Need some hacking/security help

skydiverz

Junior Member
Mar 10, 2013
I'm good with computers but not so much when it comes to networking and network security so I'm hoping I can get some help here.

About a year ago my Mom gave an IT guy from work that she trusts her laptop with Windows XP to install some programs she needed for work. She knows I'm busy and didn't want to bug me so she asked him for help. Fast forward to a few days ago where my Mom finally confides in me that she thinks this IT guy put special software on her Windows XP laptop and some crazy stuff has been going on this last year, ever since. She says her laptop and her iMac are now both infected and do crazy things all the time, mainly her iMac which she uses 99% of the time. Like she'll be using her Gmail account and then out of nowhere it will sign her off saying her account was accessed from somewhere else. Or the Gmail upper-right lettering where it shows your name: she says, and showed me once, that her name was very faint and it's usually easy to read. I told her that's probably just a glitch but she won't hear that. She has changed passwords but it still happens. She has an Ooma VOIP box that apparently will do weird things and the lights will flash for no apparent reason. I told her this all sounds very CSI Miami-ish and that it could never happen and she's scaring herself for no reason, like REALLY scaring herself. About a month ago my parents got a smart TV that has wireless built into it and their old router wasn't cutting it so I had them get a nice new router on which we set up WPA2 and put a password on there that's alphanumeric and pretty damn tough. She says nothing has changed and things are still happening. I think it's impossible but wanted to hear your input on the matter.

How can I give her peace of mind that nothing will ever happen again? I was thinking a total extreme 1's and 0's format and reinstall on both devices, which is long overdue as her computers crawl from all the crap on them. I did show her how to see the IP addresses of the devices currently talking with her router and showed her what each device was but she still won't calm down. Is there any way I can demonstrate that no outside devices are getting through her router? She was just visiting this weekend and used MY laptop (fresh Win7 install last week) on MY router and the password thing happened in Gmail where it kicked her off and then her name in the upper-right corner was faded and hard to read. Yes, my WPA2 encrypted network.

I know this may sound silly but it's serious. My Mom is not taking this lightly and I'm trying my best to ease her worries. I'm thinking two total formats, fresh installs, a crazy WPA2 password and the firewall (I think the router has one) and nothing could happen. I would really like to prove to her that nothing HAS EVER happened so she can move forward with peace of mind but I'm not sure how to do that.

I really appreciate you guys for reading this and any input you may have.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
To begin with, if you want to wipe the drives well, use DBAN from http://dban.sourceforge.net.

Windows XP needs to be retired. If the computer is old enough to have Windows XP on it, you really should just pick up a new Win8 model, preferably with a CPU that has the Ivy Bridge core (available in Celeron, Pentium and Core variants). Ivy Bridge has a desirable hardware security capability called SMEP, which is a special form of Data Execution Prevention that Win8 will take advantage of. And all Win8 prebuilts should have Secure Boot enabled, to prevent bootkits. If the nutty Win8 Metro user interface is too much to deal with, slap on Classic Shell, StartIsBack, or Stardock Start8. Make sure the Win8 is 64-bit, not 32-bit.

Regarding the Gmail log-off problem: if she changes passwords but is using a compromised computer with a keystroke logger, that keeps betraying the new passwords to the bad guys, then changing passwords at Gmail is ultimately futile. If that IS what's going on, flattening the system with DBAN, or better yet replacing it with a modern one, is the first step.

The second step is to change the password again at Gmail, and also examine the password-reset scenario... if the attacker owns the location where her password reset request will arrive, they can get back in. Or if they can guess the answer to her secret question and reset it that way, they can get back in. So if her password-reset request would go to another email address, change the password on that one, too. And make sure the passwords are strong, and NOT THE SAME ONE. If there's a secret question/answer like "what color was your first car?" which is pretty easy to crack by naming colors, or "what high school did you go to?" which is probably public knowledge to her Facebook world, then fix that too.

Since you didn't say that her password is getting changed behind her back, the most likely answer is a keylogging malware that is helping itself to whatever password she's using.

The security guide link in my signature has a suggested plan for securing desktop Windows, so also check that out if you end up doing a reinstallation or getting a new computer.
 

skydiverz

Junior Member
Mar 10, 2013
Thank you very much for that info. I really think it's in her head as I don't see why this guy would target an old lady, OR how putting software on her Windows XP laptop could gain him access to her iMac. I was hoping there would be a way to show her that there is no way in hell anything was going on. I did run some anti-malware software on her laptop and it didn't find anything.
 

AnonymouseUser

Diamond Member
May 14, 2003
Regarding the Gmail log-off problem: if she changes passwords but is using a compromised computer with a keystroke logger, that keeps betraying the new passwords to the bad guys, then changing passwords at Gmail is ultimately futile. If that IS what's going on, flattening the system with DBAN, or better yet replacing it with a modern one, is the first step.

Not necessary. With Gmail, once you've logged in, go to the bottom right of the screen and click Details. From there you can see the IP addresses and types of logged-in sessions. If there is nothing unusual, then you are OK as far as someone accessing from another location.

To be extra sure this isn't happening, use 2-step verification. You may even want to change the email associated with your account recovery options, but even that won't be enough to get into the account without the text that is being sent to the phone. Use a Linux Live USB drive to log in to Gmail if you really want to rule out keyloggers. If you don't want to use the Linux option, type the verification text along with a bunch of random numbers, then highlight and delete the random numbers before hitting Enter.

That's all that's needed for Gmail, but you may want to secure the PC if you suspect remote desktop software is installed (e.g., VNC, TeamViewer). Install a good firewall with logging options, and lock it down. Keep an eye on the logs and cross-reference any suspicious ports being used with common remote desktop ports. I don't think it will be necessary to reformat, but do what you feel you need to if it will ease her mind.
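The log cross-referencing suggested above, as an added example that is not part of the original post: it parses a few constructed firewall log lines in a simplified Windows-Firewall-style layout and flags traffic to known remote-desktop ports. The port numbers, the log layout and the local address prefix are assumptions for this example.

```python
import re
from collections import Counter
# Destination ports of common remote-control tools. The thread names VNC and
# TeamViewer but gives no port numbers; these values are assumed for the example.
REMOTE_DESKTOP_PORTS = {3389: "RDP", 5900: "VNC", 5938: "TeamViewer"}

# Constructed sample log: date time action proto src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2013-03-10 20:01:02 ALLOW TCP 192.168.1.20 74.125.224.72 49152 443
2013-03-10 20:01:05 ALLOW TCP 203.0.113.9 192.168.1.20 51234 5900
2013-03-10 20:02:11 ALLOW TCP 192.168.1.20 198.51.100.44 49153 5938
2013-03-10 20:02:40 DROP TCP 203.0.113.9 192.168.1.20 51235 3389
2013-03-10 20:03:00 ALLOW UDP 192.168.1.20 192.168.1.1 53012 53
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) (ALLOW|DROP) (TCP|UDP) (\S+) (\S+) (\d+) (\d+)$"
)

def parse_line(line):
    """Return (action, proto, src, dst, sport, dport) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, _, action, proto, src, dst, sport, dport = m.groups()
    return action, proto, src, dst, int(sport), int(dport)

def find_remote_desktop_traffic(log_text, local_prefix="192.168.1."):
    """List (direction, service, peer_ip, action) for each line whose destination
    port is a known remote-desktop port. Outbound hits matter too: TeamViewer
    reaches its broker from inside the LAN, so a hidden install shows up outbound."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[5] not in REMOTE_DESKTOP_PORTS:
            continue
        action, _, src, dst, _, dport = rec
        src_local, dst_local = src.startswith(local_prefix), dst.startswith(local_prefix)
        if dst_local and not src_local:
            direction, peer = "inbound", src
        elif src_local and not dst_local:
            direction, peer = "outbound", dst
        else:
            direction, peer = "internal", dst
        findings.append((direction, REMOTE_DESKTOP_PORTS[dport], peer, action))
    return findings

def summarize_allowed(findings):
    """Count connections the firewall let through, per (direction, service)."""
    return Counter((d, s) for d, s, _, a in findings if a == "ALLOW")
```

Dropped connections still appear in the findings so the reader can see that something is knocking, but only allowed ones count in the summary.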
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Thank you very much for that info. I really think it's in her head as I don't see why this guy would target an old lady, OR how putting software on her Windows XP laptop could gain him access to her iMac. I was hoping there would be a way to show her that there is no way in hell anything was going on. I did run some anti-malware software on her laptop and it didn't find anything.

If the computer were compromised, it wasn't necessarily by the IT guy. It could just as easily be the result of an exploit attack or a Trojan Horse program she ran herself.

In the case of the most advanced malware, running an anti-malware check from within the affected OS won't necessarily suffice, either... I'd either resort to scanning for rootkits/bootkits from a bootable scanning CD (Avira and Kaspersky have rescue CDs, to name a couple), or simply nuke from orbit with DBAN.

If you haven't done so already, it would be a good idea to set a non-default password on the router and disable UPnP. Routers can be compromised by scripted attacks if left at default settings, and this does sometimes happen in real life.
 

mazeroth

Golden Member
Jan 31, 2006
The Mac is probably pretty stable as there aren't many viruses or trojans for it.
 