Solved

Windows 7 hacked: how can I find out what happened?

Posted on 2014-02-27
390 Views
Last Modified: 2014-03-08
I have a Windows 7 box that I leave on all the time and then remote into.  Today I tried to remote into it and saw a desktop that was different from my usual desktop.  I thought someone had hacked in, so I tried to do a "shutdown /r" to kick them off.  The screen froze and I was kicked off.  I tried to remote in several more times and every time I would get in, then would get kicked off again.  Something similar happened before and it was because someone logged in was sending out spam. I am not sure what happened this time.

How can I find out what happened and how can I tell if my computer is clean?
Question by:jackjohnson44
11 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39893645
you have to gain physical access to the machine only then can you check the machine.  The golden rule is that once a machine is compromised only a clean install will guarantee that the machine is no longer compromised.
LVL 7

Expert Comment

by:Sivaraj E
ID: 39893787
@ Jack Johnson

I agree with David, there is no other way: you need to get physical access to the machine to check what is happening. If you find it has been hacked, then rebuilding the OS and changing the RDP port to a different port is secure; your firewall should be enabled all the time. If you wish, you can go for third-party firewalls also.

Note: Rebuilding is just a suggestion and it depends upon the impact you got.

Regards, Shiva
LVL 27

Expert Comment

by:tliotta
ID: 39894176
Even after you have physical access, there's no guarantee that you can find out what happened.

About the only way you could ever find out with any degree of certainty is if you had a network traffic monitor that recorded all traffic in/out of that system (and was not also hacked). You could then later re-play the network traffic to view any remote commands sent to the system and to watch any program objects and/or scripts that came across.

Once someone has sufficient access to your system, any tracks that showed how it was done could also be erased or obfuscated to the point of nonsense.

Tom

Author Comment

by:jackjohnson44
ID: 39894821
I have physical access now.

Does anyone else have any advice?  I was hoping for someone to mention something specific to look for in the event viewer or something of that nature.
LVL 7

Expert Comment

by:Sivaraj E
ID: 39894870
@ Jack Johnson

What changes do you see in your machine first?

Any software installed, such as a new plugin or anything weird? If you find any, check the installation date in appwiz.cpl. Depending on the new activity on the machine, we can go further and check the Application events.

Regards, Shiva
Author Comment

by:jackjohnson44
ID: 39894938
Everything looks normal once I restarted the computer.  There is a chance that no one broke in and that there was another issue with the system.  When I had an issue before, I tried logging in and saw another user was attached.  I was able to find out that someone went in and created a user, then logged in as that user.  There is no additional user.  Also, I was able to log in via Remote Desktop and was immediately kicked off.  Since only one user can connect at a time, when I RDP'd in, another user could not also be connected.  I also didn't see any message saying that someone was kicked off.  Also, there was no desktop for another user.

So I might have misspoken before.  My actual issue was that my RDP connection would connect, then close immediately.  The first time I went in, my desktop was different.  After I came home and did a hard reboot, everything was normal.  The reason I mentioned another user hacking it was because of what happened before.  The computer was rebuilt since then.  It could just be an issue with Windows needing a restart.  I'd like to confirm that no one else has logged in aside from me.
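
The asker wants something specific to look for in Event Viewer and, above, to confirm that nobody else has logged in. The following is an added example, not code posted by anyone in the thread, that pulls the relevant Windows 7 events with PowerShell: from the Security log, 4624/4625 (logon success/failure, where logon type 10 is an RDP session), 4720 (user account created), 4732 (member added to a local group) and 1102 (audit log cleared); from the TerminalServices-LocalSessionManager log, session events 21/24/25 (logon, disconnect, reconnect), which carry the client address. It assumes the Windows 7 default audit policy and that the logs have not been cleared; the $Days window is a value you choose.

```powershell
# Added example, not code posted in the thread. Run in an elevated PowerShell on the
# Windows 7 machine itself. Written for PowerShell 2.0 (what Windows 7 ships with), so
# no -in operator and no Get-LocalUser.
# Assumptions: the default Windows 7 audit policy (logon success/failure recorded in
# the Security log) is in place and the logs have not been cleared. $Days is your choice.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

function Get-EventData($evt) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable keyed by Name.
    $d = @{}
    $x = [xml]$evt.ToXml()
    foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
    return $d
}

# 1. Security log. 4624 = logon, 4625 = failed logon, 4720 = user account created,
#    4732 = member added to a local group, 1102 = the audit log was cleared.
'== Security log, last {0} days ==' -f $Days
$sec = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4720,4732,1102; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $d = Get-EventData $_
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        Id        = $_.Id
        LogonType = $d['LogonType']       # 2 console, 7 unlock, 10 RDP (RemoteInteractive)
        Target    = $d['TargetUserName']  # account that logged on / was created / group changed
        Subject   = $d['SubjectUserName'] # account that performed the action
        SourceIP  = $d['IpAddress']
    }
  }
# Drop the noisy network (3) and service (5) logons; keep console, unlock and RDP.
$sec | Where-Object { $_.Id -ne 4624 -or (@('2','7','10') -contains $_.LogonType) } |
  Sort-Object Time | Format-Table Time, Id, LogonType, Target, Subject, SourceIP -AutoSize

# 2. RDP session log. 21 = session logon, 24 = session disconnected, 25 = reconnected.
#    These carry the client address for every RDP session.
'== RDP session events, last {0} days ==' -f $Days
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id=21,24,25; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    $u = ([xml]$_.ToXml()).Event.UserData.EventXML
    New-Object PSObject -Property @{ Time=$_.TimeCreated; Id=$_.Id; User=$u.User; Session=$u.SessionID; Address=$u.Address }
  } | Sort-Object Time | Format-Table Time, Id, User, Session, Address -AutoSize

# 3. Local accounts and the two groups that matter for RDP: an account you did not
#    create is the same sign the asker found the first time.
'== Local accounts =='
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | Format-Table Name, Disabled, SID -AutoSize
net localgroup Administrators
net localgroup "Remote Desktop Users"
```

A 4624 with LogonType 10 (or a session event 21/25) from an address you do not recognise, a 4720 you did not perform, or a 1102 around the time of the incident would each answer the question. Finding none of them only means the logs show nothing, which is the limit tliotta describes above: an attacker with administrator rights can clear or edit the logs, and 1102 is the one trace clearing the Security log leaves behind.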
LVL 7

Expert Comment

by:Sivaraj E
ID: 39894947
@ Jack Johnson

Here is a video which explains how to find out whether you got hacked; this can be done through your command prompt. Please have a look and try this.

http://www.csoonline.com/article/742575/11-sure-signs-you-39-ve-been-hacked
http://www.youtube.com/watch?v=N8348ffSzSU

Regards, Shiva
LVL 7

Expert Comment

by:Sivaraj E
ID: 39895006
@ Jack Johnson

Looks fine, and I would like to suggest you change the RDP port number to your desired number, which will give additional security; unless someone knows your port, it will always be safe. You can enable your firewall to stop intrusion, and you can also remove the $ shares to stop infiltration (they are there for administration purposes).

Regards, Shiva
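
The hardening steps Sivaraj suggests in his two comments above (move the RDP listener off 3389, keep the Windows Firewall on, drop the administrative $ shares) as one added PowerShell example; this is not code from the thread. It assumes an elevated PowerShell 2.0 session on the Windows 7 box, and $NewPort and $AllowedSource are placeholder values you replace with your own. Because the port number is visible to anyone who scans the host, the example also restricts the new port to a source range in the firewall and turns on Network Level Authentication, so a credential check happens before any session is built.

```powershell
# Added example, not code from the thread. Elevated PowerShell on Windows 7.
# PowerShell 2.0 has no New-NetFirewallRule, so the firewall part uses netsh.
# Assumptions: $NewPort and $AllowedSource are your own values (the ones below are
# placeholders; 203.0.113.0/24 is a documentation range). The new port is used only
# after the TermService service restarts or the machine reboots.
param(
    [int]$NewPort = 33890,                      # placeholder, pick your own
    [string]$AllowedSource = '203.0.113.0/24'   # placeholder: the only network you RDP from
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$old = (Get-ItemProperty $rdpKey).PortNumber
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord
"RDP listener port: $old -> $NewPort (effective after TermService restart or reboot)"

# Require Network Level Authentication (CredSSP before a session is created).
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# Firewall: on for every profile, new port allowed only from $AllowedSource,
# and the built-in "Remote Desktop" group (which opens 3389 to everyone) disabled.
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule name="RDP (custom port)" dir=in action=allow protocol=TCP "localport=$NewPort" "remoteip=$AllowedSource"
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# Administrative shares (C$, ADMIN$): AutoShareWks=0 stops the Server service from
# recreating them at its next start. Only do this if nothing else relies on them.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name AutoShareWks -Value 0 -Type DWord

# Show the result so it can be checked before the reboot.
Get-ItemProperty $rdpKey | Select-Object PortNumber, UserAuthentication
netsh advfirewall firewall show rule name="RDP (custom port)"
```

After the reboot, connect with mstsc to host:33890 (or whatever $NewPort you chose) from inside $AllowedSource; a connection attempt from any other address should be dropped by the firewall rather than reach the listener at all. Keep a way to get to the console before changing the port, since a typo here locks you out of RDP.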
Author Comment

by:jackjohnson44
ID: 39895810
Thanks, I will take a look at that article.

Also,
I had the issue yesterday, then I came home shutdown and restarted and everything looked normal so I shut down.  Today I turned it on and again saw the generic desktop and got the error "C:\Windows\system32\config\systemprofile\Desktop refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location."

I am beginning to think that there was another issue other than being hacked.

Also, this is actually a VHD that I boot directly to.  I am going to just restore a backup since that is safer than trying to figure out what happened.  I will also take your advice on the RDP port.

Do you have any other advice for after I restore a backup?

Thanks for your help!
LVL 7

Accepted Solution

by: Sivaraj E (earned 2000 total points)
ID: 39896053
@Jack Johnson

The problem seems to be in your profile; please refer to this link and sort out the issue.

http://social.technet.microsoft.com/Forums/windows/en-US/846bcb83-ae8d-4108-95f1-b097d2f71fa3/c-windows-system32-config-systemprofile-desktop-refers-to-a-location-that-is-unavailable-windows-7?forum=w7itprogeneral

This link gives additional information on resetting the corrupted profile:

http://windows.microsoft.com/en-us/windows/fix-corrupted-user-profile#1TC=windows-7

Also, you can try creating another user on your machine and logging in to check whether the problem still persists.

Regards, Shiva
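
The accepted solution points at a profile problem rather than an intrusion. As an added example (not code from the thread or from the linked articles), the PowerShell below checks the two usual causes before you restore the backup: the Desktop folder missing under the system profile, which is the common cause of the exact "systemprofile\Desktop refers to a location that is unavailable" message quoted above and which the script recreates as an empty folder; and a ProfileList entry renamed with a .bak suffix or pointing at a TEMP profile, which is what the linked Microsoft article on corrupted profiles describes. It assumes an elevated PowerShell 2.0 session on the box and makes no change other than creating that folder.

```powershell
# Added example, not code from the thread. Elevated PowerShell on the Windows 7 box.
# Assumption: recreating the missing systemprofile\Desktop folder is the intended fix
# for the quoted error (as in the linked TechNet thread). Nothing is deleted here.

# 1. The system profile's Desktop folder. SysWOW64 exists only on 64-bit Windows,
#    and the 32-bit shell path needs the folder too on those systems.
$sysProfiles = @("$env:windir\System32\config\systemprofile",
                 "$env:windir\SysWOW64\config\systemprofile")

foreach ($p in $sysProfiles) {
    if (-not (Test-Path $p)) { "skip (not present): $p"; continue }
    $desk = Join-Path $p 'Desktop'
    if (Test-Path $desk) {
        "ok:      $desk"
    } else {
        New-Item -ItemType Directory -Path $desk | Out-Null
        "created: $desk"
    }
}

# 2. ProfileList. A corrupted profile shows up as a SID key renamed with ".bak" while
#    Windows signs the user into a temporary profile (C:\Users\TEMP) instead.
$pl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $pl | ForEach-Object {
    $v = Get-ItemProperty $_.PSPath
    New-Object PSObject -Property @{
        Key     = $_.PSChildName
        Path    = $v.ProfileImagePath
        State   = $v.State
        Suspect = ($_.PSChildName -like '*.bak') -or ($v.ProfileImagePath -like '*\TEMP*')
    }
} | Format-Table Key, Path, State, Suspect -AutoSize

# 3. Where the current user's shell thinks the Desktop is, in case the registry value
#    points at a drive or share that is no longer there.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' |
  Select-Object Desktop
```

If step 1 reports "created" and the generic desktop goes away after a reboot, the cause was the missing folder. If step 2 shows a Suspect entry, follow the Microsoft article above for renaming the .bak key; if neither shows anything, restoring the VHD backup as planned is the shortest route.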
LVL 27

Expert Comment

by:tliotta
ID: 39902166
How often do you run disk error checks/corrections? In this kind of case, it's something that should be done just to try to ensure that bad or questionable sectors are marked not for use.

Tom