Was hacked via Team Viewer, gutted, need help

Combat squirrel · 30 Apr 2016 at 07:21

Hi all, so completely randomly my windows 2012 server got hacked that was running team viewer :mad:

- i have no idea how they found it, and why someone took the time to hack it.

WEIRDLY THOUGH, it seemed to be a sloppy hacker, i logged into my server (locally) to find it with a web browser open with its history as paypal and found some software on the desk top that seemed to be something that extracts passwords from web browser history and/or 'saved passwords' section of the browser - they had opened opera but i never used it really

My server ran pure VPN and was used to send files to crashplan.

Further to my shock I remembered around 20 days ago i got an email from paypal saying i had chosen to stay logged into a device called 'windows 8 safari'.......which i didnt, so i reported that to paypal and changed my password.

Discovering this yesterday really shook me up to be honest - I have also changed my teamviewer password etc

So im left confused and upset as to HOW, WHY, and WHAT?! :mad:

I dont run any dodgy software, iv never done anything regarding personal info on my server - and the fact they used team viewer makes me think its a team viewer problem ? Any info guys?

FYI I have shut the server down and will be formatting now - im not sure weather to use windows again or not really, and defo not with team viewer

Mei · 30 Apr 2016 at 07:50

could have just been a port scan thing?
i wouldnt count out some1 got in thru the router
i read some scary easy ways to break into some routers, id look there too!

tribz · 30 Apr 2016 at 08:12

Was teamviewer on already or was it put on by the intruder?

joey1211 · 30 Apr 2016 at 08:18

Easily cracked password or one that use use across multiple sites/applications?

Combat squirrel · 30 Apr 2016 at 08:20

team viewer was already running as I used it to get to my server off site - I guess thats how

just shocked, I mean, where would they even be able to guess the password? Off team viewers database?!

Destination · 30 Apr 2016 at 08:26

Had you set a long coded password, or just set the standard four digit one?

They set a timeout for login with incorrect guesses, so it shouldn't actually be easy to guess.

Cromulent · 30 Apr 2016 at 08:54

Any machine that is connected to the internet is constantly scanned to see if it has any vulnerabilities. Being hacked isn't something weird or odd. If I put a clean linux virtual machine up on the internet and didn't secure it it would be hacked within an hour.

Every time I hear about Team Viewer it just makes me think what a bad idea it is. What is wrong with the Microsoft Remote Desktop application? Does its job just fine and is probably a better solution than Team Viewer.

I have Linux boxes up where people try and log in as root every second of the day and night so most people disable password based logins entirely and use SSH keys instead since they offer much better security.

Rroff · 30 Apr 2016 at 11:10

Cromulent said:
I have Linux boxes up where people try and log in as root every second of the day and night so most people disable password based logins entirely and use SSH keys instead since they offer much better security.

The sshd logs on my old dedicated servers were crazy especially for root which wasn't even enabled for logging in via ssh. The interesting thing was the small number of attempts to brute force specific ids which meant someone actually took the time to research me as generic attacks wouldn't have tried them at random.

Combat squirrel · 30 Apr 2016 at 16:11

Yeh it's just odd because of the billions of pcs on earth, they had to manually use my server to do what they did, I want to switch to Linux and a high security one but I know nothing about it, I used windows as I know the software

KIA · 30 Apr 2016 at 17:33

Combat squirrel said:
My server ran pure VPN and was used to send files to crashplan.

Why was PureVPN on the server?
Are you using the server to browse the web?
Are you patching the server every patch Tuesday?
Has your router been configured to allow direct connections to the server?

Combat squirrel said:
Further to my shock I remembered around 20 days ago i got an email from paypal saying i had chosen to stay logged into a device called 'windows 8 safari'.......which i didnt, so i reported that to paypal and changed my password.

So you might have been compromised way before someone took control of the server using TeamViewer, if the email was legit.

Combat squirrel said:
So im left confused and upset as to HOW, WHY, and WHAT?!

I dont run any dodgy software, iv never done anything regarding personal info on my server - and the fact they used team viewer makes me think its a team viewer problem ? Any info guys?

A few possibilities:

a) You gave a contact access. TV contact spam has been doing the rounds.
b) Weak password
c) Password reuse
d) The server was already compromised. The attacker hoped to use TV to access your financial accounts.

Does your TV account have two-factor authentication enabled?

Combat squirrel · 30 Apr 2016 at 23:08

Fair does

well, linux now, any guides? I Need a security camera application for my cctv and the ability to use crash plan AND other cloud back up software, I know nothing about linux, halp

BluD · 30 Apr 2016 at 23:14

Ive been getting laods of emails recently from people wanting to join my teamviewer, thought it was a bit odd.

something daft already!! · 30 Apr 2016 at 23:17

I ditched Team Viewer a few months ago when I too was hacked. I had no simple passwords and I don't use the same passwords over different sites and I have never been compromised before or since.
They accessed my PC using Team Viewer and logged onto Paypal and transferred money. I was lucky as I caught them in the act as I was working late that day and got up to see my PC being controlled. They had some scanning software running too. I stopped them right away and disconnected team viewer. I changed all my passwords after this.

When I contacted Team Viewer, I was brushed off and never replied to again. I won't use that software again. Fortunately Paypal refunded me fully but it certainly shook me up a bit.

I nuked the install immediately and recommend you do the same as well as change all your passwords and stop using TV.

Edit: Here is their reply. Bare in mind the log file was plain text and perfectly readable.

We are sorry to hear, that your PC was accessed without your approval and we will gladly assist you.

The log you sent us is corrupted.

We had a few cases where users used the same email address and password, which they used in TeamViewer, also in other websites / software / accounts.
So to be on the safe side, please change your password, if you did not do it yet.

To enhance security, we recommend using our whitelist feature and also our two factor authentication to manage access to your account.

Whitelist:
https://www.teamviewer.com/en/help/...ess-for-TeamViewer-connections-to-my-computer

Two factor authentication
https://www.teamviewer.com/en/help/398-What-is-two-factor-authentication-for-your-TeamViewer-account

We only save the IP address of a TeamViewer ID, of its last contact with our master server.

opethdisciple · 1 May 2016 at 00:08

What was the security like on this box?

Did you have a firewall running and antivirus?

Also what services where running on this box?

Combat squirrel · 1 May 2016 at 09:16

Thanks howie.... My plan is to start the server but offline, then run the software to scan what passwords are indeed on the system or not, as I said I'm fairly sure I never logged into any accounts on my server, once iv done that I'm nuking the install.

Security was standard av, Windows firewall, spybot anti beacon etc.... However as they used TV I think it by passes it all anyway.

darael · 1 May 2016 at 10:17

I'd at least consider beefing up your antivirus to something like ESET.

Combat squirrel · 1 May 2016 at 15:48

darael said:
I'd at least consider beefing up your antivirus to something like ESET.

True, but it being TV it didnt matter what i ran, what i really need is to get software that only lets me use the pc (like it wont run any software without a password or something)

KIA · 1 May 2016 at 17:43

Combat squirrel said:
Fair does well, linux now, any guides? I Need a security camera application for my cctv and the ability to use crash plan AND other cloud back up software, I know nothing about linux, halp

Linux isn't more secure than Windows. You are less likely to make a mistake using Windows because you have more experience with the operating system.

howiepoohs said:
logged onto Paypal and transferred money. I was lucky as I caught them in the act as I was working late that day and got up to see my PC being controlled.

Never let your browser remember financial website passwords. Do use PayPal 2FA.

Combat squirrel · 1 May 2016 at 22:38

Well im finally back home (nightmare happened when i had to work away for the weekend), and removed the network plug off the affected system and ran the software they used which was 'web browser pass view' and it turns out it was my password i use for 'useless stuff' ........ i.e. nothing serious just for the 'sake of putting a word in a password box' password............and it was one browser only, the others didnt have saved passwords thankfully (not that i used this box for anything)

Luckily all my 'serious' stuff doesnt contain this password so I got away with it so to speak, however its taught me a MASSIVE LESSON here.........im still nuking the install now i know what he saw.

Why is windows as secure KIA ? I guess it was done via TV so yeah that makes sense, is there any locked down versions of windows available ?, any guides to make the most secure always on server?

What is the best way to remote access my server when i need to ?

I have also deleted my TV account.

m4cc45 · 2 May 2016 at 10:34

Why would you go to PayPal on a server? That's what is making my mind boggle. For gods sake at least don't save the passwords in the browser. Use something like KeePass and make them 20 characters long with special characters. Every account you make on a website should have a different password - that means if it gets compromised then you don't have to change all of your passwords.

If you're going to want remote access to a server then make sure you keep up to date on the latest patches, applications, etc. as they're all entry points. Have a VPN but make sure it's a complex password. Same with the Windows password - it should be different to the VPN password.

TV is a useful thing for one of support - not as an always on access. You could have used your TV username and password elsewhere (i.e. a login to a forum) and then someone who has exploited that database can find the passwords. It's then not much effort to try those passwords on common sites such as PayPal, TV, LogMeIn, etc. and then they have complete access to your system - it makes a VPN pointless as you're completely bypassing the VPN with TV.

The best way would be a secure VPN and then you could use RDP with a secure password once connected to the VPN. I'd probably suggest not letting the server have internet access as such (Windows and Application patching sure). Get into the habit of using a non-administrative account if you've no need - this adds another layer on top. I can't stress enough on how much you need to keep all software up to date. Including the VPN software and other tools you are using.

Saying it's Windows fault is just pushing the blame. You have to take responsibility for what you install and manage it. Moving to Linux, for you, would probably be less secure as you won't have the experience of locking it down as well. Windows Baseline Security Analyser would help you as it will tell you what patches, mis-configurations, etc. you have:

https://www.microsoft.com/en-gb/download/details.aspx?id=7558

M.