bit-tech.net
Old 12th Oct 2014, 23:06   #1
Gurdeep14
Supermodder
Remote Desktop'd to my server/nas, saw someone using it (hacker)

Hi guys
This is worrying me. I have a server/NAS I built running Windows 8.1 64-bit Professional; it is always on, 24/7.
Every few days I remote desktop to it to see if everything is running OK and check for updates etc. Tonight I connected to it and got a message that a user was connected and they were disconnected so I could connect.
Once it established a connection, I saw a cmd window running with some IP-related commands and a webpage open. A few seconds later I was disconnected again as the hacker connected back to the server. I once again connected (1 second later) to disconnect him (this happened 3 times).
Then I connected, right-clicked My Computer, disabled Allow Remote Connections and enabled Remote Desktop with Network Level Authentication. After that, the hacker didn't connect back (not sure if that stopped him or he realised he got found out and quit).
These options were originally unselected due to Microsoft support working on the server a few weeks back (updates weren't working).

This was really worrying. I was only using Microsoft Defender (for AV) and Windows Firewall (thinking I'd never need anything more).
I checked the open webpage, it was some French site, and checked the history: the hacker had been using the internet browser for around 40 minutes, running a speed test, going to a website to figure out my IP address, going to VPNs and proxies and then eventually... porn? WTF
I think he was either French or Spanish judging by the sites he visited.

After this, I signed out of Chrome and did a system restore to a few days before to remove any registry changes he may have made.
I then installed Private Firewall 7.0 and am currently running a virus scan (it runs automatically every night at 3am anyway).
Should I be worried? Any ideas or help?

Thanks guys
__________________
Intel Core i7 920 D0 @ 4Ghz HT | EVGA 780 Classified Hydro Copper 3GB | ASUS Rampage Extreme II | 12GB Corsair Dominator CM3X2G1600C8D | Enermax Revolution 1250W | ASUS Xonar D2X | 250GB Samsung Evo | 256GB Samsung 830 |2 Samsung F3 1TB | Silverstone TJ-07 |
Old 12th Oct 2014, 23:11   #2
deathtaker27
Backups ... Its a way of life
Have you got 3389 external mapped to your internal server?

If so is it locked down to a range of ip addresses or anyone on your router?
And change your password
Old 12th Oct 2014, 23:15   #3
Gurdeep14
Supermodder
Quote:
Originally Posted by deathtaker27
Have you got 3389 external mapped to your internal server?

If so is it locked down to a range of ip addresses or anyone on your router?
I literally have no idea what that means. I'm not totally clued up with networks. I have my router set to MAC address filtering and I have a limited IP range (the exact number of devices in my network).
Other than that, I have done nothing else.
Could you talk me through what you mean please?
Thanks
Old 12th Oct 2014, 23:21   #4
Gurdeep14
Supermodder
Quote:
Originally Posted by deathtaker27
Have you got 3389 external mapped to your internal server?

If so is it locked down to a range of ip addresses or anyone on your router?
And change your password
Just changed the password for the server and deleted the Port Forwarding rule I had in place for port 3389 from the router. Is that what you meant?
Old 13th Oct 2014, 09:55   #5
Pookie
Lest We Forget
That will stop the remote access Gurdeep not only for the hacker but also for you. If I was you I would do the following...

1. Change the default port used for RDP. Use an obscure port like 50578: http://support2.microsoft.com/kb/306759 When you connect via Remote Desktop you will need to format the address like this: 85.67.123.16:50578

2. Make sure you do not use the default "Administrator" account. I would disable this and create a new admin account using a name that's hard to guess.

3. Contact your ISP and see if you can get a new static IP address. They should be able to help you with this.

Good luck
__________________
Fractal R4/ GA-X58A-UD3R / Corsair RM850/ Westmere Xeon X5650 2.66Ghz Hex core / Corsair H60 (2013 Model) with 2 x Corsair SP120 / Corsair Force GT 120 SSD /Sapphire R9 290X / 12GB (3x4GB)Corsair Dominator 1600mhz with Airflow Kit / AOC i2757fm 27" IPS Monitor/ Razer Lachesis.
Rotel RA-02 Amplifier/ B&W DM601 S3/ QED XT350 With Airlock plugs/All QED Interconnects.

http://www.compucare.co.uk/
Old 13th Oct 2014, 11:06   #6
Gurdeep14
Supermodder
Quote:
Originally Posted by Pookie
That will stop the remote access Gurdeep not only for the hacker but also for you. If I was you I would do the following...

1. Change the default port used for RDP. Use an obscure port like 50578: http://support2.microsoft.com/kb/306759 When you connect via Remote Desktop you will need to format the address like this: 85.67.123.16:50578

2. Make sure you do not use the default "Administrator" account. I would disable this and create a new admin account using a name that's hard to guess.

3. Contact your ISP and see if you can get a new static IP address. They should be able to help you with this.

Good luck
Thanks for the reply Pookie
I changed the port over on the server and turned the server/NAS off and on, and now I can't connect to the server. I added an exception in the router for the port and I tried connecting via RDP using 192.168.0.*:new port number, but that didn't work. I also tried doing the same with the external IP address without luck. Any ideas? Anything obvious I am missing?
Old 13th Oct 2014, 12:03   #7
Pookie
Lest We Forget
Don't forget you will need to port forward your new port in the router.
Old 13th Oct 2014, 12:05   #8
Gurdeep14
Supermodder
Quote:
Originally Posted by Pookie
Don't forget you will need to port forward your new port in the router.
I have, I set it as TCP/UDP, that didn't help.
Could it be the windows firewall on the server/nas?
Old 13th Oct 2014, 12:12   #9
Pookie
Lest We Forget
Quote:
Originally Posted by Gurdeep14
I have, I set it as TCP/UDP, that didn't help.
Could it be the windows firewall on the server/nas?
Ah yes. It's too early lol. In and out rule required on the windows firewall.
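An added example, not posted by anyone in this thread: a PowerShell audit that checks the hardening steps Pookie described across posts #5 and #9 (non-default port, NLA, built-in Administrator disabled, an inbound firewall rule for the new port) and then summarises failed and successful remote logons from the Security log, which is how you would see whether anyone is still knocking. It assumes an elevated prompt on the Windows 8.1 box; the port 50578 and the 192.168.x.x LAN range are taken from the thread and should be changed to match your setup.

```powershell
# Added example (not from the thread): audit the RDP hardening advised in
# posts #5 and #9 and summarise RDP logon activity. Run from an elevated
# PowerShell prompt on the Windows 8.1 server. $ExpectedPort is an assumption
# taken from post #5; substitute the port you actually configured.
$ExpectedPort = 50578
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Add-Finding($Check, $Value, $OK) {
    [pscustomobject]@{ Check = $Check; Value = $Value; OK = $OK }
}
$findings = @()

# Listening port: KB 306759 changes PortNumber; it only applies after a reboot.
$port = (Get-ItemProperty $rdpKey -Name PortNumber).PortNumber
$findings += Add-Finding 'RDP listening port' $port ($port -eq $ExpectedPort)

# NLA: UserAuthentication = 1 means the client authenticates before a session exists.
$nla = (Get-ItemProperty $rdpKey -Name UserAuthentication).UserAuthentication
$findings += Add-Finding 'NLA required' $nla ($nla -eq 1)

# Remote Desktop switched on at all (fDenyTSConnections = 1 means off).
$deny = (Get-ItemProperty $tsKey -Name fDenyTSConnections).fDenyTSConnections
$findings += Add-Finding 'RDP enabled' $deny ($deny -eq 0)

# Built-in Administrator (RID 500) disabled, as suggested in post #5.
$admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-%-500'"
$findings += Add-Finding 'Built-in Administrator disabled' $admin.Disabled ($admin.Disabled -eq $true)

# Inbound allow rule for the new port, the missing piece in posts #8 and #9.
$rule = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$ExpectedPort" }
$findings += Add-Finding "Inbound TCP $ExpectedPort allowed" ([bool]$rule) ([bool]$rule)
$findings | Format-Table -AutoSize

# Logon activity for the last 7 days: 4625 = failed, 4624 = success. Fields are
# read from the event XML so nothing depends on property ordering. LogonType 10
# is RemoteInteractive; with NLA the pre-session check is logged as type 3.
function Get-LogonRecords($Id) {
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = (Get-Date).AddDays(-7) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            IP   = ($d | Where-Object Name -eq 'IpAddress').'#text'
            Type = ($d | Where-Object Name -eq 'LogonType').'#text'
        }
    }
}

"Failed logons by source address:"
Get-LogonRecords 4625 | Group-Object IP | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

"Successful network/remote logons (types 3 and 10) from outside 192.168.x.x (assumed LAN range):"
Get-LogonRecords 4624 | Where-Object { $_.Type -in '3', '10' -and $_.IP -notmatch '^(192\.168\.|127\.|-$)' } |
    Format-Table -AutoSize
```

Any row with OK = False in the first table is a step from the thread that has not actually taken effect; a long list of 4625 entries from one address after the port change means the new port has already been found and a firewall scope on the rule or a VPN is the next step.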
Old 13th Oct 2014, 12:37   #10
Votick
My CPU's hot but my core runs cold.
TBH I would have done Port Translation on the router from the external port to the internal on 3389.
__________________

http://stats.bish.pro/
Old 13th Oct 2014, 15:30   #11
creative
Minimodder
Quote:
.....These options were originally unselected due to Microsoft support working on the server a few weeks back (updates weren't working)........
Did you contact MS or did they contact you?
Old 13th Oct 2014, 15:33   #12
Gurdeep14
Supermodder
Quote:
Originally Posted by creative
Did you contact MS or did they contact you?
I contacted them. They made me use logmein (I think, it didn't install, it just ran from the .exe.)
Old 13th Oct 2014, 15:35   #13
Gurdeep14
Supermodder
Quote:
Originally Posted by Pookie
Ah yes. It's too early lol. In and out rule required on the windows firewall.
Done that and it now works again
Thanks Pookie

I also ran Microsoft Baseline Security Analyzer and made any necessary changes. Anything else you guys can suggest? Is it worth buying a dedicated firewall/VPN to put before the router (Netgear WND3700)?
Old 14th Nov 2014, 16:28   #14
ModSquid
Multimodder
I asked a similar question a while back as I was nervous about opening myself up during online gaming and someone suggested using this site:

https://www.grc.com/shieldsup

Apologies to whomever it was as I can't remember. I haven't used it myself yet though, so have nothing to go by unfortunately.