I've been hacked...

[Boatvan]

I swear by Malwarebytes. I've had a premium license for years. I also use Malwarebytes Anti-Exploit because of a leftover license from my old job. I'm not sure if it is appropriate for home use, but it is a "set and forget" type of browser/application protection. It has blocked a few things since I installed it.

https://www.malwarebytes.com/business/antiexploit/

 

[Kursah]

Use MBAM...excellent product I use it on all my main systems at home, continue using OpenDNS, put MerlinWRT on your Asus router. Consider using an old PC and slap PFSense on there...use your RT66 as an AP and we could really increase your network security.

 

[rtwjunkie]

I swear by Malwarebytes. I've had a premium license for years. I also use Malwarebytes Anti-Exploit because of a leftover license from my old job. I'm not sure if it is appropriate for home use, but it is a "set and forget" type of browser/application protection. It has blocked a few things since I installed it.

https://www.malwarebytes.com/business/antiexploit/

I can second that. It is great zero day protection, and even the free version is worthwhile.

 

[nomdeplume]

Just want to reaffirm that the best protection for non-critical data is not keeping it on multiple computers with network access. There are plenty of removable media that leave very little trace of what you looked at which are small and rugged enough for secure onsite storage in unconventional places visitors are unlikely to discover.

I had an apartment where that place was routinely above the ceiling fan for most residents. I know this because I surprised the maintenance guy shoulder deep in mine muttering he knew whatever I had must be up there somewhere.

 

[jboydgolfer]

Excellent product, does really well. I recommend this with a side of an AntiVirus of your choice...

it has given me issues with windows 10 insider , but its more of a Windows issue than MBAM. cant knock it for that, especially @ $15

 

[silkstone]

So a question.

Being behind a routers firewall with a strong router password is not enough?
I know WiFi is another point of entry, but with WPA2-Personal and another strong PW, it's pretty difficult to get in.

 

[Aquinus]

Ah yes. Now I remember why I love my Debian gateway server. iptables is configured to drop all packets by default. The only forward facing port that's open is a non-standard port for SSH which accepts only key auth. Other than that, it's practically as if no one is home if you try to port scan or ping my IP. That alone pretty much makes my network "not the lowest hanging fruit" which is secure enough to mitigate most attacks. I used to have my DNS server exposed but, that was a mistake.

As for protecting yourself, well... Common sense is a great start but, the reality is that phishers are getting more and more creative and that protecting your machine with software alone might not be enough.

 

[jaggerwild]

@hat
Did you happen to have wirless on? I have a motherboard it auto turns on blue tooth and wirless is why I ask. Seems an easy way to get in, I run nakied all the time(no fire wall)(hack me)ill reformat...............Hitman pro if you think you got something on it, adjust settings, run it once then remove it(free)for the first month too!

 

[FordGT90Concept]

I'd be playing twenty questions with the fiancée asking about RDP and suspicious activity (e.g. opening email attachments). RDP is the most likely culprit but something had to have happened to give the intruder permission to RDP.

 

[hat]

I've made sure Windows Firewall was enabled on all the PCs. Interestingly, her laptop, which is the suspected target, did have it enabled (as well as Panda AV). The others didn't... but I suppose if Windows Firewall would have stopped them, they could have got in one of the ones that didn't have it enabled and got around that way...

Windows Defender is now enabled on the two of mine, and the other two have Panda. I'm running scans on all the PCs either with Panda or Windows Defender. MBAM is up next. Is there anything else I should check for?

It's gonna be difficult (costly) to bring another computer online for PFSense or something similar. Are there any solutions I could use with my RTN66R? I'm not afraid to flash custom firmware. I've had Tomato on it in the past. The only reason I went back to stock firmware is for the simple QOS...

 

[jboydgolfer]

I've made sure Windows Firewall was enabled on all the PCs. Interestingly, her laptop, which is the suspected target, did have it enabled (as well as Panda AV). The others didn't... but I suppose if Windows Firewall would have stopped them, they could have got in one of the ones that didn't have it enabled and got around that way...

Windows Defender is now enabled on the two of mine, and the other two have Panda. I'm running scans on all the PCs either with Panda or Windows Defender. MBAM is up next. Is there anything else I should check for?

It's gonna be difficult (costly) to bring another computer online for PFSense or something similar. Are there any solutions I could use with my RTN66R? I'm not afraid to flash custom firmware. I've had Tomato on it in the past. The only reason I went back to stock firmware is for the simple QOS...

iirc
My AC66u is pretty similar to that one u have,and I use Merlin which is almost identical to the asus FW, aside from a few improvements

 

[FordGT90Concept]

Have you checked the Remote features of the system? It's in System Properties -> Remote tab. Everything should be disabled there. If anything is enabled, that could be how the attacker gained access. If you want to play it safe, disable the Remote Desktop services.

I'd also check for other remote desktop programs like Team Viewer.

 

[exodusprime1337]

I work in IT security for a major toy company. I might have some input if ya wanna pm me?

 

[nomdeplume]

With all due respect to OP's situation.

Children's or adult toys?

 

[hat]

Have you checked the Remote features of the system? It's in System Properties -> Remote tab. Everything should be disabled there. If anything is enabled, that could be how the attacker gained access. If you want to play it safe, disable the Remote Desktop services.

I'd also check for other remote desktop programs like Team Viewer.

I'm not sure if it's enabled on her laptop, but I know it's enabled on the other two desktops, as I sometimes use the feature myself. My Plex server runs headless, so that's how I connect to if it I have to.

She's used Teamviewer in the past (something similar happened before, but it was mainly social engineering that caused it, not an attack that came out of the blue). I had her uninstall it, but apparently it's re-appeared again. Would Teamviewer be a more secure option, if configured so? I used to use it before I started using windows remote desktop, and I had it configured so it would only accept LAN connections... or is that still attackable?

 

[Mussels]

teamviewer 're appearing' would be exactly how she got hacked - that makes 100% sense for accessing files not shared on the network as well.

 

[hat]

She didn't do it though, she said it just came back on its own recently. Someone already had a way to get it there in the first place.

 

[Mussels]

its entirely possible this is the result of the previous hack, or another social engineering success.

 

[phanbuey]

a script is running to reinstall it

the good news is that it has to send the key somewhere... so if you find it you found your hacker,,,

 

[silkstone]

It would be great to have a sticky regarding network security. I need to research this myself since starting a MC server on my RPi, but I don't really have the expertise to give advice.
I am planning on spending some time ensuring everything is secure though.

 

[human_error]

Would Teamviewer be a more secure option, if configured so?

Considering Teamviewer got badly hacked in June last year I wouldn't have that anywhere near my PCs (especially as the company initially denied any problems, then later admitted that something didn't seem right with how many accounts were compromised). The fact it has reappeared is a bad sign - get rid of it again, and restart the laptop a few times to see if it gets installed again (as already suggested there could be a script running that's installing it).

If you have system restore running it may have a restore point when teamviewer was installed, or list that an old restore point would remove teamviewer - that would at least give you an indication on when it was installed. If the machine has been compromised though I'd personally take only the most important files off and wipe the whole thing, going in fresh with a new OS install. Also make sure you scan the files you want to keep from it to make sure there's nothing nefarious hiding amongst them.

 

[Steevo]

First I would start off with the obvious things as previously mentioned.

Next thing I would do is enable connection by IP logging after buying and installing a decent hardware firewall, this will tell you things that software will and cannot. For example if a program is running behind the scenes (like a root kit) its network traffic may not appear in any windows logs. Hardware between the internet and your devices will enable you to see what IP/machine is connectign and sending packets to what IP/Machine on the internet, what protocol is being used, give you the ability to refuse traffic, and also prevent future attacks.

Hardware firewalls only work as intended if you actively monitor outgoing requests as well, so if the machine already is compromised turn off all other machines on the network and isolate it, or put it on its own network for ease of monitoring.

 

[FordGT90Concept]

Seriously, I'd just erase all the machines that may have been compromised (after getting important stuff off first, of course). Starting from scratch with a strong security policy (e.g. all admin accounts are passworded) is the only way to create a good foundation to work off of. Whenever a computer is compromised, only one hole has to be missed for it to be compromised again.

 

[Kursah]

You should setup an IDS on your network if you continue to have concerns about potential issues. Definitely consider upgrading to MBAM Premium if you haven't yet already...worth every single penny. You might also consider running standard user accounts and have a locked down admin account you use to enter credentials for when you need to install or modify something. That will help quite a bit. I would disable the default admin account and create a new dedicated one that you know but don't keep easily accessible credential-wise.

It won't be easy and you'll have to have a decent comprehension of networking, managing your network. But it might help you in learning network security and how to use an IDS as well. The below link would be A LOT of work, but would be very helpful in identifying what or who is on your network that shouldn't be. There are all sorts of other solutions, but for a free option with a free guide, this is a pretty good choice IMHO.

https://techanarchy.net/2015/01/home-ids-with-snort-and-snorby/

You could also wipe your G/F's PC, run Ubuntu, Mint or Fedora... and learn how to use IPTables...excellent firewall! Can get very complex. Is what PFSense, OPNSense and other routers use as well.

If you can budget it, building a better router with better capabilities could help, especially running extra things like IDS/IPS, Proxy filtering & caching, network AVAM, notificaitons, etc.

http://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/

http://arstechnica.com/gadgets/2016...build-faces-better-tests-tougher-competition/

http://arstechnica.com/gadgets/2016/01/numbers-dont-lie-its-time-to-build-your-own-router/

I know you said you don't have the budget right now, but you should at least educate yourself on why it is a good option. It might prove to be something worth saving for.

My all new parts, custom PFSense build came to about $250 last March. I used an mITX board with a quad-core Celeron SoC, 8GB RAM, 128GB SSD, thing is a beast and competes with the $500+ Netgates, SonicWalls, Fortinets, etc. Probably overkill in some ways...but the fact I can run all the protective measures I want and lose not perceivable performance is a huge plus for me. That's what my network is worth to me.

 

[eidairaman1]

So a question.

Being behind a routers firewall with a strong router password is not enough?
I know WiFi is another point of entry, but with WPA2-Personal and another strong PW, it's pretty difficult to get in.

I dont allow my ssid to be transmitted. I have to tell someone what it is.