New Friend (or an Old Friend who Built a New Account)
Registered: 1451955328 Posts: 36
Reply with quote
Yes I have been hacked on a standalone computer on a network but not on a domain.
Three or so years ago my win2008R2 server was hacked. I did not click on anything. I turned that server off and rebuilt my computer. My machine is wired and is Win7. I only plug my ethernet cable in when I use the computer. Otherwise, no internet. Remote Desktop is disabled. A day or so ago, I discovered that Remote Desktop was on my “recently used” list but still disabled. Someone covered their tracks and cleaned up after a RDP session but I guess they forgot to clean that part up. That started me looking around at event viewer. I found some scary stuff. 1. Computer Management TerminalServices, Operational logs showed multiple suspicious events of Event ID: 21, 22, 23 & 24. With my logins. 2. The security log Event ID: 4672, Special privileges assigned to new logon showed elevated privileges for SYSTEM, Security and NT Authority. With the following Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege I changed the local policy to deny Remote Desktop for my administrator account, my standard user account and Administrators. I disallowed Powershell with Software Restriction Policies. When I rebooted after setting the Software Restriction Policies there were “background processes” running but they weren’t listed, indicating to me that invisible powershell processes were running in the background. These logins are during the day only and it is my suspicion that whenever my computer is online the hacker gets an alert. How can I block this person from accessing my computer in Powershell? Can I trace this person’s IP address? I know this is a classic powershell hack. How can I find out what scripts are running? To make matters more complicated, my husband has Win8, but thinks he is safe because his AntiVirus and Malwarebytes tells him he’s clean PLUS, although this hacker is traversing his computer also, our bank accounts have not been compromised. His machine is on wireless while my machine is wired. We have a movie server that runs on Linux. Could a backdoor have been placed on that Linux Server? I would like to be able to block this person until I can get my Linux machine up and running. (I’m moving away from Windows anyway since Win7 is on EOL). And I would like to slow this person down and stop him/her. What can I do? What other things should I look for? If you could point me to a website or any other resources, I would appreciate it. Thank you. PS I am aware that it is probably my husband’s machine that is allowing access to my computer via the hacker. Edit: to be more concise. __________________ Lisa O'Hara