Unknown Computer appeared on RAT?

[contrix_]

Hello,

something really weird happened to me yesterday. I created a RAT that I encrypted in a WinRar File and wanted to troll some of my friends with. I send the file in the chat of my discord server (similar to Teamspeak) and before that tested it on virustotal.com and a similar site. No one downloaded it (unfortunately ^^), but a few hours later (when none of the people that were on the discord were online) anymore, I saw a connection coming in. I used a cracked version of NanoCore that I got from some hacking forum (it was created by Alcatraz3222 and thousands of people downloaded it). The Computer had an IP from the USA (doesn't have to be true, it show that I'm from England even tho I have a German IP) and had no Antivirus installed. The name of it was something with a C at the beginning, and a y and an o (don't remember it exactly). I wanted to know who that was and opened the windows to the screen. He had some old version of Windows installed which I didn't know (its the one with the gray taskbar, pretty basic). There was a command prompt running, which had a python logo and was named "clock". I don't remember what was in it, but it was testing for something the whole time and once said something about "found" and "terminated". The only other thing I saw was Wireshark on the desktop. A few seconds after that, he disappeared from my client list. I didn't use any protection like VPN or a firewall at that moment.

After that, I got really scared for some reason and turned off my computer. Does someone know how he got on my list and what he was doing? Maybe I'm getting ratted and he wanted to see what that file was, or a discord server ran the file?

I really need your help ;) 

Cheers,

contrix_

 

PS: Sry for my bad English, I'm German and just 14 years old as you probably already assumed by my writing ^^

 

PPS: While writing this text I overwrote my text two times, even tho I don't think I touched the insert button. I'm getting really paranoid xD

[digip]

#1 - don't link to cracked/pirated software

#2 - More than likely, you just got yourself hacked from the sounds of it, if any of it is true.

[contrix_]

Sorry I didn't know that. I think the problem was that I opened the UDP and TCP Ports without any security.

[Dave-ee Jones]

Theoretically he could've been running any Windows, but from the description it sounds like 98. Was Wireshark actually running or did you just see the icon on the desktop? Either way, worst case scenario is he's a hacker that was trying to hack you. 'Best' case scenario is he was curious and wanted to try out something.

Not sure what 'found' and 'terminated' could relate to, could be the connection, but I don't think it would say 'found' if a connection between you and him was seen. Terminated was probably when (or just before) you were cut off if that's the case.

 A command prompt running a Python script with the name 'clock' is a bit weird, though. Not sure there, could be anything. Not sure why he would name it clock..

[i8igmac]

What ports are used, when a target machine runs the trojin, does it connect back to your machine? If so then you would have configured port forwarding? What port if this?

 

You should monitor this port, its possible random traffic hit your open port but also possible your tool is a backdoor. hackforum is full of bs tools.

 

I may have misunderstood what you see. A vnc session? Maybe some one ran your trojin from a vm.

 

[contrix_]

15 hours ago, Dave-ee Jones said:

Theoretically he could've been running any Windows, but from the description it sounds like 98. Was Wireshark actually running or did you just see the icon on the desktop? Either way, worst case scenario is he's a hacker that was trying to hack you. 'Best' case scenario is he was curious and wanted to try out something.

Not sure what 'found' and 'terminated' could relate to, could be the connection, but I don't think it would say 'found' if a connection between you and him was seen. Terminated was probably when (or just before) you were cut off if that's the case.

 A command prompt running a Python script with the name 'clock' is a bit weird, though. Not sure there, could be anything. Not sure why he would name it clock..

No, Wireshark was not running or at least I didn't see it.

 

14 hours ago, i8igmac said:

What ports are used, when a target machine runs the trojin, does it connect back to your machine? If so then you would have configured port forwarding? What port if this?

 

You should monitor this port, its possible random traffic hit your open port but also possible your tool is a backdoor. hackforum is full of bs tools.

 

I may have misunderstood what you see. A vnc session? Maybe some one ran your trojin from a vm.

 

6

I don't know the port anymore because I deleted it. It was probably a VM, I think the Display measures I saw in nanocore were 800x800 and I used a VM that had these quarter windows once

Update:

Last night I left my computer on due to Ethereum mining and had 1 browser window open. When I got up and looked at my screen, the browser window was closed and I was on my Steam Account Page where I can see my Payment Methods and all that stuff. I didn't have that much time because I had to go to school, but in the browser history were some new listings, and I only saw the first. It was a sellfy (or something similar) website where someone had a website that was someone like "crackpw" and sold something for 20 Euros. I bet those where my passwords or a connection to my pc. I also had an email from Coinbase (you can buy bitcoins there) that someone logged in from MY IP, but the Account was empty and without any payment methods anyways. After school, I changed the most of my passwords but I wasn't able to log into my second PayPal Account because the password was changed and the telephone number was also changed, so they had access to my email, too. I can't send a ticket to PayPal about that because I used false names and streets (no not a fake id) but there were only a few dollars on it.

 

I didn't notice anything else. I'm going to start my computer without Internet, save some important files that I know are 100% not infected on an external drive and gonna reset my whole computer completely.

Or can I track where the RAT is installed and delete somehow?

Thanks for your answers, I hope you will take your time again to answer me ;)

 

contrix_

Edited November 21, 2017 by contrix_

[Dave-ee Jones]

Ah, well, if it's taught you something it's don't play with fire, or you are going to get burnt.

[0phoi5]

Sounds like you got hacked back. Whoops!

I would;

1. Change all passwords for all accounts.
2. Wipe your PC using Boot N' Nuke, and reinstall.
3. Change your external IP address.
4. Profit.

 

[Dave-ee Jones]

13 hours ago, haze1434 said:

Sounds like you got hacked back. Whoops!

I would;

1. Change all passwords for all accounts.
2. Wipe your PC using Boot N' Nuke, and reinstall.
3. Change your external IP address.
4. Profit.

 

I don't see how you can profit from that.

He's 11 years old, I don't think he could change his external IP address just by going up to his parents and saying "Hey, dad, I got hacked..can we change our external IP so they can't access my PC remotely? Cheers. Oh, and my bad."

[Foxtrot]

Restarting the modem still works for the majority of ISPs.

[0phoi5]

3 hours ago, Foxtrot said:

Restarting the modem still works for the majority of ISPs.

This. And 'profit' was a meme joke.

[Dave-ee Jones]

17 hours ago, Foxtrot said:

Restarting the modem still works for the majority of ISPs.

That's assuming your connection is DHCP.

13 hours ago, haze1434 said:

This. And 'profit' was a meme joke.

I know :P

It's one of those silly memes that make no sense and don't have to have any context.

 

Like every meme ever.

[Broti]

Free advice from one German to another:

Don't try to hack anything/anyone outside your own (virtual) local network; especially since you're 14 (age of criminal responsibility). You may check out our laws, if you haven't done that already.

No need to risk being busted for having fun.