Windows 10 Help with finding backdoor

LT72884

Senior Member
Ok, so I have been hacked. Even with an RSA key, this person still gets into my SSH server. I watched Bitvise pop up and say "accepting connection from China on IP 111.x.x.x".

So somehow they are getting in and I do not know how. As of now, the server is turned off.

Here is a pic. So how do I remove the Trojan or backdoor he/she is using to bypass the key?

Thanks
 

Attachments
  • hacked.jpg (331.8 KB)
Do you not have a firewall on your router?
If you do have one, it means the hacker has managed to pass through your firewall and you should start by fixing your firewall first, then reinstall Windows, change passwords etc.
Have you not changed the default username/password on your router when you first installed it?
 
Yes, I do have a firewall and it has been configured properly. I did change the default username and password.

He must have put the backdoor in a couple of weeks ago, when I found a poorly configured SSH account on my server.

Here is the thing: I want to find the backdoor before going nuclear and reinstalling. Reason being, I hope the backdoor is not in my Microsoft OneDrive folder; that would suck, because no matter whether I reinstalled, they could still get in.

Thanks :)

Sent from my SM-S920L using Tapatalk
 
Block that Chinese IP address on all ports in your firewall while you investigate.

It doesn't necessarily have to be a trojan. He could have scanned the network, found your public IP address, scanned for open ports, detected port 22 (SSH) open and guessed your password.
 
That's exactly how he did it. Ok, don't laugh, but I know it's my fault. Let me explain, but first: I did block that IP on all levels as soon as I saw it. I did that before starting the thread. Should have mentioned that. Next, the server is now a dummy. No internet connection.

Ok, back story.

Two weeks ago, I set up a new SSH server on port 8022. I created a main account to test local connections. It has a strong username and password.

Next I created a second account to test again, this time the username is john, pass is 1234john. Ok, stupid, I completely agree. My intent was to test connectivity. Well, everything worked, and I was so distracted by the awesomeness of my new server that I forgot to delete that account, and that's how he got in.



Sent from my SM-S920L using Tapatalk
 
You should take it as a lesson in security; you have practical experience now ;)
Damn straight I do. Here is the irony.... I tell everyone else NOT to use simple passwords. What do I do?? Use a simple password for a demo and forget about it hahaha.

Ok, now what should I do about that backdoor? I don't want to have to go nuclear and wipe everything haha

Sent from my SM-S920L using Tapatalk
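The blocking advice earlier in the thread and the question of where the backdoor might live both come down to a few first-response checks on the Windows 10 host. The PowerShell below is an added example, not from anyone in this thread: it assumes an elevated session, uses a placeholder for the 111.x.x.x address (the real one was redacted), and takes the leftover "john" test account from the post above.

```powershell
# Added triage script (not the thread's own). Run from an elevated PowerShell on the SSH host.
$AttackerIp      = '111.0.0.1'   # placeholder for the redacted 111.x.x.x address seen in Bitvise
$LeftoverAccount = 'john'        # the weak test account described in the thread

# 1. Block the address on every port, both directions, in all firewall profiles.
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "Block attacker $dir" -Direction $dir `
        -RemoteAddress $AttackerIp -Action Block -Profile Any -Enabled True | Out-Null
}

# 2. Disable (not delete) the weak account so its profile and SID remain for review.
if (Get-LocalUser -Name $LeftoverAccount -ErrorAction SilentlyContinue) {
    Disable-LocalUser -Name $LeftoverAccount
}

# 3. Every local account with last logon: anything unfamiliar is a candidate foothold.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

# 4. Autostart registry keys an intruder with a shell could have written to.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host "== $key"
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
    }
}

# 5. Scheduled tasks not authored by Microsoft, with the command each one runs.
Get-ScheduledTask | Where-Object { $_.Author -notlike 'Microsoft*' } | ForEach-Object {
    [pscustomobject]@{
        Task   = $_.TaskName
        Path   = $_.TaskPath
        State  = $_.State
        Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
} | Format-Table -AutoSize

# 6. Services whose binary lives outside the Windows directory (worth a second look).
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
```

None of these listings proves or rules out a backdoor on their own; they narrow down what to compare against a known-clean machine before deciding whether a reinstall is needed.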
 
Further investigation.. I have blocked the IP in both firewalls and on the SSH server, and made sure the SSH server was turned off. Here is what I have discovered. In my Microsoft OneDrive, any time I open any of my 3D printing STL files in the slicer I use, folders start populating in Chinese.

So, I turned off the internet and tried again.... no folders created. Turned the internet back on, opened a random STL file and boom, Chinese folders appearing. I have opened other programs and no folders. Which could tell me that maybe the exe for the slicer is the backdoor, or the STL is.

So, I thought, let me try another slicer program, and no folders.

One more test: I opened the "bad" slicer without double-clicking an STL. Did an import and no folders were made.

Conclusion: only when I double-click the STL and it opens in its default proprietary slicer do the folders populate.

This has been fun, believe it or not haha

Sent from my SM-S920L using Tapatalk
 
Did you contact Microsoft to let them know about your problem with OneDrive?
Your files are on one of their servers. They can help you find and get rid of that backdoor (if there is one).
 
I have called and been on forums, but I think they are confused haha. I'm going to try again tomorrow and see if they can fix it :)

Thanks for the tip and encouragement

Sent from my SM-S920L using Tapatalk
 
Ok, just for kicks and giggles, here is a screencast of it happening. I deleted all registry keys and uninstalled anything to do with my 3D printer software from the company. I do not have issues with other slicers. Then I re-installed and it happens. So I have contacted the company. Maybe it's a backdoor from them since they are based in China. I am not profiling, just saying that it can happen. Maybe a mad employee.
 

Attachments
  • folders created.gif (2 MB)