
Trying to find out how my desktop was breached


4 replies to this topic

#1 bds76

bds76

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:31 PM

Posted 25 November 2017 - 05:38 AM

The other day I was trying to sleep and noticed my computer waking up randomly and heard a couple of weird notification sounds. I was tired so I ignored it until a few minutes later I noticed paypal/amazon transaction emails on my phone. I immediately shut off my pc and called to freeze my paypal linked bank account.

 

Originally I assumed someone got a hold of my gmail account, but I'm starting to suspect that someone got remote access to my PC. I say this because of how my PC woke up by itself + the weird notification sounds. Also, my chrome history shows tabs that were left open when I shut it off that I never opened (g2a/paypal/steam/amazon/verizon). For reference, I had a Windows 10 machine with only windows defender and uBlock extension as a means of defense. So far I wiped my drives and reinstalled Windows and changed passwords/enabled 2-factor authorization on my accounts. How paranoid should I be at this point?

 

Some strange things: Whoever got into my computer had a verizon messages tab open (maybe related to 2-factor authorization?). Also, he/she sent a paypal gift to some random Indian guy, who may be the same guy that breached my system (why would someone reveal their identity?).





#2 buddy215

buddy215

  • Moderator
  • 13,118 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:31 PM

Posted 25 November 2017 - 07:04 AM

Would only be guessing as to how access was gained. Suggest you reset your router and resecure it. Especially change default password, block remote access and check that its firewall is active. Check firmware updates for the router.


Edited by buddy215, 25 November 2017 - 07:04 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” - Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 nocebo

nocebo

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:31 PM

Posted 27 November 2017 - 12:30 AM

Would only be guessing as to how access was gained. Suggest you reset your router and resecure it. Especially change default password, block remote access and check that its firewall is active. Check firmware updates for the router.

Something similar happened to me a few weeks back. I had reset my router, but after turning off remote management I completely lost my connection. I figured maybe it was a backdoor my ISP had installed in its router to debug what is going on. Have you heard of any ISP doing this before? Or has my router been breached to the point where a custom firmware has been installed? Is it possible to install a firmware like that?



#4 buddy215

buddy215

  • Moderator
  • 13,118 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:31 PM

Posted 27 November 2017 - 07:20 AM

nocebo...welcome to BC....if you need further assistance please start a new topic in the proper forum.

The info in the link below will answer your question. Plus a bit more.

Home routers supplied by ISPs can be compromised en masse | Computerworld

 

QUOTE A BIT:

TR-069 devices are set up to connect to Auto Configuration Servers (ACS) operated by ISPs. These servers run specialized ACS software developed by third-party companies that can be used to re-configure customer devices, monitor them for faults and malicious activity, run diagnostics and even silently upgrade their firmware.

Many customers likely don't know that their ISPs have this level of control over their routers, especially since custom firmware running on them often hides the TR-069 settings page in the router administration interface, Tal said. Even if the owner knows about this remote management service, most of the time there is no option to disable it, he said.



#5 nocebo

nocebo

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:31 PM

Posted 27 November 2017 - 09:50 AM

nocebo...welcome to BC....if you need further assistance please start a new topic in the proper forum.

The info in the link below will answer your question. Plus a bit more.

Home routers supplied by ISPs can be compromised en masse | Computerworld

 

QUOTE A BIT:

TR-069 devices are set up to connect to Auto Configuration Servers (ACS) operated by ISPs. These servers run specialized ACS software developed by third-party companies that can be used to re-configure customer devices, monitor them for faults and malicious activity, run diagnostics and even silently upgrade their firmware.

Many customers likely don't know that their ISPs have this level of control over their routers, especially since custom firmware running on them often hides the TR-069 settings page in the router administration interface, Tal said. Even if the owner knows about this remote management service, most of the time there is no option to disable it, he said.

Thank you for this!
Exactly what I needed to get some people motivated into actually purchasing a router!
