20

OS: Windows 7 Enterprise Edition (90 Day Trial Version)

I put my computer into a DMZ so that I could host a server for a little while. (Port Forwarding was not working in my version of DD-WRT that I had installed on my router.) After a little while someone made a connection to my computer via Remote Desktop Connection. In fact, he is typing to me on the compromised computer right, asking me if "I will license", and that I should "wait 5 minutes". (Needless to say, I typed back and told him to ... well shove it.)

Doing a netstat command from the comprised computer showed this TCP 192.168.1.50:49198 qy-in-f125:5222 ESTABLISHED so I'm guessing he changed my hosts file to that his IP address would be hidden. He also changed the admin password on box, and demoted my account so that it's not admin. I can login to my own account and do the non-admin things that I like, but that's it.

He also comes back every time I turn on my computer, usually within about 25 minutes, but some times as little as 2 or 3 after I turn it on. SO I have a feeling that he uploaded something that runs on startup and calls home.

To me, this seems like the work of a script kiddie, and someone who does not speak English very well. All my doors where open as well as my windows. (No pun intended.) I had RDC enabled to allow remote connections from outside my network.

After this is over I will be formatting the whole computer, but I wanted to know if there is anything I can do to track back this guy so I can hand over his IP address to the cyber crime authorities in my area.

[EDIT] My router had my now compromised computer's IP address on the local network set to the DMZ address in my router. I know how to setup Port Fording, but like I said, it does not work in my version of DD-WRT, I'm using a beta, unstable version of DD-WRT. I did not have the Windows Firewall turned on at all. I believe that it's RDC because Windows asks me if it's OK to allow Administator/DESKTOP-PC to connect. Task Mangager only shows my account, to view the proceess over the other accounts I need Admin, and he's changed my admin password. He was typing to me through the open command line console I had open so that I could do the netstat command. After I did the netset command, I was using another linux laptop to find out if I could get his IP address from his hostname. While I was doing that, I noticed that there was some text in the console that I did not write that said "You will license, wait 5 minutes." in the command line console. This is why I think he is using RDC, because it's apparent that he can see my computer's desktop. I'll try the tcpvcon connection, and I'll give Hiren's Boot CD a go. I'll check the AutoRun log after I have regained admin access to my account, and I'm using the 64bit version of Windows 7. And I will for sure try NetFlow, but I think I'll have to update my router's Firmware to a later version that what I already have. Thank you for your help so far!

Mark Tomlin
  • 1,359

4 Answers4

17

put my computer into a DMZ so that I could host a server for a little while.

You mean a client, as you said it's about Windows 7. What services are you hosting?

Port Forwarding was not working in my version of DD-WRT that I had installed on my router.

Read a guide, because this is fairly simple to set up. You most likely have forgotten to open up a port.

What about Windows Firewall? Is that properly configured or is it wide open too?

After a little while someone made a connection to my computer via Remote Desktop Connection

Are you sure? Did you verify that this is a RDC? It should reveal a connection.

Under what account is he logged in? Look in the task manager.

Is your password strong enough? Something like 8 characters minimum in A-Za-z0-9 style...

In fact, he is typing to me on the compromised computer right

How is he typing to you on the computer? Through net send?

Do you see him typing live to you in notepad or something? Because that wouldn't be RDC...

so I'm guessing he changed my hosts file to that his IP address would be hidden

Can you at least verify your assumptions? If it helps, that is a Google server related to Talk services... Other than that there is a lack of information, it can't be that there is just one connection there.

Try the following command line after downloading this handy connections tool:

tcpvcon -a -c > connections.csv

Which would allow us to get a better clue how he connected, other than that you could try the GUI itself.

He also changed the admin password on box, and demoted my account so that it's not admin. I can login to my own account and do the non-admin things that I like, but that's it.

Use ntpasswd to recover your admin account. It's available on Hiren's Boot CD.

SO I have a feeling that he uploaded something that runs on startup and calls home.

Have you verified that?

Check Autoruns for anything abnormal (which you could also save if you want to share).

Also check Rootkitrevealer if you are running a 32-bit system, just in case he's really nasty...

All my doors where open as well as my windows. (No pun intended.) I had RDC enabled to allow remote connections from outside my network.

After this is over I will be formatting the whole computer, but I wanted to know if there is anything I can do to track back this guy so I can hand over his IP address to the cyber crime authorities in my area.

If you're opening up your computer to the wide internet you should at least protect it, it's most likely not RDC as I said before. There is also no need to format the whole computer as once you prevent his things from running and you firewall the computer and do a simple sfc /scannow along a virus scan your computer you should be fine. Although that you don't like troubleshooting you might as well reinstall.

If you want to be the nasty person you could enable NetFlow on your DD-WRT and configure it to send it to another computer that's running ntop and is configured to receive from the router to track him down.

enter image description here

Community
  • 1
Tamara Wijsman
  • 57,881
11

If your router is logging (or you can monitor) the traffic, and you can get the routable IP address he is using (in other words, his Internet IP address, not a 192.168.x.x IP address, which is an internal, non-routable IP address), you could turn that over, but the chances are still very slim that they catch him.

If he is smart, he is using an infected computer as a proxy (or a paid proxy service in another country with lax laws), routing all this illegal stuff through it. In other words, you would just be turning over the IP of an innocent, but naive infected user. Even then, it is probably in some country where the reach of US law will not reach, let alone will they have the desire in most cases unless the dollar figures are high.

That said, you can always try.

KCotreau
  • 25,622
3

Use a more verbose program like tcpview and turn off the option for host resolution, so the actual IP address will be shown instead of the host name.

But, like KCotreau says, unless they are a super script kiddie they are going through a proxy, another compromised machine, or over Tor, so their IP address is untraceable unless you wanna try and trick them into doing something that would disclose it, like visiting a specially crafted flash of javascript page, etc. Not sure you wanna travel down that path.

queso
  • 792
1
  • Unplug the network cable from the computer.
  • Check startup for anything unusual (start > run > msconfig > "Startup" tab)
  • Run AV scans
  • Run scans with malwarebytes and spybot
  • After that's all done, reboot and run HijackThis! and analyze the log which is generated.
  • After your computer is free of everything, make sure your firewall is up and AV protection is enabled and up-to-date. Also disable the DMZ in the router. If you can't do a port forward, then use logmein.com for remote access.
Force Flow
  • 4,144