I was sitting in my office at home and noticed someone using my desktop to log into their eBay account and place bids. I have disabled remote desktop at the moment, but am wondering what I should do? This is the log I have. Any advice is greatly appreciated.
Feb 1 22:42:57 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 22:42:57 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 22:42:57 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 22:42:57 localhost nmbd[1668]: [2011/02/01 22:42:57, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 22:34:42 localhost dhcpd: DHCPACK to 192.168.1.102 (00:16:44:c6:55:b0) via eth0
Feb 1 22:34:42 localhost dhcpd: DHCPINFORM from 192.168.1.102 via eth0
Feb 1 22:33:30 localhost named[1551]: success resolving 'www.iexploit.org/AAAA' (in '.'?) after disabling EDNS
Feb 1 22:33:30 localhost named[1551]: success resolving 'www.iexploit.org/A' (in '.'?) after disabling EDNS
Feb 1 22:27:52 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 22:27:52 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 22:27:52 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 22:27:52 localhost nmbd[1668]: [2011/02/01 22:27:52, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 22:21:53 localhost system-config-network[31857]: ln //etc/resolv.conf //etc/sysconfig/networking/profiles//default/resolv.conf
Feb 1 22:21:53 localhost system-config-network[31857]: ln //etc/hosts //etc/sysconfig/networking/profiles//default/hosts
Feb 1 22:19:12 localhost dhcpd: DHCPACK to 192.168.1.102 (00:16:44:c6:55:b0) via eth0
Feb 1 22:19:12 localhost dhcpd: DHCPINFORM from 192.168.1.102 via eth0
Feb 1 22:17:59 localhost gnome-keyring-ask: could not grab keyboard: 3
Feb 1 22:17:18 localhost gnome-keyring-ask: could not grab keyboard: 3
Feb 1 22:15:16 localhost dhcpd: DHCPACK to 192.168.1.102 (00:16:44:c6:55:b0) via eth0
Feb 1 22:15:16 localhost dhcpd: DHCPINFORM from 192.168.1.102 via eth0
Feb 1 22:12:47 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 22:12:47 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 22:12:47 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 22:12:47 localhost nmbd[1668]: [2011/02/01 22:12:47, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 22:07:05 localhost smbd[31451]: call_nt_transact_ioctl(0x90078): Currently not implemented.
Feb 1 22:07:05 localhost smbd[31451]: [2011/02/01 22:07:05, 0] smbd/nttrans.c:2119(call_nt_transact_ioctl)
Feb 1 22:02:42 localhost dhcpd: DHCPACK to 192.168.1.102 (00:16:44:c6:55:b0) via eth0
Feb 1 22:02:42 localhost dhcpd: DHCPINFORM from 192.168.1.102 via eth0
Feb 1 21:57:40 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 21:57:40 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 21:57:40 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 21:57:40 localhost nmbd[1668]: [2011/02/01 21:57:40, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 21:57:08 localhost dhcpd: DHCPACK on 192.168.1.102 to 00:16:44:c6:55:b0 (Chad-PC) via eth0
Feb 1 21:57:08 localhost dhcpd: DHCPREQUEST for 192.168.1.102 (192.168.1.10) from 00:16:44:c6:55:b0 (Chad-PC) via eth0
Feb 1 21:57:08 localhost dhcpd: Wrote 4 leases to leases file.
Feb 1 21:57:08 localhost dhcpd: added reverse map from 102.1.168.192.in-addr.arpa to Chad-PC.home.com
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#46566: updating zone '1.168.192.in-addr.arpa/IN': adding an RR at '102.1.168.192.in-addr.arpa' PTR
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#46566: updating zone '1.168.192.in-addr.arpa/IN': deleting rrset at '102.1.168.192.in-addr.arpa' PTR
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#46566: signer "ddnskey" approved
Feb 1 21:57:08 localhost dhcpd: Added new forward map from Chad-PC.home.com to 192.168.1.102
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#45939: updating zone 'home.com/IN': adding an RR at 'Chad-PC.home.com' TXT
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#45939: updating zone 'home.com/IN': adding an RR at 'Chad-PC.home.com' A
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#45939: signer "ddnskey" approved
Feb 1 21:57:08 localhost dhcpd: DHCPOFFER on 192.168.1.102 to 00:16:44:c6:55:b0 (Chad-PC) via eth0
Feb 1 21:57:07 localhost dhcpd: DHCPDISCOVER from 00:16:44:c6:55:b0 via eth0
Feb 1 21:42:36 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 21:42:36 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 21:42:36 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 21:42:36 localhost nmbd[1668]: [2011/02/01 21:42:36, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 21:27:30 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 21:27:30 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 21:27:30 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 21:27:30 localhost nmbd[1668]: [2011/02/01 21:27:30, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 21:12:27 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 21:12:27 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 21:12:27 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 21:12:27 localhost nmbd[1668]: [2011/02/01 21:12:27, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 20:57:24 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 20:57:24 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 20:57:24 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 20:57:24 localhost nmbd[1668]: [2011/02/01 20:57:24, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 20:42:07 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 20:42:07 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 20:42:07 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 20:42:07 localhost nmbd[1668]: [2011/02/01 20:42:07, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 20:27:16 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 20:27:16 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 20:27:16 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 20:27:16 localhost nmbd[1668]: [2011/02/01 20:27:16, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 20:12:13 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 20:12:13 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 20:12:13 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 20:12:13 localhost nmbd[1668]: [2011/02/01 20:12:13, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 19:57:09 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 19:57:09 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 19:57:09 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 19:57:09 localhost nmbd[1668]: [2011/02/01 19:57:09, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 19:45:04 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
Feb 1 19:42:50 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
Feb 1 19:42:02 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 19:42:02 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 19:42:02 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 19:42:02 localhost nmbd[1668]: [2011/02/01 19:42:02, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 19:37:50 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
Feb 1 19:31:50 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
Feb 1 19:29:50 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
Feb 1 19:27:50 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
Feb 1 19:26:59 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 19:26:59 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 19:26:59 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 19:26:59 localhost nmbd[1668]: [2011/02/01 19:26:59, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 19:25:50 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
Feb 1 19:16:50 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
Feb 1 19:13:50 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
Feb 1 19:11:57 localhost nmbd[1668]: Unable to sync browse lists in this workgroup.
Feb 1 19:11:57 localhost nmbd[1668]: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME.
Feb 1 19:11:57 localhost nmbd[1668]: find_domain_master_name_query_fail:
Feb 1 19:11:57 localhost nmbd[1668]: [2011/02/01 19:11:57, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail)
Feb 1 19:05:50 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
Feb 1 19:01:49 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
remote desktop hacked
Re: remote desktop hacked
Sorry to hear you got hit. Casting an inexperienced eye over the log I see few clues as to how it happened. Doesn't sound like an Amahi problem, so I can only quote a few tips to help you with the Micro$oft end. I can only assume it was a Windows hack and the log is perhaps from a Linux machine. It's difficult to put the limited information you have given about your setup into some sort of context. So I can only give some personal advice and pointers for your security checklist.
- Firstly, change all your passwords in case you have been exploited, and inform your bank to put your account on a watch list.
- Use a firewall; most good AV programs supply a soft firewall service for your machine.
- If you have WiFi, check the security is on = WPA2 with a strong password.
- On your router, switch off uPnP and check for service ports left open. You can do an online check for this at https://www.grc.com/x/ne.dll?bh0bkyd2. You will find some good advice there on how to button down your router.
- Personally I would dump Internet Exploder and use Firefox with the 'NoScript' extension. That will kill a lot of the JavaScript executing in your browser and cross-scripting stuff without permission.
- Beware of Flash and online 'Free AV scans of your machine'. When it comes to internet security, 'Trust No One'!
- Do a good AV scan for any payloads left on the system. Preferably scan from an alternative bootable source like a floppy or CD.
- Keep your windoze up to date with upgrades.
"All answers have been checked and rechecked to be highly questionable" 
ZX81, wobbly 16mb RAM, 4mhz CPU, Bluetac and a dead skin keyboard
Re: remote desktop hacked
I registered just to give you a little info and advice.
I am only an amateur in the security area. However, I do know enough to help you out.
Exploits are prevalent on any operating system. Linux has them. Macs have them. Windows-based machines have tons of them, mainly because they have the largest target audience. That being said:
Your PC definitely has been infected with some kind of malware.
This line in your log is pretty much proof of that.
Feb 1 22:33:30 localhost named[1551]: success resolving 'www.iexploit.org/AAAA' (in '.'?) after disabling EDNS
The line above is most likely resolving an address referencing an exploit to gain remote access to your machine.
The nmbd and smbd entries are Samba related, which is the Linux alternative for Windows networking. These particular log entries look like a possible misconfiguration of Samba, or someone poking around your internal network looking for the target machine or maybe others on the network.
Feb 1 22:17:59 localhost gnome-keyring-ask: could not grab keyboard: 3
This one is an odd entry. Are you running gnome on the same machine? If not this is a security issue. If so it is either a bug or a misconfiguration.
There are so many questions I have at this point. How do you have everything interconnected in your network? Are you relying on this machine to act as a firewall or to pass traffic through? If so that is not really "secure".
Feb 1 21:57:08 localhost dhcpd: added reverse map from 102.1.168.192.in-addr.arpa to Chad-PC.home.com
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#46566: updating zone '1.168.192.in-addr.arpa/IN': adding an RR at '102.1.168.192.in-addr.arpa' PTR
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#46566: updating zone '1.168.192.in-addr.arpa/IN': deleting rrset at '102.1.168.192.in-addr.arpa' PTR
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#46566: signer "ddnskey" approved
Feb 1 21:57:08 localhost dhcpd: Added new forward map from Chad-PC.home.com to 192.168.1.102
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#45939: updating zone 'home.com/IN': adding an RR at 'Chad-PC.home.com' TXT
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#45939: updating zone 'home.com/IN': adding an RR at 'Chad-PC.home.com' A
Feb 1 21:57:08 localhost named[1551]: client 127.0.0.1#45939: signer "ddnskey" approved
This is usual when a hacker has successfully compromised a machine. They will add dynamic DNS (DDNS) software so they can connect to your computer no matter what IP is assigned to it.
What I recommend doing is installing Anti-Malwarebytes and Spybot Search & Destroy. Do updates and do full scans. They usually get most of the known exploits. However, there is no software that finds 100% of everything out there. If your PC cannot access the internet successfully or is redirected through a proxy, then I recommend you find a bootable solution. Avira and AVG have free bootable solutions. If possible I suggest you use a bootable flash drive solution available at www.pendrivelinux.com
Also, I wouldn't say that it is just your Windows PC. The more services a computer runs, the more vulnerable it is, especially one with ports exposed to the internet, because all software has bugs. Any of it can be exploited and compromised. None is immune. Some just make it harder and have a better track record. That being said, I would make sure EVERY PC has ALL the latest updates.
Even the one running Amahi.
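The replies above pick three things out of the posted log by eye: the resolver answering for www.iexploit.org, a MAC address repeatedly asking for a lease the DHCP server never issued, and keyring prompts showing an interactive desktop session. As an added example (not code from the thread or from Amahi), here is a small Python triage script that applies those same checks to syslog lines in the posted format; the sample lines are copied from the post, and the known-MAC list and domain watchlist are assumptions you would fill in for your own LAN.

```python
import re
from collections import Counter

# Constructed sample: a few lines in the same format as the posted log.
SAMPLE_LOG = """\
Feb 1 22:33:30 localhost named[1551]: success resolving 'www.iexploit.org/A' (in '.'?) after disabling EDNS
Feb 1 22:17:59 localhost gnome-keyring-ask: could not grab keyboard: 3
Feb 1 21:57:07 localhost dhcpd: DHCPDISCOVER from 00:16:44:c6:55:b0 via eth0
Feb 1 21:57:08 localhost dhcpd: DHCPACK on 192.168.1.102 to 00:16:44:c6:55:b0 (Chad-PC) via eth0
Feb 1 19:45:04 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
Feb 1 19:42:50 localhost dhcpd: DHCPREQUEST for 192.168.1.2 from 00:21:bd:ac:74:f0 via eth0: unknown lease 192.168.1.2.
"""

# Assumptions: the owner's own PC is the only known client; the watchlist
# holds the domain the second reply flagged.
KNOWN_MACS = {"00:16:44:c6:55:b0"}
DOMAIN_WATCHLIST = {"www.iexploit.org"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
RESOLVE_RE = re.compile(r"success resolving '(?P<name>[^/']+)/(?P<rtype>\w+)'")
DHCP_MAC_RE = re.compile(r"(?P<type>DHCP\w+) .*?(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_line(line):
    """Split one syslog line into timestamp, host, program and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, known_macs, domain_watchlist):
    """Return (severity, timestamp, detail) findings for the three patterns."""
    findings = []
    unknown_lease = Counter()  # MAC -> count of 'unknown lease' requests
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        ts, prog, msg = ev["ts"], ev["prog"], ev["msg"]
        if prog == "named":
            r = RESOLVE_RE.search(msg)
            if r and r["name"].lower() in domain_watchlist:
                findings.append(("HIGH", ts, f"resolver answered watchlisted name {r['name']} ({r['rtype']})"))
        elif prog == "dhcpd":
            d = DHCP_MAC_RE.search(msg)
            if not d:
                continue  # e.g. DHCPINFORM lines carry no MAC
            mac = d["mac"].lower()
            if d["type"] == "DHCPDISCOVER" and mac not in known_macs:
                findings.append(("MEDIUM", ts, f"unknown device {mac} joined the LAN"))
            elif "unknown lease" in msg and mac not in known_macs:
                unknown_lease[mac] += 1
        elif prog == "gnome-keyring-ask":
            findings.append(("MEDIUM", ts, "interactive keyring prompt: a desktop session was active"))
    for mac, n in unknown_lease.items():
        findings.append(("HIGH", "-", f"{mac} asked {n}x for a lease this server never issued"))
    return findings


def run_sample():
    return triage(SAMPLE_LOG, KNOWN_MACS, DOMAIN_WATCHLIST)


if __name__ == "__main__":
    for sev, ts, detail in run_sample():
        print(f"[{sev}] {ts} {detail}")
```

Point it at /var/log/messages (or whatever the box writes syslog to) and extend the watchlist and known-MAC set for your own network; the repeated unknown-lease requests are the item most worth chasing down, since they identify a device the server does not recognise.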