DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
PC compromised?
- jamman
- Topic Author
- Junior Member
- Posts: 11
- Thank you received: 0
29 Nov 2011 21:48 #70260
by jamman
PC compromised? was created by jamman
Just checked my DrayTek user logs and a PC is basically scanning through IPs trying to connect via port 3389.
This looks awfully like it has been compromised?
150  2011-11-29 21:46:27  Nov 29 21:46:26 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57607 -> 195.113.164.170:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:29 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57608 -> 195.113.164.170:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:29 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57610 -> 159.71.210.230:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:29 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57609 -> 123.189.84.0:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:29 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57611 -> 45.212.43.87:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:29 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57612 -> 45.185.83.110:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:29 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57613 -> 223.174.218.174:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:29 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57614 -> 47.255.162.139:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:29 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57615 -> 47.29.200.123:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:29 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57616 -> 100.116.117.99:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:30 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57618 -> 52.45.186.62:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:30 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57617 -> 114.208.119.40:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:30 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57619 -> 175.135.15.112:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:30 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57620 -> 38.141.80.190:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:30 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57621 -> 97.182.255.249:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:30 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57622 -> 212.18.79.103:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:30 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57623 -> 31.75.68.152:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:30 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57624 -> 49.133.113.220:3389 (TCP)
150  2011-11-29 21:46:31  Nov 29 21:46:30 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57625 -> 53.189.253.37:3389 (TCP)
150  2011-11-29 21:46:32  Nov 29 21:46:30 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57626 -> 76.92.137.205:3389 (TCP)
- voodle
- Big Contributor
- Posts: 1139
- Thank you received: 0
30 Nov 2011 10:12 #70263
by voodle
Replied by voodle on topic Re: PC compromised?
It certainly looks like it.
That list of access suggests your PC is either brute forcing or scanning those IPs.
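The two patterns voodle names (one LAN host fanning out to many addresses on 3389, or hammering a single address) are both easy to pick out of the firewall log the original post quotes. The script below is an added example, not code from the thread or from DrayTek: it parses the syslog body of the DrayTek "webLocal User" lines (the part from the timestamp onward, without the web viewer's row number and receive-time prefix seen in the post), groups connections to port 3389 by LAN source, and reports the largest number of distinct destinations and the most repeated single destination within a sliding time window. The log lines it runs on are constructed for the example, using documentation address ranges and the same redacted MAC the post shows; the thresholds and the year passed to the parser are assumptions to tune for your own log volume.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Body of a DrayTek firewall log line as quoted in the thread:
#   "Nov 29 21:46:29 webLocal User (MAC= xx-xx-xx-xx-xx-xx): 10.10.10.12:57608 -> 195.113.164.170:3389 (TCP)"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) webLocal User "
    r"\(MAC= (?P<mac>[0-9A-Fa-fx]{2}(?:-[0-9A-Fa-fx]{2}){5})\): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) \((?P<proto>TCP|UDP)\)$"
)


def parse_line(line, year=2011):
    """Return a dict for one log line, or None if it is not a firewall event.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}


def parse_events(lines, year=2011):
    """Parse many lines, silently skipping anything that is not a firewall event."""
    return [e for e in (parse_line(l, year) for l in lines) if e]


def analyse(events, port=3389, window_s=60, fanout_threshold=10, repeat_threshold=10):
    """Per LAN source, the worst sliding window of connections to `port`:
    many distinct destinations looks like a scan, many hits on one destination
    looks like password guessing. Thresholds are assumptions, not DrayTek defaults."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == port and e["proto"] == "TCP":
            by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best_fanout, best_repeat, lo = 0, 0, 0
        for hi in range(len(evs)):
            # advance the window start until it spans at most window_s seconds
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            dsts = Counter(e["dst"] for e in evs[lo:hi + 1])
            best_fanout = max(best_fanout, len(dsts))
            best_repeat = max(best_repeat, dsts.most_common(1)[0][1])
        verdict = []
        if best_fanout >= fanout_threshold:
            verdict.append("scan")
        if best_repeat >= repeat_threshold:
            verdict.append("brute-force")
        findings[src] = {"distinct_dsts": best_fanout,
                         "max_repeat_to_one_dst": best_repeat,
                         "verdict": verdict or ["ok"]}
    return findings


MAC = "xx-xx-xx-xx-xx-xx"  # redacted exactly as in the post
SAMPLE_LOG = (
    # constructed: one LAN host reaching 12 different addresses on 3389 within 3 seconds
    [f"Nov 29 21:46:{29 + i // 5:02d} webLocal User (MAC= {MAC}): "
     f"10.10.10.12:{57607 + i} -> 203.0.113.{10 + i}:3389 (TCP)" for i in range(12)]
    # constructed: another host opening 12 connections to a single address on 3389
    + [f"Nov 29 21:47:{i * 2:02d} webLocal User (MAC= {MAC}): "
       f"10.10.10.20:{50000 + i} -> 198.51.100.7:3389 (TCP)" for i in range(12)]
    # constructed: ordinary activity that must not trigger, plus a non-event line
    + [f"Nov 29 21:48:00 webLocal User (MAC= {MAC}): 10.10.10.30:51234 -> 198.51.100.9:3389 (TCP)",
       f"Nov 29 21:48:05 webLocal User (MAC= {MAC}): 10.10.10.30:51235 -> 198.51.100.9:3389 (TCP)",
       f"Nov 29 21:48:06 webLocal User (MAC= {MAC}): 10.10.10.30:51236 -> 203.0.113.80:443 (TCP)",
       "this line is not a firewall event and must be skipped"]
)


def run_demo():
    """Parse the constructed sample and return the per-source findings."""
    return analyse(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for src, f in sorted(run_demo().items()):
        print(f"{src:15} distinct={f['distinct_dsts']:3} repeat={f['max_repeat_to_one_dst']:3} "
              f"{','.join(f['verdict'])}")
```

On the sample, 10.10.10.12 is reported as "scan", 10.10.10.20 as "brute-force" and 10.10.10.30 as "ok". A router log only tells you which LAN host is originating the traffic, which is exactly what you need to know which machine to take off the network; it says nothing about which process on that host is doing it, so the host itself still has to be examined.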
- jamman
- Topic Author
- Junior Member
- Posts: 11
- Thank you received: 0
30 Nov 2011 14:58 #70272
by jamman
Replied by jamman on topic Re: PC compromised?
Indeed. A bit of googling and found win95.mort does it.
Was running Avast on the PC and it detected nothing; installed Microsoft Security Essentials and bingo, it detected it instantly.
Lessons learnt:
1. Avast is rubbish
2. Need a stronger password on a PC with RDP enabled!
- voodle
- Big Contributor
- Posts: 1139
- Thank you received: 0
30 Nov 2011 15:46 #70275
by voodle
Replied by voodle on topic Re: PC compromised?
Hehe, that's what I've found pretty much as well. MSE is about the best AV there is right now in my opinion, though maybe I like it more cos it's free.
Copyright © 2024 DrayTek