Tagged: incident response
January 27, 2019 at 10:17 am #170285 LT72884 (Participant)
Ok, here is the issue. 2 weeks ago I set up an SSH server on port 8022. I created a test account with a strong username and password. I tested connectivity; all was good. I switched over to keys.
Ok, now, I wanted to test something, so I created a user account with a weak password for testing. Well, me being excited that things worked out the way I wanted, I forgot about the stupid test account. 3 days go by and all of a sudden I have about 2500 empty folders in Chinese on my desktop. I panic, can't see anything in the logs, until I realize that the weak account was the one that was hacked. I deleted the account immediately.
I know he has a backdoor cuz anytime I go to my Microsoft OneDrive folder, all of a sudden, random Chinese folders start appearing.
Ok, so last night I'm chillin on the couch workin on my thermodynamics and CCNA, then Bitvise server pops up saying “accepted ssh connection from 188.8.131.52 china” then it was disconnected. I blocked the IP but that will only last so long.
What scanner can I use for Windows 10 to find the backdoor? I have run Avast and Spybot, both in safe mode, and nothing.
Thanks. Yes, I know it's my fault because I was forgetful and forgot to delete the test account.
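The root cause in the post above is a throwaway test account that was never removed. The following PowerShell is an added example, not code from the thread or from Bitvise, for auditing local accounts on a Windows 10 host that exposes SSH so that a forgotten account stands out, and for giving any future test account an expiry date. The allowlist and the account name `sshtest` are assumptions to be replaced with your own.

```powershell
# Added example (not from the thread): flag enabled local accounts that are
# neither Windows built-ins nor accounts you know you created on purpose.
# Assumption: $Expected is a hypothetical allowlist; fill in your real users.

$Expected = @('LT72884')
$BuiltIn  = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')

function Get-UnexpectedLocalAccounts {
    Get-LocalUser | Where-Object {
        $_.Enabled -and
        ($Expected -notcontains $_.Name) -and
        ($BuiltIn  -notcontains $_.Name)
    } | Select-Object Name, LastLogon, PasswordLastSet, PasswordRequired,
                      AccountExpires, Description
}

# Any row here is either an account you forgot about or one you never made.
# LastLogon on an account you do not recognise is worth correlating with the
# SSH server's connection log before the machine is rebuilt.
Get-UnexpectedLocalAccounts | Format-Table -AutoSize

# When a temporary test account really is needed, give it an expiry so it
# disables itself even if you forget it. 'sshtest' is a hypothetical name.
$Temp = Get-LocalUser -Name 'sshtest' -ErrorAction SilentlyContinue
if ($Temp) {
    Set-LocalUser -Name $Temp.Name -AccountExpires (Get-Date).AddDays(1)
}
```

Run it from an elevated PowerShell session; `Get-LocalUser` and `Set-LocalUser` need local administrator rights.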
January 28, 2019 at 7:22 am #170305 Don Donzal (Keymaster)
Unfortunately, looks like a rebuild is in your future. You could always try cleaning up everything you find, but that's no guarantee that you found it all, especially with rootkits. Better safe than sorry. Is this just a test machine or do you use it for all personal things? You may want to consider changing passwords to anything you might have on that machine or for any sites you visited.
January 30, 2019 at 5:57 pm #170329 LT72884 (Participant)
Ok, I wanted to update you on my findings. It may not even be a hack, but rather a bug in a software slicer for my 3D printer.
I have noticed that anytime I open ANY STL file with the associated software, the folders get created. Now, if I open ANY STL file with any other slicer, no folders. I have uninstalled XYZprint, the bad stuff, and no folders have been made. I cleaned all registry entries of XYZ and so far so good. So, this morning I did a test: installed the newest version of XYZprint and all of a sudden it creates the folders when I open the STL. HOWEVER, if I open the program first, then import, no folders are created. I have contacted the company. I may not have to go nuclear just yet haha. During these tests, I had the SSH server off.
I'll keep you up to date as well. Thank you :)