I was hoping someone might be able to help me understand this situation. Fair warning: I am not skilled in these things whatsoever. I can get around computers well enough on my own and have some pretty basic knowledge, but this is all well over my head.
Earlier this evening, my sister was using her laptop when someone took control of the mouse. They opened up Notepad and some other files, then spoke (Middle Eastern accent) telling her to put her phone number in Notepad. Her boyfriend was there as well, and he put in some bogus number. The person was typing on the other end, and very quickly said that was not a functional number and disconnected. Apparently he then attempted to start copying a picture directory somewhere else, so she shut it off.
This is what I was told. I didn't see it, wasn't present, and have never used her laptop, nor do I know how it is configured beyond its being a Windows 7 machine.
I went and looked at the logs for the router (which was set to allow all users and is now being changed to an allowed-access list of MAC addresses). There was an IP of 192.168.1.17 given to a MAC address I didn't recognize. Looking it up only showed me Intel Corp., Malaysia, which didn't help much. Then there was a large number of admin login failures, several per second, for a while. Nothing after that for a bit until the router logged an event it says was a DoS ARP Attack. Something I am reading up on.
Blocked the MAC address until I have finished getting a list of all our devices and set up the allow list.
The network does have security enabled (WPA) with an alphanumeric password that I have changed. Not like it means much. There is a new firmware out for it (Netgear wireless, unfortunately), and I will be updating it shortly.
I have to admit, I don’t even know where to start trying to help her with this. The computer is shut off for tonight, and I unfortunately won’t get much more information until she is up tomorrow… but I wanted to ask if someone could at least tell me where to start. Should she be looking for a trojan or some kind of infection on her computer, or was it an attack on the network itself, and it was just the only computer available to exploit?
Sorry if this was not explained right or if it’s a stupid question, but please humor me. As I said, this is all well outside of my comfort zone.
Thanks much for any and all replies.
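One way to go through a router log the way the poster describes (an unfamiliar DHCP lease, a burst of admin login failures from one source, an ARP-attack event), as an added example that is not part of the original post. The log line format is constructed for illustration (loosely modelled on consumer-router logs, not guaranteed to match any Netgear firmware), the sample lines, MAC addresses and allow list are all made up, and the regexes are assumptions to adapt to the real log.

```python
"""Triage a home-router log after a suspected intrusion.

Added example; the log format, sample lines and allow list below are
constructed assumptions, not real router output.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real capture). The 192.168.1.17 lease goes to
# a MAC that is not on the household allow list, then that host hammers the
# admin login and later triggers an ARP-attack event.
SAMPLE_LOG = """\
[DHCP IP: 192.168.1.10] to MAC address AA:BB:CC:11:22:33, Tue, Mar 04 2014 21:02:11
[DHCP IP: 192.168.1.17] to MAC address DE:AD:BE:EF:00:17, Tue, Mar 04 2014 21:05:40
[admin login failure] from source 192.168.1.17, Tue, Mar 04 2014 21:06:01
[admin login failure] from source 192.168.1.17, Tue, Mar 04 2014 21:06:01
[admin login failure] from source 192.168.1.17, Tue, Mar 04 2014 21:06:01
[admin login failure] from source 192.168.1.17, Tue, Mar 04 2014 21:06:02
[admin login failure] from source 192.168.1.17, Tue, Mar 04 2014 21:06:02
[admin login] from source 192.168.1.10, Tue, Mar 04 2014 21:30:15
[DoS Attack: ARP Attack] from source 192.168.1.17, Tue, Mar 04 2014 21:41:09
"""

# Hypothetical allow list of the household's own devices.
KNOWN_MACS = {"AA:BB:CC:11:22:33"}

# "[event] body, Day, Mon DD YYYY HH:MM:SS" (assumed layout).
LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\](?P<body>.*?), "
    r"(?P<ts>\w{3}, \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})$"
)
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
SRC_RE = re.compile(r"from source:? (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_log(text):
    """Return a list of {event, body, ts} dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "event": m.group("event"),
            "body": m.group("body"),
            "ts": datetime.strptime(m.group("ts"), "%a, %b %d %Y %H:%M:%S"),
        })
    return events


def unknown_leases(events, known_macs):
    """(ip, mac) pairs for DHCP leases handed to a MAC not on the allow list."""
    known = {m.upper() for m in known_macs}
    found = []
    for e in events:
        if not e["event"].startswith("DHCP IP:"):
            continue
        ip = e["event"].split("DHCP IP:", 1)[1].strip()
        m = MAC_RE.search(e["body"])
        if m and m.group(0).upper() not in known:
            found.append((ip, m.group(0).upper()))
    return found


def login_failure_bursts(events, threshold=3, window_seconds=1):
    """Map source IP -> peak number of admin login failures inside any
    window of `window_seconds`, keeping only sources at or above `threshold`.
    A high peak from one source is what a password-guessing run looks like."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "admin login failure":
            src = SRC_RE.search(e["body"])
            if src:
                by_src[src.group("ip")].append(e["ts"])
    bursts = {}
    for ip, times in by_src.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def arp_attack_sources(events):
    """Source IPs of every event the router labelled as an ARP attack."""
    srcs = []
    for e in events:
        if "ARP" in e["event"].upper():
            m = SRC_RE.search(e["body"])
            srcs.append(m.group("ip") if m else None)
    return srcs


def triage(text, known_macs):
    """Run all three checks over one log and return the findings."""
    events = parse_log(text)
    return {
        "unknown_leases": unknown_leases(events, known_macs),
        "login_bursts": login_failure_bursts(events),
        "arp_sources": arp_attack_sources(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, KNOWN_MACS).items():
        print(f"{key}: {value}")
```

The useful correlation is the one the script makes explicit: the same address that got the unknown lease is the one behind the login-failure burst and the ARP event, which points at a device on the LAN rather than at something that only lives on the laptop. The allow list is only as good as the MAC inventory behind it, so every device you find on the network goes into `KNOWN_MACS` before the check means anything.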