
I'm Either Being Hacked Or Raving Mad


6 replies to this topic

#1 Jurrr

Posted 31 July 2008 - 12:54 AM

Summary: I get e-mail of a failed Moneybookers login that arrived while I was surely sleeping. I cannot login to MB. I change MB password. Funds still there. Gmail glitches. E-mail of failed login disappears from Gmail. I cannot login to MB again. Impossible to change password again. Malware detectors show nothing. I'm not sure what to think.

I play online poker and use a Moneybookers online wallet to deposit and withdraw.

Tonight I wake up at 3:30 am (neighbors woke me) and check my e-mail. An hour ago I got a message from Moneybookers saying I have a failed login.

Now, I may have had a failed login earlier during the day but an hour ago I was soundly sleeping.

Something's up. I try to login to Moneybookers and it fails. Now, maybe I have forgotten my password, but I think not. I go through the "change password" deal and get a link to change the password at. I change the password. My money is still there.

Suddenly my Gmail acts up a bit, not refreshing correctly and the earlier e-mail telling of the failed login disappears. Hmmm, I didn't delete it as far as I remember. And it's not in trash. I change my Gmail password wondering if it will do me any good.

I try logging in to Moneybookers. It fails again. I try to change the password again through the "failed login" option. It fails this time as it says it sent me the link and it didn't in the end.

I feel like more of the Moneybookers notifications from Gmail have disappeared, but since I didn't take screenshots and was pretty frantic I don't know how many. Either way the first one has definitely disappeared and it was there; I even had a draft of a reply that hadn't disappeared, and when I sent it, it started a new thread, so the old one's gone.

I get my primary poker account locked. I e-mail MB as they have no phone number for such cases.

I run AVG Free (nothing), Ad-Aware (nothing), MBAB (nothing), SAS (nothing), HijackThis (nothing wrong I can see). I check "netstat -a" and see nothing I can identify as immediately wrong. My router/firewall seems fine but I don't know where OpenWRT keeps logs.

My gf's desktop computer's AVG Free had been reporting some strange Trojan in the strangest places that I felt must be false positives; repeat scans revealed nothing. Nothing reported at any point on my laptop where this was happening. I doubt I've used the MB account from that computer in the last few weeks, but I have certainly used the Gmail account a few days ago.

Now, my Gmail password is a very old one and it is saved in my Firefox password store (which was probably not a good idea). That doesn't give one an easy way to guess at my Moneybookers password (which also wasn't a very complex one but still). So what could be going on?

a) Someone has a keylogger with me and has logged both MB and Gmail (and probably other) passwords. He mistypes the MB one once and forgets to remove the e-mail from Gmail. But he changes the MB password. Then before he can steal the funds, when I change it back he decides to remove selective e-mails from Gmail (parallel sessions with me so glitches appear for me) and change the MB password again.

This makes very little sense but is the best explanation so far.

b) Moneybookers software glitches and sends me a notification late. I get it late and imagine it was a hacked account. In my panic I forget the password. I change it and in my panic delete some e-mails from Gmail. In my panic I forget the MB password again. Gmail glitches for no good reason.

c) I'm a raving lunatic with paranoia and am starting to imagine things due to minor sleep deprivation.


Any ideas will be appreciated.

Edited by Jurrr, 31 July 2008 - 01:09 AM.



#2 boopme

Posted 31 July 2008 - 04:05 PM

Not sure what is going on either. But is this an XP PC?
Let's see what this shows.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 Jurrr

Posted 01 August 2008 - 11:10 AM

Here is the report:

Malwarebytes' Anti-Malware 1.24
Database version: 1015
Windows 5.1.2600 Service Pack 2

7:07:46 PM 8/1/2008
mbam-log-8-1-2008 (19-07-46).txt

Scan type: Quick Scan
Objects scanned: 53474
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



-------

Yes, it is a Windows XP PC with the latest updates and Service Packs.

Also, I called Moneybookers and they confirmed login attempts from another IP address had been made on my account. They said that they are not permitted to tell me whether those logins were successful or not. They also confirmed my MB password had been changed multiple times (I only changed it once myself).

This is most bizarre as there is no evidence of any malware on my system, but evidently both my MB and Gmail passwords were stolen. I don't know what to think.

Edited by Jurrr, 01 August 2008 - 11:11 AM.
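Added example, not from the thread or from Moneybookers: the check Jurrr did by hand above (a login notification at an hour he was asleep, from an address the provider later confirmed was not his), written as detection logic over constructed notification lines. The line format, the addresses, the sleep window and the FAILED/OK/PASSWORD_CHANGED sequence rule are all assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed sample notifications (not real provider data): "timestamp|source_ip|result"
NOTIFICATIONS = """\
2008-07-30 14:12:05|203.0.113.7|FAILED
2008-07-30 14:12:40|203.0.113.7|OK
2008-07-31 02:30:11|198.51.100.23|FAILED
2008-07-31 02:31:02|198.51.100.23|OK
2008-07-31 02:33:50|198.51.100.23|PASSWORD_CHANGED
"""

OWN_IPS = {"203.0.113.7"}                # assumed: addresses the owner really uses
SLEEP_WINDOW = (time(0, 0), time(7, 0))  # assumed: owner is never active in this window

def parse(text):
    """Turn the pipe-separated lines into event dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, result = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "ip": ip, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def suspicious(events, own_ips=OWN_IPS, sleep=SLEEP_WINDOW):
    """Per-event checks: unknown source address, or activity while the owner is asleep."""
    flagged = []
    for e in events:
        reasons = []
        if e["ip"] not in own_ips:
            reasons.append("unknown source IP")
        if sleep[0] <= e["ts"].time() < sleep[1]:
            reasons.append("owner inactive at this hour")
        if reasons:
            flagged.append((e, reasons))
    return flagged

def takeover_sequences(events, max_gap=timedelta(minutes=10)):
    """Sequence check: FAILED, then OK, then PASSWORD_CHANGED from one IP within max_gap."""
    hits = []
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], []).append(e)
    for ip, evs in by_ip.items():
        results = [e["result"] for e in evs]
        for i in range(len(evs) - 2):
            if (results[i:i + 3] == ["FAILED", "OK", "PASSWORD_CHANGED"]
                    and evs[i + 2]["ts"] - evs[i]["ts"] <= max_gap):
                hits.append((ip, evs[i]["ts"], evs[i + 2]["ts"]))
    return hits
```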


#4 boopme

Posted 01 August 2008 - 03:04 PM

Although this is perhaps not a malware issue. What firewall do you use, and is this a wireless connection?
If someone is changing things, perhaps you have a security hole.

#5 Jurrr

Posted 01 August 2008 - 07:04 PM

Although this is perhaps not a malware issue. What firewall do you use, and is this a wireless connection?
If someone is changing things, perhaps you have a security hole.


I use the Windows Firewall, BUT there is also a Linksys WRT54G wireless router w/ firewall in front of my home LAN running OpenWRT. I'm afraid it does allow all outgoing connections, but filters most incoming ones.

There is a WIFI and it has WPA (I vaguely recall problems configuring WPA).

How would I go about investigating this?

#6 Jurrr

Posted 01 August 2008 - 07:34 PM

My best guess at what would have happened:

Some site I register with a secondary e-mail address (e.g., random forums) is rogue and notes my password for the secondary e-mail address. They see it is forwarded to my primary e-mail and note that it is the same password there (it was, not any more obv). They log in and find notifications that I have money on Moneybookers. They figure they could maybe hack that. Using Google and known information in my Gmail account they find out what my date of birth and zip code (2 things MB asks for to reset the password) are. They change my MB password, delete that e-mail from MB and are taking their time in stealing the money as they have all night. They make the mistake of making an invalid login attempt and not removing that alert e-mail immediately. I thwart their plans by waking up at a very unusual time, noticing that alert e-mail and managing to get the MB account locked and the Gmail password changed.


Alternative theories:

* Keylogger that I've either not found or that they removed when I got too close.
* Hacked network at some point (my local apartment block level or my WIFI level) that somehow does it without triggering fake certificate alarms.

Does this make sense?

#7 boopme

Posted 02 August 2008 - 09:58 AM

Hi, they have some great info and instructions here at Linksys:

How to Secure Your Network

Check out the Learning Center tab at top of the page..