Remote Desktop weird problem

WanderALot

Ok, so this one's got me REAL nervous.

We have a desktop PC in our office that we rarely login to using Remote Desktop. Remote Desktop is the only way we login to this PC since we don't have a keyboard/monitor hooked up to it.

Today, when I tried to login to it, the Remote Desktop connection logged in and it didn't have the usual username prefilled in the Username box. It had some weird name: mohammed.mah something or other. The question is, how did it get there?!? We only have one username defined there and we never change it.

The other thing that has me nervous is that we got a weird DHCP address from our router, and to make things worse, I had WEP/WAP turned off on my wireless router since we had some visitors and they wanted to get onto the net (I know, I took the easy way out!).

I'm scared to death of keyloggers, so I'm frantically running AVG on my laptop to see if it sees anything.

Any ideas? Thanks.
 
Sounds like someone got into your network and logged into your remote desktop machine.

Wouldn't have mattered much if you had WEP enabled. WEP sucks. There are turnkey software packages you can load on a laptop that'll identify networks and crack the WEP key in a matter of minutes. WPA is a lot harder.

I'd turn the router off, thoroughly virus scan all the machines, reset the router to its factory defaults, change its name and then reconfigure it for WPA or WPA2 with a different key. Set it for invisible mode and mac filtering.

If the machine that you're using for remote desktop has any stored user/password info for any important sites like financial institutions, I'd change my password on those asap.

As far as the weird DHCP address... maybe you got it from someone else's router?

Also, see this:
http://www.mobydisk.com/techres/securing_remote_desktop.html
 
Thanks for the reply Bunny. A full scan is now running on both our laptops and the wireless network is turned off.

Yeah, I usually have invisible mode and mac filtering enabled, but got lazy when a visitor had to use our network. I'm hoping that maybe someone on my street got onto the wireless (since it didn't have any security enabled) and mistakenly thought that our PC was their PC and tried to login to it. If I was a hacker, I wouldn't try to login to a compromised PC using my username, so I'm hoping it's just a case of my network being open.

We actually use an old access point (Linksys) for our wireless and it only supports WEP. I need to see if I can get a firmware upgrade to get WAP.

I know I didn't get the DHCP address from another router since I checked to see which wireless network I had connected to.

I'm getting that sick feeling knowing that our data might have been compromised. And it's probably all due to my negligence. :(
 
Maybe you can check the log file on the remote access machine. Perhaps another valid user typed this name in. Or you may see a zillion attempts to log in, none successful.

If the machine was compromised I wouldn't trust an antivirus program to fix it. Install from a backup, or do a fresh install. Otherwise, you never know what's on there.
 

Hey Bunny.
I have an old router and replaced it with the Zyxel a friend gave me. Looked like a great router with lots of useful features. A few days later I noticed that my internet connection was slow. I reset the router to the default config and it's still slow. I tried looking at the settings and couldn't find anything abnormal. I even updated to the latest firmware. Then I swapped it out for my old router and bingo, fast again. A quick google search indicates that others have the same issue. I would not recommend the 320SW.
--JB
 
No experience with this model, but I've used Zyxel products before with good luck.

Off the top of my head it sounds like maybe it shifted from full duplex to half duplex.

Remote access isn't logged on XP by default; you have to turn it on.

Found this other more expensive option. This is a great router, usually runs $100...with no moving parts I'm not concerned about it being a refurb.

Amazon.com: Linksys WRT150N-RM Refurb Wireless-N Home Router: Electronics

Hey wanderalot...check out the dd-wrt firmware for an open source firmware option that may support WPA on your older hardware...

Supported Devices - DD-WRT Wiki
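To follow up on the log-checking suggestion above (and the note that XP only records logons once auditing is turned on), here is an added example, not something posted in the thread: once the Security log has been exported, a short script can pull out just the Remote Desktop logons (logon type 10), count successes and failures per account, and flag any account that is not the one you expect to see. The CSV layout, the column names, the `EXPECTED_ACCOUNTS` set and every record below are constructed for illustration; the event IDs are the Windows XP / 2003 ones (528 = successful logon, 529 = unknown user name or bad password).

```python
"""Summarise Remote Desktop logons from an exported Windows Security log.

Added example, not from the forum thread. Assumes the Security log was
exported to CSV with the columns: time, event_id, logon_type, account,
source_ip (an assumption; adjust to your export tool). Logon type 10 is
RemoteInteractive, i.e. a Remote Desktop session.
"""
import csv
import io
from collections import Counter, defaultdict

# Assumption: the single account the poster says is defined on the machine.
EXPECTED_ACCOUNTS = {"officeuser"}

RDP_LOGON_TYPE = "10"
SUCCESS_IDS = {"528"}   # XP/2003: successful logon
FAILURE_IDS = {"529"}   # XP/2003: unknown user name or bad password

# Constructed sample export (not real log data).
SAMPLE_CSV = """time,event_id,logon_type,account,source_ip
2008-03-01 09:12:03,528,10,officeuser,192.168.1.20
2008-03-03 22:40:11,529,10,administrator,192.168.1.37
2008-03-03 22:40:19,529,10,administrator,192.168.1.37
2008-03-03 22:41:02,529,10,mohammed.mah,192.168.1.37
2008-03-03 22:41:30,528,10,mohammed.mah,192.168.1.37
2008-03-04 08:05:45,528,2,officeuser,-
"""


def summarise_rdp_logons(csv_text, expected_accounts=EXPECTED_ACCOUNTS):
    """Return per-account RDP success/failure counts, source IPs, and
    the sorted list of accounts that are not in expected_accounts."""
    successes = Counter()
    failures = Counter()
    sources = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only Remote Desktop sessions; console and network logons are skipped.
        if row["logon_type"] != RDP_LOGON_TYPE:
            continue
        acct = row["account"].strip().lower()
        sources[acct].add(row["source_ip"])
        if row["event_id"] in SUCCESS_IDS:
            successes[acct] += 1
        elif row["event_id"] in FAILURE_IDS:
            failures[acct] += 1
    seen = set(successes) | set(failures)
    unexpected = sorted(a for a in seen if a not in expected_accounts)
    return {
        "successes": dict(successes),
        "failures": dict(failures),
        "sources": {a: sorted(s) for a, s in sources.items()},
        "unexpected_accounts": unexpected,
    }


def print_report(summary):
    """Human-readable view of the summary for a quick look at the machine."""
    for acct in sorted(set(summary["successes"]) | set(summary["failures"])):
        flag = "  <-- not an expected account" if acct in summary["unexpected_accounts"] else ""
        print(f"{acct}: {summary['successes'].get(acct, 0)} ok, "
              f"{summary['failures'].get(acct, 0)} failed, "
              f"from {', '.join(summary['sources'][acct])}{flag}")


if __name__ == "__main__":
    print_report(summarise_rdp_logons(SAMPLE_CSV))
```

A burst of failures followed by a success from the same address, under a name nobody at the site uses, is the pattern worth looking for; a single stray name with no logon attempts around it points more towards the "neighbour picked the wrong machine" explanation. If the log is empty because auditing was never switched on, the script has nothing to work with, which is the point the poster above is making.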
 
BTW, I bought one of those WRT150N's from amazon. Cheapest price by far that I've seen for a wireless-n router, and it'll take dd-wrt firmware.
 
Save your important data from the headless machine and then reformat it. If you don't want to do that right away, set your routers to prevent connections to or from that machine to the outside world. It doesn't sound like Mohammad was a skilled hacker or he wouldn't have left evidence of his visit. He may have just poked around or left packaged scripts. Cut off the machine and it can't communicate with its mother ship.
 