How HACKED am I


15 replies to this topic

#1 appletown

  • Members
  • 5 posts

Posted 21 October 2013 - 03:39 PM

Dear Bleeping Computer folks. You helped me a while back with ComboFix and solving problems on my computers which were generated by a renter on my network. Many thanks for that. I would like some assistance on a new topic. Thanks in advance.

 

I have done research on the internet and been on Bleeping Computer to see if I could find an answer to this problem. I have been online trying to find an answer to this problem. It is hard for me to find an answer to this. If you can help me that would be great.

 

 

My question is related to a renter.

 

He has a Linux operating system on his computer as well as Windows. I understand that Linux is a very efficient way of hacking and that there are programs such as John the Ripper which make it easy for Linux users to compromise computers and networks.

 

Last Sunday he downloaded some form of malware that made it impossible for him to connect to a Java download site. It disabled his net phone from connecting also. It also made my laptop and a desktop inoperable in downloading from this site.

 

He came out several hours later and said that he removed the virus from his computer and that he could now download Java. Something did not feel right to me.

 

I went onto both my desktop and my laptop. Without running antivirus or Malwarebytes on my laptop or desktop, I could immediately connect to the Java download site.

 

I have two sons that have shared the network with me for ten years. At times we have all had malware and PUPs on our computers. We have never transferred them from one computer to another computer. Ever.

 

My concern is that the renter has used Linux to compromise my computers and the network. That he has somehow assigned himself administrative privileges over the network and its computers with his knowledge of Linux.

 

How is it possible that he deletes malware from his computer and that I can then get to a web site and download from it when I was blocked from it prior to his removing it from his computer? After he removes the malware from his computer, I can get to the website from which I was previously blocked. As noted, I did not run Malwarebytes, which I have, or Avast virus scans before I connected to that site from which his virus was blocking me.

 

How likely is it that he has used Linux to compromise my computers? I had this problem several years ago when I rented to a person who considered himself a hacker, and he was. I found some of my data on his computer when he was showing me some stuff on his computer.

 

If there is any light you can shed on this, I would greatly appreciate your help.

 

Sincerely,

 

A TOWN




#2 Netghost56

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas

Posted 21 October 2013 - 04:54 PM

What he got (if he's being truthful) sounds like a ZeroAccess rootkit. I'm not familiar with one that denies access to the Java page; however, there has been a fake Java Update virus going around for a long time.

 

That you were affected is troubling... do you know if other users on the network were affected as well? I also wonder if you, being the admin of the network, were affected because you sit at the backbone of the LAN that you provide. I would suggest you invest in some security of some sort: not a free one but a paid, subscription-based AV and antimalware. It would probably protect your other users as well, to a certain degree.

 

I don't think I would be quick to say he superseded your admin. It's possible that whatever he downloaded affected everyone on the network equally, and by removing it from his computer (the source) that it restored everyone on the network.

 

If you haven't already done so I would turn on or double check your Windows Firewall. If you have it on then you might need to invest in a 3rd party firewall, like Kaspersky.

 

There's also Comodo Internet Security. It has a Firewall and Intrusion Protection.



#3 appletown

  • Topic Starter
  • Members
  • 5 posts

Posted 21 October 2013 - 08:08 PM

Many thanks for this reply. I am troubled by the actions of his computer on the network. I have shut down the wireless and unplugged him from the router. The only computers that I am aware of that were infected by his computer were my two computers. What makes this all the more suspicious to me is that other computers on the network have all been hit by viruses and PUPs numerous times. We used Malwarebytes, Avast and Norton to scan the computers. We have never passed malware across the network, from computer to computer, except for the time we had a serious gamer and P2Per here, and he was proud of his hacking skills. That is when I had to get help from you great people at Bleeping.

 

I ran a scan on one of my son's computers, after he did not do so for several months, and found 550, not 55, PUPs and malware. My son had had them for months. NONE of them got into the network and infected the other computers.

 

I thought that viruses went to registry files or memory files on each individual computer. 

 

I have found nowhere on the net that says to remove viruses like he removed the viruses. They always say that you have to remove the infected machine from the network, scan and remove the malware, and then reconnect it to the network.

 

I did get notifications from Comcast that there was a bot on our system. I scanned all four computers that were on the system, with the exception of his, which I do not have access to. ALL these 4 computers were clean.

 

I also got notice from Comcast that there were problems with networks on my side of the connection with a server. I have used Comcast for a year and I never had these problems before. Not until he got his desktop into the house did I start getting notifications of bots and trouble with our house server/router.

 

Is it possible that he is running something such as "John the Ripper" for Linux to get access to the computers and control the network and its computers?

 

I told him to run Malwarebytes on his computer. He downloads massively from torrent sites. 68 gigs in one day, etc. He told me he had NO PUPs or malware. I did not believe this for a second. I went and downloaded one episode of GLEE from a site. Scanned my computer with Malwarebytes and had 131 PUPs and malware. So no, he is not being truthful.

 

Is there any way I can do an analysis of his controlling the network after I have disconnected him from the network? Can I track anything back to his MAC address or something like that?

 

 

Thanks folks, very much

 

A Town


Edited by appletown, 21 October 2013 - 08:19 PM.
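As an added example, not taken from any post in this thread, here is a PowerShell triage script a defender can run on one of the Windows machines in question. It covers the two practical points raised so far: Netghost56's advice to double-check the Windows Firewall, and the question of whether LAN activity can be tied back to a device's MAC address. It assumes Windows 8 / Server 2012 or later, where the built-in NetSecurity, NetTCPIP and SmbShare modules provide Get-NetFirewallProfile, Get-NetNeighbor, Get-NetTCPConnection and Get-SmbShare, and it should be run from an elevated PowerShell prompt. The remediation line is left commented out so the script only reports by default.

```powershell
# Added example (not from the thread). Local triage for a Windows 8 / Server 2012 or later host.
# Assumes the built-in NetSecurity, NetTCPIP and SmbShare modules; run from an elevated prompt.
# Reports: (1) Windows Firewall profile state, (2) the IPv4 neighbour (ARP) cache with MAC
# addresses, (3) established TCP connections with the owning process, (4) local admins, (5) shares.

# 1. Firewall profiles. Enabled should be True on every profile; DefaultInboundAction 'Allow'
#    means unsolicited inbound traffic is accepted ('NotConfigured' is the normal local default
#    and effectively blocks, so it is not flagged).
$profiles = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
$profiles | Format-Table -AutoSize

$weak = $profiles | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' }
if ($weak) {
    Write-Warning ("Firewall off or allowing inbound by default on profile(s): " +
        (($weak | ForEach-Object { $_.Name }) -join ', '))
    # Remediation (uncomment to apply): enable every profile and block unsolicited inbound traffic.
    # Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
}

# 2. Neighbour cache: LAN devices this host has recently exchanged traffic with, and their MAC
#    addresses. A particular device can be matched here by MAC, but the MAC is self-reported by
#    the adapter and can be changed, so treat it as a lead rather than proof.
Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale |
    Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias |
    Sort-Object IPAddress | Format-Table -AutoSize

# 3. Established TCP connections with the owning process, so an unexpected LAN peer can be tied
#    to a program (file sharing, remote desktop, or something that should not be running at all).
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort,
        @{ Name = 'Process'; Expression = {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object RemoteAddress | Format-Table -AutoSize

# 4. Accounts with local administrator rights. An account here that you did not create is the
#    strongest indicator of the "assigned himself administrative privileges" scenario.
net localgroup Administrators

# 5. Folders shared to the LAN: file sharing is the usual way one home PC reaches another.
Get-SmbShare | Select-Object Name, Path, Description | Format-Table -AutoSize
```

Save it as, say, triage.ps1 and run `powershell -ExecutionPolicy Bypass -File .\triage.ps1` from an administrator prompt; run it once with the tenant's device connected and once with it unplugged, and compare the neighbour cache and connection lists.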


#4 Netghost56

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas

Posted 21 October 2013 - 08:31 PM

If he is using that much bandwidth, and you have had these issues during the time that he has been a tenant, why haven't you confronted him about it? Do you not have some provision in your renter's contract that stipulates proper usage guidelines for the Internet? I would have put that in motion after the first time you had this problem.

#5 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 21 October 2013 - 11:26 PM

Hello -

These are just a few basics that have helped many people understand their problems .....

 

Start here: Windows Forensics: Have I been Hacked?
Move on to: Tracing a Hacker. Both by Lawrence Abrams a.k.a. Grinler.
 

Good Luck (kick them out)



#6 appletown

  • Topic Starter
  • Members
  • 5 posts

Posted 22 October 2013 - 04:34 AM

Thanks folks, your replies are helpful.

 

One question that I have, on which I would like some feedback:

 

How did he delete viruses from my two computers unless he had access to them?

 

About confronting him, which I will: I want to determine if he has hacked me. That is a HUGE issue.

 

I know that he is a bandwidth hog. Hacking my computers is an issue at a much higher level of malfeasance.

 

Many Thanks for your replies. 

 

A Town. 

 

I did try Wireshark and a couple of other programs, yet I am not an IT person so much of it is hard for me to decipher.


Edited by appletown, 22 October 2013 - 04:40 AM.


#7 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 51,117 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 October 2013 - 12:34 PM

I have been hacked...What should I do?

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 hackerkiller

  • Members
  • 2 posts

Posted 23 October 2013 - 01:52 PM

Ok, look at the non-technical forensics. It is impossible for any person/machine to P2P massive gig downloads and not have all sorts of malware. Dude, if he says he has no malware after extensive piracy and running even a quick scan with Malwarebytes, the guy is a liar. He ain't stupid 'cause he plays with Linux. So yeah, he is lying about the malware scans. Just to verify this, you can download something from a torrent site, run Malwarebytes and see what trojans, PUPs and other sorts of garbage you will find. There is no way a torrenter, P2Per, or pirate will have a clean report from Malwarebytes. Get on the net and cruise around, not at torrent and piracy sites, run a Malwarebytes scan and you will see that you have PUPs etc.

 

Ok, onto the Java thing. Routers will not get infected; they are dumb. They do only what they are told. His malware went to your computers from his computers. Malware and executables have to get to registries or hide in other locations on a given machine in a network. Ok, that happens all the time. I have programmed and administered systems for 30 years. Cisco certified forever. The only time I can delete programs/malware from a network computer is when I have administrative control over that machine via the network. There is no doubt about it, he had administrative control over your machines, if you can get to that Java site and begin a download when you could not do so before and you ran no virus scans of any sort. People make viruses so they get into registries and other files. The only way they can be deleted is for antivirus programs to delete them. To do that, from a network systems framework, the only way you can do that is with admin control.

 

I will stop here and go back and read the rest of the issues again. H-Killer

 

Ok, I see that you are very up to date with your knowledge of Malwarebytes and understand networking at a reasonable level, and that you downloaded a torrent file already to check it out. Good, you are doing your forensics correctly. I also note that one of your sons had about 500 trojans and PUPs on his computer. You state that none of these ever spread through your network. That is because your son did not have ADMIN control of the other computers.

 

In reference to the BOT notices you got from Comcast: that you checked all computers on the network, with the exception of his, tells you that the BOT was resident on his computer. I bet that you quit getting any notices of any kind about your network and server problems when you took his computer offline.

 

Yes he hacked your two computers if not your entire network.  Change all your passwords EVERYWHERE. 

 

Good Luck. Hit me back if you want. 

 

H-Killer

 

 

 

If you google "hacking" you will see hundreds of hacking tools that can be downloaded for Windows as well as Linux.


Edited by hackerkiller, 23 October 2013 - 02:09 PM.


#9 Netghost56

  • Members
  • 973 posts
  • Gender:Male
  • Location:Texas

Posted 23 October 2013 - 02:29 PM

I have Backtrack 5 Live USB, for one.

 

(image: Install-Backtrack-Live-to-USB-Step-6.jpg)



#10 appletown

  • Topic Starter
  • Members
  • 5 posts

Posted 23 October 2013 - 03:59 PM

Many, many thanks to the responders. You are very helpful.

 

Hacker Killer, thank you. Yes, torrent and piracy sites are so full of trojans and stuff it is ridiculous.

 

To run a bit of a test, my son downloaded a torrent two days ago.  We left all our computers online.

 

After we downloaded it we ran a deep Malwarebytes scan. He had 168 trojans and other junk in his registries. His Norton Security Suite detected 32 HIGH LEVEL threats after this download and after the Malwarebytes scan. None of these got into the network. I thank you very much for the inclusiveness of your response.

 

Many thanks to all of you and Bleeping Computer. Thanks for the analysis of the Java malware and the issues it brought up. All that you said is very logical to me.

 

You are correct, after his computer has been offline, I have gotten no notices from Comcast that there are any "server" problems on our side of the net. 

 

Sincerely,

 

A_Town


Edited by appletown, 23 October 2013 - 04:03 PM.


#11 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 51,117 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 October 2013 - 06:28 PM

You're welcome on behalf of the Bleeping Computer community.

#12 appletown

  • Topic Starter
  • Members
  • 5 posts

Posted 24 October 2013 - 09:59 PM

Just wanted to let you all know that, before we downloaded to my son's computer, we deep scanned it with Malwarebytes and deep scanned it with Norton. That computer downloaded to was CLEAN... Those 168 infections Malwarebytes found, and the 32 high-level-risk trojans found by Norton, were due to ONE download from a piracy site.

 

Those sites are horrendous for passing malware.

 

As before.

 

Thank you very much

 

A Town



#13 noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 25 October 2013 - 04:50 AM

> To run a bit of a test, my son downloaded a torrent two days ago. We left all our computers online.
>
> After we downloaded it we ran a deep Malwarebytes scan. He had 168 trojans and other junk in his registries. His Norton Security Suite detected 32 HIGH LEVEL threats after this download and after the Malwarebytes scan. None of these got into the network. I thank you very much for the inclusiveness of your response.

 

Thank you for posting this, and I can relate this post to others (if needed)...



#14 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 51,117 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 October 2013 - 07:51 AM

> ...Those 168 infections Malwarebytes found, and the 32 high-level-risk trojans found by Norton, were due to ONE download from a piracy site.
>
> Those sites are horrendous for passing malware.

Yes, the practice of downloading and even visiting such sites is a serious security risk which can turn a computer into a virus honeypot or zombie.
 

> ...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

> ...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

> ...One of the most aggressive and intrusive of all bad websites on the Internet are serial, warez, software cracking type sites...they sneak malware onto your system...Where do trojan viruses originate? One of the biggest malware distributors on the Internet are serial/warez/code cracking sites.

Bad Web Sites: Malware

Some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Using these types of programs or the websites visited to get them is almost a guaranteed way to get yourself infected!!

#15 hackerkiller

  • Members
  • 2 posts

Posted 25 October 2013 - 03:38 PM

Yes Bleeping Computer says it all. 

 

For Appletown, you have a couple of issues. It seems you have good reason not to trust the renter. His statement to you that he did not have ANY malware on his computer, checked with Malwarebytes, after extensive P2P and piracy downloading, strains reality testing. He is either dumber than a post with an IQ lower than room temperature, or he is lying. Pick one.

 

Either way, his computers sharing on your router/network is a DISTINCT problem. Your issue will be: how do you determine that he is running secure systems that do not infect the rest of the network and computers?

 

How do you ensure that he does not attempt or achieve admin control again? My instincts tell me he is smart.

 

Interesting thing, most people hacking home networks are not nearly as smart as they perceive themselves to be.  Somehow they always do something to trip themselves up. 

 

As has been indicated above by the BP moderators, who are right on the money and are very knowledgeable, he is an EXTREME WEAKNESS, and a point of entry for any bot, trojan, virus, or worm known to mankind that resides on the internet. He may have been zombified and not able to recognize that reality.

 

If this was my network, he would never get back on it.

 

Gotta dash.

 

I am a big believer in Bleeping Computer.

 

H Killer


Edited by hackerkiller, 25 October 2013 - 03:47 PM.




