  Chiyo Save Me Konata-Chan Premium join:2003-02-20 Minneapolis, MN clubs:
·Comcast
so I logged onto my file server tonight
Good evening everyone,
I'm not having such a great evening. Internally I use Remote Administrator, and lately when I tried to log on to my file server I couldn't get in.
So, just in case, I had RDP to fall back on. Well, tonight I logged in: 5 IE windows are open and SOMEONE IS CHECKING THEIR E-MAIL!
They booted me out of RDP 4 times before they hightailed it out of my system. I panicked, disconnected the modem from the internet and started searching my settings. Sure enough, I fucked up big time.
I had been running a web server on my file server to do network monitoring. RDC was turned on, with my username being simple and password being simple.
So I know it was poor security on my part. Here's the funny thing: I started going through my IE logs, and the guy visited the LA craigslist, meebo, jah-jah and yahoo mail several times. Now, I can't read cookies, and he didn't save passwords or usernames in any fields. By looking at the cookies, can I extract any info from them?
I went wandering through my shares; nothing is out of place. I'm sure he didn't know what he was sitting on, just figured a Windows XP desktop. I mean, who is dumb enough to check their e-mail and shit?
I've done the following since finding the intrusion:
* Disable, rename, repassword administrator account
* enable windows xp firewall
* create new administrator
* ran Ad-Aware 2007 - looking for keyloggers
* removed all port forwards from the box
* in the process of re-doing a dyndns entry and trying to get comcast to issue me a brand new IP address.

I have 3 computers on my network; is there anything else I should check for? I really think this person was a novice and port scanned me and was using the box as a secondary box or something.
Any help would be great; please be positive.
Thank you.
-- My Blog: »jaab1.blogspot.com/
|
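On the cookie question in the post above, as an added example that is not part of the original thread: IE on Windows XP keeps cookies as plain-text files in which each record is eight lines (name, value, site/path, flags, expiry low/high, creation low/high) closed by a line holding `*`, so the creation timestamps give a timeline of what was visited and when. The host names and values in the sample are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(low, high):
    """Combine the two 32-bit halves of a FILETIME (100 ns ticks since 1601)."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_ie_cookie_text(text):
    """Parse the records of one legacy IE cookie .txt file; skip damaged ones."""
    records, chunk = [], []
    for line in text.splitlines():
        line = line.strip()
        if line != "*":                 # "*" on its own line closes a record
            chunk.append(line)
            continue
        fields, chunk = chunk, []
        if len(fields) != 8:            # truncated or damaged record
            continue
        name, _value, site, _flags, exp_lo, exp_hi, cre_lo, cre_hi = fields
        try:
            records.append({"name": name, "site": site,
                            "created": filetime_to_utc(cre_lo, cre_hi),
                            "expires": filetime_to_utc(exp_lo, exp_hi)})
        except (ValueError, OverflowError):
            continue                    # non-numeric or absurd timestamp
    return records

def site_timeline(records):
    """Per site: first and last cookie creation time, earliest site first."""
    seen = {}
    for r in records:
        first, last = seen.get(r["site"], (r["created"], r["created"]))
        seen[r["site"]] = (min(first, r["created"]), max(last, r["created"]))
    return sorted(seen.items(), key=lambda kv: kv[1][0])

def _rec(*fields):
    return "\n".join(fields) + "\n*\n"

# Constructed sample: two complete records and one truncated record (skipped).
SAMPLE = (_rec("sid", "x1", "mail.example.test/", "1024",
               "0", "30000000", "2730037760", "29874940")
          + _rec("broken", "x2", "mail.example.test/")
          + _rec("pref", "x3", "chat.example.test/", "1024",
                 "0", "30000000", "140103168", "29874942"))

if __name__ == "__main__":
    for site, (first, last) in site_timeline(parse_ie_cookie_text(SAMPLE)):
        print(site, first.isoformat(), last.isoformat())
```

Run it over copies of the cookie files taken from the affected profile rather than on the live system, so file timestamps on the originals are not disturbed.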
  Caution
@netcarrier.net
|
You are "ASSUMING MUCH TOO MUCH".......and best begin "assuming" that the hacker was an expert......"hope for the best but expect the worst". If the person compromised your computer there is a good chance he compromised the other computers on your network. This is not what you may want to hear but your very best bet would be to reformat ALL the computers......that should be your automatic reaction..no questions asked. Truly I feel for you....when these things happen there is no middle ground....you clean the systems correctly or forever wonder if they are infected..
good luck
|
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
reply to Chiyo
From a known safe system, check your logins to your email accounts and websites where you have logins, and change the passwords. Also check to see if you have any financial or personal identity information or site logins on your systems. If so, assume you could have had that information compromised, and that your identity could be stolen.
See »Security »How to report ID theft, fraud, drive-by installs, hijacking and malware? for identity theft reporting/preventative actions.
Better to have done this than to go through recovery of your identity or any funds and closing fraudulently opened accounts.
-- In memoriam Tommy Makem, Nov. 4, 1932 - Aug. 1, 2007
|
  youveshutmedown
@sbcglobal.net
Two things are likely to have happened to you.
The first is the best case scenario. Some guy got lucky, caught you in a scan, and climbed into your box to do some stuff, like check email, go to craigslist, etc. You've already locked it down, so barring anything turning up in a virus/malware/rootkit scan, you got lucky and dodged a bullet.
The second is not so great. It's not a stretch of the imagination to realize that if some idiot found your box in a random scan, you've probably already had other visitors, who were not so dumb, and you may have bigger problems than you realize. You may have been owned for a period of time, long enough for some "n00b" to come by and find the box wide open. Fact is, someone may have even sold him the login information to the box, burning him and you. He does make for a nice coverup and distraction when you do find that you have been compromised.
It's already been suggested, but I will strongly repeat it.
Climb through your network with a fine tooth comb. Change all your passwords *now*. To *everything*. Even an overlooked email account can be enough for someone to initiate a "reset my password" process with someone and cause you lots of trouble.
|
  Chiyo Save Me Konata-Chan Premium join:2003-02-20 Minneapolis, MN clubs:
·Comcast
Thank you, everyone, for the replies. I felt really stupid, and it was just something I didn't think of. I mean, TSWeb wasn't running and I thought I had RDP running internally only. I scanned all my systems; all came back clean. I changed passwords on all my accounts and have been looking for anything suspicious.
So far I can report everything has been quiet and nothing has happened since. I just feel dumb; I've worked with PCs for a long time and I've been in the field for 2 years now, and for something like this to happen is unnerving.
Thanks again.
|
 The Snowman Premium join:2007-05-20
·Verizon Online DSL
|
Say, don't feel so bad.....the same thing could happen to anyone.......and anyone who thinks it can't is only fooling themselves. Consider it a wake-up call...try to laugh about it....then move on. We are all the wiser from our mistakes.
Take care, friend
|