Scary....or Is It Just Me

iphonogasm

so I just RDPed into my server to restart it and it said there are currently other users online or whateva. I'm the only one who has access to my server and I use the admin account?

so is there someone else on my server, and how can I view a list of active users?

that's pretty freaky

Thanks!!
 
when I try to restart my server, it says are you sure you want to restart, there are other users logged on still....

????

freaky lol
 
well nothing shows in the user tab on task manager...but I'm only logged in on RDP, and it never used to say this, it would just end my RDP session
 
so I'm using a protocol sniffer to monitor traffic, and have just found an active RDP connection from a random IP

also just got an email saying I've used 80% of my 10GB plan, and all I do is RDP?

is there a way I can view active RDP sessions and connections? I know the way through Terminal Services Client but it only shows "Administrator" logged on, which is me. And not being able to have two active RDP sessions on one account, but I don't see another account active, but I'm definitely getting scrolling RDP and TCP pointing towards some random IP just as it does when I RDP into the server?

Any other ideas? I'm sure I'm an easy target HAHA!
 
From what I know, it is not possible to connect via RDP and hide the name... ok... you may be the victim of a MITM RDP, but if so, your session will be disconnected.

Write down the "strange" IPs and PM me. Also, when you notice this, open a command prompt and type: netstat -an | find /i ":3389" so you can see all the open RDP connections.

Remember that RDP is not a lightweight protocol!
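
An added example, not part of the original posts: the `find /i ":3389"` filter above also matches LISTENING sockets and outbound RDP connections, so this sketch parses saved `netstat -an` output and reports only peers connected to the server's own port 3389 that are not on a known list. The sample output, the addresses and the function names are constructed for illustration, and English-language netstat column layout is assumed.

```python
from collections import defaultdict

# Constructed sample of `netstat -an` output (addresses are placeholders).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.0.2:3389       192.168.0.24:50122     ESTABLISHED
  TCP    192.168.0.2:3389       203.0.113.77:61544     ESTABLISHED
  TCP    192.168.0.2:3389       203.0.113.77:61590     TIME_WAIT
  TCP    192.168.0.2:49712      198.51.100.9:3389      ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    [fe80::1%11]:3389      [2001:db8::5]:50001    ESTABLISHED
  UDP    0.0.0.0:3389           *:*
"""

def split_endpoint(ep):
    """Split 'addr:port' or '[v6addr%zone]:port' into (addr, port)."""
    addr, _, port = ep.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop brackets and IPv6 zone id
    return addr, int(port) if port.isdigit() else None

def inbound_rdp(netstat_text, known_hosts, port=3389):
    """Return {remote_ip: [states]} for TCP peers on local `port`
    that are not in known_hosts (hypothetical allowlist)."""
    unknown = defaultdict(list)
    for line in netstat_text.splitlines():
        cols = line.split()
        # Only 4-column TCP rows carry a state; skips header and UDP rows.
        if len(cols) != 4 or cols[0].upper() != "TCP":
            continue
        _, local_port = split_endpoint(cols[1])
        remote_ip, _ = split_endpoint(cols[2])
        state = cols[3]
        # Skip the listener itself and outbound sessions, where 3389
        # appears only on the foreign side.
        if local_port != port or state == "LISTENING":
            continue
        if remote_ip not in known_hosts:
            unknown[remote_ip].append(state)
    return dict(unknown)

if __name__ == "__main__":
    for ip, states in inbound_rdp(SAMPLE, {"192.168.0.24"}).items():
        print(ip, states)
```

Save the real output with `netstat -an > out.txt` and pass the file contents in place of `SAMPLE`; a peer that shows several states over time has opened more than one connection.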
 
> Remember that RDP is not a lightweight protocol!

That's exactly what I thought, however it's definitely not an IP I know, and if I do a tracert on it, it takes about 20 hops then times out, which leads me to believe it's behind a proxy

I'll PM you the IP the next time it happens.

Thanks!
 
Ok I'm sure I got hacked now, not my server but another PC on my network...
It had a screen saying only the administrator can log on, and it's never done that before, also now it's prompting me for my password for Outlook Express and it never did this before. (different incident to before)

I need to start working on some security

I have my router (192.168.0.1) connected straight to my server and then out of my server via a bridged connection to the switch, then out to everything. So theoretically, all internet traffic is going through the server.

Question, can I set up firewall rules on the server to act for all devices connected to the switch via the server? Will it intercept via the bridge or can I not manage the traffic going through the bridge?

Example, can I block all connections to 192.168.0.24, 192.168.0.54, 192.168.0.125, 192.168.0.12 on ports 3389, 80, 21 etc. by setting rules in my firewall on 192.168.0.2 (my server)?

lets start with that,

THANKS!!
 
Yea you can, google: windows firewall block port. In admin tools there's firewall with advanced security. There's a wizard to create rules.
 