panther, posted January 20, 2007:
While at the office this morning, I called my wife at home to check in... she immediately asks me if I am goofing around on the Home PC, to which I responded, "No." After convincing her that it was not me (as I do use VNC a bunch), she tells me that IE7 is up accessing www.paypal.com, and the PC is being remotely controlled. I immediately jumped on VNC and logged in remotely to see what was going on. I found pspv.exe running, exposing a bunch of our Auto Complete passwords. In a panic, I quickly shut down the Home PC until I could get home to take a look. I then changed a bunch of our passwords at PayPal, eBay, etc. I looked in the Windows\Prefetch folder and found that the following interesting executables were run around that time:
1. pspv.exe
2. mailpv.exe
3. syslogger.exe
I read about pspv.exe and mailpv.exe on the Nirsoft website. I couldn't find any info on syslogger.exe. My question is, how could someone remotely access our PC to run these? Could it simply have been VNC? If so, how did they get our Public IP Address and learn the VNC password? Could it have been AIM (which was also running at the time)? What can I do to prevent this in the future? Sorry for all the newbie questions! Thanks for any suggestions!
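One way to do the Prefetch triage panther describes, as an added example that is not part of the thread: a Python script that lists which executables ran within a time window around the incident, using only the .pf file names and modification times. The sample folder, the incident time and the watch-list of names are constructed from the thread for demonstration and are not real forensic data.

```python
"""Prefetch triage (added example, not from the thread): Windows names each
entry EXENAME-XXXXXXXX.pf (hash of the exe path) and the file's mtime
approximates the last run, so filtering by time shows what ran."""
import os
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)
WATCH = {"PSPV.EXE", "MAILPV.EXE", "SYSLOGGER.EXE"}  # names the poster found

def parse_pf_name(name):
    """'PSPV.EXE-1A2B3C4D.pf' -> ('PSPV.EXE', '1A2B3C4D'); None if not a trace."""
    m = PF_NAME.match(name)
    return (m.group("exe").upper(), m.group("hash").upper()) if m else None

def scan_prefetch(folder, center, window=timedelta(hours=2), watch=WATCH):
    """Return sorted (last_run, exe, path_hash, flagged) within +/- window."""
    hits = []
    for entry in Path(folder).iterdir():
        parsed = parse_pf_name(entry.name)
        if parsed is None:
            continue  # e.g. Layout.ini, which also lives in Prefetch
        exe, path_hash = parsed
        last_run = datetime.fromtimestamp(entry.stat().st_mtime)
        if abs(last_run - center) <= window:
            hits.append((last_run, exe, path_hash, exe in watch))
    return sorted(hits)

def build_sample(folder, center):
    """Write constructed .pf files with fake last-run times (test data only)."""
    sample = {
        "IEXPLORE.EXE-12345678.pf": center + timedelta(minutes=1),
        "PSPV.EXE-1A2B3C4D.pf": center + timedelta(minutes=3),
        "MAILPV.EXE-0F0F0F0F.pf": center + timedelta(minutes=5),
        "SYSLOGGER.EXE-ABCDEF01.pf": center + timedelta(minutes=8),
        "NOTEPAD.EXE-87654321.pf": center - timedelta(days=3),  # outside window
        "Layout.ini": center,  # not a program trace, must be skipped
    }
    for name, when in sample.items():
        path = Path(folder) / name
        path.write_bytes(b"")
        os.utime(path, (when.timestamp(), when.timestamp()))

def run_demo(center=datetime(2007, 1, 20, 9, 30)):
    """Build the constructed folder, scan it, return [(exe, flagged), ...]."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, center)
        return [(exe, flag) for _, exe, _, flag in scan_prefetch(tmp, center)]
```

On a real machine you would point scan_prefetch at C:\Windows\Prefetch and the time your spouse noticed the session; mtime is only an approximation of last run, so treat it as a lead, not proof.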
Sparda, posted January 20, 2007:
> My question is, how could someone remotely access our PC to run these? Could it simply have been VNC? If so, how did they get our Public IP Address and learn the VNC password? Could it have been AIM (which was also running at the time)? What can I do to prevent this in the future?
'They' probably found it by scanning ISP IP blocks. 'They' either got in by a brute-force/dictionary attack or a vulnerability in the VNC service itself. You can stop this by not exposing VNC to the Internet (which is a very dangerous/stupid thing to do, particularly when not done through a VPN).
panther, posted January 20, 2007:
Thanks for the quick response. Any idea what syslogger.exe is? Also, I was unable to find pspv.exe or mailpv.exe anywhere on the PC. Could they be launched remotely without physically residing on the PC?
Sparda, posted January 20, 2007:
It's possible your computer is rootkitted and is hiding them, but that's only a possibility; the attacker could have done anything (literally). I recommend you do a clean install of Windows.
moonlit, posted January 20, 2007:
Disconnect from the net, back up your personal files and reformat; your system is hosed.
panther, posted January 20, 2007:
If I do reformat the OS, what is preventing it from happening again?
Sparda, posted January 20, 2007:
Don't expose VNC services to the Internet.
moonlit, posted January 20, 2007:
Keep everything locked down, VNC through a VPN (or don't leave VNC running), use a firewall, keep your antivirus and anti-malware apps up to date...
panther, posted January 20, 2007:
Got it. Thanks again for the help...
Sparda, posted January 20, 2007:
Can I ask why you had your browser auto-saving stuff while the same account was accessible over the Internet? It just seems to me like an obvious thing that even someone who doesn't understand the Internet would realise is a big no-no.
cooper, posted January 20, 2007:
> Can I ask why you had your browser auto-saving stuff while the same account was accessible over the Internet? It just seems to me like an obvious thing that even someone who doesn't understand the Internet would realise is a big no-no.
Convenience, I bet. When the browser asks you to remember that stuff, it's very tempting for a user to let the browser deal with those pesky passwords so you don't have to. It's a bad thing to do, but some people couldn't use a computer without it.