contrix_ Posted November 20, 2017

Hello, something really weird happened to me yesterday. I created a RAT that I encrypted in a WinRAR file and wanted to troll some of my friends with. I sent the file in the chat of my Discord server (similar to TeamSpeak) and before that tested it on virustotal.com and a similar site. No one downloaded it (unfortunately ^^), but a few hours later (when none of the people that were on the Discord were online anymore), I saw a connection coming in. I used a cracked version of NanoCore that I got from some hacking forum (it was created by Alcatraz3222 and thousands of people downloaded it). The computer had an IP from the USA (doesn't have to be true; it shows that I'm from England even though I have a German IP) and had no antivirus installed. The name of it was something with a C at the beginning, and a y and an o (don't remember it exactly). I wanted to know who that was and opened the window to the screen. He had some old version of Windows installed which I didn't know (it's the one with the gray taskbar, pretty basic). There was a command prompt running, which had a Python logo and was named "clock". I don't remember what was in it, but it was testing for something the whole time and once said something about "found" and "terminated". The only other thing I saw was Wireshark on the desktop. A few seconds after that, he disappeared from my client list. I didn't use any protection like a VPN or a firewall at that moment. After that, I got really scared for some reason and turned off my computer. Does someone know how he got on my list and what he was doing? Maybe I'm getting ratted and he wanted to see what that file was, or a Discord server ran the file?

I really need your help ;) Cheers, contrix_

PS: Sorry for my bad English, I'm German and just 14 years old, as you probably already assumed by my writing ^^

PPS: While writing this text I overwrote my text two times, even though I don't think I touched the Insert button. I'm getting really paranoid xD
digip Posted November 20, 2017

#1 - Don't link to cracked/pirated software.
#2 - More than likely, you just got yourself hacked, from the sounds of it, if any of it is true.
contrix_ (Author) Posted November 20, 2017

Sorry, I didn't know that. I think the problem was that I opened the UDP and TCP ports without any security.
Dave-ee Jones Posted November 20, 2017

Theoretically he could've been running any Windows, but from the description it sounds like 98. Was Wireshark actually running, or did you just see the icon on the desktop? Either way, the worst-case scenario is he's a hacker that was trying to hack you. The 'best'-case scenario is he was curious and wanted to try out something. Not sure what 'found' and 'terminated' could relate to; it could be the connection, but I don't think it would say 'found' if a connection between you and him was seen. 'Terminated' was probably when (or just before) you were cut off, if that's the case. A command prompt running a Python script with the name 'clock' is a bit weird, though. Not sure there, could be anything. Not sure why he would name it clock...
i8igmac Posted November 21, 2017

What ports are used? When a target machine runs the trojan, does it connect back to your machine? If so, then you would have configured port forwarding? What port is this? You should monitor this port; it's possible random traffic hit your open port, but it's also possible your tool is a backdoor. HackForums is full of BS tools. I may have misunderstood what you saw. A VNC session? Maybe someone ran your trojan from a VM.
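One way to act on the "monitor this port" advice above. This is an added example written for this thread, not code from the original post and not part of NanoCore or any other RAT; the port in the `__main__` block is an assumed placeholder for whatever port was forwarded on the router. With the RAT client stopped (two programs cannot bind the same port), the script sits on that port and records every inbound TCP connection with a timestamp, the source address and the first bytes sent. A scanner or someone probing the forwarded port shows up as unrelated public addresses sending nothing or HTTP/TLS-looking bytes; a test VM on the LAN shows up as one private address you recognise.

```python
"""Log every connection attempt on the port you forwarded for the RAT.

Added example for this thread, not code from the original post or from
NanoCore. PORT in the __main__ block is an assumed placeholder.
"""
from __future__ import annotations

import ipaddress
import socket
import threading
import time
from collections import Counter
from dataclasses import dataclass


@dataclass
class Attempt:
    when: float         # time.time() at accept()
    peer_ip: str
    peer_port: int
    first_bytes: bytes  # up to 64 bytes the client sent; b"" if it sent nothing


class PortMonitor:
    """Accept connections on host:port in a background thread and record each one."""

    def __init__(self, host: str = "0.0.0.0", port: int = 0, read_timeout: float = 1.0):
        self.host, self.port, self.read_timeout = host, port, read_timeout
        self.attempts: list[Attempt] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = None
        self._thread = None

    def start(self) -> int:
        """Bind and start accepting; returns the bound port (port=0 picks a free one)."""
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((self.host, self.port))
        s.listen(16)
        s.settimeout(0.2)  # short accept timeout so the loop notices stop()
        self._sock = s
        self._thread = threading.Thread(target=self._loop, daemon=True)
        self._thread.start()
        return s.getsockname()[1]

    def _loop(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:  # listening socket was closed by stop()
                break
            with conn:
                conn.settimeout(self.read_timeout)
                try:
                    data = conn.recv(64)  # b"" if the peer closed without sending
                except (socket.timeout, OSError):
                    data = b""
            rec = Attempt(time.time(), ip, port, data)
            with self._lock:
                self.attempts.append(rec)
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(rec.when))
            print(f"{stamp} {ip}:{port} first_bytes={data!r}")

    def wait_for(self, count: int, timeout: float) -> bool:
        """Block until at least `count` attempts are recorded or `timeout` seconds pass."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.attempts) >= count:
                    return True
            time.sleep(0.05)
        return False

    def stop(self) -> list[Attempt]:
        """Stop accepting and return everything recorded so far."""
        self._stop.set()
        if self._sock is not None:
            self._sock.close()
        if self._thread is not None:
            self._thread.join(timeout=2.0)
        with self._lock:
            return list(self.attempts)


def summarize(attempts: list[Attempt]) -> list[tuple[str, int, bool]]:
    """Per source IP: (ip, number of attempts, is it a private/loopback address?), busiest first."""
    counts = Counter(a.peer_ip for a in attempts)
    return [(ip, n, ipaddress.ip_address(ip).is_private) for ip, n in counts.most_common()]


def probe(port: int, payload: bytes = b"", host: str = "127.0.0.1") -> None:
    """Self-check: open one connection to the monitor, optionally send payload, close."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        if payload:
            c.sendall(payload)


if __name__ == "__main__":
    PORT = 44444  # assumption: replace with the port you forwarded on the router
    mon = PortMonitor(port=PORT)
    print(f"listening on port {mon.start()}; Ctrl-C to stop")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        for ip, n, private in summarize(mon.stop()):
            print(f"{ip}: {n} attempt(s), {'private' if private else 'public'} address")
```

This only covers the TCP side; if a UDP port was forwarded as well, it is not watched here. The first 64 bytes are enough to tell a bare connect-and-drop (port scanner) from a client that actually speaks a protocol, which is the question in this thread: whether something specifically talked to the RAT listener or whether the open port was simply hit by background noise.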
contrix_ (Author) Posted November 21, 2017 (edited)

15 hours ago, Dave-ee Jones said:
"Theoretically he could've been running any Windows, but from the description it sounds like 98. Was Wireshark actually running, or did you just see the icon on the desktop? Either way, the worst-case scenario is he's a hacker that was trying to hack you. The 'best'-case scenario is he was curious and wanted to try out something. Not sure what 'found' and 'terminated' could relate to; it could be the connection, but I don't think it would say 'found' if a connection between you and him was seen. 'Terminated' was probably when (or just before) you were cut off, if that's the case. A command prompt running a Python script with the name 'clock' is a bit weird, though. Not sure there, could be anything. Not sure why he would name it clock..."

No, Wireshark was not running, or at least I didn't see it.

14 hours ago, i8igmac said:
"What ports are used? When a target machine runs the trojan, does it connect back to your machine? If so, then you would have configured port forwarding? What port is this? You should monitor this port; it's possible random traffic hit your open port, but it's also possible your tool is a backdoor. HackForums is full of BS tools. I may have misunderstood what you saw. A VNC session? Maybe someone ran your trojan from a VM."

I don't know the port anymore because I deleted it. It was probably a VM; I think the display measurements I saw in NanoCore were 800x800, and I used a VM that had these quarter windows once.

Update: Last night I left my computer on due to Ethereum mining and had one browser window open. When I got up and looked at my screen, the browser window was closed and I was on my Steam account page, where I can see my payment methods and all that stuff. I didn't have that much time because I had to go to school, but in the browser history were some new listings, and I only saw the first.

It was a Sellfy (or something similar) website where someone had a site called something like "crackpw" and sold something for 20 euros. I bet those were my passwords or a connection to my PC. I also had an email from Coinbase (you can buy bitcoins there) that someone logged in from MY IP, but the account was empty and without any payment methods anyway. After school, I changed most of my passwords, but I wasn't able to log into my second PayPal account because the password was changed and the telephone number was also changed, so they had access to my email, too. I can't send a ticket to PayPal about that because I used false names and streets (no, not a fake ID), but there were only a few dollars on it. I didn't notice anything else. I'm going to start my computer without Internet, save some important files that I know are 100% not infected on an external drive, and then reset my whole computer completely. Or can I track where the RAT is installed and delete it somehow? Thanks for your answers, I hope you will take your time again to answer me ;)

contrix_

Edited November 21, 2017 by contrix_
Dave-ee Jones Posted November 22, 2017

Ah, well, if it's taught you something, it's: don't play with fire, or you are going to get burnt.
0phoi5 Posted November 22, 2017

Sounds like you got hacked back. Whoops!

I would:
- Change all passwords for all accounts.
- Wipe your PC using Boot N' Nuke, and reinstall.
- Change your external IP address.
- Profit.
Dave-ee Jones Posted November 23, 2017

13 hours ago, haze1434 said:
"Sounds like you got hacked back. Whoops! I would: Change all passwords for all accounts. Wipe your PC using Boot N' Nuke, and reinstall. Change your external IP address. Profit."

I don't see how you can profit from that. He's 11 years old; I don't think he could change his external IP address just by going up to his parents and saying "Hey, Dad, I got hacked... can we change our external IP so they can't access my PC remotely? Cheers. Oh, and my bad."
Foxtrot Posted November 23, 2017

Restarting the modem still works for the majority of ISPs.
0phoi5 Posted November 23, 2017

3 hours ago, Foxtrot said:
"Restarting the modem still works for the majority of ISPs."

This. And 'profit' was a meme joke.
Dave-ee Jones Posted November 23, 2017

17 hours ago, Foxtrot said:
"Restarting the modem still works for the majority of ISPs."

That's assuming your connection is DHCP.

13 hours ago, haze1434 said:
"This. And 'profit' was a meme joke."

I know :P It's one of those silly memes that make no sense and don't have to have any context. Like every meme ever.
Broti Posted November 23, 2017

Free advice from one German to another: don't try to hack anything/anyone outside your own (virtual) local network, especially since you're 14 (age of criminal responsibility). You may check out our laws if you haven't done that already. No need to risk being busted for having fun.