How did this guy hack my system?

[Sharks445]

So I run a web server, so my computer stays on all night. I also have RDP (remote desktop) on as well. So one day I wake up and see that some dude from Africa created a new account on my computer through RDP. I only had a guest account on, and my main one has a password, so I was wondering how the * did he create a new account? It gets worse. The new account he created was ADMIN. This dude made himself admin on my PC. So I figured maybe he cracked my password. So that day I deleted his account, turned off guest account, and changed my password. The next day I see this dude created a new admin account AGAIN. Unless he has some logging software, (which he doesn't on my PC) I am still trying to figure out how the * someone achieved a huge feat in hacking. Anyone got any ideas?

 

[i7Baby]

He got through your firewall.

 

[McHenryB]

There are several programs that will allow brute-force password attacks on Windows systems. Opening RDP to the Internet is the equivalent of leaving your front door open and inviting hackers to sit down at your computer and try to log on. Actually, it's worse than that because it's easier to run a brute-force attack over a network that sitting at a keyboad and doing the same thing.

I'd say that your password isn't complicated enough and your Internet security is non-existant. And, just as an aside, how can you say that the hacker hasn't installed logging software on your computer? It sounds as if he's a lot more astute when it comes to low-level attacks than you are, and he has had unrestricted access to your computer.

I would format your hard disk and reinstall Windows. Even that might not be enough against a good hacker.

Bottom line - it's not a "huge feat in hacking", it's something that the average script kiddie can do with the appropriate software.

 

[i7Baby]

Yes - you need to beef up your security - software and practices - considerably.

 

[Sharks445]

There are several programs that will allow brute-force password attacks on Windows systems. Opening RDP to the Internet is the equivalent of leaving your front door open and inviting hackers to sit down at your computer and try to log on. Actually, it's worse than that because it's easier to run a brute-force attack over a network that sitting at a keyboad and doing the same thing.

I'd say that your password isn't complicated enough and your Internet security is non-existant. And, just as an aside, how can you say that the hacker hasn't installed logging software on your computer? It sounds as if he's a lot more astute when it comes to low-level attacks than you are, and he has had unrestricted access to your computer.

I would format your hard disk and reinstall Windows. Even that might not be enough against a good hacker.

Bottom line - it's not a "huge feat in hacking", it's something that the average script kiddie can do with the appropriate software.

But the thing is that my passwords are complicated enough for protection against any bruteforce attack. I even checked, my password would take thousands of years to crack, so password's not the problem. I also have firewall enabled, any logging alware won't be able to access the internet anyways

 

[i7Baby]

Have you found what data he's mined? Anything that can cost you?

 

[Icaraeus]

Any encryption can be bypassed rather quickly. It certainly would not take even a month.

 

[Sharks445]

Have you found what data he's mined? Anything that can cost you?

Aside from him creating the accounts, he has not touched any file inside the system. I have his IP address, so I can just block him if he does something again.

 

[Icaraeus]

If the hacker, boy or girl, has a dynamic IP it isn't that simple to block the IP.

 

[Sharks445]

If the hacker, boy or girl, has a dynamic IP it isn't that simple to block the IP.

Simple, just block the IP range of his ISP. It's probably not a big ISP anyways, it's situated in Africa

 

[Icaraeus]

Then why don't you just block it instead of waiting for another system breach?

 

[Sharks445]

Then why don't you just block it instead of waiting for another system breach?

Security testing. Besides, I don't have important data on this server

 

[McHenryB]

But the thing is that my passwords are complicated enough for protection against any bruteforce attack. I even checked, my password would take thousands of years to crack, so password's not the problem.

The facts would appear to prove that that is not true. Either that or what you are reporting happened didn't.

BTW, how do you know that he is from Africa? Do you have a room-mate? It could be a simple case of social engineering, or you've written the password down somewhere. If it's as complicated as you say, how do you remember it?

 

[Sharks445]

But the thing is that my passwords are complicated enough for protection against any bruteforce attack. I even checked, my password would take thousands of years to crack, so password's not the problem.

The facts would appear to prove that that is not true. Either that or what you are reporting happened didn't.

BTW, how do you know that he is from Africa? Do you have a room-mate? It could be a simple case of social engineering, or you've written the password down somewhere. If it's as complicated as you say, how do you remember it?

His IP Address traces to a country in Africa. It might not be him, but could be a VPN server. As for the password, it's not very hard to create a password that is hard to brute-force.
check out the site : https://howsecureismypassword.net/
the password 'password12345' would take a thousand years to bruteforce

 

[McHenryB]

Have you found what data he's mined? Anything that can cost you?

Aside from him creating the accounts, he has not touched any file inside the system.

As far as you know.

I have his IP address,

That's what you think. You may not be right.

so I can just block him if he does something again.

So block him and forget it.

 

[McHenryB]

the password 'password12345' would take a thousand years to bruteforce

I'd say that must be a pretty useless website. You wouldn't even need to do a brute-force attack on that password. It's one of the first ones that any half-decent password-cracking program would try.

Your password looks like it might just be a word and a few digits. This is a very common pattern and would be cracked very quickly.

So, not a thousand years.

 

[USAFRet]

the password 'password12345' would take a thousand years to bruteforce

Bruteforce, maybe. But that is probably #3 in a dictionary attack.

 

[Sharks445]

the password 'password12345' would take a thousand years to bruteforce

I'd say that must be a pretty useless website. You wouldn't even need to do a brute-force attack on that password. It's one of the first ones that any half-decent password-cracking program would try.

Your password looks like it might just be a word and a few digits. This is a very common pattern and would be cracked very quickly.

So, not a thousand years.

My password contains 3 numbers and and 9 letters, and is uncommon, and it is almost impossible to bruteforce that in less than a day, which is what you're thinking the hacker might have done. And on top of that, he would be bruteforcing over the Internet, which is Orders of Magnitude slower than a local bruteforce.

If anything, I think we can leave bruteforce out of the possibilities.

 

[USAFRet]

How do you know, that after the first intrusion, he did not install any logging software?

And why haven't you blocked him out yet?

 

[Sharks445]

How do you know, that after the first intrusion, he did not install any logging software?

And why haven't you blocked him out yet?

Even if he has, I have a firewall that prevents any applications other than those permitted, to access the internet. All anti-virus scans are clean.
I have now toughened security and I want to test it by leaving it open to hackers. Not much important data's in the server anyways

 

[McHenryB]

If anything, I think we can leave bruteforce out of the possibilities.

OK. Despite the "thousand-year password that would in fact be crackable in a second or so, I'll accept what you say. In that case, the only logical conclusionmis that the guy has put a keylogger on your system. Obviously, he has hidden it so that it doesn't show in the list of processes - not difficult to do. Your system is compromised.

 

[alpha27]

hmm I had 42,000 hits in 1 week on my firewall a few yrs back in xp
lol ive seen some funny * happen to my pc
like symatec disabled be4 my eyes a few hrs after reinstalling everything
the one I like most was a hax on my pc where every where I clicked it said "access denied" even on the start bar... lmao

 

[McHenryB]

To come back to social engineering, here's a little theoretical scenario:

Being a nasty sort of guy I want to capture people's passwords and IP addresses so that I can try hacking into their computers. But surely people aren't going to just give me their password, are they? So, being devious, I set up this web site that offers to check passwords to see how secure they are. And indeed, it does that, and does a very good job of it. But that's not all it does; let's look at what information I am now getting:

The IP address of a computer.
The operating system being used on that computer (from the http headers).
A password that is very likely to be set on that computer.

OK, so I won't hit the jackpot every time, but it's a nice little scheme. Who says people won't just give me their password?

Of course, no-one would fall for a scheme like that, would they?

 

[alpha27]

so are u a red, black or grey type of haxor....why does this not supprize meh
but as u know haxors love haxing other haxors don't they?

 

[Sharks445]

To come back to social engineering, here's a little theoretical scenario:

Being a nasty sort of guy I want to capture people's passwords and IP addresses so that I can try hacking into their computers. But surely people aren't going to just give me their password, are they? So, being devious, I set up this web site that offers to check passwords to see how secure they are. And indeed, it does that, and does a very good job of it. But that's not all it does; let's look at what information I am now getting:

The IP address of a computer.
The operating system being used on that computer (from the http headers).
A password that is very likely to be set on that computer.

OK, so I won't hit the jackpot every time, but it's a nice little scheme. Who says people won't just give me their password?

Of course, no-one would fall for a scheme like that, would they?

Damn, I never thought of it that way. Surely this is a viable means of attack.

The NSA probably buys Google's and Facebook's data, including passwords, so really something like this is not unheard of.