Hello there TekSyndicate.
I don't really know where the best place to post this, so I chose here. I do apologize in advance if this was not the proper section. Mind you, I'm not some network professional or anything. I just tinker with computers.
TL;DR read the whole thing.
Last Wednesday (05-27), I found that one of my spare computers was running exceptionally hot. I had been very sick for nearly a week before then, so I was not able to tend to all of my computers. After getting a screen, mouse, and keyboard connected, I found something very, very odd. I shit you not, but FTL was sitting there on its "Game Over" screen. At first, I thought that I may have left it like that before I fell ill, but that was not the case. Within moments, I found that TeamViewer was installed and running (I did not have it installed), WinRAR was installed (I hate WinRAR), and Firefox was open. At that moment, I knew that I had an issue. I pulled the machine from the network and started to see what damage was done. After looking through Event Viewer, I found that at least 20 IP addresses were attempting to connect to TightVNC over a span of about 5 days non-stop. I had a reasonably strong password for TightVNC, so I could only assume that it was cracked through brute force, and maybe an exploit of sorts. I am not that knowledgeable on that aspect.
After they got in, they installed TeamViewer, WinRAR, and many other things including a scrypt miner (cryptocurrency), an infected version of RealVNC (uhh, what..?), a CS:GO server (uhh, what...???), a few other malicious DLLs in the Downloads folder, time to play FTL (I find that the most funny), and for the icing on the cake, (according to browser history) a few PayPal transactions were conducted on my computer. Just the transactions right there really scare me the most, because I wouldn't want to end up being framed for some kind of illegal activity.
Is there any advice that anyone can give me? I have not turned on the machine since finding out by the way.
Thanks for your time.
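A defender-side check for the pattern described in the opening post (repeated VNC login attempts from a handful of IPs over several days), as an added example that is not from the original thread. The log format used here is constructed for illustration and is not TightVNC's real log format; adapt the regex to whatever you export from Event Viewer or the VNC server log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple "date time source_ip result" form.
# This is NOT TightVNC's real log format, just a stand-in for whatever
# you export from Event Viewer or the VNC server log.
SAMPLE_LOG = """\
2015-05-22 03:14:07 203.0.113.17 auth-failed
2015-05-22 03:14:09 203.0.113.17 auth-failed
2015-05-23 11:20:00 192.0.2.44 auth-failed
2015-05-23 11:20:03 192.0.2.44 auth-failed
2015-05-23 11:20:05 192.0.2.44 auth-failed
2015-05-23 11:20:08 192.0.2.44 auth-failed
2015-05-23 11:20:10 192.0.2.44 auth-failed
2015-05-23 11:21:30 192.0.2.44 auth-ok
2015-05-24 08:00:00 192.168.1.20 auth-ok
not a log line
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (auth-failed|auth-ok)$")

def parse(log_text):
    """Yield (timestamp, ip, result), skipping lines that don't match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (max failures inside one window, success after them?)}
    for every source whose failure burst reaches `threshold`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, ip, result in parse(log_text):
        (failures if result == "auth-failed" else successes)[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        worst, start = 0, 0
        for end, ts in enumerate(times):          # sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            # a successful login after the burst means the password likely fell
            hit = any(s > times[-1] for s in successes[ip])
            flagged[ip] = (worst, hit)
    return flagged
```

Run it over the full export rather than the sample: a source that is flagged with `hit == True` is the one whose session history (installed software, browser activity, transactions) you should examine first.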
It's best not to have things like VNC open to the internet; a better way of doing it is to use a VPN to connect to computers on your network. Using OpenVPN you can configure it to require both a password and a certificate, which means that only devices with your certificate installed will be able to connect even if someone cracks your password.
As for what to do with your infected computer, the safest thing to do is to wipe it, but if you don't want to do that you could remove everything which was added, run a virus scanner, and change all your passwords. You should probably change your passwords for any online accounts which that computer may have stored information on as well.
You could also call the police, at least so that if there is any illegal activity traced back to your IP then you won't have to worry about the police showing up at your door.
VNC has (or did have) more holes than Swiss cheese. Anyone with BackTrack or Kali has all the tools at hand for a verification bypass ~ Metasploit framework. Having stuff like that open to anyone is kinda asking for trouble. Sucks to be you, and I would be very wary of any machines on your network now.
One can do a lot in 5 hrs, but 5 days.... the buggers could have been doing all kinds of things that you don't want to be traced to.
Fingers crossed it was just some noob script kiddies that didn't have a tunneled connection and left their normal IPs everywhere...
Advice above is good - tell the cops just in case. Last thing you want is being tracked back to some kind of illicit ring that was doing naughty things, having your door kicked in and your tail thrown in a cell.
Also (on a clean machine outside of your network): change passwords for everything and tell anyone else who was connected on your network to do the same.
Understood.
As far as I could tell, all the IPs that did connect to my machine through VNC were addresses that seemed to be recurring throughout the week, which does say at least they were not using Tor. All of the IPs were those of non-residential ISPs, which does say that they used a proxy of sorts.
The computer that was compromised was not used for any personal information, and only acted as a crude file backup computer with a few games.
Phew, that's a relief.... (the PC's use, that is)
Indeed. Nothing personal was touched either. No files were deleted, and even my XAMPP server was not tampered with.