Computer security question.

Nocturnal

Lifer
Jan 8, 2002
18,927
0
76
I just had a question regarding security, as most of you know I work in a kiosk in a supermarket selling cellular phones. I'm hooked up to the internet via DSL. We often connect to a main server hosted at our main office. The boss of the company keeps saying that we've been hacked and it came through my login and password. Now I know a fair amount about computers and about security. I know that I don't have a virus due to keeping up to date with the Norton definitions and what not. I also scan daily for spyware or adware and I get rid of it as soon as Ad-aware picks it up.

So what I'm getting at is: how do these supposed hackers keep coming through my computer? I'm only hooked up to the internet through a regular DSL phone line connection, nothing else. I'm not on a network or anything. So is it really possible that my login and password have been compromised and that the hackers are using my login and password to get to our main server? What would the purpose of getting to our main server be? I don't know. I don't see anything worth snooping through as there isn't important info that would better a hacker or anything like that.

So if I scan daily and I scan with adware daily how can my l/p be compromised???????????

I would also like to mention that I don't download any programs to this computer. I visit websites but nothing out of the ordinary which could possibly force a dl on me. I visit this site and another forum, yahoo.com, cnn.com, the usual. My boss thinks, and has told me to tell other employees, to stop surfing the internet because pages like musicguitars.com oftentimes have viruses on them.
 

Nocturnal

Lifer
Jan 8, 2002
18,927
0
76
Originally posted by: her209
Brute force

How would they get the main server's IP address though?

Oh n/m we use remote desktop connection, therefore I guess someone could easily just scan IPs for ones that would pop up a remote desktop connection box.
 

her209

No Lifer
Oct 11, 2000
56,336
11
0
Originally posted by: Nocturnal
Originally posted by: her209
Brute force
How would they get the main server's IP address though?

Oh n/m we use remote desktop connection, therefore I guess someone could easily just scan IPs for ones that would pop up a remote desktop connection box.
If they are real good, they could be running some kind of backdoor along with a keylogger and a sniffer.
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Well for one, are you logging off when you're not using the computer?

Do you change your password often?

Are they just giving you simple user permissions, or are they giving your admin permissions?

Who cares about the adware. Sounds like a trojan virus. Probably Bugbear or something. Why not just play it safe and format the machine, then install a good antivirus and personal firewall.
 

her209

No Lifer
Oct 11, 2000
56,336
11
0
Are you sure the "hackers" are logging in from your IP (ie, using your computer) and not just using their own computer to login using your login and pass?
 

Nocturnal

Lifer
Jan 8, 2002
18,927
0
76
I really don't know as I didn't get the details. All he told me was "They're using your login/pw all the time, every time we've been hacked."
 

FoBoT

No Lifer
Apr 30, 2001
63,084
15
81
fobot.com
:confused:

is he saying your internal credentials to the company resources have been compromised or your dsl account?

if they are saying it's the dsl, then they would need physical access to the line as well as the credentials; if you are in a supermarket, that doesn't make sense

how do you connect from your kiosk to the company servers? VPN? or are the company servers SSL? what is the security model?

i am confused :confused:
 

FoBoT

No Lifer
Apr 30, 2001
63,084
15
81
fobot.com
Originally posted by: Nocturnal
We use Windows remote desktop connection.

:Q
you are saying they have an MS server running terminal server on the open internet !!!!!!! :Q :Q :Q

no firewall/VPN or anything? ! !?!??!?!? :Q :Q :Q

are they crazy?!?!?!

ok, if i understand you right, it is irrelevant how they got your credentials, if that terminal server is out in the open, then however they got your username/password, they can use it. i assume you already changed it? right?

your company should add a VPN layer before they are fully compromised
 

her209

No Lifer
Oct 11, 2000
56,336
11
0
Do you have some sort of firewall installed on your computer?

Use it to see if you can catch any suspicious connections and outbound traffic.
 

her209

No Lifer
Oct 11, 2000
56,336
11
0
Originally posted by: FoBoT
Originally posted by: Nocturnal
We use Windows remote desktop connection.

:Q
you are saying they have an MS server running terminal server on the open internet !!!!!!! :Q :Q :Q

no firewall/VPN or anything? ! !?!??!?!? :Q :Q :Q

are they crazy?!?!?!

ok, if i understand you right, it is irrelevant how they got your credentials, if that terminal server is out in the open, then however they got your username/password, they can use it. i assume you already changed it? right?

your company should add a VPN layer before they are fully compromised
Or at least limit the connections to port 3389 by IP or something.
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Originally posted by: Nocturnal
Originally posted by: her209
Brute force

How would they get the main server's IP address though?

Oh n/m we use remote desktop connection, therefore I guess someone could easily just scan IPs for ones that would pop up a remote desktop connection box.

nbtstat -c
ipconfig /displaydns
arp -a

will show them every machine you've been connected to at one point or another.

ipconfig /all

will show them the IP you use, and the subnet mask gives them what range of IP's to look for. Default gateway will show them your router. DHCP server will... show them your dhcp server. DNS will show them your dns server.

net view

Will give them a list of all the machines within your workgroup/domain.

There is also a chance your manager is just confusing something he's seeing.

 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
Originally posted by: FoBoT
Originally posted by: Nocturnal
We use Windows remote desktop connection.

:Q
you are saying they have an MS server running terminal server on the open internet !!!!!!! :Q :Q :Q

no firewall/VPN or anything? ! !?!??!?!? :Q :Q :Q

are they crazy?!?!?!

ok, if i understand you right, it is irrelevant how they got your credentials, if that terminal server is out in the open, then however they got your username/password, they can use it. i assume you already changed it? right?

your company should add a VPN layer before they are fully compromised

I totally agree. Your main headquarters needs at least a firewall with most ports shut off, and connect remote machines that run over dsl via IPSEC. You could use a linksys vpn router as an inexpensive device.
 

Soybomb

Diamond Member
Jun 30, 2000
9,506
2
81
Another thing to note is if multiple people use the machine maybe one of your coworkers is using a keystroke logger to capture your user/pass.
 

FoBoT

No Lifer
Apr 30, 2001
63,084
15
81
fobot.com
Originally posted by: her209
Originally posted by: FoBoT
Originally posted by: Nocturnal
We use Windows remote desktop connection.

:Q
you are saying they have an MS server running terminal server on the open internet !!!!!!! :Q :Q :Q

no firewall/VPN or anything? ! !?!??!?!? :Q :Q :Q

are they crazy?!?!?!

ok, if i understand you right, it is irrelevant how they got your credentials, if that terminal server is out in the open, then however they got your username/password, they can use it. i assume you already changed it? right?

your company should add a VPN layer before they are fully compromised
Or at least limit the connections to port 3389 by IP or something.

yeah, at least, but that would require the dsl in the kiosk to be static ip; if they have static ip on the dsl, that would be a big improvement
 

slycat

Diamond Member
Jul 18, 2001
5,656
0
0
lighten up...so what if they have TS on the BIG internet with no firewall.
TS is encrypted u know, even when logging in...not like it's plain text.
according to the manager they log in via his u/p so this is not a network compromise.
someone got your u/p and is logging in, plain and simple is all. It's more a problem of
information leak than 'let's overhaul the network' to fix this.

change your pass...and if it happens again...welp, someone is snooping on your machine ..or
u gotta be more tightlipped.

...or maybe ur logging in legit but your manager can't tell the difference. Ask him how he knows it's
a hack vs a legit logon.
 
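One way to answer slycat's question (and her209's earlier one about whether the logons come from the kiosk's own IP) is to check the Terminal Server's logon records against where each kiosk account is allowed to connect from. This is an added example, not code from the thread: it assumes the kiosk DSL line has a static address, constructs its own sample log lines, and uses the fields a modern Windows 4624/4625 export would carry as a stand-in for the 2002-era server's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption (not stated in the thread): the kiosk DSL line has a static address, so a
# kiosk account may legitimately arrive only from that range. This allow-list is the
# same thing a firewall rule on port 3389 would enforce. Addresses are documentation ranges.
ALLOWED_SOURCES = {"nocturnal": [ip_network("203.0.113.8/29")]}
FAILURE_THRESHOLD = 3                   # failed RDP logons from one source ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... within this window count as password guessing

def parse_line(line):
    """Parse one constructed log line; real 4624/4625 events carry the same fields."""
    ts, rest = line.split(" ", 1)
    f = dict(kv.split("=", 1) for kv in rest.split())
    return {"when": datetime.fromisoformat(ts), "user": f["user"].lower(),
            "logon_type": int(f["type"]), "src": ip_address(f["src"]),
            "ok": f["result"] == "success"}

def find_rogue_logons(records):
    """Return (kind, user, source_ip, timestamp) findings in time order."""
    findings, failures = [], defaultdict(list)   # failures: (user, src) -> timestamps
    for r in sorted(records, key=lambda r: r["when"]):
        if r["logon_type"] != 10:                # 10 = RemoteInteractive (Terminal Services)
            continue
        key = (r["user"], r["src"])
        if not r["ok"]:
            failures[key] = [t for t in failures[key] if r["when"] - t <= FAILURE_WINDOW]
            failures[key].append(r["when"])
            if len(failures[key]) == FAILURE_THRESHOLD:
                findings.append(("brute_force", r["user"], str(r["src"]), r["when"]))
        elif not any(r["src"] in net for net in ALLOWED_SOURCES.get(r["user"], [])):
            findings.append(("unexpected_source", r["user"], str(r["src"]), r["when"]))
    return findings

# Constructed sample: one legitimate kiosk logon, a console logon that is not RDP,
# then three failures and a success for the same account from an unknown address.
SAMPLE_LOG = """\
2002-01-08T09:15:00 user=Nocturnal type=10 src=203.0.113.10 result=success
2002-01-08T12:00:00 user=nocturnal type=2 src=127.0.0.1 result=success
2002-01-08T23:30:00 user=nocturnal type=10 src=198.51.100.77 result=failure
2002-01-08T23:31:00 user=nocturnal type=10 src=198.51.100.77 result=failure
2002-01-08T23:32:00 user=nocturnal type=10 src=198.51.100.77 result=failure
2002-01-08T23:33:00 user=nocturnal type=10 src=198.51.100.77 result=success
"""

def analyze(text=SAMPLE_LOG):
    return find_rogue_logons([parse_line(l) for l in text.splitlines() if l.strip()])
for finding in analyze():
    print(*finding)
```

A legitimate kiosk logon produces nothing; the same account succeeding from an address outside the allow-list, especially right after a run of failures, is what a manager should be looking at before calling it "hacked".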

Soybomb

Diamond Member
Jun 30, 2000
9,506
2
81
so what if they have TS on the BIG internet with no firewall
The big deal is if they have a properly configured firewall he could post the username and password here and we couldn't log in with it. Yes, it's a problem if someone is compromising his password, but more protection is easily put into place and obviously would be beneficial.
 

FoBoT

No Lifer
Apr 30, 2001
63,084
15
81
fobot.com
i am just used to a certain type of setup/security

all our corporate/internal stuff is totally isolated (pix/dmz, etc) from the few boxes that are open to the internet

everyone uses a proxy server for internet access, the pix is tight both ways so you have no choice

remote users have to vpn (cisco) in to get to any internal resources, like terminal servers



SagaLore's idea above is a simple/relatively inexpensive fix

but of course, nocturnal isn't going to be able to tell the company IT weiners to make changes, so i guess we are off on a tangent. so just change the password, blow up the PC in the kiosk to make sure there is no trojan giving away the credentials and try again

have a nice day! :)