jackjohnson44 asked:
Windows 7 hacked, how can I find out what happened?
I have a Windows 7 box that I leave on all the time and then remote into. Today I tried to remote into it and saw a desktop that was different from my usual desktop. I thought someone had hacked in, so I tried to do a "shutdown /r" to kick them off. The screen froze and I was kicked off. I tried to remote in several times again, and every time I would get in and then get kicked off again. Something similar happened before, and it was because someone who had logged in was sending out spam. I am not sure what happened this time.
How can I find out what happened and how can I tell if my computer is clean?
You have to gain physical access to the machine; only then can you check it. The golden rule is that once a machine is compromised, only a clean install will guarantee that the machine is no longer compromised.
@ Jack Johnson
I agree with David, there is no other way: you need to get physical access to the machine to check what is happening. If you find it has been hacked, rebuilding the OS and changing the RDP port to a different port is secure. Your firewall should be enabled all the time; if you wish, you can go for third-party firewalls as well.
Note: rebuilding is just a suggestion, and it depends upon the impact you got.
Regards, Shiva
Even after you have physical access, there's no guarantee that you can find out what happened.
About the only way you could ever find out with any degree of certainty is if you had a network traffic monitor that recorded all traffic in/out of that system (and was not also hacked). You could then later re-play the network traffic to view any remote commands sent to the system and to watch any program objects and/or scripts that came across.
Once someone has sufficient access to your system, any tracks that showed how it was done could also be erased or obfuscated to the point of nonsense.
Tom
ASKER
I have physical access now.
Does anyone else have any advice? I was hoping for someone to mention something specific to look for in the event viewer or something of that nature.
@ Jack Johnson
First, what changes do you see on your machine?
Was any software installed, such as a new plugin or anything weird? If you find any, check the installation date in appwiz.cpl. Depending on the new activity on the machine, we can go further and check the Application events.
Regards, Shiva
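Jack asked for something specific to look for in the event viewer. The following is an added example, not code from the thread or from any of the posters: a first-pass triage script for the checks Shiva describes (recent installs from the registry behind appwiz.cpl, then the event logs), run from an elevated PowerShell prompt at the console of the Windows 7 box. It uses PowerShell 2.0 syntax, which is what Windows 7 ships with. The 14-day window and the assumption that the default Windows 7 audit policy (logon successes and failures written to the Security log) is still in place are mine.

```powershell
# Added example, not from the thread: first-pass triage of a Windows 7 box suspected of an RDP
# intrusion. Run elevated at the console. Assumes the default audit policy is intact and that
# 14 days is far enough back (both assumptions are the example's, not the thread's).
param([int]$Days = 14)
$since = (Get-Date).AddDays(-$Days)

# 1. Programs installed recently, from the registry that appwiz.cpl displays (native and 32-bit
#    hives). Only MSI-based installers write InstallDate, so a missing date is not proof of age.
function Get-RecentInstalls {
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        foreach ($key in Get-ChildItem $hive) {
            $p = Get-ItemProperty $key.PSPath
            if ($p.DisplayName -and $p.InstallDate -match '^\d{8}$') {
                $d = [datetime]::ParseExact($p.InstallDate, 'yyyyMMdd', $null)
                if ($d -ge $since) {
                    New-Object PSObject -Property @{ Installed = $d; Name = $p.DisplayName; Publisher = $p.Publisher }
                }
            }
        }
    }
}

# Read the named EventData fields of a Security event. Field positions differ between event
# IDs, so reading by name is safer than indexing Properties[].
function Get-EventFields($event) {
    $fields = @{}
    foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# 2. Who logged on, and from where. 4624 = success, 4625 = failure. LogonType 10 is
#    RemoteInteractive (RDP), 2 is the console, 7 an unlock. A run of 4625s for names you never
#    use, followed by a 4624 type 10, is the password-guessing pattern behind the earlier
#    "someone created a user and logged in" incident Jack describes.
function Get-RdpLogons {
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $f = Get-EventFields $e
        if ($e.Id -eq 4625 -or $f['LogonType'] -eq '10') {
            New-Object PSObject -Property @{
                Time = $e.TimeCreated; Id = $e.Id; Account = $f['TargetUserName']
                LogonType = $f['LogonType']; SourceIp = $f['IpAddress']
            }
        }
    }
}

# 3. Account changes: 4720 = user created, 4726 = user deleted, 4732 = member added to a local
#    group (for 4732 TargetUserName is the group, e.g. Administrators or Remote Desktop Users).
function Get-AccountChanges {
    $filter = @{ LogName = 'Security'; Id = 4720, 4726, 4732; StartTime = $since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $f = Get-EventFields $e
        New-Object PSObject -Property @{
            Time = $e.TimeCreated; Id = $e.Id; Target = $f['TargetUserName']; By = $f['SubjectUserName']
        }
    }
}

# 4. Persistence an intruder typically leaves: Run keys and non-Microsoft scheduled tasks.
function Get-Autoruns {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; everything else is an autorun.
        foreach ($prop in ((Get-ItemProperty $k).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            New-Object PSObject -Property @{ Location = $k; Name = $prop.Name; Command = $prop.Value }
        }
    }
    schtasks /query /fo CSV /v | ConvertFrom-Csv | Where-Object { $_.Author -notlike 'Microsoft*' } |
        ForEach-Object { New-Object PSObject -Property @{ Location = 'Task'; Name = $_.TaskName; Command = $_.'Task To Run' } }
}

'== Installs since {0} ==' -f $since; Get-RecentInstalls | Sort-Object Installed | Format-Table -AutoSize
'== RDP logons and failed logons =='; Get-RdpLogons | Sort-Object Time | Format-Table -AutoSize
'== Account changes ==';              Get-AccountChanges | Sort-Object Time | Format-Table -AutoSize
'== Local accounts now ==';           Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' | Format-Table Name, Disabled, SID -AutoSize
'== Autoruns ==';                     Get-Autoruns | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. An empty result for the RDP logons section can mean "nobody logged in" or "auditing was turned off"; confirm with `auditpol /get /category:"Logon/Logoff"` before trusting it. And, as Tom notes in the thread, an intruder with administrative rights can clear the Security log (which itself leaves event 1102), so this script can confirm an intrusion but cannot by itself prove the absence of one.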
ASKER
Everything looks normal once I restarted the computer. There is a chance that no one broke in and that there was another issue with the system. When I had an issue before, I tried logging in and saw another user was attached. I was able to find out that someone went in and created a user then logged in as that user. There is no additional user. Also I was able to login via remote desktop and was immediately kicked off. Since only one user can connect at a time, when I RDP'd in, another user could not also be connected. I also didn't see any message saying that someone was kicked off. Also, there was no desktop for another user.
So I might have misspoken before. My actual issue was that my RDP connection would connect and then close immediately. The first time I went in, my desktop was different. After I came home and did a hard reboot, everything was normal. The reason I mentioned another user hacking it was because of what happened before. The computer was rebuilt since then. It could just be an issue with Windows needing a restart. I'd like to confirm that no one else has logged in aside from me.
@ Jack Johnson
Here is a video which explains how to find out whether you got hacked; this can be done through your command prompt. Please have a look and try this.
http://www.csoonline.com/article/742575/11-sure-signs-you-39-ve-been-hacked
http://www.youtube.com/watch?v=N8348ffSzSU
Regards, Shiva
@ Jack Johnson
Looks fine. I would like to suggest that you change the RDP port number to a number of your choosing; this will give additional security, and as long as no one knows your port it will always be safe. You can enable your firewall to stop intrusion, and you can also remove the $ shares (they are there for administration purposes) to stop infiltration.
Regards, Shiva
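The hardening Shiva suggests (move the RDP port, keep the firewall on, remove the administrative shares), scripted for Windows 7 as an added example that is not from the thread. Two things the script does that the post does not mention: it turns on Network Level Authentication and sets an account lockout policy, because moving the port only hides the listener from casual scans, while NLA and lockout are what actually stop the password guessing that leads to "someone created a user and logged in". The port number 33890 and the management subnet 192.168.1.0/24 are placeholders I chose; substitute your own.

```powershell
# Added example, not from the thread: RDP hardening for a Windows 7 Professional/Ultimate host.
# Run elevated, then reboot. The port and subnet defaults below are placeholders (mine).
param(
    [int]$NewPort = 33890,
    [string]$AllowedFrom = '192.168.1.0/24'
)

$rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$oldPort = (Get-ItemProperty $rdpTcp).PortNumber

# 1. Move the listener. This is obscurity, not security: a port scan finds it in minutes,
#    but it does cut the automated 3389 noise that fills the Security log.
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewPort -Type DWord

# 2. Require Network Level Authentication, so the client must present valid credentials
#    before a session (and a desktop) is ever created for it.
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

# 3. Firewall: on for every profile; inbound rule for the new port limited to the management
#    network; built-in "Remote Desktop" (3389) rules disabled. Windows 7 has no
#    New-NetFirewallRule cmdlet, so this uses netsh.
netsh advfirewall set allprofiles state on | Out-Null
netsh advfirewall firewall add rule name="RDP custom port $NewPort" dir=in action=allow protocol=TCP localport=$NewPort remoteip=$AllowedFrom | Out-Null
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null

# 4. Lock an account after 10 bad passwords for 30 minutes, so a guessing attack stalls
#    instead of running all night.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 5. Stop the Server service from recreating the administrative shares (C$, ADMIN$).
#    Caveat: tools that rely on ADMIN$ (psexec, remote MMC snap-ins) stop working, so only
#    do this if you never manage the box over SMB.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareWks -Value 0 -Type DWord
Restart-Service LanmanServer -Force

# 6. Show the result so it can be checked before rebooting.
"RDP port: $oldPort -> $((Get-ItemProperty $rdpTcp).PortNumber); NLA: $((Get-ItemProperty $rdpTcp).UserAuthentication)"
net accounts
net share
```

Test the new port from another machine (`mstsc /v:host:33890`) before closing the console session, and keep the old 3389 firewall rules disabled rather than deleted so they can be re-enabled if the change has to be backed out. The RDP listener only picks up the new port after the Remote Desktop Services service restarts or the machine reboots.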
ASKER
Thanks, I will take a look at that article.
Also,
I had the issue yesterday, then I came home, shut down and restarted, and everything looked normal, so I shut down. Today I turned it on and again saw the generic desktop and got the error "C:\Windows\system32\config\systemprofile\Desktop refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location."
I am beginning to think that there was another issue other than being hacked.
Also, this is actually a vhd that I boot directly to. I am going to just restore a backup since that is safer than trying to figure out what happened. I will also take your advice on the rdp port.
Do you have any other advice for after I restore a backup?
Thanks for your help!
How often do you run disk error checks/corrections? In this kind of case, it's something that should be done just to try to ensure that bad or questionable sectors are marked as not for use.
Tom
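The error Jack quotes, a generic desktop plus "C:\Windows\system32\config\systemprofile\Desktop refers to a location that is unavailable", is the message Windows 7 shows when a user's profile fails to load and the session falls back to a temporary or system profile, which is consistent with his own suspicion that this was not an intrusion. The script below is an added example, not code from the thread: it checks for the traces that failure leaves (renamed ProfileList entries and User Profile Service events), checks the folder named in the error, and then looks for the disk errors Tom's advice is aimed at. Since the system is a native-boot VHD, the dirty-bit and chkdsk remarks apply both to the volume inside the VHD and to the physical volume that holds the .vhd file; that observation is mine, not the thread's.

```powershell
# Added example, not from the thread: distinguish a failed profile load from an intrusion, and
# check for disk errors. Run elevated on the Windows 7 machine (PowerShell 2.0 syntax).

# 1. Profile load failures. When Windows cannot load a profile it renames the ProfileList
#    subkey with a .bak suffix and the User Profiles Service logs 1511/1515 (temporary
#    profile) or 1508/1509 (registry hive or file copy failure) to the Application log.
function Get-ProfileProblems {
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in (Get-ChildItem $list | Where-Object { $_.PSChildName -like '*.bak' })) {
        $path = (Get-ItemProperty $key.PSPath).ProfileImagePath
        New-Object PSObject -Property @{ Kind = 'ProfileList .bak'; Detail = "$($key.PSChildName) -> $path" }
    }
    $filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-User Profiles Service'; Id = 1508, 1509, 1511, 1515 }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        New-Object PSObject -Property @{ Kind = "Event $($e.Id)"; Detail = "$($e.TimeCreated): $($e.Message)" }
    }
}

# 2. The folder named in the error. Explorer opens the system profile's desktop when the real
#    profile did not load, and that folder is often absent on Windows 7, hence the message.
function Test-SystemProfileDesktop {
    Test-Path (Join-Path $env:SystemRoot 'system32\config\systemprofile\Desktop')
}

# 3. Disk health: warnings and errors from the NTFS and disk drivers in the System log.
#    Ntfs 55 (corruption detected) and Disk 7/11/51 (bad block, controller error, paging error)
#    are the ones that justify the chkdsk Tom recommends.
function Get-DiskErrors {
    $filter = @{ LogName = 'System'; ProviderName = 'Ntfs', 'Disk'; Level = 1, 2, 3 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message
}

'== Profile problems ==';            Get-ProfileProblems | Format-Table -AutoSize -Wrap
"systemprofile\Desktop exists: $(Test-SystemProfileDesktop)"
'== Disk errors (newest 50) ==';     Get-DiskErrors | Format-Table -AutoSize -Wrap

# The NTFS dirty bit decides whether autochk runs at the next boot. "fsutil dirty set C:"
# forces a chkdsk /F-equivalent pass at boot; a full surface scan still needs "chkdsk C: /R",
# which offers to schedule itself because the system volume is in use. On a native-boot VHD,
# repeat this for the physical volume that holds the .vhd file as well.
fsutil dirty query $env:SystemDrive
```

If the ProfileList check reports a `.bak` entry for your own SID, the usual repair is to remove the non-`.bak` duplicate key Windows created and rename the `.bak` key back, after which the original desktop returns; restoring the VHD from backup, as Jack intends, reaches the same end without the registry surgery. None of these findings rule out an intrusion on their own, which is why they belong alongside the logon and account checks in the earlier triage, not in place of them.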