My HTPC was just Hacked!

Discussion in 'Desktop & Laptop Computers Forum' started by kmhtkmhtkmht, Oct 11, 2005.

  1. kmhtkmhtkmht

    I leave my HTPC on all the time - it's running Media Center Edition and I just switched to it to check something and on my screen was a German Paypal Hotmail account and someone's Paypal account! I immediately ran over to my home network box and unplugged it from there and unplugged the HTPC from the network. Upon returning I got the following message:

    "Badluck -NWC ~by Princeali~
    The file is used on you Cause You are Doing Something Wrong (I Hope)"

    Then I checked my Firefox history and there was access to a PayPal account and someone's German Hotmail site!

    Scary stuff, what should I do?!

    Attached are the screenshots! (I had to scale them down!)

  2. sapper

    I am not an expert...

    but

    1. Do you have a firewall installed and switched on? Have you downloaded SP2?

    2. Do you have a spyware program running? Again, the Windows version is not too bad, as I understand it.

    3. Do you have an up-to-date antivirus checker on your PC?

    Also, is your router of a type with an inbuilt firewall?

    Something for you to consider.

    Adrian
     
  3. kmhtkmhtkmht

    Wow I really got hit hard.

    My router was hacked into too and they port forwarded a HUGE range.

    They completely wiped the HTPC, it totally doesn't boot anymore!

    Pretty scary stuff.

    My moral of the story is that I won't run Windows Media Center Edition anymore!

    My XP box that was on the same network seems still fine now, so that's good!

    I've taken a screenshot of the router's port forwarding range. I've always had this off, so there was NO reason for any of these ports to be on; the hacker got in there and opened a bunch of ports...

  4. Jim_Fear

    All I can suggest you do is try and contact the police and ask their computer crime department for advice. If they need to examine your machine or anything (hopefully it's all legit), then better that than have you charged with some nasty computer fraud or something. It's better that you do this ASAP in case anything bad was done using your machine and they trace it back to you, as it would be rather hard to convince them that you thought nothing of someone else's bank details on your screen. It's better to be safe than sorry!

    Good luck
     
  5. kmhtkmhtkmht

    I'll call my ISP up tomorrow (tried them today, phone lines were too busy for them) and I'll leave it with them.

    At least, if you check the history, they cancelled the PayPal transaction. Pretty serious stuff though!

    At least I documented the situation quite well and understand what they did to get in! (MCE is NOT patched up very well and was probably VERY vulnerable!)
     
  6. kmhtkmhtkmht

    At least it wasn't some bank details or something! (A PayPal account main transaction screen.) It's pretty disturbing, but I'll leave my ISP to deal with it!
     
  7. sapper

    But if you don't leave MCE running you can't record programmes...

    Very scary stuff though...

    Perhaps another option is to switch the router off when you're not at home?
     
  8. The Dude

    If you get the machine running again without rebuilding, worth giving McAfee stinger a quick run just in case... It was updated last week so there may well be a new nasty one out there...

    Download yourself a copy from http://vil.nai.com/vil/stinger/ and run it, and see if it finds anything?

    Be sure to let us know if it does etc.

    Is your router running a firewall? Or is that how they got on in the first place..?

    A very nasty attack indeed....
     
  9. kmhtkmhtkmht

    Nah no way - I can't let this stop me.

    I fully blame MCE and my router for this!
     
  10. lisag

    Crikey, I thought that only happened in films!
    Now I am all worried; my MCE machine is on 24/7, as, like Sapper says, how else would it record programs... S3 suspend does not work for me..

    I have MCE 2005 fully patched, McAfee AntiVirus, a Linksys router and the Windows XP SP2 firewall... isn't there something called 'probe my ports' that can test how vulnerable your machine is?

    lisa
     
  11. dejongj

    That is scary stuff... But I wouldn't go to the lengths of not running MCE anymore; it hasn't got anything to do with that... I bet you didn't change the default password on your router.... Correct configuration of your router is very important, as you now know. Simply set it up so that it doesn't respond to any incoming signals from the Internet and don't let it perform ICMP (ping) replies... But that is too late now, as that hacker now knows your IP address, so they'll probably try it again. Make certain your ISP provides you with a different IP address... Once you've got that locked down there is very little chance of turning your machine into a zombie....
     
  12. dejongj

    You are quite right Lisa... It's just difficult to choose the right company that probes it for you... Otherwise you may just be giving a cracker all the details they need...

    You can give me your IP and I'll do it for you ;-) Just kidding...
     
  13. kmhtkmhtkmht

    I didn't change the default passwords on the router; that was my first mistake. I didn't patch up MCE enough (it rarely ever has patch updates), but I know I would've left it on automatic update, so I can't really blame that.

    My router is a Linksys AG241; there hasn't been a firmware update.

    I am just pretty ****** off, the PC has been totally wiped - TOTALLY not bootable.
     
  14. kmhtkmhtkmht

    That IP changing idea is pretty smart - I will make sure they do it tomorrow, but I will disconnect my connection before I go to sleep and only turn it on after they've done this - I am pretty sure they'll prioritize it.
     
  15. dejongj

    I feel for you and you have every right to be upset, especially as you probably didn't have a backup of your files either! The PC is easily reinstalled, but your data is probably not that easy...

    On a positive note, you will never ever leave the default password on a router again, will you ;-) If it is locked down there, you can leave the rest more or less unprotected for better performance on MCE....
     
  16. kmhtkmhtkmht

    I will never touch MCE again, SP2 all the way!
     
  17. dejongj

    For your knowledge, and so you can be persistent (in case you have to be)... The function to force a new IP address on you is really, really simple. And make certain that they lock the old address out of the DHCP range... But you really need to spend the time to lock down your router to ensure it doesn't reply to ICMP requests and performs NAT, i.e. has different addresses for your computer... And ensure your MCE box is not in the DMZ... That way they (whoever they are) will have a hard time ever finding it again....

    Good luck man...
     
  18. mjn

    You may get away with a repair installation, and retrieve some of your data.
     
  19. The Dude

    A lot of ISPs use dynamic IP addressing.. it's always a good idea to have the 'Idle Disconnect' timeout on your router set nice and low to take advantage of this.. I have mine set so that the router drops the ADSL connection after 30 idle minutes, then you get a nice fresh IP when you connect back up..

    Won't the PC even boot in safe mode?
    They must have really shafted it, whatever they did...
     
  20. sapper

    I can't remember if I changed my router password or not..

    Where's the manual...

    Adrian

    But on my other network, though it is not connected to the internet, I will change that password too,

    though it is a 128-bit secured system.

    Adrian
     
  21. kmhtkmhtkmht

    It doesn't even go into the Windows XP screen, as in the one that loads up when you start! (therefore can't get into Safe Mode)
     
  22. The Dude

    ooohhh... trashed boot sector, that's hardcore
     
  23. dejongj

    Why do you blame MCE so much? I don't get that.... The firewall in SP2 is absolutely useless; it wouldn't stop the type of attack you just had... Remember SP2 doesn't provide any outbound protection, meaning that if you get infected with a Trojan or any other unauthorised program it will just let it go out onto the Internet without 'asking' any questions.... That's how it is relatively easy to take over a machine...

    This is not an MCE issue in my book....
     
  24. kmhtkmhtkmht

    I don't even know how they got me. I had a dispute with a retailer (Overclock.co.uk) beforehand as they tried to rip me off, so they had my IP address from placing an order with them, but I hardly think they would go to this length to annoy me!
     
  25. dejongj

    Not necessarily, that normally only happens if they are short on addresses and need to recycle them....Otherwise you simply get refreshed with the one you already had ;-) It really depends on how the ISP has set it up...
     
  26. kmhtkmhtkmht

    Just found a new firmware, gonna load that up, but it's scary. It's all logged now with the ISP (via email), so I performed my duties!
     
  27. dejongj

    LOL I don't think they would go that far....

    I use AOL for my travels as it is free roaming, and I do notice that my machine constantly gets scanned by idiots trying it out.... I've never had that on my BT broadband connection.... My guess is that they target certain ISPs... Or simply set up a 'bot' to scan ranges of IP addresses and ports, and once one responds, hey presto, the party can begin...

    A lot easier these days; you had to scan telephone lines in the olden days, not that I ever did that of course...
     
  28. windfall

    If I was you I would boot off the MCE disk and re-install. Delete the partition on the installation and start again. Don't put it onto the router until you have put Zone Alarm or another firewall onto the PC along with AV and some spyware detector.
    You really don't want to allow the dodgy apps running on that machine to see the light of day again!
    Let this be a lesson to us all, I guess! The router is one of the first things you have to take seriously, but it sounds like you have been advised anyway! Good luck mate!

    Tone
     
  29. kmhtkmhtkmht

    I am gonna run DBAN on it to make sure everything is totally squeaky clean, as sometimes even deleting the partition still leaves data on it - there really weren't that many rogue applications on it, as it was just an MCE box I used to play back video and such!
     
  30. lisag

    I have got the same router - Linksys AG241 - but I got the support people to email me a new beta firmware (1.00.16) as I was having problems FTP-ing; it fixed it. I haven't changed my default password - will do that now.

    I have just had my ports probed and got all green, total stealth, on both PCs...

    lisa
     