The Glade 4.0

"Turn the lights down, the party just got wilder."
It is currently Sun Nov 24, 2024 10:00 am

All times are UTC - 6 hours [ DST ]




Post new topic Reply to topic  [ 7 posts ] 
Author Message
 Post subject: someone broke into my pc
PostPosted: Wed Sep 01, 2010 11:34 am 
Offline
User avatar

Joined: Wed Sep 02, 2009 11:04 pm
Posts: 751
Is there anyway to check for security holes on my computer? I came home for lunch and there was someone logged into my account via RDP. I have disabled RDP closed all ports on my router, changed passwords etc. I just want to see if there is a hole somewhere.

_________________
Hokanu
Duty is a magnificent blessing because it is the sign of trust from the universe.
END OF LINE.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Sep 01, 2010 12:56 pm 
Offline

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
That's a tall order. What exactly are you looking for? If you've got another machine handy, you could run nmap against your potentially compromised computer.

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Sep 01, 2010 6:52 pm 
Offline
Lean, Mean, Googling Machine
User avatar

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
I'm assuming you're behind NAT? How did the ports for RDP get forwarded to the outside world?

I don't think there's a short answer to this. First and foremost, close the barn door. Reset your router to the factory settings and put a strong password on the router's admin account. Make sure that no ports are being forwarded.

After that, it becomes a question of whether you want to try to salvage the compromised system or just cut your losses. Honestly, in most cases, its probably better to just nuke it all from orbit unless you have a really strong background in Windows security. And even then...most security experts would rather scrub the system and restore from known clean backups than try to "close the holes" after the fact.

If you want to try to fix the system, the only thing I can recommend is to go over the logs with a fine-toothed comb, and try to figure out how the system was compromised. Unfortunately, it's not really possible to write a how-to for that. And, of course, run a full battery of anti-malware/anti-trojan/etc. software. You should especially run some rootkit detectors since you know that someone got in. Odds are they planted at least one backdoor, and if they were smart, they hid it with a rootkit.

Personally, I'd scrub it all. If you have more than one computer on your network, assume they've all been compromised. Disconnect them all from the network (physically) and then connect up one at a time for reformatting + reinstallation. Do not let the cleanly reinstalled machines have *any* contact with the others until they've all been reinstalled. It's best if you can do all of this without any of them being connected to the public internet, but you may have to make some allowances to grab security updates/patches. If you can fetch them (from a clean network) and stick them on a thumbdrive or something before the install, that would be best. At a bare minimum, I would install the latest service pack from off-network before letting any of them touch the internet.

Whichever way you go about getting back to a clean state, I'd recommend that you google "windows hardening" and try to lock your system down a little tighter to prevent future intrusions.

Edit: Oh, and hopefully this goes without saying, but if you wind up doing a reinstall, be *very* careful about importing any data from the old system. If it's not irreplaceable, just trash it and get a clean copy from the source. For irreplaceable data (ex. personal documents), I'd keep them quarantined until you're absolutely certain they aren't infected with anything.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Sep 01, 2010 6:57 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Stathol wrote:
I'm assuming you're behind NAT? How did the ports for RDP get forwarded to the outside world?


UPnP ?

Disabling this is always the first thing I do when I power on a new home router....


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Sep 01, 2010 7:16 pm 
Offline
Lean, Mean, Googling Machine
User avatar

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
I don't know. I don't care for UPnP either, but it shouldn't open ports except by request from the LAN side of the network. And as far as that goes, I'm 99% sure that the Terminal Services (RDP) server itself doesn't make any UPnP requests. As far as I know, the only way to get RDP through NAT directly is create a port mapping manually (even if it's a "triggered" mapping).

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Sep 01, 2010 7:21 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Well, again, depending on the router and security settings, they can be set to be managed from the WAN interface, and if you use the default password, well, there you go....

But even with the router only being manageable from the LAN side, any app (think malware, trojan, embedded or otherwise) running on a LAN side PC could use UPnP to open the RDP ports on your router and then send the public IP 'home'. This is programatically trivial.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Thu Sep 02, 2010 11:46 am 
Offline
User avatar

Joined: Wed Sep 02, 2009 11:04 pm
Posts: 751
I started looking through logs and then realized I don't really have a starting point.. ugh. So I nuked her last night. I ran av/malware scans etc and they all found nothing. I think it was as simple as someone getting my IP. My password was way weak so it has been beefed up!

Any suggestions on a root kit detector?

_________________
Hokanu
Duty is a magnificent blessing because it is the sign of trust from the universe.
END OF LINE.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 

All times are UTC - 6 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 150 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group