Help determining if RDP was compromised

aem

Someone I do some IT work for had their bank account info stolen and whoever did it transferred some money to a PayPal account. Since it was PayPal it sounds like it was recovered fairly easily. But we are trying to figure out how they might have found out the information.

He has RDP open up on his personal computer, not on the default port but his user account has a short password which probably could be brute forced quickly.

I looked at event logs and see many events for remote desktop connections. I am trying to determine if this attacker was actually in the system or these were just the typical bots trying to connect to RDP.

It says "user authentication succeeded" in the events, but "User: user". If I RDP into his system it shows a real user name. Even if it says "User: user" could they have gotten into the system? The events with "User: user" and "user authentication succeeded" repeated over and over for several hours. Seems like they would not keep reconnecting if they had gotten in.

I put a firewall entry on the router to only allow RDP from valid IPs, set up a password lockout policy, and he is going to change all his passwords. I am no security expert and am not sure how to detect if any keylogger might have been installed. Malwarebytes picked up some stuff, but nothing that looked out of the ordinary (typical advertising garbage). No running processes looked suspicious. Will need to take a closer look at his system tonight, but for now he is changing his passwords and hoping they aren't being recorded by any key logger.

OS is Windows 7 Pro.
 
Is there a local account on the computer named "user"? Check under Computer Management > Local Users & Groups.

Sadly if one believes they have been a victim of a key logger or root-kit it is best to nuke the drive from orbit and start fresh.
 
No there is only his user account. I had wondered if they possibly created a "user" account and removed it but I have not looked into this yet.

We were already in the process of ordering parts for a new system to replace this one and wiping now isn't really an option unless it was an emergency. He will have a fresh system soon though. We don't think there is a key logger, but do not know for sure. The only account we know of so far that has been compromised is the bank account.
 
I don't see anything to suggest there was ever a user named "user". Digging into this a little more, it sounds like it might always say authentication succeeded if the RDP client used does not have Network Level Authentication. I am about 95% sure that no one has gotten into his system through RDP.
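One way to settle this on the Windows 7 box itself, as an added example (not posted by anyone in the thread): pull the RDP connection events and the Security-log logon events side by side, so the "authentication succeeded" noise can be separated from actual sessions. It assumes an elevated PowerShell session, logon auditing enabled, and the standard log channel name and event IDs; the seven-day window is arbitrary.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell 2.0 session on the
# Windows 7 host, logon auditing enabled, and the standard channel name and event IDs.
$since = (Get-Date).AddDays(-7)

# Event 1149 ("User authentication succeeded") is logged when an RDP client reaches the
# logon screen. Without NLA that happens before any password is checked, so it proves
# contact, not entry. Param1-3 carry the user name the client sent, domain, source IP.
$contacts = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Id        = 1149; StartTime = $since } |
  ForEach-Object {
    $p = ([xml]$_.ToXml()).Event.UserData.EventXML
    New-Object PSObject -Property @{ Time = $_.TimeCreated; User = $p.Param1; SourceIP = $p.Param3 }
  }

# A real desktop session is Security event 4624 with LogonType 10 (RemoteInteractive);
# 4625 with the same type is a rejected password. With NLA enabled, failures can instead
# appear as LogonType 3, so widen the filter if NLA is turned on later.
$logons = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $since } |
  ForEach-Object {
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['LogonType'] -eq '10') {
      New-Object PSObject -Property @{ Time = $_.TimeCreated; Id = $_.Id
                                       User = $d['TargetUserName']; SourceIP = $d['IpAddress'] }
    }
  }

'RDP connection attempts (1149) by source IP - expect many from scanners:'
$contacts | Group-Object SourceIP | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

'Successful interactive RDP logons (4624, type 10) - each of these is a real session:'
$logons | Where-Object { $_.Id -eq 4624 } | Format-Table Time, User, SourceIP -AutoSize

'Failed RDP password attempts (4625, type 10) by source IP:'
$logons | Where-Object { $_.Id -eq 4625 } | Group-Object SourceIP | Sort-Object Count -Descending |
  Format-Table Count, Name -AutoSize
```

Any 4624/type 10 entry whose source IP is not one of the owner's known addresses is the thing to investigate; a pile of 1149 entries with no matching 4624 is the scanner pattern described above.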
 
No there is only his user account. I had wondered if they possibly created a "user" account and removed it but I have not looked into this yet.

Check under Documents & Settings - removing the account does not necessarily remove the folder structure.
 