# I've been hacked...



## hat (Jan 12, 2017)

Well, someone has, somehow, managed to attack my network, and steal some personal images. Unfortunately, I know nothing of this sort of stuff. I know nothing about hacking, or how to defend against a hacker.

All I know is I'm pretty sure which computer was attacked. Is there any way I may be able to find out when it happened, how they got in, how to stop them from gaining access again, and who might have done it?

I thought my stuff was pretty reasonably secure until now. I use AES wifi encryption... the password isn't fantastic but strong enough. I don't even have any ports open/forwarded. We use OpenDNS, every computer uses Windows 10 (stays updated). On my machine, I don't use any AV or firewall (even disabled Windows firewall), as I find it's more of an annoyance than anything... not sure exactly how the other systems are set up. Is it possible for an attacker to have initially compromised my computer, and then attacked another from there?


----------



## jboydgolfer (Jan 12, 2017)

hat said:


> Well, someone has, somehow, managed to attack my network, and steal some personal images. Unfortunately, I know nothing of this sort of stuff. I know nothing about hacking, or how to defend against a hacker.
> 
> All I know is I'm pretty sure which computer was attacked. Is there any way I may be able to find out when it happened, how they got in, how to stop them from gaining access again, and who might have done it?
> 
> I thought my stuff was pretty reasonably secure until now. I use AES wifi encryption... the password isn't fantastic but strong enough. I don't even have any ports open/forwarded. We use OpenDNS, every computer uses Windows 10 (stays updated). On my machine, I don't use any AV or firewall (even disabled Windows firewall), as I find it's more of an annoyance than anything... not sure exactly how the other systems are set up. Is it possible for an attacker to have initially compromised my computer, and then attacked another from there?



I'm very far from an expert, but I'm fairly certain that disabling your firewalls is a pretty bad idea (for future reference, maybe a hardware firewall). Were they disabled on the computer that you feel was hacked?

Also, is there a possibility that these images have been misplaced? I know it's silly and basic, but sometimes the simplest answer is the most likely. I'm just trying to think of the motivation to go through the trouble of getting into someone's network to take a couple of images, unless there's some stuff you haven't realized or noticed yet.

Is it possible for you to elaborate on how you arrived at the conclusion of hacking being the most likely scenario?


----------



## phanbuey (Jan 12, 2017)

did they hack your router or did you download something? Download fiddler and see if you have strange activity.


----------



## hat (Jan 12, 2017)

The images for sure weren't misplaced. They were found up on some website somewhere... we didn't put them there. My fiancee also says somebody was texting her friend on TextNow (an online texting service) while they were talking on Facebook... and she wasn't even on TextNow at the time. So there's definitely suspicious activity going on. We also have reason to believe there's a certain individual who may be behind it, as this person has had some issues with us and they don't like us very much...

@phanbuey I'm pretty sure it was my fiancee's laptop that was targeted, not my computer. As such I have no idea what might have happened that might give somebody access...


----------



## Easy Rhino (Jan 12, 2017)

to understand how a hacker got what he/she got you have to get into their mind. that being said, were the images *cough* personal in nature?


----------



## phanbuey (Jan 12, 2017)

Well, even if they broke through your wireless they would still have to get access to the share, so it's most likely she downloaded something... if that's the case then it will show up on an app that monitors your/her PC's network activity. Find it, see if you can trace it back to that person, kill it, and have her change her passwords.

there are a ton of ways to get hacked... but most of them involve getting a hold of a commonly used password.

Do you have a static IP?


----------



## m&m's (Jan 12, 2017)

1- Enable Windows firewall
2- To find when you were hacked you could check your router logs, but it can be a real pain in the ass to find anything relevant.
3- Reset your router and use a new password
4- Scan your computers with MBAM and with an antivirus. If you don't want to install one you can download Kaspersky Virus Removal Tool. You should also do a scan with an AV before Windows starts. You can use Kaspersky Rescue Disk to do so.

If you find proof that you were hacked by someone you know, you can report them to the police. It is illegal to hack a network without the owner's permission.
But it's unlikely that you were actually hacked.

If you were actually hacked it's probably IMO with a backdoor.
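The first and last items of the list above (turn the Windows firewall back on, then scan) can be done and verified from one elevated PowerShell prompt. The following is an added example for this thread, not something any poster supplied; it assumes Windows 10 with the built-in NetSecurity and Defender modules and a prompt started with "Run as administrator". If a third-party AV such as Panda is the active engine, Defender's real-time status will read False, which is expected.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell prompt
# on Windows 10; every cmdlet below ships with the OS.

# 1. Enable the firewall on all three profiles, block inbound by default and
#    log dropped packets, so a later investigation has a record to look at.
#    Default log: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384

# Verify: every row should show Enabled = True and DefaultInboundAction = Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked

# 2. Review which inbound rules currently let traffic in. Anything you do not
#    recognise (remote control tools, games long uninstalled) is a candidate
#    for Disable-NetFirewallRule -DisplayName '<name>'.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName, DisplayGroup, Profile |
    Sort-Object DisplayGroup, DisplayName

# 3. Antivirus state. With a third-party AV installed Defender steps aside and
#    RealTimeProtectionEnabled reads False; the point is that exactly one
#    real-time engine is on and its signatures are recent.
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
                  AntivirusSignatureLastUpdated, QuickScanEndTime

# 4. Fresh signatures, then a scan. QuickScan covers the usual persistence
#    locations; switch to -ScanType FullScan for the slow, thorough pass.
Update-MpSignature
Start-MpScan -ScanType QuickScan
```

Run the block once per PC; the firewall settings persist, the scan result shows up in Windows Security under "Protection history" and in `Get-MpThreatDetection`.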


----------



## cdawall (Jan 12, 2017)

Router through the cable company and rented? If so tell them you need a new one. 

If it is just someone being a jerk I wouldn't worry much past actually securing the network, changing passwords and turning on firewalls.


----------



## Frick (Jan 12, 2017)

hat said:


> The images for sure weren't misplaced. They were found up on some website somewhere... we didn't put them there. My fiancee also says somebody was texting her friend on TextNow (an online texting service) while they were talking on Facebook... and she wasn't even on TextNow at the time. So there's definitely suspicious activity going on. We also have reason to believe there's a certain individual who may be behind it, as this person has had some issues with us and they don't like us very much...
> 
> @phanbuey I'm pretty sure it was my fiancee's laptop that was targeted, not my computer. As such I have no idea what might have happened that might give somebody access...



It's actually pretty good if someone is just out to mess with you. You don't want cryptoviruses, or someone making purchases in your name.

Reset passwords. All of them. Has she gotten mails about logins she does not recognize? If the photos exist on a cloud platform it is more likely the person has found out the password rather than compromised a computer. And how are her password habits?


----------



## nomdeplume (Jan 12, 2017)

While you are beefing up on personal protection give some thought to keeping sensitive materials offline in a home safe that won't survive a fire.  If the worst came that isn't the personal legacy you want to leave for your families to collect.


----------



## jboydgolfer (Jan 12, 2017)

hat said:


> The images for sure weren't misplaced. They were found up on some website somewhere... we didn't put them there. My fiancee also says somebody was texting her friend on TextNow (an online texting service) while they were talking on Facebook... and she wasn't even on TextNow at the time. So there's definitely suspicious activity going on. We also have reason to believe there's a certain individual who may be behind it, as this person has had some issues with us and they don't like us very much...
> 
> @phanbuey I'm pretty sure it was my fiancee's laptop that was targeted, not my computer. As such I have no idea what might have happened that might give somebody access...



OK, that clarifies it quite a bit. I agree with the other posts saying you should enable the firewall, but also have your Internet provider replace your modem and router if they're provided by them; otherwise you can assign them new MAC addresses. I've done it before to get around IP bans, I believe it was on the Netgear.

In my opinion (for what it's worth), the fact that it involves both your significant other and you, as well as personal images, makes me feel that this is a personal attack, if the word attack fits.

And when I use the word personal, if I had to bet I want to say that it was someone who knew you.

Regardless of who it was, it's totally invasive and entirely inappropriate, and I'm sure it has left you feeling very insecure to say the least. I'd start by making sure your firewall is turned on, getting a new modem/router, and, as much of a pain in the ass as it's going to be, changing all your passwords.

Also either reinstall your operating systems or use backups that are older, just to be safe.

I know I've read about "hackers" using email hacks to reach out to people's contacts, pretending to be the friend as a means of spreading their shit. But the posting of images doesn't seem to fit that category.


----------



## Mussels (Jan 12, 2017)

hat said:


> Well, someone has, somehow, managed to attack my network, and steal some personal images. Unfortunately, I know nothing of this sort of stuff. I know nothing about hacking, or how to defend against a hacker.
> 
> All I know is I'm pretty sure which computer was attacked. Is there any way I may be able to find out when it happened, how they got in, how to stop them from gaining access again, and who might have done it?
> 
> I thought my stuff was pretty reasonably secure until now. I use AES wifi encryption... the password isn't fantastic but strong enough. I don't even have any ports open/forwarded. We use OpenDNS, every computer uses Windows 10 (stays updated). On my machine, I don't use any AV or firewall (even disabled Windows firewall), as I find it's more of an annoyance than anything... not sure exactly how the other systems are set up. Is it possible for an attacker to have initially compromised my computer, and then attacked another from there?



can you give me details on your wifi network? B/G/N/AC? is pin based WPS active? Do you have network shares on your PC, is your PC always left on?
Were these images only on the PC, or other devices? (phone?)

Being hacked is very rare to be an external event, and VERY likely to have been done in person - someone gained access to the wifi password in the past, or a physical laptop in person for a few minutes (or even access to a phone or dropped USB stick, and quickly copied)


----------



## silkstone (Jan 12, 2017)

If they ever had physical access to your fiancee's laptop, then malware is much more likely.
It may even have been a phishing kind of attack and your significant other clicked through an e-mail she shouldn't.

Afaik, if you are using strong passwords and DD-WRT it's pretty tough to gain access to your network (WAN or otherwise).


----------



## Kursah (Jan 12, 2017)

It could've been a browser or OS exploit, something planted if this individual is able to get near you guys. 

Getting through that kind of wireless encryption is doable, but someone really will want to do it. Check your other service accounts for suspicious activity ASAP. Change passwords, use a hidden SSID if you can... though if this person cracked your wireless password out of WPA2 a hidden SSID won't be anything. But to someone else it might be enough to make 'em go elsewhere. Hidden SSIDs still send a ping out, just not as frequently as a broadcast SSID.

You could also just run a guest network if you need no file sharing. Most routers feature it. You can manage bandwidth limitations on many as well. Another good reason for this is because then your devices all run in isolated mode...meaning they have Internet access but not LAN resource access. So they can't see other devices.

Have you disconnected the culprit PC from the network? With Windows 10 you can spoof the MAC address for your wireless NIC pretty easily, I'd start there before reconnecting it. 

I'd enable Windows firewalls as well. What kinda router you running? Might be time to look into something capable of doing some IDS/IPS for you if this keeps up.

Another option is to disable wireless and run Ethernet. You'll have a different MAC address for the Ethernet NIC, and can simply unplug it if you feel there's been a compromise. 

Depending on what you have and want to do about it, there's options. As-far-as tracing down who-dun it and how now...that would take some work, time and advanced network abilities and comprehension. Better to lock things down, restrict shares and access, increase security...what were the share permissions for that folder? 

Another good idea is to kill your wireless when you're not home or using it, which is doubly handy when using a hidden SSID because it'll be harder to scan for between not being on and when on, not being broadcast frequently.

You could always setup a honey pot to lure and monitor for someone hacking your network, give them something that looks like what they want. Track what they're doing, and where they're doing it from and add that IP to your blacklist. 

In reality though, someone probably either got onto the machine physically, or if they were capable and desired enough to do so, got into that laptop through an exploit of some sort...more likely than hacking your wireless unless they knew the password or it was easily guessed. Sorry this happened to you, but hopefully we can get you confident in your network and its security again!


----------



## Octopuss (Jan 12, 2017)

So you obviously know little to nothing about computers (or at least about networking), and yet


hat said:


> I don't use any AV or firewall (even disabled Windows firewall), as I find it's more of an annoyance than anything...


You deserved to be hacked (or whatever it really was) then.


----------



## hat (Jan 12, 2017)

phanbuey said:


> well even if they broke through your wireless they would still have to get access to the share, so it's most likely she downloaded something... if thats the case then it will show up on an app that monitors your/her pc's network activity.  find it, see if you can trace it back to that person, kill it, and have her change her passwords.
> 
> there are a ton of ways to get hacked... but most of them involve getting a hold of a commonly used password.
> 
> Do you have a static IP?



I plan on checking her laptop, making sure firewall is on and AV is installed and working. I recall installing Panda on it at some point, but I'm not sure if it's on there now. Maybe I'll try a hijackthis log, though I admit I don't understand all of it...

IP isn't static, but it rarely, if ever, changes. I could force it to change if I spoof my router's MAC...



m&m's said:


> 1- Enable Windows firewall
> 2- To find when you were hacked you could check your router logs, but it can be a real pain in the ass to find anything relevant.
> 3- Reset your router and use a new password
> 4- Scan your computers with MBAM and with an antivirus. If you don't want to install one you can download Kaspersky Virus Removal Tool. You should also do a scan with an AV before Windows starts. You can use Kaspersky Rescue Disk to do so.
> ...



1. Gonna do that
2. Looked there, nothing of value or interest... last entry is from December 12th. 
3/4. Yeah, I plan on doing that too.



cdawall said:


> Router through the cable company and rented? If so tell them you need a new one.
> 
> If it is just someone being a jerk I wouldn't worry much past actually securing the network, changing passwords and turning on firewalls.



Nah, I own it. Gonna do what we can to secure our shit.



Frick said:


> It's actually pretty good if someone is just out to mess with you. You don't want cryptoviruses, or someone making purchases in your name.
> 
> Reset passwords. All of them. Have she gotten mails about logins she does not recognize? If the photos exists on a cloud platform it is more likely the person has found out the password rather than compromised a computer. And how are her password habits?



Not sure about that one. I'll tell her she'll have to change her passwords.



nomdeplume said:


> While you are beefing up on personal protection give some thought to keeping sensitive materials offline in a home safe that won't survive a fire.  If the worst came that isn't the personal legacy you want to leave for your families to collect.



We might do that too.



jboydgolfer said:


> OK, that clarifies it quite a bit. I agree with the other posts saying you should enable the firewall, but also have your Internet provider replace your modem and router if they're provided by them; otherwise you can assign them new MAC addresses. I've done it before to get around IP bans, I believe it was on the Netgear.
> 
> In my opinion ( for what it's worth ), The fact that it involves both your significant other and you , as well as personal images, makes me feel that this is a personal attack if the word attack fits.
> 
> ...



Yeah, if it's who we think it is, it's definitely someone who knew us... and now doesn't like us anymore.



Mussels said:


> can you give me details on your wifi network? B/G/N/AC? is pin based WPS active? Do you have network shares on your PC, is your PC always left on?
> Were these images only on the PC, or other devices? (phone?)
> 
> Being hacked is very rare to be an external event, and VERY likely to have been done in person - someone gained access to the wifi password in the past, or a physical laptop in person for a few minutes (or even access to a phone or dropped USB stick, and quickly copied)



Not likely to have been done in person at all. This guy showed up at the door one day, and we, wanting nothing to do with him, shut the door in his face... he never stepped foot in the house. Give it about a week and bam, this happens. Anyways... the router runs two SSIDs, one for 2.4 and one for 5, B/G/N mixed. No WPS, WPA2-AES only.

The images were only on PC (mine and hers). Network file sharing is enabled, but these images weren't in any shared location. 



silkstone said:


> If they ever had physical access to your fiancee's laptop, then malware is much more likely.
> It may even have been a phishing kind of attack and your significant other clicked through an e-mail she shouldn't.
> 
> Afaik, if you are using strong passwords and DD-WRT it's pretty tough to gain access to your network (WAN or otherwise).



No physical access. I'd imagine it would be tough to guess our passwords, as well.



Kursah said:


> It could've been a browser or OS exploit, something planted if this individual is able to get near you guys.
> 
> Getting through that kind of wireless encryption is doable, but someone really will want to do it. Check your other service accounts for suspicious activity ASAP. Change passwords, use a hidden SSID if you can...though if this person cracked your wireless password out of WPA2 a hidden SSID won't be anything. But to someone else it might be enough to make em go elsewhere. Hidden SSID's still send a ping out, just not as frequently as a broadcasted SSID.
> 
> ...



I'm thinking it has to be some sort of exploit or sneaky virus... the kind that might be hidden in something else (like an image). Apparently there's spooky things going on with that laptop that sounds like remote control to me. I have an RTN66R. I'm sure it's capable of nifty things with a custom firmware... but most of that stuff is over my head, at least at this time.



Octopuss said:


> So you obviously know little to nothing about computers (or at least about networking), and yet
> 
> You deserved to be hacked (or whatever it really was) then.



Thanks... I admit I may have been a bit careless with my network security, but I'm no fool... however, despite your attitude, I still hope the same won't happen to you.


----------



## Filip Georgievski (Jan 12, 2017)

About the WiFi security, you can do MAC filtering if your router supports it, so that only those devices with MAC addresses that are in the router database can access.
I had a similar issue. Someone was stealing my internet years ago, and I did this, and guess what, no more burglars in my network.


----------



## Mussels (Jan 12, 2017)

If the files were not shared, then they can't have been accessed by remote wifi hacking. I'm not convinced this was a wifi hack (I've hacked a few neighbours' wifi networks in my time).

He clearly knows where you live, so perhaps there is some missing piece you don't know (could he have been let into the house without your knowledge? Forgive the examples, but a daughter letting a guy in for relations, cheating spouse, etc. etc.)
Could he have got access to a laptop out of the house? Broken into a car, for example? Your partner's workplace, if a laptop is taken there?


----------



## Ahhzz (Jan 12, 2017)

Octopuss said:


> So you obviously know little to nothing about computers (or at least about networking), and yet
> 
> You deserved to be hacked (or whatever it really was) then.


not really productive.....


----------



## Vulcansheart (Jan 12, 2017)

OpenDNS pointing back to your home IP where all your personal devices are connected. No AV or firewall on your PC.

^^This would be my point of entry if you were my target. A quick nmap scan would reveal any open ports through the router's firewall straight to your machine. My guess is your PC stays on most of the time, making a john attack on your windows credentials viable. This is like 3/10 difficulty for an intermediate hacker.

My gut says that you were not targeted by someone you know, rather you were an easy test of some script kiddie on the other side of the country that happened across your domain name.


----------



## jboydgolfer (Jan 12, 2017)

Ahhzz said:


> not really productive.....



I know, right?

I can understand the feeling of like "why would you disable firewalls and antivirus"!!?

But making someone feel s****y or brow beating them isn't helping.

If anything, hopefully the OP will come away from this with a new respect for the firewalls' and antivirus' "annoyances" and learn to live with them, since they may be annoying when you don't need them but they're sure as hell nice to have when you do. Especially since most of the time you don't know when you need them.

Based on the type of activity and what was posted by the OP, my guess is someone they know personally knew that their network and machines were vulnerable. They used that information to malicious ends.

I'd like to find someone if they did this to me... in person, omg, it would be so rewarding.


----------



## Silas Woodruff (Jan 12, 2017)

Well, can't really give any concrete answers, but these might help in giving your PC a thorough clean of anything malware.

TDSSKiller, run this first
RogueKillerX64 second
Emsisoft Emergency Kit third
AdwCleaner fourth
JRT fifth

After that, do pretty much what others have said: new passwords for everything you use, and maybe try to re-enable the firewall.


----------



## jboydgolfer (Jan 12, 2017)

@hat
I just remembered, if I may be so bold. If you don't mind the wait of taking delivery of an actual physical copy, Malwarebytes Pro 1 year license (installs on up to three different PCs at once)
is currently on sale at the lowest I've ever seen it.

 Just use promo code : Emcrbbc29

https://m.newegg.com/Product/Index?itemNumber=N82E16832562009

 It *ends up costing $15 after shipping charges* of course that's dependent on what shipping method you choose and also *email delivery is not available* for this deal but if you can wait four days you can get it at this price for three of your PCs. I remember you mentioned you have more than one machine I recommend it highly

_Summarized product info:_

- Detects and protects against malware in real-time
- Blocks hacking and phishing attempts
- Schedules automatic scanning
- Offers three flexible scanning modes
- Advanced malware removal


----------



## Ahhzz (Jan 12, 2017)

jboydgolfer said:


> @hat
> I just remembered, if I may be so bold. If you don't mind the wait of taking delivery of an actual physical copy, Malwarebytes pro 1 year license ( installs on up to three different PCs at once )
> Is currently on sale the lowest I've ever seen it.
> 
> ...


Excellent product, does really well. I recommend this with a side of an AntiVirus of your choice...


----------



## eidairaman1 (Jan 12, 2017)

Turn off homegroup


----------



## Boatvan (Jan 12, 2017)

I swear by Malwarebytes. I've had a premium license for years. I also use Malwarebytes Anti-Exploit because of a leftover license from my old job. I'm not sure if it is appropriate for home use, but it is a "set and forget" type of browser/application protection. It has blocked a few things since I installed it. 

https://www.malwarebytes.com/business/antiexploit/


----------



## Kursah (Jan 12, 2017)

Use MBAM...excellent product I use it on all my main systems at home, continue using OpenDNS, put MerlinWRT on your Asus router. Consider using an old PC and slap PFSense on there...use your RT66 as an AP and we could really increase your network security.


----------



## rtwjunkie (Jan 12, 2017)

Boatvan said:


> I swear by Malwarebytes. I've had a premium license for years. I also use Malwarebytes Anti-Exploit because of a leftover license from my old job. I'm not sure if it is appropriate for home use, but it is a "set and forget" type of browser/application protection. It has blocked a few things since I installed it.
> 
> https://www.malwarebytes.com/business/antiexploit/



I can second that. It is great zero day protection, and even the free version is worthwhile.


----------



## nomdeplume (Jan 12, 2017)

Just want to reaffirm that the best protection for non-critical data is not keeping it on multiple computers with network access.  There are plenty of removable media that leave very little trace of what you looked at which are small and rugged enough for secure onsite storage in unconventional places visitors are unlikely to discover. 

I had an apartment where that place was routinely above the ceiling fan for most residents.  I know this because I surprised the maintenance guy shoulder deep in mine muttering he knew whatever I had must be up there somewhere.


----------



## jboydgolfer (Jan 12, 2017)

Ahhzz said:


> Excellent product, does really well. I recommend this with a side of an AntiVirus of your choice...



it has given me issues with windows 10 insider , but its more of a Windows issue than MBAM. cant knock it for that, especially @ $15


----------



## silkstone (Jan 12, 2017)

So a question.

Being behind a router's firewall with a strong router password is not enough?
I know WiFi is another point of entry, but with WPA2-Personal and another strong PW, it's pretty difficult to get in.


----------



## Aquinus (Jan 12, 2017)

Ah yes. Now I remember why I love my Debian gateway server. iptables is configured to drop all packets by default. The only forward facing port that's open is a non-standard port for SSH which accepts only key auth. Other than that, it's practically as if no one is home if you try to port scan or ping my IP. That alone pretty much makes my network "not the lowest hanging fruit" which is secure enough to mitigate most attacks. I used to have my DNS server exposed but, that was a mistake.

As for protecting yourself, well... Common sense is a great start but, the reality is that phishers are getting more and more creative and that protecting your machine with software alone might not be enough.


----------



## jaggerwild (Jan 13, 2017)

@hat 
Did you happen to have wireless on? I have a motherboard that auto turns on Bluetooth and wireless, that's why I ask. Seems an easy way to get in. I run naked all the time (no firewall) (hack me), I'll reformat... Hitman Pro if you think you got something on it: adjust settings, run it once, then remove it (free for the first month too!).


----------



## FordGT90Concept (Jan 13, 2017)

I'd be playing twenty questions with the fiancée asking about RDP and suspicious activity (e.g. opening email attachments).  RDP is the most likely culprit but something had to have happened to give the intruder permission to RDP.


----------



## hat (Jan 13, 2017)

I've made sure Windows Firewall was enabled on all the PCs. Interestingly, her laptop, which is the suspected target, did have it enabled (as well as Panda AV). The others didn't... but I suppose if Windows Firewall would have stopped them, they could have got in one of the ones that didn't have it enabled and got around that way...

Windows Defender is now enabled on the two of mine, and the other two have Panda. I'm running scans on all the PCs either with Panda or Windows Defender. MBAM is up next. Is there anything else I should check for?

It's gonna be difficult (costly) to bring another computer online for PFSense or something similar. Are there any solutions I could use with my RTN66R? I'm not afraid to flash custom firmware. I've had Tomato on it in the past. The only reason I went back to stock firmware is for the simple QOS...


----------



## jboydgolfer (Jan 13, 2017)

hat said:


> I've made sure Windows Firewall was enabled on all the PCs. Interestingly, her laptop, which is the suspected target, did have it enabled (as well as Panda AV). The others didn't... but I suppose if Windows Firewall would have stopped them, they could have got in one of the ones that didn't have it enabled and got around that way...
> 
> Windows Defender is now enabled on the two of mine, and the other two have Panda. I'm running scans on all the PCs either with Panda or Windows Defender. MBAM is up next. Is there anything else I should check for?
> 
> It's gonna be difficult (costly) to bring another computer online for PFSense or something similar. Are there any solutions I could use with my RTN66R? I'm not afraid to flash custom firmware. I've had Tomato on it in the past. The only reason I went back to stock firmware is for the simple QOS...



IIRC my AC66U is pretty similar to the one you have, and I use Merlin, which is almost identical to the Asus FW, aside from a few improvements.


----------



## FordGT90Concept (Jan 13, 2017)

Have you checked the Remote features of the system?  It's in System Properties -> Remote tab.  Everything should be disabled there.  If anything is enabled, that could be how the attacker gained access.  If you want to play it safe, disable the Remote Desktop services.

I'd also check for other remote desktop programs like Team Viewer.
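The checks in the post above (the Remote tab, the Remote Desktop service, and third-party remote control software such as TeamViewer) map onto a handful of registry values, a service and a firewall rule group, and can be read in one pass. The script below is an added example for this thread, not the poster's, and assumes an elevated PowerShell prompt on Windows 10. The program-name pattern is a hypothetical starting list, not a complete inventory of remote control tools. Run it with `-Disable` to also turn Remote Desktop and Remote Assistance off, which is what "disable the Remote Desktop services" amounts to.

```powershell
# Added example (not from the thread): audit the remote-access surface of a
# Windows 10 PC. Assumes an elevated PowerShell prompt. Save as Audit-Remote.ps1
# and run ".\Audit-Remote.ps1" to report, ".\Audit-Remote.ps1 -Disable" to close it down.
param([switch]$Disable)

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

# Remote tab, "Allow remote connections": stored inverted, fDenyTSConnections = 0 means RDP is ON.
$rdpDenied = (Get-ItemProperty $ts).fDenyTSConnections
# Network Level Authentication (the "only computers running Remote Desktop with NLA" box).
$nla       = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication
# Remote Assistance, "Allow Remote Assistance connections": fAllowToGetHelp = 1 means ON.
$raAllowed = (Get-ItemProperty $ra).fAllowToGetHelp

[pscustomobject]@{
    RemoteDesktopEnabled = ($rdpDenied -eq 0)
    NetworkLevelAuth     = ($nla -eq 1)
    RemoteAssistance     = ($raAllowed -eq 1)
    TermServiceState     = (Get-Service TermService).Status
    RdpFirewallRuleOpen  = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
    ListeningOn3389      = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
} | Format-List

# Third-party remote control software: installed-programs registry keys and the
# live process list. $pattern is a hypothetical starting list; extend it as needed.
$pattern = 'TeamViewer|AnyDesk|VNC|LogMeIn|Ammyy|Splashtop|GoToMyPC|Chrome Remote'
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation

Get-Process | Where-Object { $_.Name -match $pattern } |
    Select-Object Name, Id, Path, StartTime

if ($Disable) {
    # Same effect as clearing both boxes on the Remote tab...
    Set-ItemProperty $ts -Name fDenyTSConnections -Value 1
    Set-ItemProperty $ra -Name fAllowToGetHelp    -Value 0
    # ...plus closing the inbound firewall rules and stopping the listener.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Disable-NetFirewallRule -DisplayGroup 'Remote Assistance'
    Stop-Service TermService -Force
}
```

A machine that is meant to be reachable (the headless Plex box mentioned later in the thread) should at least show `NetworkLevelAuth = True` and have the Remote Desktop firewall rules scoped to the local subnet; the fiancee's laptop should show everything False and nothing matching the pattern.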


----------



## exodusprime1337 (Jan 13, 2017)

I work in IT security for a major toy company.  I might have some input if ya wanna pm me?


----------



## nomdeplume (Jan 13, 2017)

With all due respect to OP's situation.  

Children's or adult toys?


----------



## hat (Jan 13, 2017)

FordGT90Concept said:


> Have you checked the Remote features of the system?  It's in System Properties -> Remote tab.  Everything should be disabled there.  If anything is enabled, that could be how the attacker gained access.  If you want to play it safe, disable the Remote Desktop services.
> 
> I'd also check for other remote desktop programs like Team Viewer.


I'm not sure if it's enabled on her laptop, but I know it's enabled on the other two desktops, as I sometimes use the feature myself. My Plex server runs headless, so that's how I connect to it if I have to.

She's used Teamviewer in the past (something similar happened before, but it was mainly social engineering that caused it, not an attack that came out of the blue). I had her uninstall it, but apparently it's re-appeared again. Would Teamviewer be a more secure option, if configured so? I used to use it before I started using windows remote desktop, and I had it configured so it would only accept LAN connections... or is that still attackable?


----------



## Mussels (Jan 13, 2017)

teamviewer 're appearing' would be exactly how she got hacked - that makes 100% sense for accessing files not shared on the network as well.


----------



## hat (Jan 13, 2017)

She didn't do it though, she said it just came back on its own recently. Someone already had a way to get it there in the first place.


----------



## Mussels (Jan 13, 2017)

It's entirely possible this is the result of the previous hack, or another social engineering success.


----------



## phanbuey (Jan 13, 2017)

A script is running to reinstall it.

The good news is that it has to send the key somewhere... so if you find it, you've found your hacker...


----------



## silkstone (Jan 13, 2017)

It would be great to have a sticky regarding network security. I need to research this myself since starting a MC server on my RPi, but I don't really have the expertise to give advice.
I am planning on spending some time ensuring everything is secure though.


----------



## human_error (Jan 13, 2017)

hat said:


> Would Teamviewer be a more secure option, if configured so?



Considering Teamviewer got badly hacked in June last year I wouldn't have that anywhere near my PCs (especially as the company initially denied any problems, then later admitted that something didn't seem right with how many accounts were compromised). The fact it has reappeared is a bad sign - get rid of it again, and restart the laptop a few times to see if it gets installed again (as already suggested there could be a script running that's installing it).

If you have system restore running it may have a restore point when teamviewer was installed, or list that an old restore point would remove teamviewer - that would at least give you an indication on when it was installed. If the machine has been compromised though I'd personally take only the most important files off and wipe the whole thing, going in fresh with a new OS install. Also make sure you scan the files you want to keep from it to make sure there's nothing nefarious hiding amongst them.


----------
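The checks suggested across the last few posts (the Remote tab, whether TeamViewer is back, and what keeps reinstalling it) can be done in one pass from PowerShell. The following is an added example, not code from any poster in this thread; it only reads state, and the program name it hunts for is an assumption taken from the discussion (swap in any other remote-control tool). Run it in an elevated PowerShell on the suspect laptop:

```powershell
# Added example, not from any poster in this thread: read-only inventory of the remote-access
# surface and the autostart locations on a Windows 10 host. Answers "is RDP on", "is the tool
# back", "what keeps putting it back", and dates the entries for matching against restore points.

$suspect = 'TeamViewer'   # assumption: the name hunted for; substitute any other remote-control tool

# --- 1. System Properties -> Remote tab, as stored in the registry ---------------------------
# fDenyTSConnections = 1 : Remote Desktop OFF (what you want on a laptop nobody administers remotely)
# fAllowToGetHelp    = 1 : Remote Assistance ON
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -Name fAllowToGetHelp -ErrorAction SilentlyContinue
'Remote Desktop enabled    : {0}' -f ($ts.fDenyTSConnections -eq 0)
'Remote Assistance enabled : {0}' -f ($ra.fAllowToGetHelp -eq 1)
# Accounts allowed in over RDP besides Administrators; should be empty or only names you recognise.
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | Select-Object Name, ObjectClass

# --- 2. Is the tool installed, running, or registered as a service right now? -----------------
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$suspect*" } |
    Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation
Get-Process | Where-Object { $_.Path -like "*$suspect*" -or $_.Name -like "*$suspect*" } |
    Select-Object Id, Name, Path, StartTime
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$suspect*" } |
    Select-Object Name, State, StartMode, StartName, PathName

# --- 3. Every place a "reinstall it at next boot" script can hide -----------------------------
# Anything that references the tool here after you uninstalled it is what brings it back.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$autoruns = foreach ($key in $runKeys) {
    $item = Get-Item $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Location = $key; Name = $name; Command = $item.GetValue($name) }
    }
}
# Scheduled tasks outside \Microsoft\: show the action, not just the task name (the name is free text).
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        [pscustomobject]@{
            Location = 'Task ' + $task.TaskPath + $task.TaskName
            Name     = "state=$($task.State)"
            Command  = ("$($action.Execute) $($action.Arguments)").Trim()
        }
    }
}
# Startup folders, per-user and all-users.
$startup = Get-ChildItem ([Environment]::GetFolderPath('Startup')), ([Environment]::GetFolderPath('CommonStartup')) -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Location = 'Startup folder'; Name = $_.Name; Command = $_.FullName } }
# WMI permanent event subscriptions: a fileless way to re-run a command at every boot.
$wmi = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Location = 'WMI consumer'; Name = $_.Name; Command = $_.CommandLineTemplate } }

$all = @($autoruns) + @($tasks) + @($startup) + @($wmi)
"`n== Autostart entries referencing $suspect =="
$all | Where-Object { $_.Command -like "*$suspect*" } | Format-Table -AutoSize
"`n== All non-Microsoft autostart entries (review every one) =="
$all | Format-Table -AutoSize

# --- 4. Date it: folder write times next to the restore points that bracket them --------------
Get-ChildItem "$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA", "$env:APPDATA" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$suspect*" } | Select-Object FullName, CreationTime, LastWriteTime
Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
    Select-Object SequenceNumber, Description, @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
```

The useful output is the second table: on a home laptop the list of non-Microsoft autostart entries is short, so an unfamiliar command line, a task whose action is a script in a user-writable folder, or a WMI consumer at all is worth chasing before the uninstall-and-reboot test. If the machine is going to be wiped anyway, save this output first; it is the only record of how the tool was being kept alive.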



## Steevo (Jan 13, 2017)

First I would start off with the obvious things as previously mentioned. 

Next thing I would do is enable connection-by-IP logging after buying and installing a decent hardware firewall; this will tell you things that software will not and cannot. For example, if a program is running behind the scenes (like a rootkit) its network traffic may not appear in any Windows logs. Hardware between the internet and your devices will enable you to see what IP/machine is connecting and sending packets to what IP/machine on the internet, what protocol is being used, give you the ability to refuse traffic, and also prevent future attacks.

Hardware firewalls only work as intended if you actively monitor outgoing requests as well, so if the machine is already compromised, turn off all other machines on the network and isolate it, or put it on its own network for ease of monitoring.


----------
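Until there is a logging device in front of the PC, the same question ("which machine is sending packets to which address, over what protocol, and which program is doing it") can at least be asked on the host itself. The block below is an added example, not code from the post above or any other poster; it assumes a plain home PC where only Windows' own binaries are expected to talk out unattended, and it carries the caveat from the post: a rootkit can hide from this host-side view, so the router or firewall log remains the authority. Run it elevated:

```powershell
# Added example, not from any poster in this thread: attribute every live TCP/UDP endpoint on a
# Windows 10 host to its owning process, flag the ones that need explaining, reverse-resolve the
# flagged remotes, and save a timestamped snapshot so a later run (after a reboot or an
# uninstall) can be compared against it.

# Process table keyed by PID, with image path and start time (start time helps date an infection).
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

function New-EndpointRecord {
    param($Proto, $LocalAddress, $LocalPort, $RemoteAddress, $RemotePort, $State, $OwningPid)
    $p = $procs[[int]$OwningPid]
    [pscustomobject]@{
        Proto    = $Proto
        Local    = '{0}:{1}' -f $LocalAddress, $LocalPort
        RemoteIp = $RemoteAddress
        Remote   = if ($RemoteAddress) { '{0}:{1}' -f $RemoteAddress, $RemotePort } else { '-' }
        State    = "$State"
        PID      = $OwningPid
        Process  = if ($p) { $p.Name } else { '<no such process>' }   # no owner = hidden or already exited
        Path     = if ($p) { $p.ExecutablePath } else { $null }
        Started  = if ($p) { $p.CreationDate } else { $null }
    }
}

# Established/half-open TCP sessions: every remote address here must be explained by a process you know.
$tcp = Get-NetTCPConnection -State Established, SynSent, CloseWait -ErrorAction SilentlyContinue |
    ForEach-Object { New-EndpointRecord 'TCP' $_.LocalAddress $_.LocalPort $_.RemoteAddress $_.RemotePort $_.State $_.OwningProcess }
# Listeners: a remote-control tool waiting for its operator sits here.
$listen = Get-NetTCPConnection -State Listen |
    ForEach-Object { New-EndpointRecord 'TCP' $_.LocalAddress $_.LocalPort $null $null 'Listen' $_.OwningProcess }
# UDP has no state; remote-desktop tools and DNS-based beacons often live here.
$udp = Get-NetUDPEndpoint |
    ForEach-Object { New-EndpointRecord 'UDP' $_.LocalAddress $_.LocalPort $null $null 'UDP' $_.OwningProcess }
$all = @($tcp) + @($listen) + @($udp)

# Triage rule (assumption: only binaries under the Windows directory should talk out unattended):
# flag sessions to non-local addresses owned by anything else, plus any endpoint with no owner.
# Limitation: malware injected into a Windows process (svchost, explorer) passes this rule; cross-check
# the same remote addresses against the router/firewall log.
$localNet = '^(127\.|::1$|fe80:|169\.254\.|0\.0\.0\.0$|::$)'   # loopback / link-local / unspecified
$flagged = $all | Where-Object {
    ($_.Process -eq '<no such process>') -or
    ($_.Remote -ne '-' -and $_.RemoteIp -notmatch $localNet -and ($_.Path -notlike "$env:SystemRoot\*"))
}

# Reverse DNS only for the flagged remotes. "Find the IP and you find your hacker" starts here, but
# confirm the address in the router log and a whois lookup before drawing any conclusion.
foreach ($r in ($flagged | Where-Object { $_.Remote -ne '-' })) {
    try   { $r | Add-Member -NotePropertyName RemoteHost -NotePropertyValue ([Net.Dns]::GetHostEntry($r.RemoteIp).HostName) -Force }
    catch { $r | Add-Member -NotePropertyName RemoteHost -NotePropertyValue '(no PTR record)' -Force }
}

"`n== Flagged endpoints =="
$flagged | Sort-Object Process | Format-Table Proto, Local, Remote, RemoteHost, State, PID, Process, Path, Started -AutoSize

# Snapshot for later comparison: run again after a reboot and diff the two CSVs.
$snap = Join-Path $env:USERPROFILE ('netsnap-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
$all | Export-Csv -Path $snap -NoTypeInformation
"Saved $($all.Count) endpoints to $snap"
# Diff against an earlier snapshot (file name is a placeholder):
# Compare-Object (Import-Csv "$env:USERPROFILE\netsnap-OLD.csv") (Import-Csv $snap) -Property Proto, Local, Remote, Process
```

An endpoint whose owner is "<no such process>" while the connection is still established is the one result that should not be explained away: a process that a user-mode listing cannot see but that holds a socket is exactly the behaviour the post above describes, and at that point the host can no longer be trusted to report on itself.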



## FordGT90Concept (Jan 13, 2017)

Seriously, I'd just erase all the machines that may have been compromised (after getting important stuff off first, of course).  Starting from scratch with a strong security policy (e.g. all admin accounts are passworded) is the only way to create a good foundation to work off of.  Whenever a computer is compromised, only one hole has to be missed for it to be compromised again.


----------



## Kursah (Jan 13, 2017)

You should setup an IDS on your network if you continue to have concerns about potential issues. Definitely consider upgrading to MBAM Premium if you haven't yet already...worth every single penny. You might also consider running standard user accounts and have a locked down admin account you use to enter credentials for when you need to install or modify something. That will help quite a bit. I would disable the default admin account and create a new dedicated one that you know but don't keep easily accessible credential-wise.

It won't be easy and you'll have to have a decent comprehension of networking and of managing your network. But it might help you in learning network security and how to use an IDS as well. The below link would be A LOT of work, but would be very helpful in identifying what or who is on your network that shouldn't be. There are all sorts of other solutions, but for a free option with a free guide, this is a pretty good choice IMHO.

https://techanarchy.net/2015/01/home-ids-with-snort-and-snorby/

You could also wipe your G/F's PC, run Ubuntu, Mint or Fedora... and learn how to use IPTables...excellent firewall! Can get very complex. It's what PFSense, OPNSense and other routers use as well.

If you can budget it, building a better router with better capabilities could help, especially running extra things like IDS/IPS, proxy filtering & caching, network AVAM, notifications, etc.

http://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/

http://arstechnica.com/gadgets/2016...build-faces-better-tests-tougher-competition/

http://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/

I know you said you don't have the budget right now, but you should at least educate yourself on why it is a good option. It might prove to be something worth saving for.

My all-new-parts, custom PFSense build came to about $250 last March. I used an mITX board with a quad-core Celeron SoC, 8GB RAM, 128GB SSD; thing is a beast and competes with the $500+ Netgates, SonicWalls, Fortinets, etc. Probably overkill in some ways...but the fact I can run all the protective measures I want and lose no perceivable performance is a huge plus for me. That's what my network is worth to me.


----------
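The account advice in the post above (a standard account for daily use, a separate locked-down admin account for installs, the default Administrator disabled) is the one change here that needs no new hardware. The following is an added example, not code from the post or from any tool it links to; the account names are assumptions, and it is meant to be run once, elevated, on each Windows 10 machine:

```powershell
# Added example, not from any poster in this thread: convert "everyone runs as admin" into a
# standard daily account plus a dedicated admin account, disable the built-in Administrator and
# Guest accounts, and make UAC ask for the admin credentials instead of a click-through. Run elevated.

$daily = 'hat'        # assumption: the account used every day on this machine
$admin = 'hat-admin'  # assumption: new account used only when something must be installed or changed

# 1. Who is an administrator right now? Any name here you did not create yourself is a finding.
"== Administrators before =="
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource

# 2. Create the dedicated admin account with a prompted password (never put a password in a script).
if (-not (Get-LocalUser -Name $admin -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $admin"
    New-LocalUser -Name $admin -Password $pw -AccountNeverExpires -Description 'Elevation only' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $admin
}

# 3. Demote the daily account to a standard user, but only after step 2 is confirmed; otherwise
#    the machine ends up with no working administrator. The current elevated session keeps its
#    token; the change applies from the next logon.
if (Get-LocalGroupMember -Group 'Administrators' -Member $admin -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $daily -ErrorAction SilentlyContinue
    Add-LocalGroupMember  -Group 'Users'          -Member $daily -ErrorAction SilentlyContinue
}

# 4. Disable the built-in Administrator (RID 500) and Guest (RID 501); their names are the first
#    thing every password-guessing tool tries, and they are found by SID even if renamed.
Get-LocalUser |
    Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' -or $_.SID.Value -like 'S-1-5-21-*-501' } |
    Disable-LocalUser

# 5. UAC policy: keep UAC on, prompt admins for credentials on the secure desktop (1) rather than
#    the default consent-only prompt (5), and prompt standard users for admin credentials (3).
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty $uac -Name EnableLUA                  -Value 1 -Type DWord
Set-ItemProperty $uac -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
Set-ItemProperty $uac -Name ConsentPromptBehaviorUser  -Value 3 -Type DWord

# 6. Verify: every administrator should now be an account you deliberately created and can name.
"== Administrators after =="
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
"== All local accounts =="
Get-LocalUser | Select-Object Name, Enabled, LastLogon
```

The practical effect for the situation in this thread: a remote-control tool that a standard user installs or that a script drops into that user's profile cannot register a system service or a machine-wide Run key, and the credential prompt that appears when it tries is itself the alarm. The EnableLUA change takes effect after a reboot.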



## eidairaman1 (Jan 13, 2017)

silkstone said:


> So a question.
> 
> Being behind a routers firewall with a strong router password is not enough?
> I know WiFi is another point of entry, but with WPA2-Personal and another strong PW, it's pretty difficult to get in.



I don't allow my SSID to be transmitted. I have to tell someone what it is.


----------



## eidairaman1 (Jan 13, 2017)

FordGT90Concept said:


> Seriously, I'd just erase all the machines that may have been compromised (after getting important stuff off first, of course).  Starting from scratch with a strong security policy (e.g. all admin accounts are passworded) is the only way to create a good foundation to work off of.  Whenever a computer is compromised, only one hole has to be missed for it to be compromised again.



I'd disconnect the ethernet cords and the phone cord/cable, and cycle power on the modem for a fresh IP.


----------



## Kursah (Jan 13, 2017)

eidairaman1 said:


> I don't allow my SSID to be transmitted. I have to tell someone what it is.



Even when SSIDs aren't set to broadcast, they still send a transmission out at intervals and can be seen by those that are looking.

Want proof? Download *Acrylic Wifi Free* which is a wireless detection and monitoring program for Windows. You'll see whatever your wireless adapter does over the air.

There are also *other programs and options* that can do the same thing relatively easily. SSID hiding is a great supplement to other security measures though! Don't get me wrong, I support it, but it is surely no solution on its own.

Also, double-posting are we?


----------



## Frick (Jan 13, 2017)

human_error said:


> Considering Teamviewer got badly hacked in June last year I wouldn't have that anywhere near my PCs (especially as the company initially denied any problems, then later admitted that something didn't seem right with how many accounts were compromised).



Off topic a bit, but I think that hack turned out to be a case of people reusing passwords.


----------



## silkstone (Jan 14, 2017)

eidairaman1 said:


> I don't allow my SSID to be transmitted. I have to tell someone what it is.



For anyone who wants to hack your network, not broadcasting your SSID will not hinder them in the slightest.
Most of the security blogs I have read say not to do this.

From my reading, again I'm no expert, the best way to secure a home network seems to be to set up an unbridged guest wifi for visitors.
Make sure that firmware is patched and use strong passwords and encryption.

@hat were you using WPA2-Personal with AES (No TKIP) for your wifi security? Anything else can be hacked from what I've learned.


----------



## revin (Jan 14, 2017)

Aquinus said:


> port scan or ping my IP


Steve Gibson has a nice *online tool* for that at GRC, ShieldsUp. This is just using COMODO through my ATT router.


Steevo said:


> what IP/machine is connecting and sending packets to what IP/Machine on the internet


For real-time monitoring, maybe Process Lasso or even Comodo Kill Switch would be good to watch and track what's happening also?



Kursah said:


> consider running standard user accounts and have a locked down admin account you use to enter credentials for when you need to install or modify something. That will help quite a bit.


This is what I have heard the most by far is a really good defense against the hackers, and make sure in Explorer's view properties the checkboxes "Keep system files and folders hidden" and "Hide protected operating system files" are ticked.


----------



## Ahhzz (Jan 14, 2017)

revin said:


> Steve Gibson has a nice *online tool *for that at GRC, ShieldsUp. This is just using COMODO thru my ATT router
> 
> 
> 
> ...


This, this, a thousand times this. GRC has been running this site forever, excellent tool, and excellent software.


----------



## hat (Jan 22, 2017)

Yeah, I know about ShieldsUp! Nothing was open, everything reported Stealth. I've been busy doing this and that... changed my wifi password, checked all the computers (except the suspect laptop of course... I can never get a chance to get to it).

I flashed Merlin to my router, but I went back to stock firmware because I like manually assigning DHCP addresses and Merlin won't do that. There's an option for it, but as soon as I hit apply, the circling "Applying Settings" just stays forever. If I refresh the page, log back in to the router settings... the settings don't stick. I'm still not sure what security advanced firmware might offer me though...


----------



## Solaris17 (Jan 22, 2017)

It looks already pretty covered but what you need is more secure practices not more secure hardware.


----------



## silkstone (Jan 22, 2017)

Solaris17 said:


> It looks already pretty covered but what you need is more secure practices not more secure hardware.





hat said:


> Yeah, I know about ShieldsUp! Nothing was open, everything reported Stealth. I've been busy doing this and that... changed my wifi password, checked all the computers (except the suspect laptop of course... I can never get a chance to get to it).
> 
> I flashed Merlin to my router, but I went back to stock firmware because I like manually assigning DHCP addresses and Merlin won't do that. There's an option for it, but as soon as I hit apply, the circling "Applying Settings" just stays forever. If I refresh the page, log back in to the router settings... the settings don't stick. I'm still not sure what security advanced firmware might offer me though...



I'd say that getting to the laptop is a priority. It is highly unlikely that you were hacked via WiFi, assuming you were using WPA2.
It's just as unlikely that you were hacked over WAN, with no ports showing and the built-in firewall and (I'm guessing) non-default router password.

One more thing to do is to disable UPnP; it's been a known exploitable feature in the past and, though it should have been patched, you won't generally need it. Also make sure that you keep your router's firmware up to date.

The security that open source firmware grants is that exploits are patched pretty quickly and generally, it just doesn't have many when compared to stock.
DD-WRT has a huge user base and anything exploitable is usually caught and patched quickly. You also get other security features, like only allowing certain MAC addresses to connect over wifi as well as the ability to set up a guest (unbridged) wifi connection for visitors. You might like to try a slightly older Merlin build to see if the problem persists in that and report the issue as a bug on the forums.

If I had to guess what happened, and assuming the laptop comes back clean, you might have given a friend/visitor your home wifi password who then went on to share it with the person that hacked you.
It is a very good idea to set up a separate signal for guests.


----------



## hat (Jan 22, 2017)

UPnP is always disabled, as are guest networks. Nobody would have had our password either... but I changed it anyway, just 'cause. Non-default router password as well... changed that also.

I did go back a few versions with Merlin... the problem persisted. :/


----------



## silkstone (Jan 22, 2017)

Then I highly suspect that there is something on the Laptop. Possibly a R.A.T. or even just a key-logger.

It would take a lot of skill, and knowledge of 0-day exploits, to hack a home network with non-default admin password and WPA2 wifi protection.

One other thing that is recommended is to choose a subnet other than 0 or 1. For example, choose something like 192.168.x.13 for your router. Some malware works on the principle that your router's address is 192.168.0/1.1.
I doubt that was the problem in your case, but as you are re-securing your network anyway, there's no reason not to.

Guest networks are actually set up for security. They aren't bridged with your LAN, so giving out the password to it wouldn't compromise security. If you never have any need for visitors to use your wi-fi connection, then I guess there is no reason to set one up.
If you ever think you will though, you should.

Also what you said here:

"I'm thinking it has to be some sort of exploit or sneaky virus... the kind that might be hidden in something else (like an image). Apparently there's spooky things going on with that laptop that sounds like remote control to me. I have an RTN66R. I'm sure it's capable of nifty things with a custom firmware... but most of that stuff is over my head, at least at this time."

Tells me that you need to take a look at your fiancee's laptop ASAP. All the work you are doing now to secure your network will be for nowt, if they have got a remote access tool on your other half's computer.


----------

