Need Help Figuring Out How Home PC Was Hacked...


Posted

While at the office this morning, I called my wife at home to check in... she immediately asks me if I am goofing around on the Home PC, to which I responded, "No." After convincing her that it was not me (as I do use VNC a bunch), she tells me that IE7 is up accessing www.paypal.com, and the PC is being remotely controlled.

I immediately jumped on VNC and logged in remotely to see what was going on. I found pspv.exe running, exposing a bunch of our Auto Complete passwords. In a panic, I quickly shut down the Home PC until I could get home to take a look. I then changed a bunch of our passwords at PayPal, eBay, etc.

I looked in the Windows Prefetch folder and found that the following interesting executables were run around that time:

1. pspv.exe

2. mailpv.exe

3. syslogger.exe

I read about pspv.exe and mailpv.exe on the Nirsoft website. I couldn't find any info on syslogger.exe.

My question is how could someone remotely access our PC to run these? Could it simply have been VNC? If so, how did they get our Public IP Address and learn the VNC password? Could it have been AIM (which was also running at the time)? What can I do to prevent this in the future?

Sorry for all the newbie questions! Thanks for any suggestions!
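The Prefetch triage the poster did by hand can be scripted. The following is an added example, not code from the thread or from any of the posters: it lists the executables recorded in the Prefetch folder, uses each .pf file's last-write time as an approximation of the last run time, and flags names on a watch list. The watch list is constructed from the three names in the thread plus a few well-known Nirsoft password-recovery utilities; the default path and the 24-hour window are assumptions.

```powershell
# Added example (not from the original post): triage the Windows Prefetch folder for
# recently executed programs and flag known password-recovery tools.
# Assumptions: run elevated on the affected machine; Prefetch is enabled (it was here,
# since the poster found .pf entries). The watch list is constructed from the names in
# the thread plus a few well-known Nirsoft recovery tools.

param(
    [string]$PrefetchPath = "$env:SystemRoot\Prefetch",
    [int]$HoursBack = 24
)

# Executable names whose presence in Prefetch deserves an immediate look.
# PSPV/MAILPV/SYSLOGGER are from the thread; the rest are common credential-recovery tools.
$WatchList = @('PSPV.EXE', 'MAILPV.EXE', 'SYSLOGGER.EXE',
               'WEBBROWSERPASSVIEW.EXE', 'MSPASS.EXE', 'IEPV.EXE')

$cutoff = (Get-Date).AddHours(-$HoursBack)

# Prefetch file names look like NAME.EXE-1A2B3C4D.pf: everything before the last '-'
# is the executable name. The .pf file is rewritten each time the program runs, so its
# LastWriteTime approximates the most recent execution without parsing the .pf format.
$entries = Get-ChildItem -Path $PrefetchPath -Filter '*.pf' -ErrorAction Stop |
    ForEach-Object {
        $base = $_.BaseName
        $idx  = $base.LastIndexOf('-')
        $exe  = if ($idx -gt 0) { $base.Substring(0, $idx) } else { $base }
        $exe  = $exe.ToUpperInvariant()
        [pscustomobject]@{
            Executable   = $exe
            LastRun      = $_.LastWriteTime
            Flagged      = ($WatchList -contains $exe)
            PrefetchFile = $_.Name
        }
    }

# 1. Anything on the watch list, regardless of age.
Write-Host "== Watch-list hits =="
$entries | Where-Object { $_.Flagged } |
    Sort-Object LastRun -Descending | Format-Table -AutoSize | Out-Host

# 2. Everything run inside the window, so the analyst can see what ran alongside the
#    known tools (a loader or remote-access component usually sits right next to them).
Write-Host "== Executed in the last $HoursBack hours =="
$entries | Where-Object { $_.LastRun -ge $cutoff } |
    Sort-Object LastRun -Descending | Format-Table -AutoSize | Out-Host
```

Two caveats when reading the output: a Prefetch entry survives deletion of the binary it records, so entries can exist for executables that are no longer on disk, and the last-write time is only an approximation (the precise last-run timestamp and run count live inside the .pf file and need a dedicated parser). Run it from an elevated prompt, since the Prefetch folder is not readable by standard users.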

Posted
My question is how could someone remotely access our PC to run these? Could it simply have been VNC? If so, how did they get our Public IP Address and learn the VNC password? Could it have been AIM (which was also running at the time)? What can I do to prevent this in the future?

'They' probably found it by scanning ISP IP blocks. 'They' either got in by a brute force/dictionary attack or a vulnerability in the VNC service itself. You can stop this by not exposing VNC to the Internet (which is a very dangerous/stupid thing to do, particularly when not done through a VPN).

Posted

Thanks for the quick response.

Any idea what syslogger.exe is?

Also, I was unable to find pspv.exe or mailpv.exe anywhere on the PC - could it be launched remotely without physically residing on the PC?

Posted

It's possible your computer is rootkitted and is hiding them, but that's only a possibility; the attacker could have done anything (literally). I recommend you do a clean install of Windows.

Posted

Keep everything locked down, VNC through a VPN (or don't leave VNC running), use a firewall, keep your antivirus and anti-malware apps up to date...
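The "don't expose VNC to the Internet" advice above can be checked and enforced on the host itself. The following is an added example, not code from the thread or any poster: it shows whether anything is listening on the VNC port and on which address, lists the inbound firewall rules that currently allow that port, and then scopes access to a trusted subnet. It assumes Windows 8 / Server 2012 or later (the NetTCPIP and NetSecurity modules), an elevated session, the default VNC port 5900, and a placeholder LAN range of 192.168.1.0/24; the old rule name 'VNC Server (broad)' is also a placeholder.

```powershell
# Added example (not from the thread): check whether a VNC server is listening on every
# interface and restrict it to a trusted subnet with the Windows firewall.
# Assumptions: Windows 8 / Server 2012 or later, run elevated, VNC on TCP 5900.
# The subnet and the old rule name below are constructed placeholders.

$VncPort    = 5900
$TrustedNet = '192.168.1.0/24'        # placeholder: your LAN or VPN subnet
$OldRule    = 'VNC Server (broad)'    # placeholder: the name of any existing allow-all rule

# 1. Is anything listening on the VNC port, and on which address?
#    A LocalAddress of 0.0.0.0 or :: means every interface, including the one facing the Internet.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $VncPort -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Host "Nothing is listening on TCP $VncPort."
} else {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("TCP {0} listening on {1} (PID {2}, {3})" -f `
            $VncPort, $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }
}

# 2. Show the inbound rules that currently allow this port, so a too-broad one is visible.
Write-Host "== Inbound allow rules for TCP $VncPort =="
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$VncPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Enabled, Profile, Action | Format-Table -AutoSize | Out-Host

# 3. Disable the broad rule (if present) and add one scoped to the trusted subnet.
#    With no other allow rule, the profile's default inbound Block drops everything else.
Disable-NetFirewallRule -DisplayName $OldRule -ErrorAction SilentlyContinue

New-NetFirewallRule -DisplayName "VNC $VncPort - trusted subnet only" `
    -Direction Inbound -Protocol TCP -LocalPort $VncPort `
    -RemoteAddress $TrustedNet -Action Allow -Profile Any | Out-Null

Write-Host "Inbound TCP $VncPort is now allowed only from $TrustedNet."
```

The subnet-scoped rule is the host-side half of the "VNC through a VPN" recommendation: set $TrustedNet to the VPN's client range and the VNC service is unreachable from the public Internet even if the router still forwards the port. Re-run step 1 afterwards and confirm the listener is still bound, then test from outside the trusted range to verify the connection is refused.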

Posted

Can I ask why you had your browser auto-saving stuff while the same account is accessible over the Internet? It just seems to me like an obvious thing that even someone who doesn't understand the Internet would realise is a big no-no.

Posted
Can I ask why you had your browser auto-saving stuff while the same account is accessible over the Internet? It just seems to me like an obvious thing that even someone who doesn't understand the Internet would realise is a big no-no.

Convenience I bet. When the browser asks you to remember that stuff, it's very tempting for a user to let the browser deal with those pesky passwords so you don't have to. It's a bad thing to do, but some people couldn't use a computer without it.
