Someone hacking a computer on our network!!

greenbay

It has happened on three days: the first two months ago, the second yesterday
and the third today.

It's a Windows 2000 Pro machine, sitting behind a firewall. The hacking
symptoms are like pcAnywhere or VNC: you can see everything they do.
The first time they wrote something in Start > Run; yesterday they tried
to change the password on the computer.

I have scanned the computer with McAfee VirusScan, Spybot, Ad-Aware and
AATools, and a spyware remover (don't remember the name) is installed on the
computer.
I have checked the registry for programs that start up, checked
installed programs (Add/Remove Programs), gone through the services, and
checked the processes running under Task Manager. I looked for strange
connections from the computer with netstat, and haven't found
anything. I haven't checked these things while the computer was being remote
controlled, but right after, without switching off the computer.

I can guess the computer makes a connection out from the network to
the hacker's computer or something. I have checked the firewall for VPN
connections and there is nothing unusual about them.

Anyone have ANY suggestions? I will try them all :)

Thx
 
First, how are they even getting to this machine? Is there a rule on the firewall
that points to this machine's internal IP and is giving them access? If
not, then there is most likely a Trojan on this machine that is making the
initial connection out. I would rebuild this box immediately, as obviously
you are not finding the program using spyware and AV software. If you truly
believe that someone is trying to hack this machine, format and reinstall
would be the only true fix to clear it up.
 
You might want to scan with a program geared toward trojans such as Pest Patrol or
the free Swat It at http://swatit.org/download.html . In addition, try some tools
from Sysinternals to further search for rogue installations. In particular try
TCPView, Process Explorer, and Autoruns. If you have a rootkit compromise, built-in
operating system tools may not be reliable in showing the process. In particular look
for unknown processes listening on a port. It may help to compare results to a
known-clean, similarly configured computer. Process Explorer will give very detailed info about a
process if you look in the process properties.

http://www.sysinternals.com/ntw2k/source/tcpview.shtml
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
-- may also be worth a try.

Keep in mind that the best solution is to reinstall the operating system to a freshly
formatted drive. There is no harm in trying to pin down the compromise for your
informational purposes in order to learn and therefore reduce future threats.

Verify that your perimeter firewall is correctly configured to block all
unauthorized inbound traffic. The best way is to do a scan yourself from the outside
using something like Superscan 4 to look for holes. In a pinch you can use an online
self-scan site such as http://scan.sygatetech.com/ . Ideally your firewall should
block all outbound traffic by default and allow only traffic authorized by
port/protocol/address rules. Another thing to try is to install a software firewall
on that computer and configure it to allow necessary traffic. Then when the rogue
application tries to access the internet it should pop up a message notifying you and
asking for access. Sygate would be good for that purpose and it has a lot of built-in
logging. Good luck. --- Steve
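One way to carry out the comparison Steve describes, as an added example rather than anything posted in the thread: a small Python script that parses `netstat -an` output (the Windows 2000 netstat has no PID column, so the comparison is by protocol and port), checks the listening sockets against a baseline captured from a known-clean, similarly configured machine, and flags established connections that leave the local network for a port the egress policy does not allow. The netstat sample, the baseline listener set, the local network and the allowed-port list are all constructed for illustration; only the default ports for VNC (5900) and pcAnywhere (5631) are real.

```python
"""Compare a suspect machine's `netstat -an` output with a known-clean baseline.

Added example, not code from the thread. Every address, port and policy value
below is constructed; 203.0.113.0/24 is a documentation range.
"""
import ipaddress
import re

# Constructed `netstat -an` capture from the suspect Windows 2000 machine.
SUSPECT_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1052      192.168.1.5:445        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.20:137       *:*
"""

# Constructed baseline: (proto, port) pairs seen listening on the clean reference box.
CLEAN_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 445)}

# Constructed egress policy: the LAN, plus remote ports outbound traffic may use.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_REMOTE_PORTS = {25, 80, 110, 443}

# Default ports of the remote-control tools the thread mentions (real values).
KNOWN_REMOTE_CONTROL_PORTS = {5900: "VNC", 5631: "pcAnywhere"}

# One socket line: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return one dict per socket line; banner, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": int(lport) if lport != "*" else None,
            "remote_addr": raddr,
            "remote_port": int(rport) if rport != "*" else None,
            # UDP lines have no State column; treat a bound UDP socket as a listener.
            "state": state or ("LISTENING" if proto == "UDP" else ""),
        })
    return rows


def unknown_listeners(rows, baseline):
    """(proto, port) pairs listening here that the clean machine does not have."""
    listening = {(r["proto"], r["local_port"]) for r in rows if r["state"] == "LISTENING"}
    return sorted(listening - baseline)


def suspicious_outbound(rows, local_net, allowed_ports):
    """Established TCP connections leaving the LAN for a port the policy does not allow."""
    hits = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "ESTABLISHED":
            continue
        remote = ipaddress.ip_address(r["remote_addr"])
        if remote in local_net or r["remote_port"] in allowed_ports:
            continue
        hits.append((r["remote_addr"], r["remote_port"]))
    return hits


if __name__ == "__main__":
    rows = parse_netstat(SUSPECT_NETSTAT)
    for proto, port in unknown_listeners(rows, CLEAN_LISTENERS):
        hint = KNOWN_REMOTE_CONTROL_PORTS.get(port, "not a known remote-control default")
        print(f"unexpected listener: {proto} port {port} ({hint})")
    for addr, port in suspicious_outbound(rows, LOCAL_NET, ALLOWED_REMOTE_PORTS):
        print(f"established connection to non-allowlisted destination: {addr}:{port}")
```

The same caveat Steve gives applies to this check: netstat runs on the suspect machine, so a rootkit that hides sockets also hides them from this script. The comparison is more trustworthy when the input comes from TCPView on a machine booted clean, or from what the perimeter firewall or a sniffer actually sees on the wire.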
 
greenbay said:
It has happened on three days: the first two months ago, the second yesterday
and the third today.

It's a Windows 2000 Pro machine, sitting behind a firewall. The hacking
symptoms are like pcAnywhere or VNC: you can see everything they do.
The first time they wrote something in Start > Run; yesterday they tried
to change the password on the computer.

I have scanned the computer with McAfee VirusScan, Spybot, Ad-Aware and
AATools, and a spyware remover (don't remember the name) is installed on the
computer.
I have checked the registry for programs that start up, checked
installed programs (Add/Remove Programs), gone through the services, and
checked the processes running under Task Manager. I looked for strange
connections from the computer with netstat, and haven't found
anything. I haven't checked these things while the computer was being remote
controlled, but right after, without switching off the computer.

I can guess the computer makes a connection out from the network to
the hacker's computer or something. I have checked the firewall for VPN
connections and there is nothing unusual about them.

Anyone have ANY suggestions? I will try them all :)

Unplug the damn computer from the network before doing any other
investigations? That would be my first suggestion.

--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.
 
This is more of a question to the experts that responded but you might
want to try it in any case ... I wonder if a tool like Active Ports
might be handy to get more info on what is going on - it should show
all traffic in and out including any initiated by a trojan.

Peter
 
Not having a firewall, anti-virus and/or Microsoft patches: those are the first
suspects. I would be using a firewall like
www.sygate.com or www.kerio.com or www.zonealarm.com, or a sniffer like
Ethereal, to watch network traffic to see where and how this is coming in.
Your firewall may just be logging blocked connections, which would not help
you here; you want to see all connections.

http://securityadmin.info/faq.asp#hacked
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden

If Windows rootkit functionality is being used to hide the malware, or your
anti-virus has been disabled, you may have to scan remotely from another
Windows computer via Windows networking, or slave the hard drive in another
Windows computer, or boot using a BitDefender Linux or Knoppix-STD boot CD
with ClamAV. Note that anti-virus software does not detect things like
pcAnywhere and VNC. You could also watch the files being accessed on your
computer using www.sysinternals.com Filemon and Process Explorer.
 