Client has a remote app installed can't find it, hacker keeps logging in.

computertechguy · Dec 9, 2020

Client happily called an 800 number in regards to an Amazon account problem email she received. She let the hacker on her computer, and shortly realized that wasn't a good ide and shut her PC down in her office. I showed up ran malware scans looked in installed programs and no where was there any trace of remote apps that I could see, ran TCPview and see LOTS of connection but obviously not one says "Hey I am a bad guy"... So I left and shortly afterwards she asked me if I was on her computer, I said NO and she said someone is mousing around her computer, I told her to shut down.

I went on site and as soon as I turned her pc on I see her mouse moving and they are clicking things. SO how do we figure this one out?

She said they cam in through Teamviewer which I use for my remote assistance.

computertechguy · Dec 9, 2020

I think the hacker just created a login session with Teamviewer. I uninstalled TV and reinstalled with my personalized TV client and under, options, security, I added my company ONLY as a login for the TV app.

MichaelBits · Dec 9, 2020

In situations where I want to see what activity has occurred recently, I use Last Activity View.
Nice in situations like this where you want to see what has occurred on a PC.

Won't show everything, but shows quite a bit.

LastActivityView - View the latest computer activity in Windows operating system

Displays the latest computer activity in Windows operating system

www.nirsoft.net

phaZed · Dec 9, 2020

I'd be backing up the data and blowing it away, honestly. With some of the Command and Control stuff through, say, Metasploit.. the "remote desktop application" is literally generated as a one-off, unique dropper package, a shell listener - AV software and scans are not going to find it 99% of the time.

GTP · Dec 10, 2020

phaZed said:
I'd be backing up the data and blowing it away, honestly. With some of the Command and Control stuff through, say, Metasploit.. the "remote desktop application" is literally generated as a one-off, unique dropper package, a shell listener - AV software and scans are not going to find it 99% of the time.

This. ^^^^

Being 100% sure is better than having to continually "fix" when things happen.

And I know its like teaching a train to eat cereal, but try to educate the client?

Porthos · Dec 10, 2020

Also after the nuke, They need to reset all passwords everywhere...

GTP · Dec 10, 2020

Porthos said:
Also after the nuke, They need to reset all passwords everywhere...

But they never had or used passwords....

YeOldeStonecat · Dec 10, 2020

Yeah time for...

and...

AlaDes · Dec 11, 2020

YeOldeStonecat said:
Yeah time for...

and...

Old Cat, I loved these pictures so much, I just had to send them to my supervisor. He is always calling me "nuke & pave" as a nick name lol.

Client has a remote app installed can't find it, hacker keeps logging in.

computertechguy

Active Member

computertechguy

Active Member

MichaelBits

Well-Known Member

LastActivityView - View the latest computer activity in Windows operating system

phaZed

Well-Known Member

GTP

Well-Known Member

Porthos

Well-Known Member

GTP

Well-Known Member

YeOldeStonecat

Well-Known Member

AlaDes

Active Member

Similar threads