The Glade 4.0

 Post subject: someone broke into my pc
PostPosted: Wed Sep 01, 2010 11:34 am 

Joined: Wed Sep 02, 2009 11:04 pm
Posts: 751
Is there anyway to check for security holes on my computer? I came home for lunch and there was someone logged into my account via RDP. I have disabled RDP closed all ports on my router, changed passwords etc. I just want to see if there is a hole somewhere.

_________________
Hokanu
Duty is a magnificent blessing because it is the sign of trust from the universe.
END OF LINE.


PostPosted: Wed Sep 01, 2010 12:56 pm 

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
That's a tall order. What exactly are you looking for? If you've got another machine handy, you could run nmap against your potentially compromised computer.

PostPosted: Wed Sep 01, 2010 6:52 pm 
Lean, Mean, Googling Machine

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
I'm assuming you're behind NAT? How did the ports for RDP get forwarded to the outside world?

I don't think there's a short answer to this. First and foremost, close the barn door. Reset your router to the factory settings and put a strong password on the router's admin account. Make sure that no ports are being forwarded.

After that, it becomes a question of whether you want to try to salvage the compromised system or just cut your losses. Honestly, in most cases, it's probably better to just nuke it all from orbit unless you have a really strong background in Windows security. And even then... most security experts would rather scrub the system and restore from known clean backups than try to "close the holes" after the fact.

If you want to try to fix the system, the only thing I can recommend is to go over the logs with a fine-toothed comb, and try to figure out how the system was compromised. Unfortunately, it's not really possible to write a how-to for that. And, of course, run a full battery of anti-malware/anti-trojan/etc. software. You should especially run some rootkit detectors since you know that someone got in. Odds are they planted at least one backdoor, and if they were smart, they hid it with a rootkit.

Personally, I'd scrub it all. If you have more than one computer on your network, assume they've all been compromised. Disconnect them all from the network (physically) and then connect up one at a time for reformatting + reinstallation. Do not let the cleanly reinstalled machines have *any* contact with the others until they've all been reinstalled. It's best if you can do all of this without any of them being connected to the public internet, but you may have to make some allowances to grab security updates/patches. If you can fetch them (from a clean network) and stick them on a thumbdrive or something before the install, that would be best. At a bare minimum, I would install the latest service pack from off-network before letting any of them touch the internet.

Whichever way you go about getting back to a clean state, I'd recommend that you google "windows hardening" and try to lock your system down a little tighter to prevent future intrusions.

Edit: Oh, and hopefully this goes without saying, but if you wind up doing a reinstall, be *very* careful about importing any data from the old system. If it's not irreplaceable, just trash it and get a clean copy from the source. For irreplaceable data (ex. personal documents), I'd keep them quarantined until you're absolutely certain they aren't infected with anything.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


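Stathol's advice to go over the logs with a fine-toothed comb can at least be given a starting point on Windows: successful logons are Security-log event 4624 and failed ones 4625 (Vista/2008 and later), and an RDP session shows up as Logon Type 10. The script below is an added example, not code from this thread; it works on a constructed five-column export (time, event_id, logon_type, account, source_ip), which is an assumed layout rather than any real Event Viewer or wevtutil format, and flags two things the original poster would have wanted to see: RDP logons from addresses outside the LAN ranges, and the count of failed RDP attempts per source, which is what a guessed weak password looks like in the log.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: a simplified five-column export of the Windows Security
# log. Real exports (Event Viewer "Save as CSV", wevtutil) carry many more
# columns; that the export has exactly these fields in this order is an
# assumption of this example, not a Windows format.
SAMPLE_LOG = """\
time,event_id,logon_type,account,source_ip
2010-09-01 03:12:05,4625,10,Administrator,203.0.113.45
2010-09-01 03:12:09,4625,10,Administrator,203.0.113.45
2010-09-01 03:12:14,4625,10,Administrator,203.0.113.45
2010-09-01 03:12:20,4624,10,Hokanu,203.0.113.45
2010-09-01 08:01:11,4624,2,Hokanu,127.0.0.1
2010-09-01 08:30:40,4624,10,Hokanu,192.168.1.20
"""

# Vista / Server 2008 and later Security-log event IDs (XP used 528/529/540).
SUCCESS_LOGON = "4624"
FAILED_LOGON = "4625"
# Logon Type 10 = RemoteInteractive, i.e. a Terminal Services / RDP session.
RDP_LOGON_TYPE = "10"

# Address ranges that can only be reached from inside the home LAN.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_events(text):
    """Read the CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def is_external(ip):
    """True if the source address lies outside the LAN ranges above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # '-' or an empty source field in some events
        return False
    return not any(addr in net for net in LAN_NETWORKS)


def external_rdp_logons(events):
    """Successful RDP logons whose source is not a LAN address."""
    return [e for e in events
            if e["event_id"] == SUCCESS_LOGON
            and e["logon_type"] == RDP_LOGON_TYPE
            and is_external(e["source_ip"])]


def failed_rdp_attempts_by_source(events):
    """Failed RDP logons per source address: the signature of password guessing."""
    return Counter(e["source_ip"] for e in events
                   if e["event_id"] == FAILED_LOGON
                   and e["logon_type"] == RDP_LOGON_TYPE)


def triage(text):
    """Run both checks over one export and return the findings."""
    events = parse_events(text)
    return {
        "external_rdp_logons": external_rdp_logons(events),
        "failed_by_source": failed_rdp_attempts_by_source(events),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["external_rdp_logons"]:
        print(f"EXTERNAL RDP LOGON {e['time']} {e['account']} from {e['source_ip']}")
    for ip, n in result["failed_by_source"].most_common():
        print(f"{n} failed RDP attempts from {ip}")
```

On the constructed sample the script reports one external RDP logon (Hokanu from 203.0.113.45, right after three failed attempts against Administrator from the same address) and ignores the console and LAN-side sessions. The LAN ranges are listed explicitly rather than using the library's `is_private`, so that documentation addresses such as 203.0.113.x count as external; edit the list if your LAN uses something else.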
PostPosted: Wed Sep 01, 2010 6:57 pm 

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Stathol wrote:
I'm assuming you're behind NAT? How did the ports for RDP get forwarded to the outside world?

UPnP?

Disabling this is always the first thing I do when I power on a new home router....


PostPosted: Wed Sep 01, 2010 7:16 pm 
Lean, Mean, Googling Machine

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
I don't know. I don't care for UPnP either, but it shouldn't open ports except by request from the LAN side of the network. And as far as that goes, I'm 99% sure that the Terminal Services (RDP) server itself doesn't make any UPnP requests. As far as I know, the only way to get RDP through NAT directly is to create a port mapping manually (even if it's a "triggered" mapping).

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


PostPosted: Wed Sep 01, 2010 7:21 pm 

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Well, again, depending on the router and security settings, they can be set to be managed from the WAN interface, and if you use the default password, well, there you go....

But even with the router only being manageable from the LAN side, any app (think malware, trojan, embedded or otherwise) running on a LAN side PC could use UPnP to open the RDP ports on your router and then send the public IP 'home'. This is programmatically trivial.


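Both of the last two posts come down to the same fact: RDP only reaches the WAN if the gateway holds a port mapping, whether a human made it or something on the LAN asked for it over UPnP. The check a defender wants, then, is to read back the mappings the gateway currently holds and flag any that expose a remote-admin port. The script below is an added example, not code from this thread; it uses the standard IGD action GetGenericPortMappingEntry on the WANIPConnection:1 service, assumes you already have the gateway's control URL (normally obtained via SSDP discovery and the device description, which are not shown), and runs its audit offline against constructed sample replies.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"

# Ports that should never be reachable from the WAN on a home network.
REMOTE_ADMIN_PORTS = {3389: "RDP", 5900: "VNC", 22: "SSH", 23: "Telnet", 445: "SMB"}


def build_request(index):
    """SOAP body asking the gateway for port-mapping table entry `index`."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    )


def fetch_entry(control_url, index, timeout=5):
    """POST one request to the gateway's WANIPConnection control URL.
    This is the only network call in the example; the control URL is an
    input you must supply from discovery."""
    req = urllib.request.Request(
        control_url, data=build_request(index).encode(),
        headers={"Content-Type": 'text/xml; charset="utf-8"',
                 "SOAPAction": f'"{SERVICE}#{ACTION}"'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:   # SOAP faults arrive as HTTP 500
        return err.read().decode()


def parse_entry(xml_text):
    """Return the mapping fields as a dict, or None on a SOAP fault
    (a fault is how the gateway says the index is past the end of the table)."""
    root = ET.fromstring(xml_text)
    resp = root.find(f"{{{SOAP_NS}}}Body/{{{SERVICE}}}{ACTION}Response")
    if resp is None:
        return None
    return {child.tag: (child.text or "") for child in resp}


def walk_table(get_xml):
    """Read entries 0, 1, 2, ... until the gateway answers with a fault.
    `get_xml(i)` returns the raw reply for index i (network or sample)."""
    entries = []
    i = 0
    while True:
        mapping = parse_entry(get_xml(i))
        if mapping is None:
            return entries
        entries.append(mapping)
        i += 1


def audit(entries):
    """Flag mappings whose internal port is a remote-admin service."""
    findings = []
    for m in entries:
        port = int(m["NewInternalPort"])
        if port in REMOTE_ADMIN_PORTS:
            findings.append(
                f"{m['NewProtocol']} {m['NewExternalPort']} -> "
                f"{m['NewInternalClient']}:{port} "
                f"({REMOTE_ADMIN_PORTS[port]}, description '{m['NewPortMappingDescription']}')")
    return findings


def _mapping_xml(ext, proto, client, port, desc):
    """Build a constructed GetGenericPortMappingEntry reply for the sample."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:{ACTION}Response xmlns:u="{SERVICE}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>0</NewLeaseDuration>'
            f'</u:{ACTION}Response></s:Body></s:Envelope>')


# Constructed sample replies standing in for a gateway: two mappings, then a fault.
SAMPLE_REPLIES = [
    _mapping_xml(6881, "TCP", "192.168.1.20", 6881, "BitTorrent"),
    _mapping_xml(3389, "TCP", "192.168.1.20", 3389, ""),
    (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
     '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
     '</s:Fault></s:Body></s:Envelope>'),
]


def audit_sample():
    """Run the audit over the constructed replies instead of a live gateway."""
    return audit(walk_table(lambda i: SAMPLE_REPLIES[i]))


if __name__ == "__main__":
    for line in audit_sample():
        print("EXPOSED:", line)
```

Against a real gateway, replace the lambda with `lambda i: fetch_entry(CONTROL_URL, i)`. On the sample the audit ignores the BitTorrent mapping and reports the one that forwards TCP 3389 to 192.168.1.20 with an empty description, which is exactly the kind of entry the thread is worried about; a mapping you did not create yourself is the thing to remove, along with disabling UPnP on the router as the poster above does.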
PostPosted: Thu Sep 02, 2010 11:46 am 

Joined: Wed Sep 02, 2009 11:04 pm
Posts: 751
I started looking through logs and then realized I don't really have a starting point... ugh. So I nuked her last night. I ran AV/malware scans etc. and they all found nothing. I think it was as simple as someone getting my IP. My password was way weak, so it has been beefed up!

Any suggestions on a rootkit detector?

_________________
Hokanu
Duty is a magnificent blessing because it is the sign of trust from the universe.
END OF LINE.

