Hacked (probably via RDP) Logged since July 20th

Earwax

Senior member
Oct 2, 2001
www.mrwig.com
So, someone got admin access to my home machine a few weeks ago. I believe they were able to do it through RDP, and somehow changed my admin password hint to display the password in plain text.

They installed a keylogging program (kidlogger) and a search program (Everything). They searched for and found some cryptocurrency wallets on my machine, but they're outdated and empty. They also were able to log my login credentials to kraken.com AND, more disturbingly, my Roboform master password.

I've logged in to all of my financial accounts from a secure machine and changed the passwords, nothing seems to be missing. I changed my roboform masterpass via my android phone on LTE last night.

Just wondering what advice anyone can provide for next steps. This is a terrifying experience.

I plan on contacting my creditors just to inform them of the intrusion. My big concern is that they may have left something on the router/modem, since that admin password was also compromised.

Currently, my system is offline at home--I pulled the boot drive and dumped the keylogger logs on a Mac. I also copied the user folders that were made by the intruders. Is there anything else I should grab off the compromised drive before I do a low-level format? I'm concerned about what they may have been doing online with my IP.

PliotronX

Diamond Member
Oct 17, 1999
You might look at other profiles as they will typically create many administrator level accounts and some might have interesting bits in them! There may be some tools that can get into some forensics but I haven't dealt with that too much. I am wondering if you had this port forwarded from the internet. Did you use remote desktop yourself or did they remotely forward that through your router?

VirtualLarry

No Lifer
Aug 25, 2001
I got hacked as well, last year, running I think Win7 Pro. I did have a password, I think.

When I upgraded to Windows 10, I noticed that IIS was running, and I never manually installed it.

NETSTAT showed some interesting domain-names in the connection list.

I've had a theory about that, having to do with people using a (relatively weak) password for their Windows Login, on the theory that someone would have to be on their LAN locally, or at the PC, to login.

But I think that if Windows is running Teredo, to tunnel IPv6 over IPv4, RDP may be listening on both IPv6 and IPv4 but may not be firewalled on both, because the firewall is above the NIC layer, I think. So IPv4 may be firewalled, but the IPv6 may not be, and may offer a "backdoor" to RDP.

Earwax

Senior member
Oct 2, 2001
www.mrwig.com
> Definitely make sure the router hasn't had unrecognized IP addresses added for custom DNS.

Would a router reset clear the DNS entries?

I upgraded the firmware on it last night and have changed passwords. I ended up pulling the boot drive and putting it aside. Purchased a new copy of Win 10 and installed on a new hard drive. I have access to all of my hard drives now on the new machine, and I'm slowly bringing the network back online.

They were after ethereum, and they stole a private key of mine and attempted to erase it and its backups. Luckily, there was only something like .000000006 ETH in the wallet, and they haven't gained access yet because it's also password protected.

However, I do have a boatload of ERC20 tokens in that wallet and I'm now working on getting access so I can transfer them to a new wallet.

This whole experience has been terrifying, there's little recourse once you've been exploited. I have a feeling I've been very fortunate, but I'm not out of the woods yet.

Earwax

Senior member
Oct 2, 2001
www.mrwig.com
> But I think, that if Windows is running Teredo, to tunnel IPv6 over IPv4, that RDP may be listening on both IPv6 and IPv4, but may not be firewalled on both, because the firewall is above the NIC layer, I think. So IPv4 may be firewalled, but the IPv6 may not be, and may offer a "backdoor" to RDP.

I had a very secure admin password. I think my biggest mistake was enabling RDP and not changing the default port, or using a VPN. I have a mining rig in the basement, that may have made my IP a target; once they saw 3389 was open I think they used an exploit to get access. There was never any malware or virus that I could find.

As far as I can see the first series of searches they executed was for geth, then after finding wallets and deleting private keys, they searched for backups. Another weird tidbit: I have bitcoin and vertcoin wallets on here and as far as I can tell they never touched them.

Ichinisan

Lifer
Oct 9, 2002
> Would a router reset clear the DNS entries?
>
> I upgraded the firmware on it last night and have changed passwords. I ended up pulling the boot drive and putting it aside. Purchased a new copy of Win 10 and installed on a new hard drive. I have access to all of my hard drives now on the new machine, and I'm slowly bringing the network back online.

Rebooting or power-cycling the router would not remove manually-entered DNS servers, but performing a factory reset should do it. For most routers, you just find the pinhole button and poke something in there for 60 seconds to wipe all settings. That would also wipe the custom wireless name and password, so your devices may need to connect to the new WiFi network and learn it again. If you match the old SSID and don't precisely match everything else (security type, case-sensitive password, etc), your devices may try to connect and they might just fail without asking for the updated password.

Earwax

Senior member
Oct 2, 2001
www.mrwig.com
Thank you, I did use the factory reset button on Monday night. I checked the DNS entries and they are pointed to my ISP. There have been a few DoS attacks on the router since I got back online (my ISP hasn't given me a new IP), but they haven't gotten access. My previous logs are lit up like a Christmas tree with people getting remote LAN access via port 3389 from IPs all over the world.

They did find an ethereum wallet and erased the private key, but the balance on that account is less than a penny. They were also doing some strange searches for coinbase and coinbase icons. Here are some screens they captured of their sessions via their logging program:

https://imgur.com/a/2Y5Wbaj
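The "lit up like a Christmas tree" view can be reproduced from the Windows Security log on the pulled boot drive rather than from router logs. This is an added example, not something posted in the thread: it assumes the old drive is mounted on the rebuilt Win 10 box at an assumed drive letter (adjust `$Path`), and summarises failed logons (event 4625) by source address and successful RDP sessions (event 4624, logon type 10).

```powershell
# Added example: summarise RDP logon activity from a Windows Security log.
# Run on the rebuilt machine against the pulled drive's log (path is assumed),
# or pass -Path '' to read the live Security log of the current host instead.
param(
    [string]$Path    = 'E:\Windows\System32\winevt\Logs\Security.evtx',  # assumed mount point
    [datetime]$Since = (Get-Date).AddDays(-60)
)

# 4625 = failed logon, 4624 = successful logon. Logon type 10 = RemoteInteractive (RDP).
$filter = @{ Id = 4624, 4625; StartTime = $Since }
if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Security' }

# Pull the named EventData fields out of each record's XML.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
        SourceIp  = $data['IpAddress']
    }
}

# Failed logons per remote source. A source of '-' means the record carries no
# address, which is common for attempts that reached the full logon screen (no NLA)
# rather than being rejected at the network level.
$events |
    Where-Object { $_.Id -eq 4625 -and $_.SourceIp -notin @('127.0.0.1', '::1') } |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'SourceIp'; e = { $_.Name } },
                  @{ n = 'Users';    e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# Successful RDP sessions: these are the ones that scope the intrusion (who got in,
# from where, and when), and are the timestamps to line up against the keylogger dump.
$events |
    Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' } |
    Sort-Object Time |
    Format-Table Time, User, SourceIp -AutoSize
```

Events older than the log's retention window are gone, so the earliest successful type-10 logon shown is a lower bound on how long the access lasted, not the first entry.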

PliotronX

Diamond Member
Oct 17, 1999
> I had a very secure admin password. I think my biggest mistake was enabling RDP and not changing the default port, or using a VPN. I have a mining rig in the basement, that may have made my IP a target; once they saw 3389 was open I think they used an exploit to get access. There was never any malware or virus that I could find.
>
> As far as I can see the first series of searches they executed was for geth, then after finding wallets and deleting private keys, they searched for backups. Another weird tidbit: I have bitcoin and vertcoin wallets on here and as far as I can tell they never touched them.

Changing it from 3389 does not save you from a full port scan. An office that came to us hit by ransomware had translated a completely different port to 3389. The security issue was having it allow any IP to reach it. If you could have locked it down to somewhere where you work or attend class with static IPs, that would have prevented it. It is even easier for foreign attackers to use as a vehicle if NLA is disabled.

Ichinisan

Lifer
Oct 9, 2002
> Changing it from 3389 does not save you from a full port scan. An office that came to us hit by ransomware had translated a completely different port to 3389. The security issue was having it allow any IP to reach it. If you could have locked it down to somewhere where you work or attend class with static IPs, that would have prevented it. It is even easier for foreign attackers to use as a vehicle if NLA is disabled.

The attacker is brute-forcing the password? Does RDP throttle password attempts?

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Why would you have RDP facing the internet? That is a very, very bad idea. You should set up a proper VPN server, and only allow the IPs from which you plan to connect. (Even VPN servers can be hacked, e.g. if a vulnerability like Heartbleed is found at some point.)

Anything that requires a password should also have a form of brute force protection, otherwise it's not a matter of if, but a matter of when, they get in.

Earwax

Senior member
Oct 2, 2001
www.mrwig.com
Thanks everyone! I'm going to read up on router security and try to configure my router to connect directly to my VPN. I knew that RDP facing the internet came with a security risk, I just expected that any attempt to hack it would result in me receiving some sort of notification. There were a few DoS attacks (echo, chargen) after I reset everything, but I've locked down all of my ports and I'm going to keep them that way for the foreseeable future.

I have a crypto mining rig in my basement and I think this may have made my IP a target. The hacker actually got my kraken account login credentials and attempted to access some of my funds, but I have 2FA on all of my financials. They did discover an ethereum wallet with a significant number of ERC20 tokens in it. They stole that private key file and erased it, but I had a backup. I transferred the tokens out of that wallet and they're safe now. I'm buying a Ledger Nano S to protect my crypto funds. It makes me uneasy though that strangers now know my address and the contents of my portfolio, but I'll have to live with that.

The scariest part of all of this was that it was going on for so long without my noticing it. They also got my Roboform master password via their logging program, so I've spent the last 72 hours changing every password under the sun.

PliotronX

Diamond Member
Oct 17, 1999
> The attacker is brute-forcing the password? Does RDP throttle password attempts?

Unfortunately it does not. Domain joined hosts will abide by group policy lockout settings with NLA, but without NLA it is compounded by actually setting up the session to render the GINA, consuming host resources, and when at that GINA screen it would bypass any network level IPS with brute forcing detection. If you really need to securely access any workstation, try AnyDesk as it does not require unfettered access to any ports.
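The two pieces of advice above (scope RDP to known static source IPs, and require NLA so lockout policy actually applies) translate to a short elevated PowerShell session on the host that accepts RDP. This is an added example, not a script from anyone in the thread; the source addresses are placeholders, and the lockout values are one reasonable choice, not settings the thread prescribes.

```powershell
# Added example: lock an RDP host down per the advice in this thread.
# Run in an elevated PowerShell on the Windows machine that accepts RDP.
$AllowedSources = @('203.0.113.10', '198.51.100.0/24')   # placeholders: your static IPs at work/school

# 1. Require Network Level Authentication. Credentials are then checked before any
#    session (and its logon screen) is built for the remote peer, which is what lets
#    the account lockout policy count failed attempts instead of a GINA screen eating them.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1   # 1 = NLA required
Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2   # 2 = TLS only, no legacy RDP security layer

# 2. Scope the built-in inbound "Remote Desktop" rules to the allowed sources only.
#    Whatever external port the router translates to 3389, the host itself drops
#    anything that did not come from one of these addresses.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True

# 3. Local account lockout (standalone host). With NLA in front of the session this is
#    the per-account throttling that RDP does not provide on its own:
#    5 failures within 30 minutes locks the account for 30 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 4. Verify the result.
Get-ItemProperty -Path $rdpTcp | Select-Object UserAuthentication, SecurityLayer
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
net accounts
```

The lockout threshold also means a remote party who knows an account name can lock it out deliberately, so keep a separate local account that is not permitted to log on over RDP for console recovery.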

Earwax

Senior member
Oct 2, 2001
www.mrwig.com
FWIW, I don't think the attacker brute-forced my admin password, I think there was a security vulnerability in Win 7 pro that wasn't patched on my machine. My admin login was 12 characters, essentially randomly generated symbols and letters.

I was concerned, however, that the hacker would brute force the ethereum wallet he stole from the machine. I doubt he'd be able to unlock it, since it was a 22 character password, but I did end up moving all the funds out of that wallet to be safe.

Network security has never been my strong suit, that's something I will have to rectify moving forward.