Someone has Remoted into a PC on my network!


I have an urgent situation. I have several PCs at home on a network. I'm lazy, so I use Real VNC
from one PC to hit my other PCs on the network (all password protected). I VNC onto one of my PCs
and noticed the lock/logon screen was up, and a message "The PC is logged on remotely by
Uh oh!! So I put in my password, and I see my mouse moving, it's on a PayPal page, he logged out!
(lucky for him!)...the user ID was (not me, see below).
He also was on this page:
I have the log file from Windows, "HAcked.evtx", I'm not sure what to make of it.
My only guess is he RDP'd into my PC, but I have no idea as to his end game.
I have turned OFF RDP on all my PCs, and made the lock screen come up after 1 minute of inactivity for all PCs.
Any advice, clues or suggestions are greatly needed here!


He can only get in if (a) you have port forwarding on the router to allow access via the net, or (b) he is getting in locally via wireless.

So change wireless passwords and remove any port forwarding.

I replied from my phone, not sure it posted.. Absolutely I do have port forwarding, it's required for VNC...default is 5900...which I have changed to an "off the wall" port number I chose. I'm relatively certain that WiFi is not in this equation, because it stated on the lock screen
"The PC is logged on remotely by bobs-MacBook-Pro.local". He was tunneling in via RDP (which I have now disabled) or VNC...those are the only two methods I can think of he would have had. Honestly, on that PC, I am not 100% sure the RDP was password protected. I did change the default RDP port to a custom one of my choosing.
If I remember correctly, by default RDP uses the Windows login, so it should have been "passworded" there.
From the event logs, I can tell "bobs-MacBook-Pro.local" logged in 21 times, from Feb 27 till last night. I spot checked 2 others (of my 12 physical and 10 virtual PCs on the network) and "bobs-MacBook-Pro.local" is not in the event logs. Of all the PCs on my network, he was on THE worst, slowest junker I have (a 14 yr old notebook, with only 2 GB RAM, and a PATA - yes PATA - SSD)...it's so so so very slow physically on it, and remoting in is a nightmare, slower than dial-up in 1992...I almost feel sorry for him. I can't imagine what his end game was...using someone else's PayPal, on my network? Surely not his own. I've alerted PayPal of these details, for all the good that will do.
What I want to know is if somehow from the screenshots or any other method (I'm open to try anything) I can find his exact point of entry, to prevent re-entry. I've disabled RDP completely...I have to have Real VNC for myself...which is password protected.
I've attached a screenshot of how my RDP was set before I disabled it (also seen at the link below).
I am not too familiar with all of the ins and outs of RDP like I am with Real VNC, so I'm hoping disabling RDP and making the lock screen come up after one minute of inactivity will resolve this.
But, as I said, I'm open to other things...however, deleting all port forwarding...I may as well turn off the PC.

Previous RDP setting, which is now disabled: old_RDP_settings.jpg
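One way to get something out of that HAcked.evtx, as an added example from the defender's side (not the OP's or any replier's code): pull every remote logon out of the exported Security log and group it by the client name and source IP, so the "bobs-MacBook-Pro.local" entries come out with the address they connected from, the accounts they used, and first/last seen times. It assumes the file is an export of the Security log saved at C:\Cases\HAcked.evtx.

```powershell
# Added example (not the OP's code): triage an exported Security log for remote logons.
# Assumption: HAcked.evtx is an export of the Security log, saved at this path.
$Path = 'C:\Cases\HAcked.evtx'

# 4624 = successful logon, 4625 = failed logon.
# LogonType 10 = RemoteInteractive (RDP); with NLA an RDP session is usually preceded
# by a LogonType 3 (Network) event from the same source, so both types are kept.
$xpath  = '*[System[(EventID=4624 or EventID=4625)]]'
$events = Get-WinEvent -Path $Path -FilterXPath $xpath -ErrorAction Stop

# Flatten the named EventData fields of each event into one row.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d   = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        LogonType   = [int]$d['LogonType']
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Workstation = $d['WorkstationName']
        SourceIp    = $d['IpAddress']
        AuthPkg     = $d['AuthenticationPackageName']
    }
}

# Keep only network/RDP logons that came from somewhere other than the machine itself.
$remote = $rows | Where-Object {
    ($_.LogonType -in 3, 10) -and ($_.SourceIp -notin '-', '127.0.0.1', '::1')
}

# One line per client: the name it announced (e.g. bobs-MacBook-Pro.local), the IP it
# connected from, how many logons succeeded or failed, which accounts it used, and when.
# A high Failed count with a later success points at password guessing on that account.
$remote | Group-Object Workstation, SourceIp | ForEach-Object {
    $g = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Workstation = $g[0].Workstation
        SourceIp    = $g[0].SourceIp
        Succeeded   = @($g | Where-Object EventId -eq 4624).Count
        Failed      = @($g | Where-Object EventId -eq 4625).Count
        Accounts    = ($g.User | Sort-Object -Unique) -join ', '
        FirstSeen   = $g[0].Time
        LastSeen    = $g[-1].Time
    }
} | Sort-Object LastSeen -Descending | Format-Table -AutoSize
```

The SourceIp column is the part the lock-screen message does not show: if it is an address outside your LAN, the entry came through the router's port forward rather than over WiFi.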

You could check with ports open to see if you have any other ports open. What is your setup? Are you using a NAT router or modem, and if wireless, what encryption are you using?

You lost me in that one!! Check with ports open to see if any other ports are open? Can't I see that regardless? I have a U-verse gateway modem router...and I know it in my sleep...I don't need to check what ports I have open....they are listed in an Excel sheet with descriptions...I'm a software engineer...and one that documents. I have...well, had, over 70 port forwarding rules...with VNC gone..that gave back 20+ ports.

And? If I do NOT have ports forwarded, how do you propose the web server(s) and email servers function? If there is another way? I'm all ears!!

You never mentioned a web server, email server, etc., but 70 ports is a lot; why do you need all of them? Are the servers patched for all known vulnerabilities? Is this a company? Unfortunately, not being able to see and not being able to mind-read, we only know what you tell us.

This is true...I suppose there are "those out there"...well, I know there are, who would go through the effort and forward, or have forwarded, ports for no reason. I assumed, being on a technical forum, you guys would know...if I had all this going on...there had to be a reason for each port forward. Bad of me to assume you guys would auto-know; I do have a reason for each port forward. I have 2 web servers, 3 mail servers, and 2 NAS on my network. This is not commercial and not for any type of business, "I" am the only "user"....The answer to your next question (Why do you have all this.....?)..Hey? It's what we do, is it not? I have it all "just because"..and because I can. It is critical to me, because I try to be as paperless as I can, I have notes from work, notes from personal projects, etc., security cameras recording back to 1996.

As far as viruses, I don't think I've been lucky...I don't download "crap" and do not go to porn sites. "Jokes forwarded" etc. and porn sites have been the two common threads of all my friends who get viruses. As far as being randomly hacked due to open ports? Yeah, that is luck or.....something? I've had this system a LONG time and this is the first. I started the network with two PCs and IIS back in 1999.

It's a very high-risk setup. Any unpatched server is liable to be infected very quickly, and mail servers are great for spamming and web servers great for malware. Normally all these servers would be on different subnets and IP ranges, so if an attacker gets in he can't take over the whole network; it's isolated to one server. Running security checks against all servers often is needed as new vulnerabilities are discovered.

Maybe high risk...but how do you explain two decades, and this is the first issue? That's "luck"? Really.....if it is, I need to be buying lotto tickets. I do get a lot of spam emails......I auto-delete. The web server doesn't get that much outside traffic...I'd say 20% of my outside traffic would be when I post links with screenshots here. Frankly this issue is my own fault for getting lazy...a simple screen lock on that one PC and the guy who remoted in would have been dead in the water. I do see in my IIS logs where some are obviously trying something....but get nowhere. I'm quadruple backed up on important data, and for a hacker to get anything remotely important he'd have to sift through a lot of boring, meaningless things to him, a lot of silly photos...and I do have a couple of tricks up my sleeve I won't divulge publicly to throw them off track, should anyone get deep enough. It's quite possible I have been hacked..the hacker got tired of not finding anything of interest and didn't have any malicious intent.

The risk isn't hackers after data; they would be after using mail as a spam bot and web servers for other nasty stuff. I worked for Barclays Bank and ICI, and putting a new server on, within minutes there were thousands of people running kiddie scripts against it checking for openings.

I don't know what to say; my IIS logs reflect that that simply hasn't happened to me. Mathematically...statistically speaking...either I'm about to get rained on like Noah...or the past levels of intrusion (or lack thereof) will remain the same. Guess what my money is on?

What's saving you is bandwidth. If you want to hack a server for an open relay you need one that can pump out millions of spam messages very fast, so yours may be no good for that.

