Advanced Mass Sender On Client's Computer


  • Advanced Mass Sender On Client's Computer

    I first need to set this small story up. This building that I am talking about has several floors, 8 or 9. This office that I am talking about has its own network. This building has its own IT team, 24 hrs, and has a cleaning staff...

    Over the weekend I decided to do some work on my PC at that location from home via RDP; it's after hours so the office is locked. I RDP into the computer and I get the popup that so and so is currently logged in to the computer, and if I log in they will be disconnected. I log in to my account and start setting up a program that I want to test, pcAnywhere. All of a sudden I get kicked off. I know immediately that something isn't right, so I try to connect back, and I get the popup that said that I was refused permission to log in. What the "@#$%&!"
    I also have a LogMeIn account, so I go to LogMeIn, log into my admin account, not the account that was running, go to user profiles and change the password. Right after, I lose connection. They shut down the computer.


    This morning, I had the staff turn the computer on and logged into the computer. It had 2 .txt files on the desktop and one in the documents folder. 2 of the text files were tons of e-mail addresses, and the other was a story about someone who had died and left 10 million dollars, call me and we can split it type of deal, much more professionally written. I looked at the history and found they had visited sweetylife.com/smtper, dnsstuff, and had AMS4.3 installed, Advanced Mass Sender. I tracked down the domain where the return emails would be sent to; it was in Saudi Arabia.


    Questions:

    What should I do?
    Does this sound like an inside job?
    How did they get the password to the computer?
    Could they have telneted into the computer?
    How did they shut the computer down? Can they do that through telnet?

  • #2
    Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

    IMO this does sound like an "inside" job; only users for that office should have login credentials to a PC on that network, correct?

    As for telnet, it may or may not be listening on that PC, and if I recall correctly, a PC can be shut down from a command line, as long as the user that launched the session has sufficient privileges.



    • #3
      Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

      Agree "inside job" -- I presume you recognised the account already logged onto your computer?

      Access would probably have been by RDP as your session kicked theirs off and vice versa.

      Shutdown -s -f will close it down nicely.

      Are you on a domain -- if so, tell your admin, if not, tell your boss (cover your a**)
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

        Yes, only users have login credentials.

        This was an account that was really a test account; it was nobody's. It was on my computer as a 2nd user.

        Only problem is, when I "changed" the password when this person was on, I don't remember if it said "create password" or "change password". If it was create, then they couldn't have RDP'd in. If it did, how did they know the password? And I guarantee it wasn't anyone that worked in the office; they are all computer illiterate, and they don't have a key for the office.
        Last edited by Kobe 310; 15th August 2011, 19:34.



        • #5
          Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

          Thanks for reading the post, Ossian!

          No domain.

          I did recognize the computer logged in, but moved too fast on the login, wasn't expecting it.

          This network is on its own WAN, not connected to the building at all, and has its own public IP.

          I have a Cisco router, management access is enabled, so only certain computers can telnet or SSH to it, so it wasn't telnet.

          Embarrassed to say, I am the Admin.


          Scenario:


          Someone from their IT dept came in our office, logged in the computer, did a whatismyip.com, and logged in to the computer remotely.
          Someone was physically at the terminal doing this.
          Someone was entering in IP addresses using RDP from somewhere unknown, got lucky to my bad luck and picked my computer to set up shop.

          ???
          Last edited by Kobe 310; 15th August 2011, 21:09.



          • #6
            Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

            Do an analysis of the PC and search for similar things on other office PCs.
            ** Remember to give credit where credit is due and leave reputation points where appropriate **



            • #7
              Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

              In the process, great idea. Thanks.



              • #8
                Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

                Since this appears to be human initiated, rather than a Bot, do some detective work and see who is doing bad things on the interweb....
                Tom Jones
                MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                PhD, MSc, FIAP, MIITT
                IT Trainer / Consultant
                Ossian Ltd
                Scotland

                ** Remember to give credit where credit is due and leave reputation points where appropriate **



                • #9
                  Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

                  My router has management access configured, no telnet except for certain nodes, so I know they couldn't have been through that. I have been trying to gather as many clues as possible.

                  Is it possible some person just happened to put my public IP in their RDP, connect, see the icons of the desktop, enter in the password and bingo? If so, how can I stop a person from doing that? It's an XP machine. I have this computer set up in the router to go straight to it in the NAT.



                  • #10
                    Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

                    So you had RDP and LogMeIn running. Any other remote access software installed that may have been compromised?

                    How to stop or rather how to make this harder? Have a non standard User Name and a really strong password?

                    Just a thought, have you checked your machine for a keylogger?
                    1 1 was a racehorse.
                    2 2 was 1 2.
                    1 1 1 1 race 1 day,
                    2 2 1 1 2



                    • #11
                      Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

                      It seems unlikely to me this is an "inside job", but then again I can't rule it out.
                      As mentioned, try to tighten security and check the logs, enable auditing.
                      It can only take someone minutes to scan the ports your machines are listening on, and maybe a bit longer to get access.
                      Caesar's cipher - 3

                      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                      SFX JNRS FC U6 MNGR



                      • #12
                        Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

                        Nothing else was compromised. What is a keylogger, and how do you check for auditing on an XP desktop?
                        Last edited by Kobe 310; 5th September 2011, 15:50.



                        • #13
                          Re: Advanced Mass Sender On Client's Computer(GOT TO READ THIS!!!)

                          I found out what Event Viewer is, turned it on on 2 machines in 2 different locations. The one which was not hacked just showed my login username logon.

                          The one that was has a bunch of anonymous logons recorded for the time that I turned it on??? Is that how this person got on?

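The thread above turns on the two things post #11 asks for (auditing, then reading the logs) and the question in post #13 about what the "anonymous logon" entries mean. The following Python is an added example, not code from the thread or from any poster, that triages a Security-log export the way a responder would for an XP box exposed to the internet over RDP. It assumes the pre-Vista event IDs (528 successful logon, 529 failed logon, 540 successful network logon) and logon types (2 console, 3 network, 10 Terminal Services/RDP); the CSV column layout and every record in it are constructed for the example, and `parse_records()` would need adjusting to a real export.

```python
"""Triage logon events from a Windows XP-style Security log export.

Constructed example (not from the thread). Event IDs are the pre-Vista ones
(528 logon, 529 failed logon, 540 network logon); logon types 2 = console,
3 = network, 10 = Terminal Services/RDP. The CSV layout is a simplification
of my own, so adapt parse_records() to your actual export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: null-session probes and a guessing run from one address
# that ends in a successful RDP logon, then the owner's own RDP and console
# logons. Addresses are from documentation ranges.
SAMPLE_LOG = """\
time,event_id,user,logon_type,source
2011-08-13 18:02:11,540,ANONYMOUS LOGON,3,203.0.113.45
2011-08-13 18:02:12,540,ANONYMOUS LOGON,3,203.0.113.45
2011-08-13 18:05:40,529,Administrator,10,203.0.113.45
2011-08-13 18:05:41,529,admin,10,203.0.113.45
2011-08-13 18:05:43,529,test,10,203.0.113.45
2011-08-13 18:05:44,529,test,10,203.0.113.45
2011-08-13 18:05:46,528,test,10,203.0.113.45
2011-08-13 20:15:03,528,kobe,10,198.51.100.7
2011-08-14 09:00:00,528,kobe,2,-
"""

EVENT_LOGON_OK = "528"
EVENT_LOGON_FAIL = "529"
EVENT_NETWORK_LOGON = "540"
LOGON_TYPE_NETWORK = "3"
LOGON_TYPE_RDP = "10"


def parse_records(text):
    """Parse the CSV export into dicts, turning 'time' into a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def rdp_logons(records, trusted_sources):
    """Successful RDP sessions (528, type 10), flagged when the source is not
    an address the owner expects to connect from."""
    return [
        {"time": r["time"], "user": r["user"], "source": r["source"],
         "trusted": r["source"] in trusted_sources}
        for r in records
        if r["event_id"] == EVENT_LOGON_OK and r["logon_type"] == LOGON_TYPE_RDP
    ]


def anonymous_logons(records):
    """ANONYMOUS LOGON network logons (540, type 3): null-session style
    connections used for enumeration, not a desktop session."""
    return [r for r in records
            if r["event_id"] == EVENT_NETWORK_LOGON
            and r["user"] == "ANONYMOUS LOGON"
            and r["logon_type"] == LOGON_TYPE_NETWORK]


def guessing_sources(records, threshold=3, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logons (529) inside any
    sliding `window`; returns {source: peak count seen in one window}."""
    fails = defaultdict(list)
    for r in records:
        if r["event_id"] == EVENT_LOGON_FAIL:
            fails[r["source"]].append(r["time"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[src] = best
    return flagged


def guess_then_success(records):
    """Sources whose failed logons were later followed by a successful RDP
    logon: the signature of a guessed password. Returns {source: user}."""
    first_fail, result = {}, {}
    for r in sorted(records, key=lambda rec: rec["time"]):
        if r["event_id"] == EVENT_LOGON_FAIL:
            first_fail.setdefault(r["source"], r["time"])
        elif (r["event_id"] == EVENT_LOGON_OK
              and r["logon_type"] == LOGON_TYPE_RDP
              and r["source"] in first_fail):
            result[r["source"]] = r["user"]
    return result


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for hit in rdp_logons(recs, trusted_sources={"198.51.100.7"}):
        print("RDP logon:", hit)
    print("anonymous network logons:", len(anonymous_logons(recs)))
    print("password guessing from:", guessing_sources(recs))
    print("guessed then logged in:", guess_then_success(recs))
```

Two points the output makes that the thread only hints at. The ANONYMOUS LOGON entries answer post #13's question in the negative: a type-3 anonymous network logon is what share or account enumeration over SMB leaves behind, and it does not by itself give anyone a desktop; the session that matters is the 528 with logon type 10, and the run of 529 failures from the same address immediately before it is what a guessed password looks like. Before the Security log contains any of this on XP Professional, "Audit logon events" has to be switched on for success and failure under Local Security Policy (secpol.msc), which is the step post #13 describes as turning Event Viewer on.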


                          • #14
                            Re: Advanced Mass Sender On Client's Computer

                            Keylogger - http://www.google.com.au/search?hl=en&q=keylogger
                            1 1 was a racehorse.
                            2 2 was 1 2.
                            1 1 1 1 race 1 day,
                            2 2 1 1 2
