Curious/in need of assistance.


7 replies to this topic

#1 Lehr

Lehr

  • Members
  • 124 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:14 AM

Posted 13 May 2016 - 03:16 PM

I'm posting this after an odd incident I personally witnessed last night which was fairly strange/interesting, but for the most part worrying.

Around eight last night, I was playing an old Source game with a few friends and I was in their TeamSpeak 3 server chatting with them, and the owner of the game server we were all on. About five minutes into the gaming session, the server's console (i.e. RCON, or someone talking through a control panel) started spamming the owner's real-life details.

His real name, address, passwords to his RCON/Steam account/email(s), along with his PayPal information (which he was locked out of for a period of time).

He did eventually enter our TeamSpeak, and spoke with us/played music. Afterwards, the strange fellow admitted that he had all of our IPs, and the guy was able to find my email and two old websites I used to visit, along with another fellow's, in a short span of time after he defaced our website. He also mentioned a brute-force program as well, which was concerning. While he did admit none of us were worth anything to him, I'm still concerned about my own well-being.

My only question is, can he get my Steam password/email password? We didn't download anything from him, but I'm curious as to whether something can actually happen to my email/Steam and/or banking information.
And no, none of us downloaded anything from him or clicked links that he provided.


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,472 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:14 AM

Posted 13 May 2016 - 03:28 PM

Does seem a bit odd, but not completely implausible I guess. I would change all passwords and double-check software is fully updated. Scan your system for any infections before updating passwords.


Have everyone on the channel do the same as well. Never bad to be too cautious.


Most likely the "hacker" exploited some vulnerability in the host's system or TeamSpeak server, and went from there. Or there was a weak password on it. If he had access to the TeamSpeak software, it probably did have the logs of your IPs and such, not that that really means a whole lot. You can request that your ISP refresh your DHCP lease for another IP if that's a major concern (unless you have a static IP for some reason; you'd know if you have one).


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Lehr

Lehr
  • Topic Starter

  • Members
  • 124 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:14 AM

Posted 13 May 2016 - 03:44 PM

Like I said, none of us clicked anything, and I bailed before the odd disruption started; my friends witnessed most of this.

Nor did we download anything from him in TS, and I did a scan with Malwarebytes right after finding out about it and it came up blank. I also changed my email/Steam passwords twice over.

I'm just curious as to whether anything can still be stolen from me at this point, or from my friends.


Edited by Lehr, 13 May 2016 - 03:45 PM.


#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,472 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:14 AM

Posted 13 May 2016 - 04:01 PM

As long as passwords were securely changed, and no live infection such as a keylogger is present on the systems, you should be OK. I would vigorously update all software/plugins and run scans with different software such as HitmanPro, Malwarebytes, antivirus, etc. If you want to be extra paranoid, you could post to the Am I Infected forums.

Definitely keep an eye on things. Just having your IP isn't necessarily enough to do anything unless you have a vulnerable service listening to outside traffic, or something like default credentials on your modem/router if its web panel is accessible from the internet.




#5 Lehr

Lehr
  • Topic Starter

  • Members
  • 124 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:14 AM

Posted 13 May 2016 - 04:10 PM

Quote: Definitely keep an eye on things. Just having your IP isn't necessarily enough to do anything unless you have a vulnerable service listening to outside traffic, or something like default credentials on your modem/router if its web panel is accessible from the internet.

I have no clue as to what any of that meant... Could you elaborate? I've never modified my router, nor have I seen a web panel.

Also, someone figured that the guy managed to work out the owner's password (turns out he has very similar passwords for everything), and managed to get things from there. I haven't gone on the website since, so... Yeah, they're probably script kiddies, but it's usually a bad idea to underestimate anything.


Edited by Lehr, 13 May 2016 - 04:17 PM.


#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,472 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:14 AM

Posted 13 May 2016 - 04:37 PM

I've heard of hacking of modems that were not protected. If your modem/router has a web panel (i.e. you can reach a GUI from your browser by IP, like 192.168.1.1 or something), then it should be locked down with non-default credentials. Most routers come out of the box with something default like admin/admin, admin/password, etc. Definitely change that, even if you can't reach it from an external IP.

If you'd like, you can PM me your IP (whatismyip.com) and I can run an external port scan for you to see if I can find anything.




#7 Lehr

Lehr
  • Topic Starter

  • Members
  • 124 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:14 AM

Posted 13 May 2016 - 04:51 PM

I sent it to you, let's see what happens.



#8 Lehr

Lehr
  • Topic Starter

  • Members
  • 124 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:14 AM

Posted 13 May 2016 - 07:04 PM

And port 49152 has some 'download' file with

d[NUL][ETX]

Should I be worried?

Edit: Both Malwarebytes and Emsisoft came up clean.


Edited by Lehr, 14 May 2016 - 05:56 AM.
