jackjohnson44 asked:
Windows 7 hacked, how can I find out what happened?

I have a Windows 7 box that I leave on all the time, then remote into.  Today I tried to remote into it and saw a desktop that was different from my usual desktop.  I thought someone had hacked in, so I tried to do a "shutdown /r" to kick them off.  The screen froze and I was kicked off.  I tried to remote in several times again and every time I would get in, then get kicked off again.  Something similar happened before, and it was because someone logged in was sending out spam.  I am not sure what happened this time.

How can I find out what happened and how can I tell if my computer is clean?
David Johnson, CD

You have to gain physical access to the machine; only then can you check the machine.  The golden rule is that once a machine is compromised, only a clean install will guarantee that the machine is no longer compromised.
@ Jack Johnson

I agree with David, there is no other way: you need to get physical access to the machine to check what is happening.  If you find it has been hacked, then rebuilding the OS and changing the RDP port to a different port is secure; your firewall should be enabled all the time.  If you wish, you can go for third-party firewalls also.

Note: rebuilding is just a suggestion, and it depends upon the impact you got.

Regards, Shiva
Member_2_276102

Even after you have physical access, there's no guarantee that you can find out what happened.

About the only way you could ever find out with any degree of certainty is if you had a network traffic monitor that recorded all traffic in/out of that system (and was not also hacked). You could then later re-play the network traffic to view any remote commands sent to the system and to watch any program objects and/or scripts that came across.

Once someone has sufficient access to your system, any tracks that showed how it was done could also be erased or obfuscated to the point of nonsense.

Tom
jackjohnson44 (ASKER)

I have physical access now.

Does anyone else have any advice?  I was hoping for someone to mention something specific to look for in the event viewer or something of that nature.
@ Jack Johnson

What changes do you see in your machine first?

Any software installed, such as a new plugin, or anything weird?  If you find any, check the installation date in appwiz.cpl.  Depending on the new activity on the machine, we can go further and check the Application events.

Regards, Shiva
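The Event Viewer checks the asker is after, as an added example that is not from anyone in this thread: a PowerShell script that reads the Security log for RDP logons, failed RDP logons, account and group changes, and log clears. It assumes logon auditing is enabled and that it runs in an elevated PowerShell on the box itself; the event IDs and property offsets are the standard Windows 7 ones.

```powershell
# Added example: summarise the Security-log events worth reading after a suspected
# unauthorised RDP session on a Windows 7 box. PowerShell 2.0 syntax, run elevated.
# Event IDs used:
#   4624 successful logon  (LogonType 10 = RemoteInteractive, i.e. RDP)
#   4625 failed logon      (same LogonType filter; many 4625s = password guessing)
#   4720 user account created, 4732 member added to a local group (e.g. Administrators)
#   1102 audit log cleared (someone covering tracks, as Tom notes, is itself a signal)
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

function Get-SecEvents([int[]]$Ids) {
    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$Ids; StartTime=$since} `
        -ErrorAction SilentlyContinue
}

"=== Successful RDP logons since $since ==="
# Property offsets for 4624: 5=TargetUserName 6=TargetDomainName 8=LogonType 18=IpAddress
Get-SecEvents 4624 | Where-Object { $_.Properties[8].Value -eq 10 } | ForEach-Object {
    New-Object PSObject -Property @{
        Time   = $_.TimeCreated
        User   = "{0}\{1}" -f $_.Properties[6].Value, $_.Properties[5].Value
        Source = $_.Properties[18].Value
    }
} | Sort-Object Time | Format-Table Time, User, Source -AutoSize

"=== Failed RDP logons, grouped by source address ==="
# Property offsets for 4625: 5=TargetUserName 10=LogonType 19=IpAddress
Get-SecEvents 4625 | Where-Object { $_.Properties[10].Value -eq 10 } |
    Group-Object { $_.Properties[19].Value } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

"=== Account/group changes and audit-log clears ==="
Get-SecEvents 4720, 4732, 1102 | ForEach-Object {
    # The first line of the message says what changed; the rest is detail
    "{0}  {1}  {2}" -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0]
}
```

Any RDP logon from a source address you do not recognise, a 4720/4732 you did not perform, or a 1102 you did not trigger is the kind of specific evidence this thread is asking for; an empty result is not proof of a clean machine, for the reason Tom gives.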
Everything looks normal once I restarted the computer.  There is a chance that no one broke in and that there was another issue with the system.  When I had an issue before, I tried logging in and saw another user was attached.  I was able to find out that someone went in and created a user then logged in as that user.  There is no additional user.  Also I was able to login via remote desktop and was immediately kicked off.  Since only one user can connect at a time, when I RDP'd in, another user could not also be connected.  I also didn't see any message saying that someone was kicked off.  Also, there was no desktop for another user.

So I might have misspoken before.  My actual issue was that my RDP connection would connect, then close immediately.  The first time I went in, my desktop was different.  After I came home and did a hard reboot, everything was normal.  The reason I mentioned another user hacking it was because of what happened before.  The computer was rebuilt since then.  It could just be an issue with Windows needing a restart.  I'd like to confirm that no one else has logged in aside from me.
@ Jack Johnson

Here is a video for you which explains how to find out whether you got hacked; this can be done through your command prompt.  Please have a look and try this.

http://www.csoonline.com/article/742575/11-sure-signs-you-39-ve-been-hacked
http://www.youtube.com/watch?v=N8348ffSzSU

Regards, Shiva
@ Jack Johnson

Looks fine.  I would like to suggest that you change the RDP port number to a number of your choice; this will give additional security, and as long as no one knows your port it will always be safe.  You can enable your firewall to stop intrusion, and you can also remove the $ shares (they are for administration purposes) to stop infiltration.

Regards, Shiva
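The hardening Shiva suggests (non-default RDP port, firewall on, administrative shares removed), as an added example that is not from anyone in this thread; it also turns on Network Level Authentication, which Windows 7 supports. The port and source-address values are placeholders to edit; note that the port change only hides the listener, while scoping the firewall rule to the address you connect from is what actually limits who can reach it. Run elevated, then reboot.

```powershell
# Added example: apply the RDP hardening discussed in this thread on Windows 7.
# $NewPort and $AllowedSource are placeholder assumptions, edit them before running.
param(
    [int]$NewPort = 3390,                   # placeholder: pick your own port
    [string]$AllowedSource = '203.0.113.5'  # placeholder: the address you RDP from
)
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Move the listener off 3389 and require Network Level Authentication, so a
#    session is rejected before any desktop is shown to an unauthenticated client
Set-ItemProperty -Path $rdp -Name PortNumber -Value $NewPort -Type DWord
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord

# 2. Firewall on for every profile; allow the new port only from one source address
#    (the built-in "Remote Desktop" rule covers 3389 only, so a new rule is needed)
netsh advfirewall set allprofiles state on | Out-Null
netsh advfirewall firewall add rule name=RDP-custom-port dir=in action=allow `
    protocol=TCP localport=$NewPort remoteip=$AllowedSource | Out-Null

# 3. Stop Windows from recreating the administrative shares (C$, ADMIN$) at boot
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name AutoShareWks -Value 0 -Type DWord

# Show the resulting settings; port and share changes take effect after a reboot
Get-ItemProperty -Path $rdp | Select-Object PortNumber, UserAuthentication
netsh advfirewall firewall show rule name=RDP-custom-port
Write-Host "Reboot required; afterwards connect with mstsc /v:<host>:$NewPort"
```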
Thanks, I will take a look at that article.

Also,
I had the issue yesterday, then I came home shutdown and restarted and everything looked normal so I shut down.  Today I turned it on and again saw the generic desktop and got the error "C:\Windows\system32\config\systemprofile\Desktop refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet or your network, and then try again. If it still cannot be located, the information might have been moved to a different location."

I am beginning to think that there was another issue other than being hacked.

Also, this is actually a vhd that I boot directly to.  I am going to just restore a backup since that is safer than trying to figure out what happened.  I will also take your advice on the rdp port.

Do you have any other advice for after I restore a backup?

Thanks for your help!
ASKER CERTIFIED SOLUTION
Sivaraj Essaki
This solution is only available to members.
How often do you run disk error checks/corrections? In this kind of case, it's something that should be done just to try to ensure that bad or questionable sectors are marked not for use.

Tom