Today I opened TCPView to see what was causing a lot of outbound network activity and could only identify svchost.exe on port 3389 (which I understand to be the port used by Remote Desktop).
I ended the process almost immediately.
I've searched for the IP address it was connected to, and discovered it originates in South Korea.
I have just discovered in the Windows Event Viewer under "Applications and Services Log > Microsoft > Windows > TerminalServices-RemoteConnectionManager" almost 2,000 events which read similar to:
Remote Desktop Services: User authentication succeeded:
User: administrator
Domain:
Source Network Address: 1.214.253.235
This goes on with users such as sales3, secret3, shop3 - all succeeded.
I wanted to know, as it seems my system has been compromised: is it at all possible for me to track any activity, such as file access/modification?
And can anyone advise on the best course of action to take to prevent this happening in future?
Bummed me out of my festive spirit
Assuming this is a home system, you might want to look at the port forwarding settings on your DSL router to restrict external sources initiating a connection to your computer. – daya – 2012-12-23T18:56:18.240
http://www.bleepingcomputer.com/tutorials/list-services-running-under-svchostexe-process/ "How to determine what services are running under a SVCHOST.EXE process" Maybe this gets you some more info – Jan Doggen – 2012-12-23T19:43:41.253
Running a scan with avg in safe mode. I've disabled remote desktop even though I used it often while away from home. I find it strange that the logs report successful logon for users that don't exist on my system. – TerryProbert – 2012-12-23T19:48:14.460
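As an added example (not posted by the asker or any of the commenters), the following PowerShell script reads the same TerminalServices-RemoteConnectionManager Operational log the question quotes, summarises the "User authentication succeeded" events (Event ID 1149) by source address and user name, and flags user names that do not exist as local accounts, which is the oddity the last comment points out. It assumes the message text carries the "User:" and "Source Network Address:" lines in the layout shown in the question.

```powershell
# Summarise RDP "User authentication succeeded" events (ID 1149) by source IP and user,
# then list the user names that are not local accounts on this machine.
# Assumption: the event message has the "User:" / "Source Network Address:" lines
# exactly as quoted in the question.
$logName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$events  = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1149 } -ErrorAction Stop

# Names of the accounts that really exist locally (lower-cased for comparison)
$localUsers = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
    ForEach-Object { $_.Name.ToLower() }

$rows = foreach ($e in $events) {
    $user = $null; $ip = $null
    # "User:" with a colon does not match the "User authentication succeeded" header line
    if ($e.Message -match 'User:\s*(\S+)')                   { $user = $Matches[1] }
    if ($e.Message -match 'Source Network Address:\s*(\S+)') { $ip   = $Matches[1] }
    New-Object PSObject -Property @{
        Time              = $e.TimeCreated
        User              = $user
        SourceIP          = $ip
        KnownLocalAccount = ($user -ne $null -and $localUsers -contains $user.ToLower())
    }
}

# Which source addresses produced the most successful RDP authentications, and when?
$rows | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'FirstSeen'; e = { @($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'LastSeen';  e = { @($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# Successful authentications reported for names that are not local accounts here
$rows | Where-Object { -not $_.KnownLocalAccount } |
    Group-Object User, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Event 1149 records that Remote Desktop accepted the credentials at the connection manager, not that a session was necessarily created, so correlate the timestamps it gives with the Security log's logon events (ID 4624, logon type 10) before concluding what each source address actually did on the machine.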