Mark Minasi's Tech Forum
Lisa

New Friend (or an Old Friend who Built a New Account)
Posts: 36
Yes I have been hacked on a standalone computer on a network but not on a domain.

Three or so years ago my Win2008R2 server was hacked. I did not click on anything.

I turned that server off and rebuilt my computer. My machine is wired and is Win7. I only plug my Ethernet cable in when I use the computer. Otherwise, no internet. Remote Desktop is disabled.

A day or so ago, I discovered that Remote Desktop was on my “recently used” list but still disabled. Someone covered their tracks and cleaned up after an RDP session, but I guess they forgot to clean that part up. That started me looking around at Event Viewer. I found some scary stuff.

1. Computer Management TerminalServices, Operational logs showed multiple suspicious events of Event ID: 21, 22, 23 & 24, with my logins.
2. The security log Event ID: 4672, Special privileges assigned to new logon, showed elevated privileges for SYSTEM, Security and NT Authority, with the following privileges:

SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege

I changed the local policy to deny Remote Desktop for my administrator account, my standard user account and Administrators.

I disallowed PowerShell with Software Restriction Policies.

When I rebooted after setting the Software Restriction Policies there were “background processes” running but they weren’t listed, indicating to me that invisible PowerShell processes were running in the background.

These logins are during the day only and it is my suspicion that whenever my computer is online the hacker gets an alert.

How can I block this person from accessing my computer in PowerShell? Can I trace this person’s IP address? I know this is a classic PowerShell hack. How can I find out what scripts are running?

To make matters more complicated, my husband has Win8, but thinks he is safe because his AntiVirus and Malwarebytes tell him he’s clean PLUS, although this hacker is traversing his computer also, our bank accounts have not been compromised. His machine is on wireless while my machine is wired.

We have a movie server that runs on Linux. Could a backdoor have been placed on that Linux Server?

I would like to be able to block this person until I can get my Linux machine up and running. (I’m moving away from Windows anyway since Win7 is on EOL). And I would like to slow this person down and stop him/her. What can I do? What other things should I look for?

If you could point me to a website or any other resources, I would appreciate it.

Thank you.


PS I am aware that it is probably my husband’s machine that is allowing access to my computer via the hacker.

Edit: to be more concise.

__________________
Lisa O'Hara
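
Added example, not part of the original post: a Python sketch that reads an XML export of the TerminalServices-LocalSessionManager Operational log (the log that records Event IDs 21 to 24) and separates console sessions from sessions that carry a network source address. The export command in the comment, the helper names, and every user name, timestamp and address in the sample are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the output of (from an elevated prompt):
#   wevtutil qe Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /f:xml /e:Events
# User name and addresses are made up; 192.0.2.0/24 is a documentation range.
def _ev(eid, when, sid, addr):
    a = f"<Address>{addr}</Address>" if addr else ""
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{eid}</EventID><TimeCreated SystemTime="{when}"/></System>'
            f'<UserData><EventXML xmlns="Event_NS"><User>PC\\Lisa</User>'
            f'<SessionID>{sid}</SessionID>{a}</EventXML></UserData></Event>')

SAMPLE = "<Events>" + "".join(_ev(*e) for e in [
    (21, "2019-06-03T08:01:12Z", 1, "LOCAL"),       # console logon
    (22, "2019-06-03T08:01:13Z", 1, "LOCAL"),       # shell start
    (21, "2019-06-03T13:22:40Z", 2, "192.0.2.44"),  # logon from the network
    (24, "2019-06-03T13:40:05Z", 2, "192.0.2.44"),  # disconnect
    (23, "2019-06-03T13:40:06Z", 2, None),          # logoff (no address field)
]) + "</Events>"

LABEL = {21: "logon", 22: "shell start", 23: "logoff", 24: "disconnect"}

def _name(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def parse_sessions(xml_text):
    """Return one dict per session event (IDs 21-24) in the export."""
    rows = []
    for ev in ET.fromstring(xml_text):
        els = {_name(e): e for e in ev.iter()}
        eid = int(els["EventID"].text)
        if eid not in LABEL:
            continue
        text = lambda k: (els[k].text or "").strip() if k in els else ""
        rows.append({"time": els["TimeCreated"].get("SystemTime"), "id": eid,
                     "what": LABEL[eid], "user": text("User"),
                     "session": text("SessionID"), "address": text("Address")})
    return rows

def remote_events(rows):
    # "LOCAL" marks a console (keyboard) session; anything else is a network peer.
    return [r for r in rows if r["address"] and r["address"].upper() != "LOCAL"]

if __name__ == "__main__":
    for r in remote_events(parse_sessions(SAMPLE)):
        print(r["time"], r["what"], r["user"], "from", r["address"])
```

Events whose address is LOCAL come from sitting at the machine, so only the rows returned by `remote_events` identify a source address worth following up.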