Navigation section

Windows 10 Help with finding backdoor

L

LT72884

Senior Member
Joined
Dec 19, 2017
Messages
176
Ok, so i have been hacked. Even with rsa key, this person still gets in into my ssh server. I watched bitvise popup and say "accepting connection from china on ip 111.x.x.x"

So somehow they are getting in and i do not know how. As of now, the server is turned off.

here is a pic. So how do i remove the Trojan or back-door he/she is using to bypass the key?

thanks
 


Attachments

  • hacked.webp
    hacked.webp
    272.7 KB · Views: 282
Solution
livix07
LT72884 said:
Yes i do have a firewall and it has been configured properly. I dis change default username and password.

He must have put the back door in a couple of weeks ago when i found a poorly configured ssh account on my server.

Here is the thing, i want to find the backdoor before going nuclear and reinstalling. Reason being, i hope the backdoor is not on my microsoft onedrive folder, that would suck because no matter if i did reinstall, they could still get in.
Click to expand...

Block that Chinese IP address on all ports in your firewall while you investigate.

It doesn't necessarily have to be a trojan. He could have scanned the network, found your public IP address, scanned for open ports, detected port 22 (ssh) open and guessed your...
Sort by date Sort by votes
Do you not have a firewall on your router?
If you do have one, it means the hacker has managed to pass through your firewall and you should start by fixing your firewall first, then reinstall Windows, change passwords etc.
Have you not changed the default username/password on your router when you first installed it?
 


Upvote 0 Downvote
livix07 said:
Do you not have a firewall on your router?
If you do have one, it means the hacker has managed to pass through your firewall and you should start by fixing your firewall first, then reinstall Windows, change passwords etc.
Have you not changed the default username/password on your router when you first installed it?
Click to expand...
Yes i do have a firewall and it has been configured properly. I dis change default username and password.

He must have put the back door in a couple of weeks ago when i found a poorly configured ssh account on my server.

Here is the thing, i want to find the backdoor before going nuclear and reinstalling. Reason being, i hope the backdoor is not on my microsoft onedrive folder, that would suck because no matter if i did reinstall, they could still get in.

Thanks:)

Sent from my SM-S920L using Tapatalk
 


Upvote 0 Downvote
LT72884 said:
Yes i do have a firewall and it has been configured properly. I dis change default username and password.

He must have put the back door in a couple of weeks ago when i found a poorly configured ssh account on my server.

Here is the thing, i want to find the backdoor before going nuclear and reinstalling. Reason being, i hope the backdoor is not on my microsoft onedrive folder, that would suck because no matter if i did reinstall, they could still get in.
Click to expand...

Block that Chinese IP address on all ports in your firewall while you investigate.

It doesn't necessarily have to be a trojan. He could have scanned the network, found your public IP address, scanned for open ports, detected port 22 (ssh) open and guessed your password.
 


Upvote 0 Downvote
Solution
livix07 said:
Block that Chinese IP address on all ports in your firewall while you investigate.

It doesn't necessarily have to be a trojan. He could have scanned the network, found your public IP address, scanned for open ports, detected port 22 (ssh) open and guessed your password.
Click to expand...
Thats exactly how he did it. Ok, dont laugh but i know its my fault for this. Let me explain, but first, i did block that ip on all lvls as soon as i saw it. I did that before starting threqd. Should have mwntioned that. Next, the server is now a dummy. No internet connection.

Ok, back story.

Two weeks ago, i set up new ssh server on port 8022. I create a main account to test local connections. It has strong username and password.

Next i creatrd a second account to test again, this time username is john, pass is 1234john. Ok, stupid, i completly agree. My intent was to test conectivity. Well, everything worked and i was distracted by the awesomness of my new server that i forgot to delete that account and thats how he got in.



Sent from my SM-S920L using Tapatalk
 


Upvote 0 Downvote
You should take it as a lesson on security, you have practical experience now;)
 


Upvote 0 Downvote
livix07 said:
You should take it as a lesson on security, you have practical experience now;)
Click to expand...
Damn straight i do. Here is the irony.... i tell everyone else NOT to use simple passworxs. What do i do?? Use a simple password for a demo and forget about hahaha.

Ok, now what should i do about that backdoor? I dont want to jave to go nuclear and wipe everything haha

Sent from my SM-S920L using Tapatalk
 


Upvote 0 Downvote
Further investigation.. i jave blocked ip in both fw's the ssh server and made sure ssh server was turned off. Here is what i have discovered. In my microsoft onedrivr, any time i open up any of my 3d printing stl files into the slicer i use, folders start populating in chinease.

So, i turned off internet and tried again.... no folders created. Turned internet back on, opened a random stl file and boom, chinease folders appearing. I have opened up other programs and no folders. Which could tell me that maybe the exe for the slicer is the backdoor or the stl is.

So, i thought, let me try another slicer program and no folders.

One more test, i opened the "bad" slicer without doubl clicking an stl. Did an import and no folders made.

Conclusion, only when i double click the stl and it opns to its default proprietery slicer, does the folders populate.

This has been fun, believe it or not haha

Sent from my SM-S920L using Tapatalk
 


Upvote 0 Downvote
LT72884 said:
Further investigation.. i jave blocked ip in both fw's the ssh server and made sure ssh server was turned off. Here is what i have discovered. In my microsoft onedrive, any time i open up any of my 3d printing stl files into the slicer i use, folders start populating in chinease.
...
Click to expand...

Did you contact Microsoft to let them know about your problem with OneDrive?
Your files are on one of their servers. They can help you find and get rid of that backdoor (if there is one).
 


Upvote 0 Downvote
livix07 said:
Did you contact Microsoft to let them know about your problem with OneDrive?
Your files are on one of their servers. They can help you find and get rid of that backdoor (if there is one).
Click to expand...
I have called and been on forums but i think they are confused haha. Im going to try again tomorrow and see if they can fix it:)

Thanks for the tip and encouragement

Sent from my SM-S920L using Tapatalk
 


Upvote 0 Downvote
Ok, just for kicks and giggles, here is a screen cast of it happening. I deleted all registry keys, uninstalled anything to do with my 3d printer software from the company. I do not have issues with other slicers. Theni re-installed and it happens. So i have contacted the company. Maybe its a backdoor from them since they are based in china. I am not profiling. just saying that it can happen. Maybe a mad employee.
 


Attachments

  • folders created.gif
    folders created.gif
    2 MB · Views: 258
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

News
AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide
Replies
0
Views
2K
News
News
News
TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Replies
0
Views
1K
News
News
wilspeak
  • Solved
Windows 10 Request Help in finding a way to Clean install windows 10 form a USB Drive
Replies
1
Views
1K
Mike
Mike
L
  • Solved
Windows 7 Need help with finding and deleting program or file
Replies
4
Views
1K
Neemobeer
Neemobeer
gerasmus
  • Solved
Windows 7 SSL VPN: Help need in setup or finding a suitable candidate
Replies
1
Views
3K
ChatGPT
ChatGPT
Back
Top