
Remote Accessed... Great, now what?

Ok, so I unlocked my computer last night and it was acting funny: jumps in FPS and the like. Tried to drag the browser from one screen to the other and it was stopping. Basically looked like when we would get RA'd at school. Went to open a command line to run ipconfig and whoever was on it ran a shutdown script. I rebooted it in safe mode and ran MSE and it found a Java exploit. Removed it, ran a reg scan and everything seems to be fine now.

So now I have some questions:

1. Was the (assumed) s-kid able to access my computer when it was locked, or did he only have access for the ~20 seconds it took for me to realize what was going on?
2. Is it safe to assume that I'm fine now and my stuff is secure (closed the exploit, got rid of trojan) or is it time to blow away my OS and/or change all of my passwords?

Any other advice is appreciated as well.
Thanks

Posts

  • StrifeRaZoR Registered User regular
    1. They were not able to access any of your files while your system was locked. He was basically sitting there waiting on you to unlock it so he could take over.
    2. Technically you are fine and should not need to nuke your OS. I would definitely change your passwords for online services from a different computer, just to be safe. As for your passwords for that particular system, you can change them just to cover your bases, but you should be fine.

    I'd definitely monitor activity on that system for a week or so, just to make sure you're okay.

  • Shadowfire, Vermont, in the middle of nowhere, Registered User regular
    I'd monitor your bank accounts and the like, as well, just in case. It sounds like you don't know how long he had access, so maybe call your bank and have them watch for suspicious activity.

  • Giggles_Funsworth, Blight on Discourse, Bay Area Sprawl, Registered User regular
    As a Computer Security Professional I would format everything.

    You have no idea how else your system has been compromised and even stuff sold in crimeware kits can have features that most (any?) AVs are not going to catch.

  • Aumni Registered User regular
    Giggles_Funsworth wrote: »
    As a Computer Security Professional I would format everything.

    You have no idea how else your system has been compromised and even stuff sold in crimeware kits can have features that most (any?) AVs are not going to catch.

    I think it's appropriate to listen to this guy - compromises can be incredibly complex and contain many components that can operate independently from one another. Format and change all credentials.

  • JaysonFour Classy Monster Kitteh Registered User regular
    I'd format and just change everything. You know he remote accessed you, you don't know what other little surprises and presents he left behind in case he wants to try to get back in. Better to nuke and know it's safe than find this little jerk in your computer again.

  • zagdrob Registered User regular
    Giggles_Funsworth wrote: »
    As a Computer Security Professional I would format everything.

    You have no idea how else your system has been compromised and even stuff sold in crimeware kits can have features that most (any?) AVs are not going to catch.

    Complete agreement.

    I'd add a recommendation to change your passwords. At minimum reset your system, banking, and e-mail passwords to something you haven't used before. Monitor your banking activity for a few months, make sure you grab your annual credit report and check it for unexpected stuff (you are doing that already, right?), the normal stuff.

  • WildEEP Registered User regular
    As another computer security professional, I recommend you back up individual files onto a flash drive and format the whole thing. In fact, I'd delete all the partitions and make a new one.

    As the saying goes, "take off and nuke the site from orbit, it's the only way to be sure".

  • redx, I(x)=2(x)+1 whole numbers, Registered User regular
    WildEEP wrote: »
    As another computer security professional, I recommend you back up individual files onto a flash drive and format the whole thing. In fact, I'd delete all the partitions and make a new one.

    As the saying goes, "take off and nuke the site from orbit, it's the only way to be sure".

    Would a fresh MBR be appropriate? It's going to be missed by most partition software (unless you manually tell it to recreate it), and there are a few rootkits that live in there. It takes a few seconds, but just deleting partitions won't hit it.

  • Bendery It Like Beckham Hopeless Registered User regular
    redx wrote: »
    WildEEP wrote: »
    As another computer security professional, I recommend you back up individual files onto a flash drive and format the whole thing. In fact, I'd delete all the partitions and make a new one.

    As the saying goes, "take off and nuke the site from orbit, it's the only way to be sure".

    Would a fresh MBR be appropriate? It's going to be missed by most partition software (unless you manually tell it to recreate it), and there are a few rootkits that live in there. It takes a few seconds, but just deleting partitions won't hit it.

    Your MBR should be located on the partition you boot from, so if you're doing a complete format you should be okay. The problem is the most popular reinfection is currently an awesome partition that takes over as its very own boot partition, and launches code from there. So you have to make sure you remove that first, otherwise it'll just load the infected MBR again anyway.

    When in rootkit doubt, run TDSSKiller.
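The point redx and Bendery are arguing over, shown concretely as an added example (this is not code from the thread or from any of the posters): on an MBR disk the boot code occupies bytes 0..445 of sector 0 and the four-entry partition table bytes 446..509, so a partition tool's "delete all partitions" clears only the table and leaves whatever boot code was sitting there. The Python below builds a constructed 512-byte MBR image (the loader bytes, partition sizes and the "hidden" active partition are all made up for illustration), parses the table, flags an active partition other than the one the OS lives in, and contrasts deleting the partitions with zeroing the whole sector. The dd commands in the comments are the real way to do the same thing from a Linux live USB.

```python
"""Parse a 512-byte MBR and compare 'delete partitions' with 'fresh MBR'."""
import struct

SECTOR = 512
BOOTCODE_LEN = 446            # bytes 0..445 hold the boot loader code
PTABLE_OFF = 446              # bytes 446..509 hold four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
ENTRY_LEN = struct.calcsize(ENTRY_FMT)   # 16
SIGNATURE = b"\x55\xaa"       # bytes 510..511


def build_mbr(bootcode, entries):
    """Assemble an MBR image; entries are (status, type, lba_start, sectors)."""
    if len(bootcode) > BOOTCODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or more than four primary partitions")
    buf = bytearray(SECTOR)
    buf[:len(bootcode)] = bootcode
    for slot, (status, ptype, start, count) in enumerate(entries):
        # CHS fields left zero: modern tools rely on the LBA fields.
        struct.pack_into(ENTRY_FMT, buf, PTABLE_OFF + slot * ENTRY_LEN,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    buf[510:] = SIGNATURE
    return bytes(buf)


def parse_mbr(img):
    """Return the non-empty partition entries of an MBR image."""
    if len(img) < SECTOR or img[510:512] != SIGNATURE:
        raise ValueError("no 0x55AA signature: not a usable MBR")
    parts = []
    for slot in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, img, PTABLE_OFF + slot * ENTRY_LEN)
        if ptype == 0:
            continue                       # empty slot
        parts.append({"slot": slot, "active": status == 0x80,
                      "type": ptype, "start": start, "sectors": count})
    return parts


def find_unexpected_active(parts, expected_slot=0):
    """Active (bootable) entries other than the slot the OS was installed into.

    Heuristic only: a vendor recovery partition can legitimately be active, so
    anything flagged here deserves a look, not an automatic verdict.
    """
    return [p for p in parts if p["active"] and p["slot"] != expected_slot]


def delete_partitions(img):
    """What 'delete all partitions' does: zero the table, keep the boot code."""
    buf = bytearray(img)
    buf[PTABLE_OFF:PTABLE_OFF + 4 * ENTRY_LEN] = bytes(4 * ENTRY_LEN)
    return bytes(buf)


def wipe_mbr(img):
    """A fresh MBR: zero the entire first sector, boot code included.

    From a Linux live USB the equivalent is:
        dd if=/dev/sdX of=mbr.bin bs=512 count=1   # save a copy to inspect first
        dd if=/dev/zero of=/dev/sdX bs=512 count=1 # then zero sector 0
    """
    return bytes(SECTOR) + bytes(img[SECTOR:])


def boot_code_intact(img, bootcode):
    """True if the original boot code bytes are still at the start of the image."""
    return img[:len(bootcode)] == bootcode


# Constructed sample, not a real infection: a fake loader stub followed by a
# marker, a normal NTFS system partition, and a small active partition parked
# after it that the loader could chain to (the kind of thing Bendery describes).
SAMPLE_BOOTCODE = b"\xeb\x3c\x90" + b"CONSTRUCTED-LOADER"
SAMPLE_MBR = build_mbr(SAMPLE_BOOTCODE, [
    (0x00, 0x07, 2048, 200_000_000),        # NTFS system partition, not marked active
    (0x80, 0x27, 200_002_048, 4096),        # small hidden-type partition, marked active
])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
    print("unexpected active:", find_unexpected_active(parse_mbr(SAMPLE_MBR)))
    print("boot code survives delete_partitions:",
          boot_code_intact(delete_partitions(SAMPLE_MBR), SAMPLE_BOOTCODE))
    print("boot code survives wipe_mbr:",
          boot_code_intact(wipe_mbr(SAMPLE_MBR), SAMPLE_BOOTCODE))
```

Running it shows that after delete_partitions the table parses as empty but the loader bytes are still in place, while wipe_mbr leaves a sector that no longer even carries the 0x55AA signature; the installer then writes a clean MBR on the next install. On a GPT/UEFI machine the same reasoning applies to the protective MBR and the EFI system partition rather than to the boot code alone.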
