Someone has Remoted into a PC on my network!


  1. Posts : 70
    Windows 10 Pro, 64 bit
       #1



    I have an urgent situation. I have several PCs at home on a network. I'm lazy, so I use Real VNC
    from one PC to hit my other PCs on the network (all password protected). I VNC'd onto one of my PCs
    and noticed the lock/logon screen was up, with a message: "The PC is logged on remotely by
    bobs-MacBook-Pro.local"
    Uh oh!! So I put in my password, and I see my mouse moving, it's on a PayPal page, he logged out!
    (lucky for him!)... The user ID was Richard@arrowpointint.com (not me, see below).

    http://www.aanning.com/ajissues/Hacked/Hacked1.jpg

    He also was on this page:

    http://www.aanning.com/ajissues/Hacked/Hacked2.jpg

    I have the log file from Windows, "HAcked.evtx"; I'm not sure what to make of it.
    (I was unable to upload the "HAcked.evtx" file here, so I attached screenshots
    of one of the 20+ events where he logged in.)
    My only guess is he RDP'd into my PC, but I have no idea as to his end game.

    I have turned OFF RDP on all my PCs, and made the lock screen come up after 1 minute of inactivity
    on all PCs.

    Any advice, clues or suggestions are greatly needed here!


  2. Posts : 1,983
    Windows 10 x86 14383 Insider Pro and Core 10240
       #2

    You may need to read up on securing VNC. As it comes "out of the box" as it were, it has large security holes.

    This will get you started:

    password management - What are RealVNC 5.0 Authentication Protocol Security Limitations? - Information Security Stack Exchange


  3. Posts : 70
    Windows 10 Pro, 64 bit
    Thread Starter
       #3

    What makes you think he used VNC as opposed to RDP? Was there something in the screenshots I sent? (I did have RDP enabled until this)


  4. Posts : 9,788
    Mac OS Catalina
       #4

    Janning said:
    What makes you think he used VNC as opposed to RDP? Was there something in the screenshots I sent? (I did have RDP enabled until this)
    You stated that you use VNC and had possibly someone on your computer. If RDP service was enabled, they would not be able to use it unless you have allowed outside access by enabling to allow people in.

    You need to secure VNC and also use a VPN when connecting to computers on your network from the outside world. The better and strongest option is to use Teamviewer and it has its own built in VPN system and is very secure.


  5. Posts : 70
    Windows 10 Pro, 64 bit
    Thread Starter
       #5

    1) Can you define more specifically "Secure VPN"?
    2) "The PC is logged on remotely by bobs-MacBook-Pro.local"... so he was tunneling in via RDP (which I have now disabled) or VNC... those are the only two methods I can think of that he would have had. Honestly, on that PC, I am not 100% sure the RDP was password protected. I did change the default RDP port to a custom one of my choosing.
    If I remember correctly, by default, RDP uses the Windows login password... so it should have been "passworded" there.

    From the event logs, I can tell "bobs-MacBook-Pro.local" logged in 21 times, from Feb 27 till last night. I spot checked 2 others (of my 12 physical and 10 virtual PCs on the network) and "bobs-MacBook-Pro.local" is not in the event logs. Of all the PCs on my network, he was on THE worst, slowest junker I have (a 14 yr old notebook, with only 2 gig RAM, and a PATA - yes PATA, SSD)... it's so so so very slow physically on it, and remoting in is a nightmare, slower than a dial-up in 1992... I almost feel sorry for him. I can't imagine what his end game was... using someone else's PayPal, on my network? Surely not his own. I've alerted PayPal of these details, for all the good that will do.

    What I want to know is if somehow, from the screenshots or any other method (I'm open to trying anything), I can find his exact point of entry... to prevent re-entry. I've disabled RDP completely... I have to have Real VNC for myself... which is password protected.
    I've attached a screenshot of how my RDP was set before I disabled it (also seen at the link below)

    http://www.aanning.com/ajissues/Hack...P_settings.jpg

    I am not too familiar with all of the ins and outs of RDP like I am with REAL VNC (with exception of what is "secure VPN")
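One way to answer the point-of-entry question in post #5 from the saved log: list each successful logon (event ID 4624) with its logon type and source, so RDP sessions (type 10) can be told apart from console logons. This is an added example, not code from any poster; the file path is an assumption, and the log is assumed to be the Security log saved from Event Viewer.

```powershell
# Path is an assumption: the Security log saved from Event Viewer, as in post #1.
$EvtxPath = 'C:\Temp\HAcked.evtx'
# Workstation name taken from the lock-screen message quoted in the thread.
$Suspect  = 'bobs-MacBook-Pro'

# Logon types that matter for telling remote-access paths apart.
$LogonTypeName = @{
    2  = 'Interactive (console, including a VNC-driven console)'
    3  = 'Network (SMB, or RDP pre-authentication with NLA)'
    7  = 'Unlock'
    10 = 'RemoteInteractive (RDP)'
}

function Get-LogonRecord {
    param([Parameter(Mandatory)][string]$Path)
    # Event ID 4624 = "An account was successfully logged on".
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 4624 } -ErrorAction Stop |
        ForEach-Object {
            # Named fields live in the event XML under EventData/Data.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            $type = [int]$data['LogonType']
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data['TargetUserName']
                LogonType   = $type
                Meaning     = $LogonTypeName[$type]
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
            }
        }
}

$logons = Get-LogonRecord -Path $EvtxPath

# 1) Every logon attributed to the suspect machine name, oldest first.
$logons | Where-Object { $_.Workstation -like "$Suspect*" } |
    Sort-Object Time | Format-Table -AutoSize

# 2) Remote logons grouped by source address: a private (RFC 1918) address
#    points to a machine on the LAN, a public one to a connection forwarded
#    in from the internet.
$logons | Where-Object { $_.LogonType -in 3, 10 } |
    Group-Object SourceIp, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A VNC session drives the existing console rather than opening a new Windows session, so it shows up as type 2 or 7 without a remote source address, while RDP appears as type 10 with one.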


  6. Posts : 9,788
    Mac OS Catalina
       #6

    Read the information in the link that was posted and also the information is on VNC's website. This has zero to do with RDP. Concentrate only on VNC or just make your life easy and use Team Viewer.


  7. Posts : 70
    Windows 10 Pro, 64 bit
    Thread Starter
       #7

    Looking at "password management - What are RealVNC 5.0 Authentication Protocol Security Limitations? - Information Security Stack Exchange": this post is... what, 4-5 years old? The sample looks like that's for Linux. As for the rest, I have the latest version of Real VNC, and it's a "paid for copy"... now, I'm not saying I know Real VNC inside out, and I may have holes, but I for certain have an encrypted password set up with it.

    Now, Team Viewer...I'm looking at this...getting it installed and will see if it will do what I need. I have not seen so far where I have to pay for it? Is there a $ fee?


  8. Posts : 9,788
    Mac OS Catalina
       #8

    It does not matter how old it is. It gives you a starting point in understanding how to lock down VNC, same as the documentation that VNC has on their website. Teamviewer has always been free for home users. It states that on their website.


  9. Posts : 70
    Windows 10 Pro, 64 bit
    Thread Starter
       #9

    That is for Linux (xvncviewer); as for the other portion, I am using an encrypted password. However, proof is in the pudding... someone got it. I'm looking into Team Viewer... hoping to find things like capability to autostart the service on reboot, and an address book for one-click access to the remote PC... surely it has this.


  10. Posts : 70
    Windows 10 Pro, 64 bit
    Thread Starter
       #10

    Ok, I'm digging in deeper... Team Viewer... REALLY liking this; how I have never heard of it is odd. I can tell I'm going to be forgetting all about Real VNC. I opened a ticket with Real VNC, asking how this could have happened and requesting they tell me why I don't dump them for Team Viewer. I haven't gotten there yet, but hoping it's supported on Linux too.