machine first?

Any software installed, such as a new plugin, or anything weird? If you found any, check the installation date in appwiz.cpl. Depending on the new activity on the machine, we can go further and check the Application events.

Regards, Shiva
0
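The asker wants something concrete to look for in the Event Viewer, and the comment above points at installation dates and the event logs. The script below is an added example written for this thread, not code from any of the participants. It is read-only, and it assumes a Windows 7 box with PowerShell 2.0 or later, an elevated prompt (the Security log needs administrator rights), and a constructed 7-day window that should be widened to cover the incident. It pulls the records that matter for a "did someone else log in via RDP" question: successful RDP and console logons with their source address, failed logons grouped by source (a pile from one address is password guessing), account creation and local-group changes (the earlier incident the asker describes involved a created user), the Remote Desktop session log that records the connecting address, any "audit log cleared" event, and programs installed in the window, which is the same list appwiz.cpl shows.

```powershell
# Added example for this thread, not from any participant. Read-only.
# Assumes Windows 7, PowerShell 2.0+, elevated prompt. 7-day window is a
# constructed assumption; widen it to cover the incident.
$since = (Get-Date).AddDays(-7)

# Expand the EventData of a Security event into a hashtable keyed by field name.
function Get-EventData($event) {
    $d = @{}
    $x = [xml]$event.ToXml()
    if ($x.Event.EventData) {
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    }
    return $d
}

function Get-SecEvents([int[]]$ids) {
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=$ids; StartTime=$since } -ErrorAction SilentlyContinue
}

# If nothing at all comes back, check that logon auditing is actually on:
#   auditpol /get /category:"Logon/Logoff"

Write-Host "== Successful logons (4624): LogonType 10 = RDP, 2 = console =="
Get-SecEvents 4624 | ForEach-Object {
    $d = Get-EventData $_
    if (@('2','10') -contains $d['LogonType']) {
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $d['LogonType']
            SourceIP  = $d['IpAddress'] }
    }
} | Format-Table Time, User, LogonType, SourceIP -AutoSize

Write-Host "== Failed logons (4625) by source address: many from one address = password guessing =="
Get-SecEvents 4625 | ForEach-Object { (Get-EventData $_)['IpAddress'] } |
    Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

Write-Host "== Accounts created (4720) and members added to local groups (4732) =="
Get-SecEvents 4720,4732 | ForEach-Object {
    $d = Get-EventData $_
    New-Object PSObject -Property @{
        Time = $_.TimeCreated; Id = $_.Id
        Target = $d['TargetUserName']; By = $d['SubjectUserName'] }
} | Format-Table Time, Id, Target, By -AutoSize

Write-Host "== Security log cleared (1102): an empty window after this is itself a finding =="
Get-SecEvents 1102 | Format-Table TimeCreated, Id -AutoSize

Write-Host "== RDP sessions (LocalSessionManager 21 = logon, 25 = reconnect) with source address =="
$tsLog = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
Get-WinEvent -FilterHashtable @{ LogName=$tsLog; Id=21,25; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; Id = $_.Id
            User = $x.Event.UserData.EventXML.User
            Source = $x.Event.UserData.EventXML.Address }
    } | Format-Table Time, Id, User, Source -AutoSize

Write-Host "== Programs installed in the window (what appwiz.cpl lists; InstallDate is yyyyMMdd) =="
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -and $_.InstallDate -ge $since.ToString('yyyyMMdd') } |
    Sort-Object InstallDate -Descending | Format-Table InstallDate, DisplayName, Publisher -AutoSize
```

Read the output with David's and Tom's caveats in mind: an attacker with administrator rights can clear or edit these logs, so a clean result lowers the probability of a break-in but does not prove one did not happen. A 1102 event, or a Security log that starts suspiciously recently, is as interesting as any logon line.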
 

Author Comment

by:jackjohnson44
Everything looks normal once I restarted the computer. There is a chance that no one broke in and that there was another issue with the system. When I had an issue before, I tried logging in and saw another user was attached. I was able to find out that someone went in and created a user then logged in as that user. There is no additional user. Also I was able to log in via Remote Desktop and was immediately kicked off. Since only one user can connect at a time, when I RDP'd in, another user could not also be connected. I also didn't see any message saying that someone was kicked off. Also, there was no desktop for another user.

So I might have misspoken before. My actual issue was that my RDP connection would connect then close immediately. The first time I went in, my desktop was different. After I came home and did a hard reboot, everything was normal. The reason I mentioned another user hacking it was because of what happened before. The computer was rebuilt since then. It could just be an issue with Windows needing a restart. I'd like to confirm that no one else has logged in aside from me.
0
 
LVL 7

Expert Comment

by:Sivaraj E
@ Jack Johnson

Here is a video for you which explains how to find out whether you got hacked; this can be done through your command prompt. Please have a look and try this.

http://www.csoonline.com/article/742575/11-sure-signs-you-39-ve-been-hacked
http://www.youtube.com/watch?v=N8348ffSzSU

Regards, Shiva
0
 
LVL 7

Expert Comment

by:Sivaraj E
@ Jack Johnson

Looks fine, and I would like to suggest you change the RDP port number to your desired number; it will give additional security, and unless someone knows your port it will always be safe. You can enable your firewall to stop intrusion, and you can also remove the $ shares to stop infiltration (they are for administration purposes).

Regards, Shiva
0
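The port change and firewall advice above is usually done by hand through regedit and the Windows Firewall control panel. The script below is an added example, not from Shiva or anyone else in the thread, that does both steps from an elevated PowerShell prompt on the Windows 7 box itself (do it at the console, not over the RDP session you are about to move). The port 3390 is a constructed choice; the registry value and the netsh syntax are the standard ones for Windows 7. The firewall is switched on for all profiles, an inbound rule is added for the new port only, and the listener is confirmed after a reboot.

```powershell
# Added example for this thread, not from any participant.
# Run elevated at the console of the Windows 7 machine. $NewPort is a
# constructed choice; pick any unused port above 1024.
$NewPort = 3390
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$old = (Get-ItemProperty -Path $rdpKey).PortNumber
Write-Host "Current RDP listener port: $old"

# 1. Move the listener. The new value is read when the Remote Desktop
#    service starts, so it takes effect after a reboot.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. Firewall on for every profile, and a rule that admits only the new port.
#    The built-in "Remote Desktop (TCP-In)" rule for 3389 can stay enabled:
#    nothing will listen there once the service restarts.
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule name="Remote Desktop custom port $NewPort" dir=in action=allow protocol=TCP localport=$NewPort

Write-Host "Reboot, then confirm with:  netstat -ano | findstr `":$NewPort `""
Write-Host "The Remote Desktop client connects to  <host>:$NewPort"
```

Moving the port only hides the listener from scanners that stop at 3389; it does not change who can authenticate. The rest of the advice in this thread, a firewall that is on all the time and a rebuilt machine when compromise is suspected, carries the actual security.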
 

Author Comment

by:jackjohnson44
Thanks, I will take a look at that article.

Also,
I had the issue yesterday, then I came home shutdown and restarted and everything looked normal so I shut down.  Today I turned it on and again saw the generic desktop and got the error "C:\Windows\system32\config\systemprofile\Desktop refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location."

I am beginning to think that there was another issue other than being hacked.

Also, this is actually a VHD that I boot directly to. I am going to just restore a backup since that is safer than trying to figure out what happened. I will also take your advice on the RDP port.

Do you have any other advice for after I restore a backup?

Thanks for your help!
0
 
LVL 7

Accepted Solution

by:
Sivaraj E earned 500 total points
@Jack Johnson

The problem seems to be in your profile; please refer to this link and sort out the issue.

http://social.technet.microsoft.com/Forums/windows/en-US/846bcb83-ae8d-4108-95f1-b097d2f71fa3/c-windows-system32-config-systemprofile-desktop-refers-to-a-location-that-is-unavailable-windows-7?forum=w7itprogeneral

This link gives additional information on resetting the corrupted profile:

http://windows.microsoft.com/en-us/windows/fix-corrupted-user-profile#1TC=windows-7

Also you can try creating another user on your machine and logging in to check whether the problem still persists.

Regards, Shiva
0
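The error the asker quotes, "C:\Windows\system32\config\systemprofile\Desktop refers to a location that is unavailable", is what Windows shows when it could not load the user's own profile and fell back to the system profile, whose Desktop folder may not exist. Before restoring a backup or rebuilding a profile, the checks below show which of the two it is. This is an added diagnostic written for this thread, not code from the accepted answer or the linked articles; it is read-only, assumes Windows 7 with PowerShell 2.0 or later and an elevated prompt, and looks at the three places involved: the ProfileList registry key (a SID ending in .bak, or a ProfileImagePath that no longer exists, marks a profile Windows could not load), the systemprofile Desktop folder the error names, and the current user's shell-folder paths.

```powershell
# Added example for this thread, not from the accepted answer. Read-only.
# Assumes Windows 7, PowerShell 2.0+, elevated prompt.

Write-Host "== ProfileList: a .bak SID or a missing path marks a profile Windows failed to load =="
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    New-Object PSObject -Property @{
        Sid    = $_.PSChildName
        Path   = $p.ProfileImagePath
        Exists = [bool]($p.ProfileImagePath -and (Test-Path $p.ProfileImagePath))
        Backup = $_.PSChildName.EndsWith('.bak')
    }
} | Format-Table Sid, Path, Exists, Backup -AutoSize

Write-Host "== Is the session running on the system profile instead of your own? =="
Write-Host ("USERPROFILE = {0}" -f $env:USERPROFILE)
Write-Host ("On systemprofile: {0}" -f ($env:USERPROFILE -like '*\config\systemprofile*'))

Write-Host "== The folder named in the error message =="
foreach ($sub in 'system32', 'SysWOW64') {
    $desktop = Join-Path $env:windir "$sub\config\systemprofile\Desktop"
    if (Test-Path (Split-Path $desktop)) {
        Write-Host ("{0,-60} exists: {1}" -f $desktop, (Test-Path $desktop))
    }
}

Write-Host "== Current user's shell folders: every path should exist =="
$usf = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
foreach ($name in 'Desktop', 'Personal', 'AppData', 'Local AppData') {
    $path = [Environment]::ExpandEnvironmentVariables([string]$usf.$name)
    Write-Host ("{0,-14} exists: {1,-5} {2}" -f $name, (Test-Path $path), $path)
}
```

If USERPROFILE points under systemprofile and the Desktop folder there is missing, the symptom is a profile-load failure rather than an intruder; the asker's plan of restoring the VHD from backup, or the profile reset in the accepted answer's second link, addresses that. If instead the ProfileList shows a SID you do not recognise, that goes back to the logon-history checks earlier in the thread.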
 
LVL 27

Expert Comment

by:tliotta
How often do you run disk error checks/corrections? In this kind of case, it's something that should be done just to try to ensure that bad or questionable sectors are marked not for use.

Tom
0
