Compromised computer, or network?

I was hoping someone might be able to help me understand this situation. Fair warning: I am not skilled in these things whatsoever. I can get around computers well enough on my own and have some pretty basic knowledge, but this is all well over my head.

Earlier this evening, my sister was using her laptop when someone took control of the mouse. They opened up Notepad and some other files, then spoke (Middle Eastern accent) telling her to put her phone number in Notepad. Her boyfriend was there as well, and he put in some bogus number. The person was typing on the other end, and very quickly said that is not a functional number and disconnected. Apparently he then attempted to start copying a picture directory somewhere else, so she shut it off.

This is what I was told. I didn’t see it, wasn’t present, and have never used her laptop or know how it is configured beyond being a Windows 7 machine.

I went and looked at the logs for the router (which was set to allow all users and is now being changed to an allowed access list of MAC addresses). There was an IP of 192.168.1.17 given to a MAC address I didn’t recognize. Looking it up only showed me Intel Corp., Malaysia, which didn’t help much. Then there was a large amount of admin login failures, several per second, for a while. Nothing after that for a bit until the router logged an event it says was a DoS ARP Attack. Something I am reading up on.
Blocked the MAC address until I have finished getting a list of all our devices and set up the allow list.
The network does have security enabled (WPA) with an alphanumeric password that I have changed. Not like it means much. There is a new firmware out for it (Netgear wireless, unfortunately), and I will be updating it shortly.

I have to admit, I don’t even know where to start trying to help her with this. The computer is shut off for tonight, and I unfortunately won’t get much more information until she is up tomorrow… but I wanted to ask if someone could at least tell me where to start. Should she be looking for a trojan or some kind of infection on her computer, or was it an attack on the network itself, and it was just the only computer available to exploit?

Sorry if this was not explained right or if it’s a stupid question, but please humor me. As I said, this is all well outside of my comfort zone.

Thanks much for any and all replies.

My apologies for a second post, but I missed the edit window. I meant to also say that the router logged a UPnP event from 192.168.1.100: add_nat_rule, which is not something I have seen before. I have since disabled UPnP. No idea if it’s related, just wanted to add all of the very limited information I have.
Again, thank you.

A third post in a row… sorry, again. :confused:
I wanted to say that the problem has now been resolved. I should have waited a couple more hours before posting (I genuinely tried for a very long time to find the information).
Lots of digging, but I think I have my answers now, and took appropriate steps.

I see that there is no way to delete the thread itself so I don’t waste any more time for anyone, so I will simply say that the issue has been handled, and it all seems to be worked out. :slight_smile:

Thanks, all.

Glad you sorted it. Could you share the details in case someone else finds this thread because of a similar issue?

Oh, sure. Well, it was nothing fantastic this time. I told her to run some simple things like Malwarebytes, Avast, Spybot Search and Destroy, and get rid of what she can first to narrow things down. Then create a HijackThis log and go over it and/or submit it to a forum if she can later, but wanted her to turn off her connection and see if anything freaked out. One program did, but not while I was there. It also (luckily) stood out in the process list. A quick search found it to be related to a popular remote desktop program.
Wondering how it could get installed on her computer, I finally got some of what had actually happened. She was embarrassed and didn’t want to share part, I guess.

Despite everything she says she knows, and everything I have told her (which is, again, only the basic level of knowledge… but enough to keep safe and problem solve some things), she fell for what amounts to little more than a Phishing scam.
She received an email that she had been given a gift card from someone she knew. Said it came from him, had his info on it, for some store she likes. I don’t know if it was good timing or if he was compromised or what, but it was a scenario that had been discussed before with this friend. She used to run an online show (no, not that kind), and he was a friend and a viewer.

I am sure most can guess, but the card was not real, nor was the “redeem” site in the link in the email (she knows not to click any link in any email, but to go to the site itself if she believes it… but she still did, which I can’t explain). There were lots of warnings, she did not see them.

The file downloaded was a .scr I think. She wasn’t very clear on that part. That’s how it got on her computer.

The repeated network admin login attempts were from her computer. The MAC address I didn’t recognize was her laptop, but it was because it was a newer network card she was using. I noticed my error very shortly after posting this, unfortunately; that’s why I followed up with her computer.

I still don’t know what the ARP or UPnP events were, I’ve never seen either of those entries before.

So all in all… just a foolish mistake and some confusion. Her laptop should be all right at this point, but I will keep watching and see what happens. She feels bad enough, hopefully she won’t make a similar mistake in the future.
Scammers sure are tricky. I feel bad for anyone who doesn’t even have my low level of awareness when it comes to these things. Seems like it would be so easy to snag people in those tricks. :confused:

My house phone (yeah, still got one) was called recently by someone claiming to have been “contacted” by my Windows 10 machine. He said I needed to get on there and he would guide me through how to fix it. Ends up with this same situation, I would guess.
As soon as I told him that I don’t HAVE a Windows 10 PC, he hung up on me. Yeah, the support call scam. Another fun one.

My grandparents once had a call from a woman pretending to BE my older sister, saying she was stuck without money and (sob story), and needed help fast. Luckily my grandparents were smart enough to ask for a number to call her back, then called her house first to make sure.

I just always wonder how many people really fall for it all. It’s such a shame.

Add NAT rule - presumably the guy was trying to change the router so that when he connected to the external IP inbound from Jihadabad, the packets would be forwarded to the PC. Double check any port forwards, application in, or whatever your router calls it. Delete as needed. Your router password should not be the same as your PC password, Wifi password, etc. It goes without saying - don’t have a file on the PC - “my passwords” he can get your bank from your browser favourites, have a separate password for serious money stuff.

It is possible to download the passwords file and decrypt it at home, so that’s why he wanted a reconnect rule.
Did he also turn on remote connections (right click computer, properties?)

Also note the attempt to login as admin - presumably, another safety measure, your typical operating userid should not be PC administrator (although that creates as many headaches as it solves)

.scr is a screen saver, but like many other legacy file types, it can include executable code. It just is a better place to hide.

192.168.x.x is “non-routable”. It is typically the network inside your house, behind the router. (“Sally - get out! Those calls are coming from inside your house!”)

I would suggest you continue to scan the PC regularly every week or so for a few months for malware, just in case something new or hidden got installed and was missed the first scan.
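A sketch of the router-log triage this thread worked through (the DHCP lease, the burst of admin login failures, the UPnP add_nat_rule event), added here as an example and not code from any poster. The log line layout, the device inventory and the function name `triage` are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The line layout is an assumption, not a real router's format.
SAMPLE_LOG = """\
2016-01-10 21:02:11 DHCP lease 192.168.1.17 to MAC 00:00:5E:00:53:17
2016-01-10 21:05:40 admin login failure from 192.168.1.17
2016-01-10 21:05:40 admin login failure from 192.168.1.17
2016-01-10 21:05:40 admin login failure from 192.168.1.17
2016-01-10 21:05:41 admin login failure from 192.168.1.17
2016-01-10 21:09:02 DoS attack: ARP Attack
2016-01-10 21:15:30 UPnP event add_nat_rule from 192.168.1.100
2016-01-10 22:40:00 admin login failure from 192.168.1.23
"""

# Hypothetical inventory of MAC addresses the household already knows about.
KNOWN_MACS = {"00:00:5e:00:53:01"}

LINE = re.compile(r"^(\S+ \S+) (.*)$")            # timestamp, then event text
LEASE = re.compile(r"DHCP lease (\S+) to MAC (\S+)")
FAIL = re.compile(r"admin login failure from (\S+)")
UPNP = re.compile(r"UPnP event add_nat_rule from (\S+)")

def triage(log_text, known_macs, burst=3):
    """Correlate leases, login-failure bursts and UPnP NAT requests by source."""
    leases, per_second, nat_sources = {}, Counter(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, event = m.groups()
        if (hit := LEASE.search(event)):
            leases[hit.group(1)] = hit.group(2).lower()
        elif (hit := FAIL.search(event)):
            per_second[(hit.group(1), stamp)] += 1   # failures per IP per second
        elif (hit := UPNP.search(event)):
            nat_sources.append(hit.group(1))
    peak = defaultdict(int)
    for (ip, _), count in per_second.items():
        peak[ip] = max(peak[ip], count)
    return {
        # Leases handed to MACs missing from the inventory: identify these first.
        "unknown_leases": {ip: mac for ip, mac in leases.items() if mac not in known_macs},
        # Several failures in one second means a program, not a person typing.
        "login_bursts": {ip: {"peak_per_second": n, "mac": leases.get(ip)}
                         for ip, n in peak.items() if n >= burst},
        # Internal hosts that asked the router to open a port forward.
        "nat_rule_sources": nat_sources,
    }
```

On the constructed sample, the login burst maps back to the MAC that received the lease, which is the correlation that pointed at a machine inside the network rather than an outside device.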

Thank you very much, appreciate the post.
I will absolutely be keeping an eye on everything I can for a while. And passwords were all different from one another, but are getting changed (from another device) regardless. At least for peace of mind.

I am aware of the addresses given out by the network, but I was a bit surprised to see one listed as 192.168.1.100. I honestly don’t know, but… aren’t the numbers typically assigned based on order of connection by devices to the router? I’ve certainly never seen any number so high, which made me wonder about its origins. Wasn’t aware of the command sent, either, though. Still not very sure about the event logged as an “ARP attack,” either. It’s the only one I have ever seen in the logs, and to be honest… what I have read sort of confuses me.

One single incident like this makes me realize how much I DON’T know. Feels like someone is right outside, picking the lock to your front door… but not only can you not see them, you don’t even know what the lock looks like or how to secure it, even if you could FIND the door.
Enough to make me want to go back to the basics and take some courses.

She is just lucky it was such a simple thing. Easy to detect and (hopefully) stop and remove. There are far, far more sophisticated attacks out there she might have encountered.

Numbers can be hardcoded. Some routers have the DHCP range (addresses handed out by router) starting at 50 or 100, reserving the lower range for hard-coded addresses (like the router itself at .1)

I hope after this you change all the passwords, since the perp could have downloaded the PC’s encrypted password database and hack away at his leisure.

Sorry for the delay in response.
Yes, I will definitely still change anything at all that has not been changed. Thanks, again, for your information, I appreciate it.

There has been no further evidence that anything else has gone on so far, thankfully, so I think she lucked out this time with a relatively harmless attack. Maybe now she will pay more attention to what she’s doing. :stuck_out_tongue:
Thank you, md2000.

Could be worse. We’ve had a number of customers hit by the “ransomware” virus. Also usually arrives as an email attachment. It starts encrypting JPG, DOC, XLS, PDF, etc - anything that might be valuable. It asks for $X in bitcoin to decrypt them. (I don’t know of anyone who has successfully paid). For the average home user, this probably means all your digital photos disappear unless you have backups.

Rule number one - get a 1TB USB drive - under $100 at Costco etc. - and make a copy of your data - documents, photos, emails, stuff downloaded from phone, iPhone backups, music, etc. - anything you want to keep. UNPLUG THE DRIVE. Store it in a separate place. Repeat every month or two. This will also help if your home is broken into and your computer is stolen.

(There’s a classic old ad from the 1980’s, where everyone is standing around the grave at a funeral, and one fellow in a business suit is asking the widow “I know this is a bad time, but did he ever mention anything about backups?”)