Someone controlling PC without permission

Thread starter: Pug
My brother has rung up just now, and told me his PC was left alone for a while, and he came back and saw the mouse moving slowly, but with a purpose, and it was rooting round in their NOD & ZoneAlarm configs...

He asked me what to do, and I said unplug the modem, and on another PC (someone else's) reset/change all online banking passwords.

Ultimately I'll wipe their system, but is there anything that can be done to scan, remove or investigate further?

They do install stuff on occasion, and I've told them about it. They don't have wireless; Virgin cable plugged into their modem.

Tips, advice?
 
The least I would do is a clean format and a fresh install, and make sure I have a secure firewall running, if that happened to me.

*sounds kinda freaky though*
 
saw the mouse moving slowly, but with a purpose

I like the way you phrased that. :D


Does he currently have a firewall? Which OS is it? If all he does is surf, he should try Linux. ( Don't crucify me :p )

1. If he has other computers in a LAN, then assume the intruder has compromised those as well. Unplug them from hub/switch/main PC while reinstalling on main PC.

2. I would unplug from the internet; reinstall the OS + AV + firewall; mostly use a User account, separate to Administrator.

3. Check the cable modem settings to make sure that they have not been tampered with (DNS, etc.); turn off UPnP on the cable modem; change the login username and password.

4. Ideally, repeat steps 2 & 3 for other LAN PCs.

5. Configure outbound filtering on the firewall. Yes, it's a pain initially, but you can then detect such compromises much more easily.
 
It's probably a VNC variant on there; a router would prevent that from being able to connect in the first place (unless ports are forwarded).

Getting a router in place and formatting is the best way to go about it.
 
Get a router, done.

Not using a router is mental.

Agreed. Because of NAT being integrated into routers now it is almost impossible to route ports (such as VNC/RDP) to a machine due to the IP being on a different range to the router's IP address.

Router firewalls aren't bad either.
 
Cheers fellas

It's XP, using NOD32 and ZoneAlarm - probably not been updated since I installed it.

Think we've found the issue/point of entry - I installed VNC on it for them years ago with a password, and I suspect that's been compromised.

Removed VNC now, and gonna try using Spybot/Ad-Aware/other stuff/new firewall to make it cleaner until I can get up there and reinstall...

Suggestions on cleaning proggies?

It is connected directly to the modem, so a router wouldn't be a bad idea - and something they want to do now they have a PS3 (wireless).
 
Hi Pug,

Can you check what version of VNC was installed on this machine? VNC Free/Enterprise Edition E4.1.1 had a serious exploit in it (this release was only available for a couple of days before a patch was issued, but it's possible you got unlucky) that would allow someone with the right know-how / modified VNC Viewer to connect without a password.
 
I had a similar experience - sort of.

Went to sign in on Facebook and in the login part was my wife's brother's e-mail address!!! Why would that be there? He has used my PC in the past but that was about 1 month ago and I use CCleaner to get rid of any temp stuff?

Any ideas?
 
VNC also stores its passwords in the registry with really weak encryption. If the attacker's IP isn't listed in VNC's own log file, try looking in the Windows application event log.

If using VNC Free Edition yes, if they were using VNC EE he may have been using NT Logon Authentication, in which case the password is only used in the temporary session, not stored.

VNC (depending again on the version), if FE/EE, should log to the Application Event Log by default; it'll only log to a file if the Log parameter is explicitly created/set to do so.
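As an added example (not code from the thread), here is a small triage script for the log-checking step above: it pulls the remote address out of VNC server "Connections: accepted" lines, whether they were exported from the Application Event Log or taken from the VNC log file, and reports any accepted session from outside the trusted LAN ranges. The message format, the sample lines and the trusted ranges are all assumptions; adjust the regex if your VNC build words its log entries differently.

```python
"""Triage helper: find accepted VNC sessions from outside the LAN.

Added example, not the thread's or RealVNC's own code. It assumes a
WinVNC-style "Connections: accepted: <ip>::<port>" message text.
"""
import ipaddress
import re
from collections import Counter

# Assumed message format; tweak if your VNC build logs differently.
CONN_RE = re.compile(
    r"Connections:\s+(?P<action>accepted|closed|rejected):\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})::(?P<port>\d+)"
)

# Constructed sample lines, not real log data: one legitimate LAN
# session, one from a public address, one rejected attempt.
SAMPLE_LOG = """\
2008-03-02 19:02:11 winvnc4 Connections: accepted: 192.168.0.3::1199
2008-03-02 19:02:40 winvnc4 Connections: closed: 192.168.0.3::1199 (Clean disconnection)
2008-03-02 22:47:05 winvnc4 Connections: accepted: 203.0.113.57::4463
2008-03-02 22:59:51 winvnc4 Connections: closed: 203.0.113.57::4463 (Clean disconnection)
2008-03-03 01:13:08 winvnc4 Connections: rejected: 198.51.100.9::50012
"""

def parse_connections(text):
    """Yield (action, ip, port) for every VNC connection line found."""
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            yield m["action"], m["ip"], int(m["port"])

def external_sources(text, trusted_nets=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
    """Count accepted sessions per source address not on a trusted LAN range.

    With the PC plugged straight into the cable modem, as in the thread,
    any accepted session from a public address needs explaining.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = Counter()
    for action, ip, _port in parse_connections(text):
        if action != "accepted":
            continue
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            hits[ip] += 1
    return hits

if __name__ == "__main__":
    for ip, n in external_sources(SAMPLE_LOG).items():
        print(f"accepted session(s) from outside the LAN: {ip} x{n}")
```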
 
This doesn't sound related at all; most likely to do with an old cache from when your wife's brother used Facebook on your machine. IIRC the saved username is stored as a cookie?
 
Not as cookies in Firefox... they are stored separately, so even if he had deleted cookies the password would still be there... there is the option to delete saved passwords though, which requires an extra tick in Firefox.
Also, he would need to tick the auto-complete form on Crap Cleaner to get rid of saved passwords and usernames.
 
Thanks guys

For now I have updated them to SP3, removed their AV, put a new, updated one on, updated ZA, removed any exceptions that shouldn't be there and blocked all incoming UDP/TCP ports and a suggested (loads) range of outgoing UDP/TCP ports.

VNC has been nuked (can't recall version, about 3 years old install), and Ad-Aware & Spybot scans have been run, and issues deleted.

For now I can't do much, and that should hold them off until I can wipe it and reinstall.
 