Someone hacking a computer on our network!!

Archived from groups: microsoft.public.win2000.security

It has happened on three days: the first two months ago, the second
yesterday, and the third today.

It's a Windows 2000 Pro machine, sitting behind a firewall. The hacking
symptoms are like pcAnywhere and VNC; you can see everything they do.
The first time they wrote something in Start > Run; yesterday they tried
to change the password on the computer.

I have scanned the computer with McAfee VirusScan, Spybot, Ad-Aware and
AATools, and SpyRemover (don't remember the name) is installed on the
computer.
I have checked the registry for programs that start up, checked
installed programs (Add/Remove Programs), gone through the services,
and checked the processes running under Task Manager. I looked for strange
connections from the computer with netstat, and haven't found
anything. I haven't checked these things while the computer was being remote
controlled, but right after, without switching off the computer.

I can guess the computer makes a connection out from the network to
the hacker's computer or something. I have checked the firewall for VPN
connections and there is nothing unusual with them.

Anyone have ANY suggestions? I will try them all :)

Thx
  1. First, how are they even getting to this machine? Is there a rule that points
    to this machine's internal IP on the firewall that is giving them access? If
    not, then there is most likely a Trojan on this machine that is making the
    initial connection out?! I would rebuild this box immediately, as obviously
    you are not finding the program using spyware and AV software. If you truly
    believe that someone is trying to hack this machine, a format and reinstall
    would be the only true fix to clear it up.

    --
    Scott Harding
    MCSE, MCSA, A+, Network+
    Microsoft MVP - Windows NT Server

  2. You might want to scan with a program geared toward trojans such as Pest Patrol or
    the free Swat It at http://swatit.org/download.html . In addition, try some tools
    from Sysinternals to further search for rogue installations. In particular, try
    TCPView, Process Explorer, and Autoruns. If you have a rootkit compromise, built-in
    operating system tools may not be reliable in showing the process. In particular, look
    for an unknown process listening on a port. It may help to compare results to a known
    clean, like-configured computer. Process Explorer will give very detailed info about a
    process if you look in the process properties.

    http://www.sysinternals.com/ntw2k/source/tcpview.shtml
    http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
    -- may also be worth a try.

    Keep in mind that the best solution is to reinstall the operating system to a freshly
    formatted drive. There is no harm in trying to pin down the compromise for your
    informational purposes in order to learn and therefore reduce future threats.

    Verify that your perimeter firewall is correctly configured in blocking all
    unauthorized inbound traffic. The best way is to do a scan yourself from the outside
    using something like Superscan 4 to look for holes. In a pinch you can use an online
    self-scan site such as http://scan.sygatetech.com/ . Ideally your firewall should
    block all outbound traffic by default and allow only traffic authorized by
    port/protocol/address rules. Another thing to try is to install a software firewall
    on that computer and configure it to allow necessary traffic. Then when the rogue
    application tries to access the internet, it should pop up a message notifying you and
    asking for access. Sygate would be good for that purpose and it has a lot of built-in
    logging. Good luck. --- Steve


  3. Unplug the damn computer from the network before doing any other
    investigations? That would be my first suggestion.

    --
    Rob Moir, Microsoft MVP for servers & security
    Website - http://www.robertmoir.co.uk
    Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

    Kazaa - Software update services for your Viruses and Spyware.
  4. This is more of a question to the experts that responded but you might
    want to try it in any case ... I wonder if a tool like Active Ports
    might be handy to get more info on what is going on - it should show
    all traffic in and out including any initiated by a trojan.

    Peter

    On Wed, 28 Jul 2004 17:52:13 GMT, greenbay <greenbay@telia.com> wrote:

    >It has happened on three days: the first two months ago, the second
    >yesterday, and the third today.
    >
    >It's a Windows 2000 Pro machine, sitting behind a firewall. The hacking
    >symptoms are like pcAnywhere and VNC; you can see everything they do.
    >The first time they wrote something in Start > Run; yesterday they tried
    >to change the password on the computer.
    >
    >I have scanned the computer with McAfee VirusScan, Spybot, Ad-Aware and
    >AATools, and SpyRemover (don't remember the name) is installed on the
    >computer.
    >I have checked the registry for programs that start up, checked
    >installed programs (Add/Remove Programs), gone through the services,
    >and checked the processes running under Task Manager. I looked for strange
    >connections from the computer with netstat, and haven't found
    >anything. I haven't checked these things while the computer was being remote
    >controlled, but right after, without switching off the computer.
    >
    >I can guess the computer makes a connection out from the network to
    >the hacker's computer or something. I have checked the firewall for VPN
    >connections and there is nothing unusual with them.
    >
    >Anyone have ANY suggestions? I will try them all :)
    >
    >Thx
    >
  5. Not having a firewall, anti-virus and/or
    Microsoft patches are the first suspects. I would be using a firewall like
    www.sygate.com or www.kerio.com or www.zonealarm.com, or a sniffer like
    Ethereal, to watch network traffic to see where and how this is coming in.
    Your firewall may just be logging blocked connections, which would not help
    you here; you want to see all connections.

    http://securityadmin.info/faq.asp#hacked
    http://securityadmin.info/faq.asp#re-secure
    http://securityadmin.info/faq.asp#harden

    If Windows rootkit functionality is being used to hide the malware, or your
    anti-virus has been disabled, you may have to scan remotely from another
    Windows computer via Windows networking, or slave the hard drive in another
    Windows computer, or boot using a BitDefender Linux or Knoppix-STD boot CD
    with ClamAV. Note that anti-virus software does not detect things like
    pcAnywhere and VNC. You could also watch the files being accessed on your
    computer using www.sysinternals.com Filemon and Process Explorer.

