Am I getting hacked?

alanwest09872

Golden Member
Aug 12, 2007
1,100
0
0
OK, I bet I am being over paranoid here, but I need to ask or it will drive me crazy.
I have 2 PCs: 1 - WHS, 2 - Windows 7 64-bit.
On the WHS PC I have set it up with passwords so they need them before they can access it
(I think the WHS is the one that got broken into).
Reasons why I think I might have been:
1. My username has worked fine for the last 2 months, no issues at all. Well, today I went on and it said incorrect username. I ended up having to delete that user and create a new one with a different password to get it to work again.
2. When I went to restart my WHS computer it stated other people are currently logged on; this action will cause them to log out. My Windows 7 PC was turned off when I went to do this.
3. I had no firewall up on my router. I did have one on the WHS but the router was off.
4. I had my wireless turned on and no security on it. (ya I know, smooth move Ex-Lax lol)

So what do you guys think, did some D0ych bag get into my PC or am I being over retentive? Oh, is there any way that I can validate if an unknown PC did get in, via a log or anything?

Thanks for your help, sorry for being a pain.
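On the "via a log" question: one defender-side way to answer it is to export the Security event log and look for successful logons from workstations you do not recognise, and for bursts of failed logons from one address. The script below is an added illustration for this thread, not code from any poster or from WHS; the CSV layout and the sample lines are constructed, and the event IDs (528/540/529 on Server 2003-era systems such as WHS v1, 4624/4625 on Vista and later) are an assumption about which IDs your export will contain.

```python
"""Flag logons in an exported Security log that came from unexpected hosts.
Constructed sample data; the CSV columns are an assumption about the export."""
import csv
import io
import re
from collections import Counter

SUCCESS_IDS = {"528", "540", "4624"}   # assumed: successful-logon event IDs
FAILURE_IDS = {"529", "4625"}          # assumed: failed-logon event IDs

# Constructed sample export (not a real log): one unknown host, LAPTOP-X,
# fails twice as Administrator and then gets in.
SAMPLE_CSV = """Date,Time,EventID,User,Description
2009/09/20,08:01:10,540,SERVER\\alan,Successful Network Logon: Workstation Name: WIN7BOX Source Network Address: 192.168.1.20
2009/09/20,23:14:03,529,SERVER\\administrator,Logon Failure: Workstation Name: LAPTOP-X Source Network Address: 192.168.1.77
2009/09/20,23:14:09,529,SERVER\\administrator,Logon Failure: Workstation Name: LAPTOP-X Source Network Address: 192.168.1.77
2009/09/20,23:14:20,540,SERVER\\administrator,Successful Network Logon: Workstation Name: LAPTOP-X Source Network Address: 192.168.1.77
2009/09/21,07:30:00,528,SERVER\\alan,Successful Logon: Workstation Name: SERVER Source Network Address: 127.0.0.1
"""

# Pull the workstation name and source address out of the free-text description.
FIELD_RE = re.compile(r"Workstation Name:\s*(\S+).*?Source Network Address:\s*(\S+)")

def parse_events(text):
    """Return one dict per CSV row with 'workstation' and 'address' added."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        m = FIELD_RE.search(row["Description"])
        row["workstation"] = m.group(1).upper() if m else "?"
        row["address"] = m.group(2) if m else "?"
        events.append(row)
    return events

def unknown_logons(events, known_hosts):
    """Successful logons whose workstation is not in the allow-list you own."""
    known = {h.upper() for h in known_hosts}
    return [e for e in events
            if e["EventID"] in SUCCESS_IDS and e["workstation"] not in known]

def failures_by_address(events):
    """Count failed logons per source address (many from one host = guessing)."""
    return Counter(e["address"] for e in events if e["EventID"] in FAILURE_IDS)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for e in unknown_logons(evs, {"WIN7BOX", "SERVER"}):
        print("unknown host logged on:", e["Date"], e["Time"], e["User"], e["workstation"], e["address"])
    print("failed logons by address:", dict(failures_by_address(evs)))
```

Replace SAMPLE_CSV with the contents of your own export and the allow-list with the names of the PCs you actually own; anything left in the unknown list is what to investigate.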
 

Genx87

Lifer
Apr 8, 2002
41,091
513
126
I am unfamiliar with WHS. Does it have a remote desktop like server? Could be you had two sessions running.
 

notposting

Diamond Member
Jul 22, 2005
3,498
33
91
Was the PC you got the different username warning on the one you had to restore recently (did you ever get it restored, or just reinstall it)? If you had made new accounts, they need to match exactly. And there's some other PITA steps sometimes to do also.
 

MStele

Senior member
Sep 14, 2009
410
0
0
Well, I would hope the first thing you would do is fix your security situation. Set up your firewall, set up wireless encryption/MAC filtering, and change all the passwords. Your account/password must match the WHS server in order for it to work. Good luck!
 

alanwest09872

Golden Member
Aug 12, 2007
1,100
0
0
Q1. I am unfamiliar with WHS. Does it have a remote desktop like server? Could be you had two sessions running.
A1. Yes it does.

Q2. Was the PC you got the different username warning on the one you had to restore recently (did you ever get it restored, or just reinstall it)? If you had made new accounts, they need to match exactly. And there's some other PITA steps sometimes to do also.
A2. Yes it was the exact same; I always use the same for everything I do.

Q3. Well, I would hope the first thing you would do is fix your security situation. Set up your firewall, set up wireless encryption/MAC filtering, and change all the passwords. Your account/password must match the WHS server in order for it to work. Good luck!
A3. I turned on the firewall on the router. I turned off the wireless altogether. I changed the one password I use for WHS. (I don't know how to set up MAC FILTERING. (I'm not yelling, just making it stick out lol))

The next post will be what was in my Event Viewer
 

alanwest09872

Golden Member
Aug 12, 2007
1,100
0
0
WHAT WAS IN MY EVENT VIEWER. (not yelling again just making it stick out lol)



Userenv - Windows saved user SERVER\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at


AFTER I CLICKED HELP AND SUPPORT IT STATED.

Details
Product: Windows Operating System
ID: 1517
Source: Userenv
Version: 5.2
Symbolic Name: EVENT_HIVE_SAVED
Message: Windows saved user %1 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Explanation
Windows unloads each user's profile and user's section of the registry when the user logs off. This message indicates that Windows could not unload the user's profile because a program was referencing the user's section of the registry. This locked the profile. The registry cannot unload profiles that are locked and in use. When the program that is locking the profile is no longer referencing the registry, the profile will be unloaded.


User Action
No user action is required.



--------------------------------------------------------------------------------

Related Knowledge Base articles
You can find additional information on this topic in the following Microsoft Knowledge Base articles:
• Event ID 1054 is logged in the Application log in Windows Server 2003 or in Windows XP Professional
The following event may be logged in the Application log: The client computer may also experience a very slow logon.
• Error Messages About User Profile Appear in Several Logon Situations
Explanation
Windows unloads each user's profile and user's section of the registry when the user logs off. This message indicates that Windows could not unload the user's profile because a program was referencing the user's section of the registry. This locked the profile. The registry cannot unload profiles that are locked and in use. When the program that is locking the profile is no longer referencing the registry, the profile will be unloaded.
• Using the Symantec W32.Nimda.A@mm Virus Removal Tool Affects the Sysvol and Netlogon Share Permissions
When you use the Symantec W32.Nimda.A@mm virus removal tool on a domain controller, the share permissions for shares such as Sysvol and Netlogon may be changed from the default share permissions. The application log may display the following error...
• Cannot connect to domain controller and cannot apply Group Policy with Gigabit Ethernet devices
Windows XP-based systems that use Gigabit Ethernet devices may not be able to log on to an Active Directory domain, which aborts the Group Policy download process. When this occurs, a series of events are written to the event log. For example: -and-
• DNS, Intersite Messaging, Global Catalog, NTFRS, and "Invalid Credentials" Error Messages on Domain Controller
On a domain controller that runs Windows 2000, Event Viewer may log the following Domain Name System (DNS) events every 12 to 15 minutes: These events are logged even though Active Directory (AD) appears to be running, logons are successful, and...
• Event ID: 1517 occurs when users who use roaming profiles encrypt files on a Windows Server 2003-based file server
Fixes the problem in which Event ID 1517 occurs on a Windows Server 2003-based file server. When users who use roaming profiles encrypt files on the file server, miniprofiles are created. These profiles may not be deleted.
• Warning error 1517 in Event Viewer after first restart
Explains the presence of an event log warning that appears when you first restart the computer after you install Windows XP.
• The user profile may not be correctly unloaded when you log off from a Windows Server 2003-based computer, and event 1517 is logged
When this problem occurs, you cannot resolve it by using the User Profile Hive Cleanup Service. Occurs regardless of whether you log on to the computer directly, in a terminal server session, or in a remote console session.
• Windows 2000 Roaming Profiles May Not Synchronize with Windows NT 4.0 Shares
When you log on to a domain using a computer running Windows 2000 and your profile is located on a computer running Microsoft Windows NT 4.0, the local and server-based profiles may not synchronize and the following event may be logged in Event...
• You cannot start the Live Communications Server service on a Live Communications Server 2005 access proxy server
Describes an issue in which you cannot start the Live Communications Server service on a Live Communications Server 2005 access proxy server. Provides a resolution.
• You experience log off problems on a Windows XP-based, Windows Server 2003-based, Windows 2000-based, or Windows NT 4.0-based computer
Discusses log off problems in Windows XP, in Windows Server 2003, in Windows 2000, and in Windows NT 4.0
• Error Messages When You Open or Copy Network Files on Windows XP SP1 Clients That Require SMB Signing
Client computers that are running Windows XP Service Pack 1 (SP1) and that are configured to require Server Message Block (SMB) signing may drop SMB signing and may have problems communicating over your network. For example, you may experience any of...
• Cannot Access Group Policy Objects--Event ID 1000 and Event ID 1001 Logged
If the primary network adapter in a multihomed domain controller does not have File and Printer Sharing bound to it, multiple problems are logged or displayed when you attempt to work with Group Policy objects on the domain controller. The...
• You may receive an "Object not a collection" error message when you try to use the stdregprov class in WMI to read values in the HKEY_CURRENT_USER (HKCU) registry hive in Windows Server 2003
Describes a problem that may occur in Windows Server 2003. You may receive an "Object not a collection" error message when you try to use the stdregprov class in WMI to read values in the HKEY_CURRENT_USER (HKCU) registry hive
• The DNS suffix of the computer name of a new domain controller may not match the name of the domain after you upgrade a Windows NT 4.0 primary domain controller to Windows 2000
Describes a problem where a domain controller's domain name system suffix does not match the domain name. To resolve this issue, install the latest service pack for Windows 2000, or upgrade the domain controller to Windows Server 2003.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,552
429
126
OK, let's say the conclusion is that you were hacked.

Then what would you plan to do?

 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
WHAT WAS IN MY EVENT VIEWER.

Userenv - Windows saved user SERVER\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.
This warning is common in Windows. It's not evidence of hacking.
 

alanwest09872

Golden Member
Aug 12, 2007
1,100
0
0
What security measures can I take to make sure this doesn't happen again? I did everything but the MAC filtering. Not sure how to do this.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,552
429
126
This statement I do not understand.

"3. I had no firewall up on my router. I did have one on the whs but the router was off."

As for the Wireless.

From the weakest to the strongest, Wireless security capacity is:
No Security
Switching Off SSID (same as No Security. SSID can be easily sniffed even if it is Off)
MAC Filtering______(Band Aid if nothing else is available, MAC number can be easily Spoofed).
WEP64____(Easy, to "Break" by knowledgeable people).
WEP128___(A little Harder, but "Hackable" too).
-------------------
The three above are Not considered safe.
Safe Starts here at WPA.
-------------------
WPA-PSK__(Very Hard to Break).
WPA-AES__(Not functionally Breakable)
WPA2____ (Not functionally Breakable).

Note 1: WPA-AES is the current entry level rendition of WPA2.

Note 2: If you use WinXP below SP3 and did not update it, you would have to download the WPA2 patch from Microsoft, http://support.microsoft.com/kb/893357

The documentation of your Wireless devices (Wireless Router, and Wireless Computer's Card) should state the type of security that is available with your Wireless hardware.

All devices MUST be set to the same security level using the same pass phrase.
Therefore the security must be set according to whatever is the best possible for the weakest of the Wireless devices.

I.e. even if most of your system might be capable of being configured to the max. with WPA2, if one device is only capable of being configured to a max. of WEP, the whole system must be configured to WEP.

If you need better security and one device (like a Wireless card that can do WEP only) is holding back better security for the whole Network, replace the device with a better one.

Setting Wireless Security - http://www.ezlan.net/Wireless_Security.html

The Core differences between WEP, WPA, and WPA2 - http://www.ezlan.net/wpa_wep.html

 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
As Jack notes, WiFi encryption is very important. I won't use WEP encryption anymore. If you have very low WiFi traffic, it might be OK, but it's definitely breakable. Use at least WPA/TKIP and use a LONG (20 characters-plus) password. Folks have been breaking into WPA-protected WiFi networks using some brute-force techniques that can be prevented with a long password.

Personally, I DO broadcast my SSID, but rename it with a random name. I don't bother with MAC restrictions. Too much work for too little benefit.

If you think your WHS server has been broken into, you can do a Re-Installation of the OS. This will retain your backups and shared folders, but will reset the Administrator and User accounts. Set WHS to demand strong passwords from the Administrator and Users.

Note: As always, making a significant modification of your OS without first making backups of important data is risky. If WHS tells you it's going to format your data disks and erase your data during the re-installation, then STOP and ask for help. A WHS Server re-installation shouldn't lose data.
 

alanwest09872

Golden Member
Aug 12, 2007
1,100
0
0
I turned off all wireless on my router. Before it was on N, B+G; I turned it to disabled. So wireless isn't the issue anymore.

So I guess all I need to do is reinstall WHS and use strong passwords this time and make sure that I have my firewalls on. Am I right? Some of what you typed didn't make sense.

As for the wireless, I don't need protection if I turn that part off on my router, right? Or is there still a way to get into it?
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
many routers have had firmware backdoors or holes that allowed entry remotely. check your firmware for known security issues.

WPA-AES
WPA2-AES

those are safe - for now - but use a strong password (32 characters or more) that isn't easily dictionary guessed. i know it sucks - i've got an iphone - typing in a complex key on that is bout the worst - but you can have safe wireless.
 

alanwest09872

Golden Member
Aug 12, 2007
1,100
0
0
many routers have had firmware backdoors or holes that allowed entry remotely. check your firmware for known security issues.

WPA-AES
WPA2-AES

those are safe - for now - but use a strong password (32 characters or more) that isn't easily dictionary guessed. i know it sucks - i've got an iphone - typing in a complex key on that is bout the worst - but you can have safe wireless.

Wait, I thought WPA and WPA2 were for wireless only. If I turned off my wireless do I still need to set up that security? If so I will, but if not I would prefer not having to.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,552
429
126
WPA/WPA2 are only for Wireless.

WPA= Wi-Fi Protected Access

Firmware's Back Door can create problems with anything connecting to the Router, whether it is from the Internet, LAN, Wire or Wireless, and it has nothing to do with WPA or Wireless per se.

However, it is a very rare issue; it cannot happen unless you let other people (with bad intentions) install firmware on your Router.