Got hacked - need advice.

Natsoup

Hey guys, I got hacked through my VNC client. I use it to access my PC from my phone, but someone got into my computer and started using my Google passwords for literally everything saved. Guess this teaches me not to use that anymore. (Both VNC and Google passwords)

Can anyone help me get this straight? They connected to 10.0.0.1:8090 but I don't know what that port is used for. They also saved to my Google passwords what appears to be some "Protect your personal privacy" thing, Cyberoam. They logged into that 10 dot address and saved a password to it. I can't connect to that server now, but it looks like they did from my machine. Any leads?

Ask me anything and everything. I really don't know what to do except change all my passwords.

qυoтe мe pleaѕe!

Me at the Apple store: "So how fast is this little macbook?"

Apple employee: "Cheetah Fast. Lightning Fast. It's Really, really, fast."


How did someone access your private network? VNC is not the primary security flaw here if that happened.


Just now, badreg said:

How did someone access your private network? VNC is not the primary security flaw here if that happened.

Port was forwarded and no real security.


If it helps, the guy was also running the open-source port scanner http://www.mylanviewer.com/port-scanner.html


7 minutes ago, Natsoup said:

Port was forwarded and no real security.

Well, lesson learned to be sure. In the future, if you need to access your private network from the Internet, don't forward ports. Instead, run a VPN using your router or a server, and connect to that instead.

 

For now, close any open ports, and change all your saved passwords and start using a password manager.

 

Edit: also change your router login ASAP. 10.0.0.1:8090 is likely the web interface of your router.


Just now, dgsddfgdfhgs said:

Disconnect the internet at once!

Okay, should I disconnect just this PC or take my router offline?


Just now, Natsoup said:

Okay, should I disconnect just this PC or take my router offline?

Both if possible. Just pull the LAN cable for all devices until the issue resolves.


5 minutes ago, dgsddfgdfhgs said:

Both if possible. Just pull the LAN cable for all devices until the issue resolves.

How should I resolve this without any connectivity? I've taken down all my open ports. The log shows IPs from all over accessing every few seconds. Any way to trace these? I've saved the log. The guy cleaned up the log from RealVNC and wiped my recycle bin, too.


Check your core login services (e-mail) and change passwords ASAP for all of it, if you still have access to it. Everything you registered through that e-mail now depends on it, if it wasn't yet compromised, because they can easily do the "forgot password" thing. Also, remove VNC entirely.


5 minutes ago, RejZoR said:

Check your core login services (e-mail) and change passwords ASAP for all of it, if you still have access to it. Everything you registered through that e-mail now depends on it, if it wasn't yet compromised, because they can easily do the "forgot password" thing.

Right. I changed the password on my 2 main emails. Now on to all the accounts in my passwords.


From my log 3 minutes ago: [DoS Attack: RST Scan] from source: 217.115.10.132, port 53210, Thursday, May 23, 2019 22:35:32

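One way to triage a router log like the one quoted above, as an added example (this is not code from the thread or from any router vendor): a small Python parser for lines in that "[event] from source: IP, port N, date" format that counts scan events per source and flags sources that keep coming back. Everything in the sample log except the line quoted in the thread is constructed using documentation address ranges.

```python
import re
from collections import Counter
from datetime import datetime

# Line format taken from the router log line quoted in the thread.
LOG_RE = re.compile(
    r"\[(?P<event>[^\]]+)\] from source: (?P<src>\d{1,3}(?:\.\d{1,3}){3}), "
    r"port (?P<port>\d+), (?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
)

# Constructed sample log: the first line is the one from the thread, the rest
# are made up (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LOG = """\
[DoS Attack: RST Scan] from source: 217.115.10.132, port 53210, Thursday, May 23, 2019 22:35:32
[DoS Attack: RST Scan] from source: 217.115.10.132, port 53211, Thursday, May 23, 2019 22:35:40
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.7, port 443, Thursday, May 23, 2019 22:36:02
[DoS Attack: RST Scan] from source: 217.115.10.132, port 53212, Thursday, May 23, 2019 22:36:10
[Admin login] from source 10.0.0.5, Thursday, May 23, 2019 22:37:00
[DoS Attack: ACK Scan] from source: 203.0.113.9, port 8090, Thursday, May 23, 2019 22:38:15
"""


def parse_log(text):
    """Yield (event, source_ip, source_port, timestamp) for each matching line.

    Lines in other formats (e.g. admin logins) are skipped, not treated as scans.
    Note the port is the sender's source port, not the port that was probed.
    """
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%A, %B %d, %Y %H:%M:%S")
        yield m["event"], m["src"], int(m["port"]), ts


def summarize(text, repeat_threshold=3):
    """Count scan events per source IP and list sources at/above the threshold.

    Returns (counts, repeat_offenders): a Counter and a sorted list of IPs.
    """
    counts = Counter(src for _, src, _, _ in parse_log(text))
    repeat = sorted(ip for ip, n in counts.items() if n >= repeat_threshold)
    return counts, repeat


if __name__ == "__main__":
    counts, repeat = summarize(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} scan events")
    print("repeat offenders:", repeat)
```

Background scanning from many unrelated sources is normal for any internet-facing address; the useful signal is a single source returning repeatedly, which is what the threshold isolates.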

1 minute ago, quakeguy81 said:

Ouch.

Yeah. Basically am stupid.


Change your passwords from a different computer. Use a password manager. Disconnect the hacked computer from networks. You never know what they installed on it. I would save any important data to a USB drive and scan the USB drive from an isolated computer. Do a complete fresh install on the hacked computer. I had one of our office staff let a remote session onto his PC while logged into our remote Sage server. What a pain in the ass that was. Had to get the main corporate IT guy to check the remote server while I was killing all the office connections. Of course I was out doing deliveries at the time and was an hour away from the office when I got the call. I had him unplug the modem and switch power until I could get back and go through everything.


7 minutes ago, Smaksum said:

Change your passwords from a different computer. Use a password manager. Disconnect the hacked computer from networks. You never know what they installed on it. I would save any important data to a USB drive and scan the USB drive from an isolated computer. Do a complete fresh install on the hacked computer. I had one of our office staff let a remote session onto his PC while logged into our remote Sage server. What a pain in the ass that was. Had to get the main corporate IT guy to check the remote server while I was killing all the office connections. Of course I was out doing deliveries at the time and was an hour away from the office when I got the call. I had him unplug the modem and switch power until I could get back and go through everything.

Ok, thanks for the insight. I'll change these things from another machine and do a fresh install. This is scary, man. I don't think the guy installed anything; I got to my PC as he was just going to my main e-mail, and he had Chrome open with the download of the port scanner still in the download bar, so if he had done anything else on that session, I probably would have seen.

 

Do you have any thoughts on why he would use a seemingly default Cyberoam admin login (user cyberoam, pw cyber) on MY 10.0.0.1 on a port I've never used (8090)? I also don't own any Cyberoam hardware.


From what I have read, 8090 is an alternative to 8080 for HTTP. Looks like some Trojans and packet sniffers use it too, and it can be exploited to execute arbitrary code. Seems this guy knows what he's doing. I'm just the guy at work that knows enough to fix things when they break at the office, so they don't have to send the IT guy 3 hours to our 5-man office to replace RAM or change out a switch or cable. Just starting to learn the networking side of things.


1 hour ago, Natsoup said:

Hey guys, I got hacked through my VNC client. I use it to access my PC from my phone, but someone got into my computer and started using my Google passwords for literally everything saved. Guess this teaches me not to use that anymore. (Both VNC and Google passwords)

Can anyone help me get this straight? They connected to 10.0.0.1:8090 but I don't know what that port is used for. They also saved to my Google passwords what appears to be some "Protect your personal privacy" thing, Cyberoam. They logged into that 10 dot address and saved a password to it. I can't connect to that server now, but it looks like they did from my machine. Any leads?

Ask me anything and everything. I really don't know what to do except change all my passwords.

Seems like your password got stolen. Either way, first change all your passwords, and also add 2FA (two-factor authentication, aka the "ping my phone for a code" type).

Then, add some firewall and stuff. Which Windows are you even using?

A reinstall isn't gonna do much; avoid the flaws that were there previously, so it doesn't get repeated.


6 minutes ago, Smaksum said:

From what I have read, 8090 is an alternative to 8080 for HTTP. Looks like some Trojans and packet sniffers use it too, and it can be exploited to execute arbitrary code. Seems this guy knows what he's doing. I'm just the guy at work that knows enough to fix things when they break at the office, so they don't have to send the IT guy 3 hours to our 5-man office to replace RAM or change out a switch or cable. Just starting to learn the networking side of things.

I am in almost exactly the same position. Time to reset my stuff. 

6 minutes ago, Ace Reborn said:

Seems like your password got stolen. Either way, first change all your passwords, and also add 2FA (two-factor authentication, aka the "ping my phone for a code" type).

Then, add some firewall and stuff. Which Windows are you even using?

2FA saved my ass in the first place :) 

I'll need to look into firewalls. Running Win10 Home 1809.

edit: build 17763.503


Reimage the machine from a fresh format. Then make sure you change all your passwords.

 

Btw, having that port open or even using VNC isn't the problem. The problem is the apparent ease with which he got your password. So either it was common and very susceptible to dictionary attacks, or it was simple enough that he brute-forced it.

 

Now I don't know how your network is setup, but 10.0.0.1 is most likely your router/gateway device.

 

Port 8090 is an alternate port for 80 and 8080, so it being used to access the web console for your router makes sense.

 

I would also factory reset your router and add a new complex admin password for it.

 

As to running this guy down, you won't have much luck. He will be using a VPN and probably Tor as well. That doesn't mean you can't trace him back to his home connection, just that as an average user you won't get the help needed from the VPN hosting company and then the ISP. Since there is little monetary loss here, the police/FBI won't do anything about it either. So in the end your best course is remediation and prevention. Reimage, factory reset, change passwords, and learn from the experience.
