Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Client hacked: some kind of silent remote


  • Please log in to reply
No replies to this topic

#1 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:19 PM

Posted 04 September 2014 - 01:36 PM

It is not often that I get stumped but this one has me confused (maybe the user is not telling me everything).

 

The client came to me and told me the computer was operating on it's own as in the mouse was moving, folders were opening etc.

 

I was able to verify this when the machine was connected to the network. There was definitely someone in control browsing through the folders at random, they seemed most interested in the network shares. I removed the computer from the network and started scans and searching for possible infections etc.

 

I found absolutely nothing installed, no run/runonce problems in HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE. No startup items that are not recognized, no services, no sheduled tasks, no nothing.

 

Anyway after running tdss, and rkill, and every other tool I could throw at it I came up empty handed as to how or why. The user claims they never clicked agree to anything anywhere or installed anything which seems to be true after manually digging through everything. Funny thing is this user says they had this same problem for the company they worked for before.

 

What they did do was copy some files from an external drive, none of the files were exe's or runables from what I could see. All were documents or pictures.

 

I uninstalled the wireless driver and reset all inet ipv4, tcp/ip settings. This remote has not happened again (yet).

 

So I am confused as to how they were able to remote into the computer silently without any input from the user (clicking agree or installing something). This is the first time I have ever seen a silent remote. I have seen many people agree to allow online technicians connect using team viewer or logmein123 etc, in those cases it was user error and the install file for the remote client was generally left in temp or running on the desktop.

 

Any ideas are welcome. The computer is back in production but I am still not 100% sure it is safe so I have removed all folder shares/permissions for now and told them to use it for the day and let me know if anything strange happens again.


Edited by zingo156, 05 March 2015 - 03:48 PM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

BC AdBot (Login to Remove)

 


m



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users