PLEASE Help! Someone just took control of my PC! I'm freaked out!

jamezjunk

Well-Known Member
Joined
Mar 17, 2009
Messages
320
Hello, I just got a massive fright! I was just about to skype someone on our family HTPC and suddenly the cursor started moving. I moved the mouse and it moved again to chrome and opened a web page, I moved it again and it was forcefully moved back to opening a dropto webpage where it began to download an exe file that is 1mb. I fought with the cursor for a few seconds and they kept moving it back, at this point I ran and shut off the computer and disconnected my Router.

I am an above-average knowledgeable techy. We have about 4 computers in the house, one HTPC with windows 10 that was hacked, 2 macbooks, a macpro, a few phones and ipads, kindle fires, etc and a synology nas as well as a number of IP security cameras.

I had previously been a bit lax as I wanted to access blue iris remotely so I had forwarded ports to my security cameras. Also, to control the HTPC I had tight vnc installed and unified remote so I could remotely control the pc from anywhere in the house.

Before turning the internet back on, I changed my router password, removed all port forwarding in the router, through my cell connection changed my email and online password manager passwords and set up 2 factor authentication for both. I also removed my dynamic dns settings in my router in case they found me through that and twice reset to switch IPs. I also confirmed that my email had not been accessed by anyone outside my home.

I am currently wiping and reinstalling the HTPC completely from scratch and am running antivirus on each of my macs at the moment. I have disabled screen sharing on all my macs and will remove remote desktop management in my new windows install. I will also bypass the convenience of vnc and not be using it again and will forego remote access to my security cameras.

I have the 1mb exe file he downloaded and before I wiped the machine I scanned it with three different antivirus softwares and none of them picked anything up on it.

Obviously this leaves me a bit freaked out and would really appreciate any other advice on how to lock down my home computers and make sure this never happens again. Half an hour later my xbox one turned on by itself, first time that has ever happened, so I unplugged it from the wall. I know I can wake it through a windows xbox app connection, but nothing was messed with. Has me pretty on edge as they could have had access to everything on my computers and I don't know if this is the first time they have accessed it.

Any security guys out here have any recommendations?

Thanks!
 

itareanlnotani

Executive Member
Joined
Sep 14, 2008
Messages
6,767
They logged in via VNC most likely if cursor was moving.

Was VNC accessible remotely? over the internet - i.e port forwarded on the router?
or is the htpc in the dmz?

Other possibilities -they got in through the ipcams. They're notoriously leaky, never put those on the internet...

Yet another possibility is the router. Quite a few routers have iffy firmware that's hackable, some even remotely.
I would first have checked logs to see how they likely got in, before nuking from orbit.
 

Corelli

Expert Member
Joined
Jun 20, 2008
Messages
3,661
It's so easy to get into any of your systems, it's a real joke. However, are you hiding anything specific that they may come after? That is the real question. I would put a more complete internet security or total protection app on and then disable remote desktop, etc.

Getting in via the mac is easier than via the pc though by the way
 

RoganDawes

Expert Member
Joined
Apr 18, 2007
Messages
1,259
Please post the binary, I'm sure some would be interested in taking a look at it.

Obviously, consider the services that were exposed to the internet - firstly, check your router by portscanning it from the internet. That should show all the available services that are exposed to attack, whether on the router itself (admin interfaces), or port forwarded through to internal devices (Blue Iris, etc). There may be things there that you were not expecting.

Then, consider the passwords that you used to protect the various exposed services. Are they guessable?

Also, do searches for each app or service exposed, to check for known vulnerabilities. Keep in mind that things like the Synology NAS may also have been the entry point, there are known vulns in that product. Also, as mentioned, the IP cameras, etc often also have common passwords.
 

jamezjunk

Well-Known Member
Joined
Mar 17, 2009
Messages
320
> They logged in via VNC most likely if cursor was moving.
>
> Was VNC accessible remotely? over the internet - i.e port forwarded on the router?
> or is the htpc in the dmz?
>
> Other possibilities -they got in through the ipcams. They're notoriously leaky, never put those on the internet...
>
> Yet another possibility is router. Quite a few routers have iffy firmware thats hackable, some even remotely.
> I would first have checked logs to see how they likely got in, before nuking from orbit.

Thanks for the input, the vnc was not forwarded, which is confusing to me. The IPcams were, though each of them has quite a complex password. It is a newer dlink vdsl router. I tried to check logs before I nuked it, but couldn't find anything at my novice level. I am thinking my Synology NAS could have provided access, as I am using an old Hp proliant xpenology for the server that can't update past 5.2, when the current version is 6. Seems there are a number of exploits out there for that.

Any suggestions on a secure way to view my cameras remotely without compromising my safety?


> Change your passwords on your cameras. 90% of people leave the passwords as default...

Thanks, all of them have quite complex passwords that are different from one another.

> Please post the binary, I'm sure some would be interested in taking a look at it.
>
> Obviously, consider the services that were exposed to the internet - firstly, check your router by portscanning it from the internet. That should show all the available services that are exposed to attack, whether on the router itself (admin interfaces), or port forwarded through to internal devices (Blue Iris, etc). There may be things there that you were not expecting.
>
> Then, consider the passwords that you used to protect the various exposed services. Are they guessable?
>
> Also, do searches for each app or service exposed, to check for known vulnerabilities. Keep in mind that things like the Synology NAS may also have been the entry point, there are known vulns in that product. Also, as mentioned, the IP cameras, etc often also have common passwords.

Thanks, how would I post the binary? I have the exe file on an sd card, I'm nervous about connecting it to anything as I have no idea what it is or what it does. Though I would love for a security guy to look at it and tell me what it is capable of.

By portscanning, do you mean something like "shieldsup"? I used that one and came out clean.
As for passwords, they would not be guessable, all are quite random with numbers, letters, and symbols.

I know very little about network security, are there any good firewall solutions that would protect my network? Like setting up openvpn or something so I could still be able to access the cameras without creating a security risk, and that could secure my synology even if it is an older model with potential known vulnerabilities? Thank you for your help.
 

RoganDawes

Expert Member
Joined
Apr 18, 2007
Messages
1,259
The binary will be inert unless you actively try to execute it.

If you have the URL that the original person tried to download it from, that is one way - just share the URL, assuming it is still valid.

Otherwise, pop the file up on dropbox or similar, basically any file sharing site will do.

Even better would be to upload the file to virustotal.com, and then share the checksums that virustotal gives you. That would have the effect of running the file through all of the virus checkers that VirusTotal supports (in the order of 40 or more, I believe).

Rogan
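Rogan's suggestion above rests on the fact that a file on disk does nothing until something runs it, so the safe first step is to read it, hash it, and share the checksums (VirusTotal also lets you look up an existing report by hash without uploading anything). The following script is an added example, not code from this thread or from VirusTotal: it computes MD5/SHA-1/SHA-256 of a file and parses only the DOS and COFF headers of a Windows executable to report what the file claims to be, without executing it. The `build_sample_pe()` bytes are a constructed, header-only stand-in for the real 1mb exe, which is not on the page.

```python
"""Offline triage of a suspicious file: checksums plus a read-only look at
the PE header, so the hashes can be shared or looked up without anyone
having to execute the file.  Added example, not the thread's own code."""
import hashlib
import struct
import sys

# COFF "Machine" values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}


def file_checksums(data: bytes) -> dict:
    """Return the MD5, SHA-1 and SHA-256 hex digests of the file contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_triage(data: bytes) -> dict:
    """Parse just enough of a PE header to say what the file claims to be.

    Only reads bytes; nothing is mapped or executed.  Returns is_pe=False
    for anything that is not a structurally valid PE start.
    """
    result = {"size": len(data), "is_pe": False}
    # DOS header is 64 bytes, starts with "MZ", and e_lfanew at 0x3C points at "PE\0\0".
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    # Signature (4 bytes) plus COFF header (20 bytes) must lie inside the file;
    # a malformed e_lfanew is itself worth noting, but here we just stop.
    if pe_offset + 24 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\x00\x00":
        return result
    (machine, sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, pe_offset + 4)
    result.update({
        "is_pe": True,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "number_of_sections": sections,
        "timestamp": timestamp,                        # build time claimed by the linker
        "is_dll": bool(characteristics & 0x2000),      # IMAGE_FILE_DLL
        "optional_header_size": opt_size,
    })
    return result


def triage(data: bytes) -> dict:
    """Combined report: checksums to share, plus the header facts."""
    report = file_checksums(data)
    report.update(pe_triage(data))
    return report


def build_sample_pe() -> bytes:
    """Constructed sample: the first 104 bytes of a PE-shaped file.

    Hypothetical stand-in for the real download; it has headers only and
    cannot run.  Machine 0x14C = x86, 3 sections, EXE (not DLL).
    """
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0x5BE63A2C, 0, 0, 0xE0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff + b"\x00" * 16


if __name__ == "__main__":
    # Usage: python triage.py <file>   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(data).items():
        print(f"{key:22} {value}")
```

Run it against the file on the SD card from a machine you do not mind rebuilding anyway; it opens the file read-only and never passes it to the OS loader. The SHA-256 is the value to post or to search on VirusTotal, and the header fields (machine type, DLL flag, section count, claimed build time) are a quick sanity check that the "1mb exe" really is a Windows executable before anyone spends time on it.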
 

DMNknight

Expert Member
Joined
Oct 17, 2003
Messages
3,385
Get a decent firewall. You would be surprised at what defaults are left in place after you install those router/modem jobbies.

If you want access to your home network, set up a VPN Server and secure it with a certificate. That way, only people with the certificate can actually try to access and authenticate to your network.
 

OCP

Executive Member
Joined
Jan 23, 2014
Messages
5,306
I'm willing to bet money it is a ransomware deployment you stopped
 

jamezjunk

Well-Known Member
Joined
Mar 17, 2009
Messages
320
> The binary will be inert unless you actively try to execute it.
>
> If you have the URL that the original person tried to download it from, that is one way - just share the URL, assuming it is still valid.
>
> Otherwise, pop the file up on dropbox or similar, basically any file sharing site will do.
>
> Even better would be to upload the file to virustotal.com, and then share the checksums that virustotal gives you. That would have the effect of running the file through all of the virus checkers that VirusTotal supports (in the order of 40 or more, I believe).
>
> Rogan

Sorry, I have been on vacation and haven't checked the site. Thank you for all of your help. I really appreciate it!

Thanks! I did that. I had never heard of that site. I used three antivirus programs but none of them recognized it. On this site, 16 of the 60 saw it for what it is and gave all the info regarding it. I don't really understand all of the info, but from looking at the details it seems it does a whole lot of nasty stuff. Is anyone able to make sense of this report?

https://www.virustotal.com/en/file/...fe71d16e039a1228f2a549f097626f885cc/analysis/




> Get a decent firewall. You would be surprised at what defaults are left in place after you install those router/modem jobbies.
>
> If you want access to your home network, set up a VPN Server and secure it with a certificate. That way, only people with the certificate can actually try to access and authenticate to your network.

Any recommendations of which is a better option? A firewall or a vpn or both? Also any specific one you would recommend?

Also with a VPN, is that something I would just set up on my synology and tunnel into with openvpn or something? Thanks!


> How sure are you that nobody else was in the house or connected to your router locally when this happened?

I'm quite confident, no one that lives here would have any clue and neighbors are definitely not the hacking type.


> I'm willing to bet money it is a ransomware deployment you stopped
Thanks, looking at the virustotal.com info above it seems that it sets up a lot of popups and takes control of the screen so that could be it, but it looks like it does a ton of other stuff too. Thanks.
 