Windows XP Remote Desktop - Intrusion!

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
I was at work using WinXP Pro's Remote Desktop Connection to access software tools on my home computer. Suddenly, I was "disconnected by means of an administrative tool" (the message you receive when someone else logs into your computer).

[edit]
Intrusion confirmed. A serious flaw in Windows XP allowed someone full remote access to all accounts on my system!
[/edit]

Creepy.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
[damn glitchy browser]

A text file was later added to my desktop by the intruder.

Filename:
hax.by.china.txt

Contents:
"mail at haxbychina@yahoo.com , no harm to you pc, just test"

My system is fresh, clean, and up-to-date. This must be a recently-discovered flaw in Windows, and some kiddies are going crazy with their "good-natured" intrusions.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
Yikes. Another text file on my password-protected administrator desktop. No backdoors installed.

This must be a new exploit.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
"No harm to you PC" - My ass!

I can now log in remotely as Guest...with no password.

>EVEN THOUGH I DISABLED THE GUEST ACCOUNT<

What the hell did those little bastards do?!?
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
I knew he'd get one of these. Firewalls are not for everyone! Firewalls protect PCs by interfering with a lot more than just hackers. Pretty much any Internet application can run into trouble. Connection issues with P2P networks, Remote Desktop (which is what he's using), games, you name it. It's a lot more trouble than it's worth for a PC that's going to be used for SOMETHING ELSE than troubleshooting network issues and connection problems. Just think about how many times you've just had to give up on something just because you didn't want to screw around with the router or find & open up ports and port ranges.

DMZ is supposed to fix that, but in a multiple PC gaming household like ours, it adds even more problems. What about when all of us want to play ZSNES over ZBATTLE.net but the command line front-end matchmaking application is not smart enough to use anything but the IP address connected to the ZBATTLE server? Because all PCs are connected from behind the same router, the front-end application passes the same IP address to the command line and ZSNES unsuccessfully tries to connect to itself. To make matters worse, some ISPs FORCE their customers behind NAT and firewalls. As a result, I can't play my friend from the other side of town without manually changing (forcing) the horrible-performing UDP option, something THOUSANDS of ZSNES players never figured out and even then doesn't help in some cases.

If the PC is intended to be visible and accessible to the Internet as a server, then what good does it do to "hide" behind a firewall? If the necessary ports are open, it will be "found" anyway, especially if it's running something like a webserver. Blocking/closing the unused ports may prevent certain exploits (like my brother's case above) but if the PC is fully updated and doesn't contain anything you don't mind losing (he restores an image every week) it's not worth the trouble as it will certainly cause more headaches. Besides, how else might we have discovered the exploit to know it needs fixin'? Any intrusion changes, backdoors, DoS zombie applications etc. will be wiped over with the HDD image.

He's not worried about what a hacker may do to him, but worried that it apparently hasn't been detected/fixed by Microsoft.


Oops, you asked what the setup was like

Cable ISP with unlimited (?!) IP address assignments (assigns randomly to different subnets. Bleh)
Linksys Wireless-G Router w/ DHCP disabled (Just using it as an access point / hub)
Cable modem and PCs all connected to auto-crossover local port (Instead of Cable-to-WAN port. This lets my ISP assign IPs)
Wireless-G card for the laptop, 3com & Intel NICs for the desktops + 802.11b PCI cards (we move them around a lot)
No software firewalls except on the fileserver, all other unprotected gaming PCs
All password protected renamed Administrator accounts with no network shares.
Restricted Guest account recently enabled with no password on hacked PC to keep guests from requesting the password
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
After communicating through email, it does not seem that the group is willing to reveal their exploit to Microsoft. How can I enable detailed-logging so that their methods can be determined?

It seems that my system is more vulnerable than it was before the intrusion (I can now log in remotely as "Guest" with no password), MS needs to know so that an update can be created!
 

mcveigh

Diamond Member
Dec 20, 2000
6,457
6
81
OK so you pretty much have several PCs running w/o a firewall... so you can't play a game. Cry me a river... :| You need to protect your machines somehow!
You need to do a thorough port scan to look for open ports on the attacked machine. How do you know they broke in externally? It could be a trojan running on the box that came in through a user.
http://www.anti-trojan.net/en/

As for restoring an image each week, how long do you know the box has been hacked? They could have been waiting a while.

Can you at least port scan it and post what ports are open?
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
I know what you're saying. but requiring a technology that interferes with nearly everything else to stop this is shifting the blame. If there's a hole, they should fix it. If my PC is visible because I have open ports but not vulnerable thanx to having no known exploits, there should be no reason to use a firewall (Unless you're really anal and scared that just having a visible PC will make you subject to a DoS attack).

Virtually anything and everything brings the firewall into question. We have a notoriously flaky Internet connection and I have yet to find a trouble-free application other than Quake3. I can't access certain FTPs from school but I can access others because of the firewall not handling something right. I've NEVER been able to connect to eDonkey. Half the IRC networks are inaccessible. KaZaa has serious problems with connecting to other users (other than the fact that it's craptastic software to begin with). ZSNES is just one minor example. I have enough connection trouble like it is without a firewall (ie, two users of the SAME cable ISP can transfer files with ICQ while two others always time out! I've never been able to transfer files with yet another local user whose cable co puts him behind a firewall). When all we are doing is sharing a real genuine Internet connection with every intention of using it to the fullest extent with the benefit of multiple IP addresses, why would I force everyone behind a NAT router? I would be PISSED OFF if I paid for WiFi or cable access and was doomed to application incompatibility forever thanks to a mandatory firewall. Until someone makes a cheap home wireless router with multiple DMZ capability this is the way we'll do it. Leave it up to the PC user to install a software firewall or not.

BTW, I haven't even touched on the Zone Alarm, Norton Personal Firewall, and MS Windows XP Firewall-specific connection issues but I'm sure you've seen all the "known problems" from all the FAQs, fixes, & readme.txt's out there.

If a popular standard dial-up ISP (ie, nearly any ISP OTHER than AOL) forced every user behind a NAT router / firewall there'd be outrage! Sometimes, even I have to resort to dial-up to get through because of my damn cable ISP (I think they interfere with connection between users of their service to prevent browsing the cable network for shares).
 

mcveigh

Diamond Member
Dec 20, 2000
6,457
6
81
So what is the post about? I assume you know Ichinisan? You blame the OS for being insecure? If you want a secure OS out of the box use OpenBSD. If you want to use Windows then accept the security risks that come with it.
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
For one thing we'd like to know exactly what the guy left changed and how to change it back. ie, how do I disable password-less remote access for the Guest account? Was it enabled through some undocumented but legitimate method but not part of the hack? No one said that it couldn't happen to someone with a firewall because we don't know what kind of exploit it was. If I ever see this again (considering how many dial-up users there are out there which I see in the shop every day, I may), I'd like to know how to deal with it. Ignoring a problem by side-stepping it with an alternative OS does not solve the problem for everyone else; identifying the flaw and alerting MS will. That is another objective. In fact, this thread was originally to identify which of three possibilities had occurred. Because that was discovered, I started another thread.

And yes I do know him. He's my brother.

Thnx for the link! The Blackcode scan didn't find anything suspicious. Now I need to find out how to safely use Remote Desktop without inciting more connection issues (MS doesn't outright tell you what port(s) to open for it when enabling it, it just says the remote port must be open. Windows Update already had some old updates to resolve SOME of the Remote Desktop + firewall issues.)
 

prosaic

Senior member
Oct 30, 2002
700
0
0
I'm probably misunderstanding, and I'll admit that I didn't read through this thread carefully. But I can't help wondering if there is anything wrong with Windows XP in this case at all. Just to check, you say that the Guest account on the machine is "disabled". What exactly do you mean by that? HOW was it disabled?

WinXP has the ability to turn the Guest account on and off, but that just controls whether or not the machine is accessible through the Guest account LOCALLY. When Guest is turned off, you can still access the machine remotely via the Guest account. As long as the machine is not a member of a domain, it is designed to be accessed remotely through the Guest account (at least as long as Simple File Sharing is enabled). My understanding is that WinXP normally NEEDS to have the Guest account enabled at all times to allow remote access.

Have you tried changing the Guest account's name and placing a strong password on it?

If you have WinXP sitting with shares open on the Internet and with no firewall, no NAT, standard Guest account not renamed, no password on the Guest account -- then I would think that you could expect to have lots of "visitors". I don't see this as being Windows XP's fault. Any OS I've used would be similarly compromised if placed out on the Web wide open. It's just that Windows XP starts off pretty much unprotected by default and that you have to apply protection to keep it from being compromised. Some other operating systems start off locked down to various degrees by default.

- prosaic
 

skyking

Lifer
Nov 21, 2001
22,383
5,348
146
I firewall off my machine to allow remote access from a few IP's only, and that still makes me nervous.
Here is a thought to ponder: if you say your machines have randomly assigned dynamic IPs from different subnets, has your brother's IP remained unchanged through this little intrusion episode? Check that out. If the IP has changed, you have a trojan or other embedded bad thing, for sure.
 

Ichinisan

Lifer
Oct 9, 2002
28,298
1,235
136
Long story, but it turns out I was not hacked after all. My friend did nothing to my computer or its settings, but I am concerned about the coincidental discovery of a major hole in my system.

Windows XP clearly states when you enable Remote Desktop Connection:
Some accounts might not have passwords.
Accounts used for remote connections must have passwords.
.
.
.

I want to keep my Guest account with no password for friends using my computer locally.

How can I fix RDC?
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
No IP change. In fact, we got a friend to "confess" to the "whole thing" but he says he didn't do anything but log in locally as Guest & drop those files on the desktop. He got in as Admin because my brother gave him the password to check for "hacker damage" when he was supposedly there to check out the apartment for intruders.


Oh, and Prosaic, when ENABLING Remote Desktop XP will tell you that any non-password protected account will be inaccessible. However, mine is still perfectly accessible without a password. This is WIDE OPEN, and has nothing to do with firewall protection. I created other accounts with no password for testing purposes and they will not work through Remote Desktop. Somehow, Guest is different...
 

prosaic

Senior member
Oct 30, 2002
700
0
0
Yes, Guest behaves differently in WinXP than it does in Win2K and NT.

I strongly suggest renaming the Guest account and applying a password. Depending upon the OS from which the remote connection is made there are various ways of setting things up so that the remote user won't have to actually enter a password.

Under the circumstances I'd set up hidden share names, too.

If you were behind a box running a firewall with proper settings and NAT no one would be getting onto that Guest account from the Web. If you just turn on the built-in Windows ICF no one will be able to connect to the Guest account, locally or from outside, for that matter.

- prosaic
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
The only shares are the default hidden shares created during installation.

There is no domain system to control user logins.

Originally posted by: prosaic

If you were behind a box running a firewall with proper settings and NAT no one would be getting onto that Guest account from the Web.

Huh?! How could a firewall prevent access to a certain account and not others? I don't see what you mean about ICS either. I'm connecting to the computer via Remote Desktop from work, an entirely different Internet connection. I'm able to log in as Guest with no password when XP is not supposed to allow that. If you're saying a firewall would fix my problem, how could I possibly configure it to allow me to connect to my other accounts? Restricting access to certain user accounts is NOT the functionality of a firewall.

Also, the purpose of the Guest account on this computer is to allow friends and family members to use the PC when we are not there so that they will not need our password. Giving it a password defeats the purpose. Of course, it can be a freely-known password, but for an account that is only supposed to be accessible locally I shouldn't have to.
 

prosaic

Senior member
Oct 30, 2002
700
0
0
The firewall is there to prevent you from advertising the shares. That's all that I meant. Of course, if a firewall is set up to prevent ingress/egress there won't be any, either.

As I said earlier, the Guest account in this OS is different. It always allows remote access unless you use a policy to prevent that. (Not available in Home Edition, of course.) If you want local login with Guest and no remote login with Guest the answer is to use the policy editor. I thought you wanted other machines on the LAN to be able to use the Guest account.

- prosaic
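An audit that answers the questions raised so far in the thread (Ichinisan's "how can I enable detailed logging", prosaic's point that turning Guest off does not stop remote logon, and the policy that denies Guest remote logon), as an added example that is not from the thread or from Microsoft. It assumes a current Windows build (Windows 10 / Server 2016 or later) with the Microsoft.PowerShell.LocalAccounts module and Get-WinEvent, run from an elevated prompt; on XP the same facts came from `net user Guest`, `secedit /export` and the Local Security Policy console, and the XP Security log used a different event numbering than the 4624/logon type 10 convention used here. The report field names are assumptions.

```powershell
# Added example (not from the thread). Audits the settings the posters argue about:
# is Remote Desktop on, is the built-in Guest account usable, are blank-password
# accounts limited to console logon, does any user right deny Guest network or RDP
# logon, and which accounts recently logged on through Remote Desktop.
# Assumes Windows 10 / Server 2016+ PowerShell run elevated.

function Get-RdpExposureReport {
    [CmdletBinding()]
    param([int]$Days = 7)   # how far back to look in the Security log

    $report = [ordered]@{}

    # 1. Is Remote Desktop enabled? fDenyTSConnections = 0 means connections are allowed.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $report.RemoteDesktopEnabled = [bool]($ts -and $ts.fDenyTSConnections -eq 0)

    # 2. The built-in Guest is the account with RID 501, whatever it has been renamed to.
    $guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    $report.BuiltInGuestName             = $guest.Name
    $report.BuiltInGuestEnabled          = $guest.Enabled
    $report.BuiltInGuestPasswordRequired = $guest.PasswordRequired

    # 3. "Accounts: Limit local account use of blank passwords to console logon only"
    #    is stored as LimitBlankPasswordUse (1 = blank-password accounts cannot log on remotely).
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
    $report.BlankPasswordsConsoleOnly = [bool]($lsa -and $lsa.LimitBlankPasswordUse -eq 1)

    # 4. User Rights Assignment: export the local policy and check whether the two
    #    deny rights prosaic refers to list the Guest SID (accounts appear as *S-1-5-...).
    $inf = Join-Path $env:TEMP 'rights-audit.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = Get-Content $inf
    Remove-Item $inf -ErrorAction SilentlyContinue
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = $rights | Where-Object { $_ -like "$right*" }
        $report["$right`_CoversGuest"] = [bool]($line -and ($line -match [regex]::Escape($guest.SID.Value)))
    }

    # 5. Recent Remote Desktop logons: event 4624 with LogonType 10 (RemoteInteractive).
    #    Property indexes follow the 4624 schema: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    $report.RecentRdpLogons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = $_.Properties[5].Value
                Source  = $_.Properties[18].Value
            }
        }

    [pscustomobject]$report
}

Get-RdpExposureReport | Format-List
```

The interesting combination for this thread is `RemoteDesktopEnabled` true, `BuiltInGuestPasswordRequired` false and both `_CoversGuest` fields false: that is the exposure the posters describe, and the `RecentRdpLogons` list shows whether anyone has actually used it. Logon auditing must be turned on for step 5 to return anything (Local Security Policy, Audit Policy, "Audit logon events" on the older UI; the Logon/Logoff subcategory on newer builds).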
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
Well, it's purely for sharing an Internet connection, so there are no shares or network users (Only local accounts). The thing is, when enabling Remote Desktop, XP Pro will outright tell you:

"Some local accounts might not have passwords.
Accounts used for remote connections must have passwords.

If you are using internet connection sharing or a personal firewall, the correct port must be open to enable remote connections.

For more information, visit the Help and Support Center."

There is NO mention of the Guest account being different, which is a HUGE security hole. That means anyone can log into any computer taking advantage of this built-in "open" account then run viri, backdoors and what-not just by knowing that you have Remote Desktop enabled at that IP address.

Thnx for clearing the Guest stuff up for me. Is there any way to restore Guest to being a purely local account? Why isn't it that way to begin with? If a network has permissions for guests, I guess they should set up Guest accounts manually, right?

Note, they don't tell you WHICH port so you have to play detective with yet another application that needs access.
 

prosaic

Senior member
Oct 30, 2002
700
0
0
Originally posted by: CZroe

Is there any way to restore Guest to being a purely local account? Why isn't it that way to begin with? If a network has permissions for guests, I guess they should set up Guest accounts manually, right?

I was confounded when I first started realizing how different WinXP was from Win2K and NT4, and I only started using Windows a couple of years ago.

Here's my take on the way Microsoft has set this up. I think they intend for us to use ICS on one PC to share the connection with a home LAN. The world-facing NIC gets ICF, and the internal one doesn't. So the way the Guest account is set up isn't a security problem for the people on the LAN. In Home Edition (and on any Professional system not attached to a domain) you are intended to use Simple File Sharing, and the Guest account provides authentication for all remote access on the LAN. This all makes sense if you look at the way the (dreaded) networking wizard works. (Go ahead. Use it. I dare you! But seriously, it actually works if you use it the way Microsoft envisioned it.)

If you don't use a Windows XP box running ICS you have a number of choices, but you have to be careful not to leave yourself open, and you have to understand how the Guest account works. You can use the security policy that prevents remote logon to the Guest account to protect a Professional machine that is exposed to the Web, but a Home Edition machine is a different matter. Without a router and external firewall on the network you just have to leave the ICF, or another software firewall, up on HE systems, I guess. Or you could unbind sharing and the networking client from TCP/IP, using NetBEUI for local file sharing and still preventing interlopers from outside getting access to shares. Or you can change the name of the Guest account and put a strong password on it, and that will work for Home Edition as well as for Professional.

The really funny thing about all of this is that a lot of people I've talked with thought that they were disabling the Guest account when they turned it off. In point of fact that just turns off local use of the account. It still works for remote access! I know that has blown a lot of minds. It also bugs people that you're not supposed to actually disable the account. Supposedly, if you manage to do so, you'll screw up the operating system's security paradigm, at least for non-domain application.

I hope I'm not rambling as much as I fear. Trying to do two things at once here, and probably not doing either one very well.

- prosaic
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Originally posted by: prosaic
Or you can change the name of the Guest account and put a strong password on it, and that will work for Home Edition as well as for Professional.
If I'm following this at all, that seems like the best solution. Name-change, password protect, and "turn off" the original Guest account. This does not technically disable it, which is good because the OS needs it as part of the security structure. Create a new Limited account, rename it to Guest, and leave it password-less. Because 1) this is not the "special" Guest account and 2) the account has no password, it will be inaccessible via Remote Access. But your family can still log in as "Guest," as before, without a password.

Is that right?
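A script that carries out the plan cleverhandle lays out (rename and password-protect the real Guest account, turn it off without deleting it, then create an ordinary limited account named Guest with no password for local use), as an added example that is not from the thread or from Microsoft. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module; the account names `Visitor-Legacy` and `Guest` and the function name are assumptions. The built-in account is located by its RID (501) rather than by name, so the script works even if Guest was already renamed.

```powershell
# Added example (not from the thread): implements cleverhandle's plan on a current Windows
# build with the LocalAccounts cmdlets. Run elevated; remove -WhatIf at the bottom to apply.

function Protect-BuiltInGuest {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$NewBuiltInName = 'Visitor-Legacy',   # assumed new name for the real Guest (RID 501)
        [string]$LocalGuestName = 'Guest'             # assumed name for the password-less replacement
    )

    # The built-in Guest is the local account whose SID ends in -501.
    $builtIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    if (-not $builtIn) { throw 'Built-in Guest account (RID 501) not found.' }

    # A random 24-byte password, Base64-encoded; nobody is meant to use this account again.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    if ($PSCmdlet.ShouldProcess($builtIn.Name, "rename to $NewBuiltInName, set random password, turn off")) {
        if ($builtIn.Name -ne $NewBuiltInName) {
            Rename-LocalUser -Name $builtIn.Name -NewName $NewBuiltInName
        }
        Set-LocalUser -Name $NewBuiltInName -Password $secret -PasswordNeverExpires $true
        # "Turn off", do not delete: the OS expects RID 501 to exist, as prosaic notes.
        Disable-LocalUser -Name $NewBuiltInName
    }

    # The replacement: a normal member of the Users group with a blank password.
    if (-not (Get-LocalUser -Name $LocalGuestName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($LocalGuestName, 'create password-less limited account')) {
            New-LocalUser -Name $LocalGuestName -NoPassword -UserMayNotChangePassword `
                -Description 'Local-only visitor account (added example)' | Out-Null
            Add-LocalGroupMember -Group 'Users' -Member $LocalGuestName
        }
    }

    # cleverhandle's plan relies on blank-password accounts being refused remote logon.
    # That behaviour is the "Accounts: Limit local account use of blank passwords to
    # console logon only" policy; warn if it is not in force.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
    if (-not ($lsa -and $lsa.LimitBlankPasswordUse -eq 1)) {
        Write-Warning 'LimitBlankPasswordUse is not 1: a blank-password account could still log on remotely.'
    }

    # Show the resulting state of both accounts.
    Get-LocalUser | Where-Object { $_.Name -in $NewBuiltInName, $LocalGuestName } |
        Select-Object Name, Enabled, PasswordRequired, SID
}

Protect-BuiltInGuest -WhatIf   # drop -WhatIf to make the changes
```

The script does not touch the User Rights Assignment policy prosaic mentions ("Deny log on through Terminal Services" / "Deny access to this computer from the network"); adding the renamed account to both of those in the Local Security Policy console is a cheap second layer in case it is ever re-enabled.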

 

prosaic

Senior member
Oct 30, 2002
700
0
0
Well...

My skin crawls when I think of any account on any Internet-facing machine not being at least protected by NAT, a firewall, and a password. I'd let family and friends learn to use a password, and a strong one at that, on whatever account they use. Furthermore, I'd give each person his own account (within the bounds of reason) and teach them the use of the shared documents folder and how to keep data they don't intend to share in their own folders. I think it's a good idea to inculcate the habits that support security, even in casual users of PCs. The use of enforced passwords, Ctrl-Alt-Del being required for logon, and some common sense file management concepts are really necessary for people who use Internet-connected PCs -- especially if the connection is broadband.

- prosaic
 