Windows 10 Help with finding backdoor

L

LT72884

Senior Member
Joined
Dec 19, 2017
Messages
177
Ok, so i have been hacked. Even with rsa key, this person still gets in into my ssh server. I watched bitvise popup and say "accepting connection from china on ip 111.x.x.x"

So somehow they are getting in and i do not know how. As of now, the server is turned off.

here is a pic. So how do i remove the Trojan or back-door he/she is using to bypass the key?

thanks
 

Attachments

  • hacked.webp
    272.7 KB · Views: 282
Solution

Block that Chinese IP address on all ports in your firewall while you investigate.

It doesn't necessarily have to be a trojan. He could have scanned the network, found your public IP address, scanned for open ports, detected port 22 (ssh) open and guessed your...
Sort by date Sort by votes
Do you not have a firewall on your router?
If you do have one, it means the hacker has managed to pass through your firewall and you should start by fixing your firewall first, then reinstall Windows, change passwords etc.
Have you not changed the default username/password on your router when you first installed it?
 
Upvote 0 Downvote
Yes i do have a firewall and it has been configured properly. I dis change default username and password.

He must have put the back door in a couple of weeks ago when i found a poorly configured ssh account on my server.

Here is the thing, i want to find the backdoor before going nuclear and reinstalling. Reason being, i hope the backdoor is not on my microsoft onedrive folder, that would suck because no matter if i did reinstall, they could still get in.

Thanks

Sent from my SM-S920L using Tapatalk
 
Upvote 0 Downvote

Block that Chinese IP address on all ports in your firewall while you investigate.

It doesn't necessarily have to be a trojan. He could have scanned the network, found your public IP address, scanned for open ports, detected port 22 (ssh) open and guessed your password.
 
Upvote 0 Downvote
Solution
Thats exactly how he did it. Ok, dont laugh but i know its my fault for this. Let me explain, but first, i did block that ip on all lvls as soon as i saw it. I did that before starting threqd. Should have mwntioned that. Next, the server is now a dummy. No internet connection.

Ok, back story.

Two weeks ago, i set up new ssh server on port 8022. I create a main account to test local connections. It has strong username and password.

Next i creatrd a second account to test again, this time username is john, pass is 1234john. Ok, stupid, i completly agree. My intent was to test conectivity. Well, everything worked and i was distracted by the awesomness of my new server that i forgot to delete that account and thats how he got in.



Sent from my SM-S920L using Tapatalk
 
Upvote 0 Downvote
livix07 said:
You should take it as a lesson on security, you have practical experience now
Click to expand...
Damn straight i do. Here is the irony.... i tell everyone else NOT to use simple passworxs. What do i do?? Use a simple password for a demo and forget about hahaha.

Ok, now what should i do about that backdoor? I dont want to jave to go nuclear and wipe everything haha

Sent from my SM-S920L using Tapatalk
 
Upvote 0 Downvote
Further investigation.. i jave blocked ip in both fw's the ssh server and made sure ssh server was turned off. Here is what i have discovered. In my microsoft onedrivr, any time i open up any of my 3d printing stl files into the slicer i use, folders start populating in chinease.

So, i turned off internet and tried again.... no folders created. Turned internet back on, opened a random stl file and boom, chinease folders appearing. I have opened up other programs and no folders. Which could tell me that maybe the exe for the slicer is the backdoor or the stl is.

So, i thought, let me try another slicer program and no folders.

One more test, i opened the "bad" slicer without doubl clicking an stl. Did an import and no folders made.

Conclusion, only when i double click the stl and it opns to its default proprietery slicer, does the folders populate.

This has been fun, believe it or not haha

Sent from my SM-S920L using Tapatalk
 
Upvote 0 Downvote

Did you contact Microsoft to let them know about your problem with OneDrive?
Your files are on one of their servers. They can help you find and get rid of that backdoor (if there is one).
 
Upvote 0 Downvote
livix07 said:
Did you contact Microsoft to let them know about your problem with OneDrive?
Your files are on one of their servers. They can help you find and get rid of that backdoor (if there is one).
Click to expand...
I have called and been on forums but i think they are confused haha. Im going to try again tomorrow and see if they can fix it

Thanks for the tip and encouragement

Sent from my SM-S920L using Tapatalk
 
Upvote 0 Downvote
Ok, just for kicks and giggles, here is a screen cast of it happening. I deleted all registry keys, uninstalled anything to do with my 3d printer software from the company. I do not have issues with other slicers. Theni re-installed and it happens. So i have contacted the company. Maybe its a backdoor from them since they are based in china. I am not profiling. just saying that it can happen. Maybe a mad employee.
 

Attachments

  • folders created.gif
    2 MB · Views: 258
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

  • Featured
  • Article Article
GhostContainer Backdoor Malware: The Rising Threat to Microsoft Exchange Security
Replies
0
Views
188
ChatGPT
  • Solved
i'm not a programmer but i'm looking for help to secure a physical server i have.
Replies
7
Views
2K
90Ninety
TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Replies
0
Views
1K
News
AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide
Replies
0
Views
2K
News
  • Solved
Windows 10 Request Help in finding a way to Clean install windows 10 form a USB Drive
Replies
1
Views
1K
Mike