Return to Level1Techs.com

So, can... anyone help me?

#1

This is a bit of an odd topic, I imagine. But, here it goes.

Starting maybe a month and a half ago, my rig had been compromised. It first started while playing Destiny 2; I was playing with a friend and all of a sudden, my computer started typing nonsense in-game, kept opening the menus, etc. Quite odd. I killed everything, shut my rig down and manually killed power for a day or two. Didn’t wipe, didn’t explore further. Just kinda… wrote it off as, someone in the area I was in got into my stuff somehow.

It’s now happened at least three more times since then. Most recently, this evening. I managed to get a potato video of it with my phone, but you can tell it’s not me typing given I use a mechanical keyboard and there’s no clacking as the letters appear in WordPad.

Video to follow.

So, what I’m looking to know is… how do I figure out how he’s getting in? This evening, all I was doing was listening to music and figuring out some crypto stuff on Kraken. I didn’t have any random websites open, nothing malicious (by my own doing). When my windows started freaking out, and what I was doing was interrupted, I quick closed all of my Chrome windows and switched to Wordpad to try to catch what he was trying to type.

If anyone can provide any sort of help, I’d be highly appreciative. I’m nowhere close to the level of knowledge I believe most of you to be, so if you can walk me through what you’d need to know, that would be awesome.

Thanks,

-Chris

0 Likes

#2

Lol sounds like someone snuck in a wireless keyboard dongle in the back of your tower, assuming you don’t live alone.

5 Likes

#3

either a wireless dongle or a remote view/ take over using windows built in remote desktop. solutions include checking back of pc for new wires dongles/ sweep of the house for keyboards of the same manufacturer that you use. disabling remote desktop( should be done with every new install first thing) in windows and blocking off windows sharing. final option if all else fails boot into dd wipe disks write with 0’s and reinstall windows.

6 Likes

#4

I agree with above. It looks like a friend playing a prank or if your on wireless another wireless keyboard close to you.

Also if its happening try unplugging the network or disabling it in window network settings to see if its local or network.

4 Likes

#5

Guys, this is a buddy of mine. He made it stop, by disconnecting ethernet. I told him to call the police, surely it’s criminal to compromise and control a remote system, without permission, and this person is ballsy about it. This isn’t a prank, his family isn’t very tech savvy.

0 Likes

#6

While yes, this would potentially be illegal (unauthorised access), the police may not have enough resources to do anything except record the event.

It does look like someone he knows playing a prank. At some point someone has been given access to this computer, either by you @sumidor063 or someone else. probably allowing them to install some remote desktop software or similar.

To be honest, my policy is always the same, while this is probably just some remote access software you might be able to uninstall, a compromised computer needs to be erased and rebuilt. That’s what I always suggest. And be more careful about what you install and who you let on it.

8 Likes

#7

Definitely not someone within the house playing a joke on me. As DMattox mentioned, nobody in my house is capable of doing such without my knowledge. I have my stuff locked down too well, locally anyway, for that.

I’ve meant to wipe and rebuild since the first time but I’ve been lazy about it. I suppose that is the best course of action for me, but I figured I’d see if you guys had any ideas first. I’ll make sure to disable remote desktop and sharing now, and when I format. I honestly haven’t a clue what I might have done to allow such a thing into my system, and I certainly don’t understand the randomness of when it strikes.

0 Likes

#8

It doesnt need to be family. It’s not like ts a piece of Russian malware you downloaded otherwise you’d never know as your computer would be turned into a zombie. The reason people are saying someone you know (by which could be anyone you interact with online), is that they are playing a prank on you, obviously. So its more likely to be someone you know who you gave your computer access to (knowingly or unknowingly).

While you could identify whats running to allow them on, there’s no point keeping a compromised computer around once you’ve “cleaned” it up. So reinstall is as i mentioned usually the only option. Its unlikely they’ve compromised the hardware.

3 Likes

#9

If someone is using RDP, you’ll be able to see them logged in under Users in Task Manager.

Use Procmon and Autoruns to diagnose futher. It would take a great deal of time for me to train or teach you those tools, and on Jebus day I don’t have that time.

If you can put in the research and reading, I’d find out what’s going on. Otherwise restore your router and PC to factory settings.

Also, trust aside, check for extra connections. My family are inbred retards, yet they play with each other’s cable boxes all the time.

0 Likes

#10

Or, after all of the above has or has not been verified, you have (potentially) a Keylogger and more than likely additional R[emote]A[ccess]T[rojan] related software installed without your intentional foreknowledge that needs removed. This is the only logical remaining option left if you are absolutely positive that none have had or would have access to your equipment in order to play such a “prank.” Furthermore, the only general means by which your equipment could be compromised in such manner as described by you with the given details is some sort of Keylogger that is usually accompanied by a RAT in some form or another.

2 Likes

#11

in addition to all the above advice I would change the password for your router and WIFI.

5 Likes

#12

Followed by making sure said passwords of both are not default passwords and the security standard is WPA2/PSK enabled.
Standard SecOps with no Pin Enabled features either alongside of having MAC Filtering active as well. Somewhat of a pain in the arse, but it performs as expected nonetheless. Last, make sure you have your built-in firewall set to at least medium.
Other than the above standard SecOps setup, more advanced techniques can be applied with a bit of research.

2 Likes

#13

I knew I forgot to mention WPA2/PSK, SecOps procedures and Mac Filtering active. Thanks @Linuxephus for catching the ball I droped.

1 Like

#14

LOL-ing.
One cannot possibly drop a ball when no ball was present to be dropped. Nonetheless, a minor update to your initial information is all that was required to flesh it out a bit more.

0 Likes

#15

I would also if you can somehow get Wireshark running on your modem, router WIFI device, keep a complete record of all your network traffic, but since you are probably using the equipment provided by your ISP you probably don’t.

1 Like

#16

I can tell you how to stop this.

Use linux.

Edit:

Looking at how you describe this, seems like you have a rat in your machine somewhere. Probably drive by plant. Someone could have gotten your IP from destiny and threw a rat at your router to see where it would land or sifted it in game updates. Nothing new, really. I used to play HALO CE online all the time and one time I got a russian hacker who was trying to use every machine he could to mine bitcoin when it had just come out. Thing is I had a Pentium M laptop with an ATI 9600PRO so he wasn’t going to mine shit anyways. Even so, I had no fucking clue what the hell was going on.

The rat he planted in my system later turned into whitesmoke which is impossible to get rid of. But what he would do is when I connected online his rat would connect and the miner would start. But, because my machine was what it was, and I think I only had like 512mb of ram, everything but the rat froze. System and everything. But he hadn’t configured the rat properly and he left communications turned on and I could hear him typing, talking to people… I had been toying with linux at that point for a while so I decided that was the last straw and blew everything away.

@sumidor063 take your box offline for a while and get an offline copy of malwarebytes. I would also recommend a firewall. If you have any issues with it you can PM me.

4 Likes

#17

Would be easier to simply install Wireshark upon the operating system itself for network monitor logging purposes versus the monumental task of having to install a single program on the/a modem/router truth be told.

0 Likes

#18

Sure, but how many people actually know how to read wireshark? Especially the normal public. And even once you have the IP, what do you do? 100 bucks at a booter to basically ban the guy from the internet for a month?

Actually that’s not a bad idea right there but I’m not sure its worth 100 bucks.

0 Likes

#19

You are right, but if you want to see what is going on on your whole network you would have to install Wireshark on your combo device. This is why I wanted to replace my router/ WIFI/ L3 switch with Pfsense and a separate L3 switch, but Since my mother is the owner of the house. I have to get her permission before I throw out the device provided by our ISP. and start wiring the house for Ethernet and adding switches.

0 Likes

#20

Or, use that $100 to fire up ~30 VMs on Digital Ocean or Linode for a week and bomb the shit out of his IP. Even if he’s using a VPN that will cripple his availability.

I still stand by my original assessment. If the OP is not wanting to partake in threat hunting, just nuke and pave everything, router included.

2 Likes