
Tracking a hacker


39 replies to this topic

#1 asphalt1234

asphalt1234

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 22 May 2018 - 05:18 PM

For the last few years I've been bullied by a group of hackers who refuse to leave me alone. Unfortunately this has been going on so long I can't remember every single thing that makes me believe I was hacked, but they used to prevent me from playing games by locking down my mouse, they would rename my folders/files to insults, they would remotely turn my computer on when I had it turned off, and they've accessed some of my accounts. (There's a lot more but I'm not willing to go into detail.) I've previously tried various ways to remove whatever malware they've used to access my computer, with little to no success - although 2 years ago I did manage to find several malware, the problem persisted.

 

I've tried various malware scanners (AVG, avast!, malwarebytes, windows defender, and various miscellaneous scanners suggested from various websites), I've reformatted, reinstalled the OS, bought a new computer, and I've used Bitdefender boot disk virus scanner to scan outside of the OS. I know that they've seen me over my webcam, and listened over the microphone; I know that they've had unfettered access to admin privileges over various computers. The only way I've managed to find ANY malware is when I used the BitDefender boot disk to scan outside of the OS, but they still had access after, so I don't think it did much.

I've also tried going to the police, only to be told there wasn't enough information and they didn't know how to help me. They haven't left me alone in years and I'm looking to prove someone is doing this to me so I can finally make it stop. So I'm looking for ways to prove exactly who's remotely accessing my computer.





#2 mjd420nova

mjd420nova

  • Members
  • 1,824 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 22 May 2018 - 08:15 PM

My first inclination is to suspect that your router has been taken over.  A hacker can imitate (spoof) a MAC address (unique to each WIFI device) on your network and access any other devices on that network.  The router may be the clue.
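A check a practitioner would run on the router theory above, as an added example that is not part of mjd420nova's post: take an `arp -a` snapshot from a Windows machine while the network is believed clean, take another later, and flag a changed MAC for the gateway (the sign that another device on the LAN is answering as the router) or one MAC answering for several addresses. The two snapshots below are constructed sample output, not captures from the poster's network, and the gateway address 192.168.1.1 is an assumption.

```python
import re
import subprocess
from collections import defaultdict

# One entry line of Windows `arp -a` output:
#   "  192.168.1.1           a4-2b-8c-11-22-33     dynamic"
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(dynamic|static)\s*$"
)

# Constructed sample snapshots (not real captures). In the later one the
# gateway entry carries the MAC of the host at .20: ARP spoofing, where a
# device on the LAN impersonates the router to sit in the traffic path.
BASELINE_SNAPSHOT = """\
Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           a4-2b-8c-11-22-33     dynamic
  192.168.1.20          3c-97-0e-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
LATER_SNAPSHOT = """\
Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           3c-97-0e-aa-bb-cc     dynamic
  192.168.1.20          3c-97-0e-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def parse_arp(text):
    """Turn `arp -a` output into {ip: mac}, skipping broadcast and multicast entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac, _ = m.groups()
        mac = mac.lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e") or ip.endswith(".255"):
            continue
        table[ip] = mac
    return table


def live_snapshot():
    """Read the current ARP cache on a Windows host (not used by the offline demo)."""
    return subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout


def compare(baseline, current, gateway):
    """Return alert strings for changed IP->MAC mappings and for MACs claiming several IPs."""
    alerts = []
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is not None and old != mac:
            tag = "GATEWAY " if ip == gateway else ""
            alerts.append(f"{tag}{ip} changed MAC {old} -> {mac}")
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in compare(parse_arp(BASELINE_SNAPSHOT), parse_arp(LATER_SNAPSHOT), "192.168.1.1"):
        print("ALERT:", alert)
```

A gateway MAC that changes right after you replace the router is expected; any other change deserves a look at the router's own client list. Whatever the ARP table shows, the practical steps for the router itself are to change its admin password, update its firmware, and turn off WAN-side remote administration and WPS, which are the usual ways a home router gets taken over.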



#3 ranchhand_

ranchhand_

  • Members
  • 1,669 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest
  • Local time:12:10 PM

Posted 23 May 2018 - 08:06 AM

 

> asphalt1234 wrote:
> they would remotely turn my computer on when I had it turned off

As far as I know, the only way they can do that is by using the Wake On LAN feature, or something similar. But...your computer would not be turned off, just in sleep mode but power still on. Disable Wake On LAN and that should (at least) stop that from happening. There is no way the smartest hacker in the world can "turn on" a computer when the power to it is disabled.

Other than that, mjd's suggestion is where to start.

Also...you didn't post any specs on your computer, but if it is 4 years old or more, and especially if you are running an old OS like XP, you need to upgrade. Old operating systems have huge security holes.


Edited by ranchhand_, 23 May 2018 - 08:07 AM.

Help Requests: If there is no reply after 3 days I remove the thread from my answer list. For further help PM me.
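Wake On LAN, as discussed above, works by a "magic packet": six bytes of 0xFF followed by the target's MAC address repeated sixteen times, normally sent as a UDP broadcast to port 7 or 9, with an optional 4 or 6 byte SecureOn password on the end. The following is an added example and not code from the thread: it builds and recognises such packets, and `listen()` sits on the WoL port and reports the address that sent one, which is the one piece of tracking this particular symptom allows. The MAC address in the sample is made up.

```python
import re
import socket

SYNC = b"\xff" * 6  # synchronization stream that opens every magic packet


def build_magic_packet(mac, password=b""):
    """Build a WoL magic packet for `mac` ("00:11:22:33:44:55" or "00-11-22-33-44-55")."""
    mac_bytes = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC + mac_bytes * 16 + password


def parse_magic_packet(payload):
    """Return (target_mac, password) if `payload` carries a magic packet, else None.

    The packet may sit anywhere inside the UDP payload, so scan for the sync
    stream and check that the 96 bytes after it are one MAC repeated 16 times.
    """
    idx = payload.find(SYNC)
    while idx != -1:
        body = payload[idx + 6: idx + 102]
        if len(body) == 96 and body == body[:6] * 16:
            trailer = payload[idx + 102:]
            password = trailer if len(trailer) in (4, 6) else b""
            return ":".join(f"{b:02x}" for b in body[:6]), password
        idx = payload.find(SYNC, idx + 1)
    return None


def listen(port=9, count=1):
    """Bind the WoL port and return (sender_ip, target_mac) for each magic packet seen.

    Not exercised offline; run it on the LAN while the wake-ups are happening.
    """
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", port))
        while len(seen) < count:
            data, (ip, _) = s.recvfrom(2048)
            parsed = parse_magic_packet(data)
            if parsed:
                seen.append((ip, parsed[0]))
                print(f"magic packet from {ip} for {parsed[0]}")
    return seen


if __name__ == "__main__":
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), parse_magic_packet(pkt))
```

Disabling WoL in the BIOS is only half of it on Windows: the NIC driver has its own "Allow this device to wake the computer" setting, and `powercfg /devicequery wake_armed` lists every device still allowed to wake the machine, while `powercfg /lastwake` shows what caused the most recent wake. Binding port 9 needs administrator rights on Linux; on Windows it does not.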


#4 Remotee

Remotee

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 23 May 2018 - 05:14 PM

Join the club. I have had my hacker group for over 2 years (see my message in the "Am I Hacked" category of this forum). Unfortunately, I have come to the conclusion that they get at least some control over your computer when you are installing the operating system and the network devices are being added. Once in, they install all kinds of nasty programs and controls to consolidate their remote control of your computer.  I think they use internet radio or something similar for their initial attack so find a deep mine or a submarine. They also need some information on you, your computer and provider and possibly your location so changing them should work as long as you don't turn on any of your other contaminated devices (smartphones, cameras etc.). Not very practical so I'm hoping the experts on this forum find a better solution. Keep me informed of your progress.



#5 asphalt1234

asphalt1234
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 23 May 2018 - 10:09 PM

> mjd420nova wrote:
> My first inclination is to suspect that your router has been taken over.  A hacker can imitate (spoof) a MAC address (unique to each WIFI device) on your network and access any other devices on that network.  The router may be the clue.

Okay, so how do I stop them from using it?

 

 

 

> ranchhand_ wrote:
> > they would remotely turn my computer on when I had it turned off
>
> As far as I know, the only way they can do that is by using the Wake On LAN feature, or something similar. But...your computer would not be turned off, just in sleep mode but power still on. Disable Wake On LAN and that should (at least) stop that from happening. There is no way the smartest hacker in the world can "turn on" a computer when the power to it is disabled.
>
> Other than that, mjd's suggestion is where to start.
>
> Also...you didn't post any specs on your computer, but if it is 4 years old or more, and especially if you are running an old OS like XP, you need to upgrade. Old operating systems have huge security holes.

 

I've already gone into the BIOS and disabled WOL, so it's no longer a problem. I have a 3 year old laptop that uses Windows 10, so I don't think it needs an upgrade.

 

> Remotee wrote:
> Join the club. I have had my hacker group for over 2 years (see my message in the "Am I Hacked" category of this forum). Unfortunately, I have come to the conclusion that they get at least some control over your computer when you are installing the operating system and the network devices are being added. Once in, they install all kinds of nasty programs and controls to consolidate their remote control of your computer.  I think they use internet radio or something similar for their initial attack so find a deep mine or a submarine. They also need some information on you, your computer and provider and possibly your location so changing them should work as long as you don't turn on any of your other contaminated devices (smartphones, cameras etc.). Not very practical so I'm hoping the experts on this forum find a better solution. Keep me informed of your progress.

Well, it's good to know I'm not alone. I honestly don't think my anti-malware programs are stopping them from doing anything, but I feel like even if they've made me vulnerable, that the anti-malware programs still keep out other malware. At least in my case I don't think they need to use the OS because they have admin privs, anyway, and I'm pretty sure they work outside of the OS. I'm pretty sure reinstalling the OS and all my security updates just leaves me vulnerable, since I'm required to connect to the internet to install them in the first place. I've been told that disconnecting from the internet is supposed to prevent them from accessing my computer, but I've tried that and it hasn't actually worked. Any time I've tried to ask for advice over it I get told it's not possible, so... lol.

Personally, I disabled the microphone and camera hardware so that they couldn't spy on me. Unfortunately not all the infected devices are mine, so I can't do anything about those ones, and they get to hear most times anyway.



#6 mjd420nova

mjd420nova

  • Members
  • 1,824 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 23 May 2018 - 10:10 PM

One of the first things I do before tackling any suspected virus is to isolate the unit, unplug the network cable, pull the WIFI card or disable the WIFI from the router.  Then commence cleaning.  Severe cases might call for a system reset to factory default settings, either through the BIOS or hardware jumper.  Then and only then can a real cleaning be accomplished.  This should wipe out any rootkit or BIOS infection that got into the flash chip.  I also recommend that NO ONE use the wake on LAN, hibernate or sleep functions as they cause more trouble than they are worth.


Edited by mjd420nova, 23 May 2018 - 10:12 PM.


#7 asphalt1234

asphalt1234
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 23 May 2018 - 10:30 PM

> mjd420nova wrote:
> One of the first things I do before tackling any suspected virus is to isolate the unit, unplug the network cable, pull the WIFI card or disable the WIFI from the router.  Then commence cleaning.  Severe cases might call for a system reset to factory default settings, either through the BIOS or hardware jumper.  Then and only then can a real cleaning be accomplished.  This should wipe out any rootkit or BIOS infection that got into the flash chip.  I also recommend that NO ONE use the wake on LAN, hibernate or sleep functions as they cause more trouble than they are worth.

Okay, so any advice on how to go about doing that?



#8 mjd420nova

mjd420nova

  • Members
  • 1,824 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 24 May 2018 - 12:10 PM

First, shut the machine down.  Disconnect the network cable from the network card if it is wired.  If on WIFI, open the case and remove the WIFI card from its slot, or if WIFI is part of the system board, the PC will have to be deleted from the WIFI router's list of approved users to disable the network connection.  Then power up the PC and enter the BIOS.  Select factory default setting from the first menu and reboot.  Then begin cleaning.



#9 Remotee

Remotee

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 24 May 2018 - 12:23 PM

" I've been told that disconnecting from the internet is supposed to prevent them from accessing my computer, but I've tried that and it hasn't actually worked. Any time I've tried to ask for advice over it I get told it's not possible, so... lol."  

Sounds so familiar to my experience. The new generation of hackers have advanced tricks that some 'experts' keep saying are impossible and that you are just imagining all this. Very frustrating!



#10 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,598 posts
  • OFFLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:02:10 PM

Posted 24 May 2018 - 12:36 PM

It is not possible, period, for a machine not connected to any outside network to be hacked (at least not in any meaningful sense - if someone else happens to have physical access to the box, and they're nefarious, they can play all kinds of tricks - that's not what hacking is generally taken to mean).

 

As has already been discussed here, there are kinds of infections that are persistent after they are present and that must be removed when disconnected from any outside network and before doing anything else.

 

No one is being hacked by some new technology that no one knows about.  If that kind of hacking were to occur, you can be absolutely certain that the target would not be an individual's home computer and/or home network. 


Edited by britechguy, 24 May 2018 - 12:37 PM.

Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story


 

 

 

              

 


#11 mjd420nova

mjd420nova

  • Members
  • 1,824 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 24 May 2018 - 12:59 PM

That's why I always isolate the unit, and use default settings, sometimes even doing the reset jumper and pulling the CMOS battery to force the BIOS to load from the firmware (which cannot be corrupted) and not the flash chip.  Just isolation won't get rid of the corruption as the virus is loaded into the flash chip and will continue to infect every time the unit is powered up unless the flash chip is wiped clean and new BIOS loaded from the firmware.



#12 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 8,598 posts
  • OFFLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:02:10 PM

Posted 24 May 2018 - 01:31 PM

> mjd420nova wrote:
> That's why I always isolate the unit, and use default settings, sometimes even doing the reset jumper and pulling the CMOS battery to force the BIOS to load from the firmware (which cannot be corrupted) and not the flash chip.  Just isolation won't get rid of the corruption as the virus is loaded into the flash chip and will continue to infect every time the unit is powered up unless the flash chip is wiped clean and new BIOS loaded from the firmware.

Which is one of the persistent infection mechanisms I was alluding to.  You have given the perfect example of an infection type that will not be cured by isolation from the network alone, but requires steps to nuke it before you even think about reloading the OS.  If memory serves, certain rootkits also require that you take steps to purge them from the disk drive as a separate step before you proceed further as well.

In most of the scenarios described what I'm hearing is that this sort of "radical disinfection protocol" was not followed and likely involves infections that require that sort of protocol.  If you don't follow it then you'll just have a "lather, rinse, repeat" cycle going into perpetuity.   And it's not because you're being reinfected, but because the root cause of the infection has never been addressed to begin with.




 

 

 

              

 


#13 asphalt1234

asphalt1234
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 25 May 2018 - 08:24 AM

> Remotee wrote:
> "I've been told that disconnecting from the internet is supposed to prevent them from accessing my computer, but I've tried that and it hasn't actually worked. Any time I've tried to ask for advice over it I get told it's not possible, so... lol."
>
> Sounds so familiar to my experience. The new generation of hackers have advanced tricks that some 'experts' keep saying are impossible and that you are just imagining all this. Very frustrating!

Yeah... I have a feeling that they would need a good number of people going through the same thing before we would hear anything different. Getting told that made me give up for a while.

 

> britechguy wrote:
> It is not possible, period, for a machine not connected to any outside network to be hacked (at least not in any meaningful sense - if someone else happens to have physical access to the box, and they're nefarious, they can play all kinds of tricks - that's not what hacking is generally taken to mean).
>
> As has already been discussed here, there are kinds of infections that are persistent after they are present and that must be removed when disconnected from any outside network and before doing anything else.
>
> No one is being hacked by some new technology that no one knows about.  If that kind of hacking were to occur, you can be absolutely certain that the target would not be an individual's home computer and/or home network.

I'm not going to argue that with you, but I have disconnected from wi-fi/wired internet multiple times already before scanning. I did it when I used the Bitdefender scan and found that malware. I used to use a wired connection because it was easier to disconnect than wireless and I read that wireless can be manipulated more easily than wired, so all I did was pull the cable and go through the process of cleaning.

 

> mjd420nova wrote:
> That's why I always isolate the unit, and use default settings, sometimes even doing the reset jumper and pulling the CMOS battery to force the BIOS to load from the firmware (which cannot be corrupted) and not the flash chip.  Just isolation won't get rid of the corruption as the virus is loaded into the flash chip and will continue to infect every time the unit is powered up unless the flash chip is wiped clean and new BIOS loaded from the firmware.

So resetting to default settings does the same thing? I used to pull the battery in the laptop that initially got the infection, but my current laptop is harder to take apart and I can't get at the battery without some deft dismantling.

After I've isolated + cleansed, how do I prevent them from accessing my router? I'm feeling what you two are describing is probably what I should do, but if they can just get back in through the router, then what?

So... no one has tips for actually tracking a hacker, and not just removing malware?



#14 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,705 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:10 PM

Posted 25 May 2018 - 09:06 AM

 

> asphalt1234 wrote:
> So... no one has tips for actually tracking a hacker, and not just removing malware?

You could leave some canary files on your systems, in the hope that an unauthorized user accesses them. Most of the time, that will give you the public IP address of that user.

 

https://canarytokens.org


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
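How a canary file yields the visitor's public address, as an added example that is neither Didier Stevens' code nor canarytokens.org's: each decoy gets a unique, unguessable token embedded in a URL, and when the decoy is opened by something that fetches that URL (a remote image inside a document, for instance) the server logs the requester's IP address and the time. The loopback server, the `/c/<token>.gif` path layout and the `Passwords.txt` label are this example's own assumptions.

```python
import base64
import secrets
import threading
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# A 1x1 transparent GIF is returned for every request, known token or not,
# so someone probing the server learns nothing about which paths are live.
PIXEL = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")

TOKENS = {}  # token -> label of the decoy it was planted in
HITS = []    # every trip of a canary, oldest first


def make_token(label):
    """Register a new decoy and return its 128-bit random token (the part to embed)."""
    token = secrets.token_hex(16)
    TOKENS[token] = label
    return token


def record_hit(path, remote_ip, user_agent=""):
    """Match a request path like /c/<token>.gif against known tokens; log and return the hit."""
    parts = urlparse(path).path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "c":
        return None
    label = TOKENS.get(parts[1].split(".")[0])
    if label is None:
        return None
    hit = {
        "label": label,
        "remote_ip": remote_ip,
        "user_agent": user_agent,
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    HITS.append(hit)
    return hit


class CanaryHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        record_hit(self.path, self.client_address[0], self.headers.get("User-Agent", ""))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):  # silence the default per-request console output
        pass


def serve_and_trip(label="Passwords.txt"):
    """Offline demo: run the beacon on loopback, plant a decoy, open it, return the logged hit."""
    server = HTTPServer(("127.0.0.1", 0), CanaryHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{port}/c/{make_token(label)}.gif"
        # Direct connection, ignoring any proxy environment; stands in for the snoop opening the file.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(url, timeout=5) as resp:
            resp.read()
    finally:
        server.shutdown()
        server.server_close()
    return HITS[-1]


if __name__ == "__main__":
    print(serve_and_trip())
```

For this to catch anyone the beacon has to run on a host reachable from the internet and the URL has to sit somewhere the viewer fetches automatically; canarytokens.org provides both. The address you get back is wherever the request came from, so a VPN or proxy shows its exit rather than the person, but a timestamped hit with a source address is evidence in a form that can be handed to a provider or the police.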


#15 asphalt1234

asphalt1234
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 25 May 2018 - 01:16 PM

 

 

> Didier Stevens wrote:
> > So... no one has tips for actually tracking a hacker, and not just removing malware?
>
> You could leave some canary files on your systems, in the hope that an unauthorized user accesses them. Most of the time, that will give you the public IP address of that user.
>
> https://canarytokens.org

 

Good suggestion, but I think in my case there's zero chance of that working.





