Ugh, Hacked Through Remote Desktop (Win 7). What to Do?

Centimetro

Distinguished
Feb 14, 2009
2
0
18,510
Took me over a day or so to figure out exactly what happened after I noticed fraudulent purchases from my eBay and PayPal and a text message sent remotely from my phone (via the Pushbullet app), but I determined from talking to eBay (and finding out the orders were made from my IP address), then checking my browser history and finally system logs, that the culprit was a Russian logging into my Remote Desktop via a proxy.

I turned off remote desktop and un-DMZed my connection. Changed some passwords etc. But now worried that with unrestricted access to my machine they installed a keylogger or something.

In light of that, it seems like the smart/safe thing to do would be to reinstall Windows and wipe everything. I am very busy right now and this would be an _IMMENSE_ pain, but I will do it if it is the only intelligent solution.

Just wondering if there are ways to be at least reasonably sure that there are no backdoors on my machine. Is looking through the running Processes list good enough? If so, would such a program be running under my username, LOCAL, or could it be listed as a service or SYSTEM?

Also, since I would in theory like to be able to use RDP again in the future, does anyone have any tips for making it more secure? No idea how this hacker was able to log in via my remote desktop, but looks like he logged in several times over the last 5 days.

Thanks in advance for any help or advice
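An added example (not code from anyone in this thread) of the kind of Security log review the OP describes: it takes a few constructed Windows logon records in a simplified JSON-lines layout (the field names mirror the EventData of 4624 logon / 4625 failed-logon events, but the layout itself is an assumption made for this example), keeps only RemoteInteractive logons (logon type 10, i.e. Remote Desktop), and reports source addresses that are outside the LAN or that produced a run of failures. All addresses, account names and timestamps in the sample are made up.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of Windows Security log records, one JSON object per
# line. Field names mirror the EventData of 4624 (logon) / 4625 (failed
# logon) events; the JSON-lines layout is an assumption for this example,
# not something Windows exports directly. Every value below is made up.
SAMPLE_EVENTS = """
{"time": "2017-03-30T02:14:05", "id": 4625, "logon_type": 10, "user": "Administrator", "ip": "198.51.100.23"}
{"time": "2017-03-30T02:14:09", "id": 4625, "logon_type": 10, "user": "Administrator", "ip": "198.51.100.23"}
{"time": "2017-03-30T02:15:41", "id": 4624, "logon_type": 10, "user": "owner", "ip": "198.51.100.23"}
{"time": "2017-03-31T09:02:13", "id": 4624, "logon_type": 10, "user": "owner", "ip": "192.168.1.20"}
{"time": "2017-04-01T23:40:02", "id": 4624, "logon_type": 10, "user": "owner", "ip": "198.51.100.23"}
{"time": "2017-04-02T07:12:55", "id": 4624, "logon_type": 2, "user": "owner", "ip": "-"}
{"time": "2017-04-03T01:03:17", "id": 4624, "logon_type": 3, "user": "owner", "ip": "192.168.1.30"}
"""

RDP_LOGON_TYPE = 10  # "RemoteInteractive": Terminal Services / Remote Desktop

# Address ranges treated as "inside the house": RFC 1918 LAN space, loopback,
# link-local and their IPv6 equivalents. Anything else is internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def parse_events(text):
    """Parse the JSON-lines export into dicts with a datetime 'time' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def is_external(ip):
    """True for a source address outside the LAN ranges above. The '-'
    placeholder Windows writes for console logons counts as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def summarize_rdp(events, fail_threshold=5):
    """Group RDP (logon type 10) successes and failures by source address and
    flag sources that look like an intrusion or a password-guessing run."""
    per_ip = defaultdict(lambda: {"success": 0, "failure": 0, "users": set(),
                                  "first": None, "last": None})
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE or e["id"] not in (4624, 4625):
            continue
        s = per_ip[e["ip"]]
        s["success" if e["id"] == 4624 else "failure"] += 1
        s["users"].add(e["user"])
        s["first"] = e["time"] if s["first"] is None else min(s["first"], e["time"])
        s["last"] = e["time"] if s["last"] is None else max(s["last"], e["time"])

    findings = []
    for ip in sorted(per_ip):
        s = per_ip[ip]
        reasons = []
        if is_external(ip) and s["success"]:
            reasons.append("successful RDP logon from an internet address")
        if s["failure"] >= fail_threshold:
            reasons.append(f"{s['failure']} failed RDP logons (password guessing)")
        if reasons:
            findings.append({"ip": ip, "success": s["success"], "failure": s["failure"],
                             "users": sorted(s["users"]),
                             # inclusive count of calendar days between first and last sighting
                             "days_active": (s["last"] - s["first"]).days + 1,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in summarize_rdp(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ip']}: {f['success']} ok / {f['failure']} failed, accounts {f['users']}, "
              f"{f['days_active']} day(s): {'; '.join(f['reasons'])}")
```

Two caveats when applying this to a real Security log: when Network Level Authentication is enabled, failed RDP attempts are usually logged as 4625 with logon type 3 rather than 10, so a failure count keyed only on type 10 undercounts password guessing; and a review like this only establishes that the logons happened, it says nothing about what was installed afterwards, which is why the replies below still land on a wipe.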
 
Solution
Full wipe and reinstall. There is no other option, there is no 'reasonably sure'.
Power off and unplug the LAN cable now.

From a known clean system, change your passwords. All of them.
Bank, email, etc, etc.

HUMDRUM2000

Honorable
Jan 22, 2014
6
0
10,510
My friend, wipe the PC clean, do not take chances. I seriously would go as far as to DoD wipe the HDD.
Change all of your passwords ASAP; they are most likely compromised, as are your credit cards connected to your eBay and PayPal accounts.
You never know what the perpetrators have of yours, just make it less likely they can do anything with your information.
It is a serious matter, so take precautions and check your credit report as well.
Hope it ends well for you, good luck.
 

arossetti

Honorable
Feb 22, 2013
13
0
10,570
As someone who routinely investigates and remediates network intrusions, I can easily say the most secure solution is to wipe your system - switch out the drive (or at least use a forensic wiper) and start over. Of course, also monitor any account that you may have accessed and change all your passwords.

If you do not want to go to that extreme, use several third-party virus/malware scanners on USB drives to sweep the system. Once you are satisfied with that, reinstall one of those scanners.

Once you have done that, reset your firewall to an implicit-deny and then methodically open only the ports that you need.

My question though is why on earth are you using RDP? And why were you in a DMZ? If you need to remote into your computer, use something like TeamViewer or LogMeIn with really long passwords. I've seen a lot of issues with LogMeIn related to people not using complex passwords, but not many issues with TeamViewer. The main lesson there is to use complex passwords.

Hope that helps ... good luck...
 

Tech_TTT

Prominent
Apr 4, 2017
51
0
610
I always use my smartphone/tablet (iPhone/iPad) for banking and purchasing online ... I stopped using Windows crap a long time ago when it comes to banking and buying/selling...

I would advise you to take that route as well ... it is very hard to hack your phone/tablet ... and use LTE if possible and not the Wi-Fi connection for more security.
 

Tech_TTT

Prominent
Apr 4, 2017
51
0
610


What phone bill? Using LTE/4G just for banking and buying/selling online is nothing... it's not like watching movies online or browsing heavy sites with a lot of data to download....
 

Tech_TTT

Prominent
Apr 4, 2017
51
0
610


This is what I do: I never enter a banking/shopping password while using Wi-Fi. When I decide to buy or sell or access my bank account, I turn off the Wi-Fi on my iPhone/iPad, then clear history, then connect using LTE, then after I finish my work, clear history again, then I get back on Wi-Fi again...

Not like using LTE all the time :)

@OP, make sure you check your email settings for mail forwarding ... changing the email password alone is not enough. He could still read all your emails if he set up forwarding rules.

@Op2: if that Russian is good, he maybe also hacked your router and routed your traffic to his DNS server ... if you can flash your router clean by downloading the image and flashing the router (not a factory reset), that would also be a good thing to do. Hacking routers is a very hidden thing most people never guess ... if he hacked your router then he can still spy on you and trap you into fake sites using his DNS to steal your passwords again. That's one of the reasons I use LTE instead of Wi-Fi for critical things like banking as well; routers are easy to hack.
 

Tech_TTT

Prominent
Apr 4, 2017
51
0
610


You know what... all this stuff should be done behind the knowledge of the user. Non-IT personnel should never have to bother configuring this stuff. This is where Apple is better than any Windows product: they make it ready for you and take care of the details.

Setting up security measures should not be the normal user's problem... it should be automated by default to the best possible security measures.
 

USAFRet

Illustrious
Moderator


Make it too 'secure', and you lock users out of functionality. Turn the computer into a consumption device...a glorified TV.
Or only those "apps" that exist within their walled garden. Only that data that has been vetted. Only those functions we allow you to do.

(and apple systems get hacked as well)
 

Tech_TTT

Prominent
Apr 4, 2017
51
0
610


So what is the solution then? I myself am getting tired of this and I don't have the time for this as I used to 10 years ago ... I am very busy myself and I am good at computers ... and I got tired of it ...

There has to be a solution for this; it is time consuming.
 

USAFRet

Illustrious
Moderator


The link you replied to was discussing security for RDP. Something a 'normal' user will never ever have to use.
But if you do want to allow incoming access to a system...that access needs to be configured. And it ain't easy.
The code or function you thought was secure today, is found to have a hole tomorrow.

Make the PC a fully secure box (HAHA), and you shut off that RDP functionality.
Or you lock out the capability of me sending you a file to review.

So far, there is no answer.
But the best security configuration device lies between your auditory receptors.
 

Centimetro

Distinguished
Feb 14, 2009
2
0
18,510
Thanks for the replies. Wise words here. I will take your advice and start working out a reinstall and try to use different PCs until then as much as possible -- I got lucky to catch the intrusion before I suffered any monetary loss but I definitely now realize how serious this can be.

As to why I used RDP or DMZ -- simply because I always have and found them convenient, and as far as I know nothing bad ever happened to me as a result. I DMZed my routers since I was a teenager to play games or whatever, and now as an adult Remote Desktop Connection was something I used for work purposes. So this was just a case of not realizing how serious hack attacks could be and thinking "it won't happen to me", I guess.

Really glad I asked on here, I hadn't thought of checking emails for forwarding rules and stuff like that. Wow. And I had just started wondering if my entire network could have been compromised, and then I read the post by Tech_TTT about router hacking... scary stuff