Community


Remote install without my knowledge

Links used in this discussion
HackedUser857, User (Posts: 6)
Aug 29, 2022 11:15:53 pm EDT
Support level: Free or trial
My Ubuntu webserver was hacked, it seems fr om a 'xmlrpc' DDOS attack on a hosted Wordpress site. I have backups, so no trouble, just a hassle.

Looking around my network I find that a seemingly licenced version of RU Server is installed and running on one of my Windows Desktops. It was made to look like it was installed in 2019, and there are monthly log files showing  only turn on/ turn off in the logs. I know that it was installed much more recently (in last couple of weeks) because this is a virtual machine and I have backups.

So my question is, how was your product installed on a Windows 10 Professional Desktop, without my knowledge or approval.

My next question is, how do I know what information / data has been downloaded from my Windows Desktop, and wh ere it was sent.
Conrad Sallian, Support (Posts: 3033)
Aug 30, 2022 10:39:47 am EDT
Hello,

Thank you for your message.

So my question is, how was your product installed on a Windows 10 Professional Desktop, without my knowledge or approval.

I'm sorry, but we have no idea how it could be installed. Perhaps, someone got unauthorized access to your computer and installed it (this is the most viable hypothesis). This can be applied to just about any software, not only Remote Utilities.

My next question is, how do I know what information / data has been downloaded from my Windows Desktop, and wh ere it was sent.

Unfortunately, we cannot answer this question either simply because if someone gains unauthorized access to your computer they can copy any information from it anywhere. How could we possibly know what information they may steal from that PC?

As per using Remote Utilities, we disclose what information is collected and how it is used in our privacy policy.

Remote Utilities is software for legitimate remote access and remote support. We bear no responsibility for unauthorized use of this software.

Hope that helps.
HackedUser857, User (Posts: 6)
Aug 30, 2022 5:47:11 pm EDT
Support level: Free or trial
OK, rather than you victim blaming, perhaps I can choose different words to ask my questions.

Other than unauthorised access to this particular machine (which I extremely doubt due to this being a virtual machine, and me generally having pretty tight security, including a firewall appliance) is there any way that YOUR software can be installed from a SAME LAN LINUX server that was compromised?

Other than checking all other individual Windows machines on my LAN very frequently, is there some way that I could tell that some machine on my network has been compromised?

Is there some way that I could prevent this software being installed in the future?
Is there something that would show in Windows Event Viewer to say that this software was installed, and when?

Are there particular IP addresses and ports that may show in my firewall logs? Something required that I can block for future events?

Does your software use IPv6?

Whilst you may hope that people only use your software for legitimate purposes, what steps have you implemented to try and stop illegal use?

***You want to victim blame, I want to stop your poorly thought out software from being able to be used to attack my systems, and hopefully show you that legitimate remote support and remote access SHOULD have explicit user approval EVERY time. There's a few similar posts to mine here, and they always get the same victim blaming response.
Pauline, Support (Posts: 2860)
Aug 30, 2022 7:34:03 pm EDT
Hello,

Thank you for your message.

Please note that Remote Utilities does not offer a stealth mode - a persistent Host icon is always visible in the system tray. In addition, starting version 7 of Remote Utilities, we've implemented a persistent banner near the system tray that notifies a user that their machine is being accessed remotely. This banner is shown for all free and trial mode users and cannot be hidden or moved around. In addition, please note that Internet-ID feature in version 6 was discontinued for all free users. For more information please also see this announcement on our forum. This is to assure you that we're doing our best to improve our software with each update and eliminate any opportunity to use our software for illegitimate purposes as well ensure that the remote user is always aware that our software is running or was installed.
In case if someone makes rogue software from legitimate software by patching it or putting it in a wrapper - either way is in itself illegal and violates our EULA. We bear no responsibility for the consequences of such abuse of our program, and that is clearly stated in our EULA.  

As per your other questions:
1. You can find Host installation/connection log files that can provide information on when Host was installed and when it was accessed.
2. You can find information on ports used by Remote Utilities on this page.
3. Here's also a guide on how to uninstall Host/Agent from your system.

Last but not least, if you believe that someone got unauthorized access to your computer, please try contacting your nearest police department and letting them know about the case so that they can investigate this further. We can provide our server logs that contain the originating IP address which is stored on our servers (i.e. the information that might help to identify whoever got the access to your computer). However, please note that the logs can be only provided if there's a direct request from the police. Here is an excerpt from our Privacy Policy:

Government and law enforcement agencies
We may also share information to (i) satisfy any applicable law, regulation, legal process, or governmental request; (ii) enforce this Privacy Policy and our Terms of Service, including investigation of potential violations hereof; (iii) detect, prevent, or otherwise address fraud, security, or technical issues; (iv) respond to your requests; or (v) protect our rights, property or safety, our users and the public. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention.

This is strictly within the law and international treaties and also conforms to our privacy policy. Please feel free to provide our contact information privacy@remoteutilities.com to the police as well - we will be happy to provide our assistance to the investigation if it's needed.

Hope that helps.
HackedUser857, User (Posts: 6)
Aug 30, 2022 10:28:39 pm EDT
Support level: Free or trial
The system tray icon was how I found your software on my machine.

Both the File locations detailed do not exist
This registry location has data >> HKEY_LOCAL_MACHINE\SOFTWARE\Usoris\Remote Utilities Host\.

What does the config and security keys tell me?
Well they do contain a different port number than your documents show, and also include a <server_private_key> and a <server_public_key>. Can these be used to track the attacker?

I have blocked known ports on my firewall, but it would seem that an attacker can set their own ports. This is just a game of Whacka-Mole.
Conrad Sallian, Support (Posts: 3033)
Aug 31, 2022 6:50:28 am EDT
Hello,

This registry location has data >> HKEY_LOCAL_MACHINE\SOFTWARE\Usoris\Remote Utilities Host\.

This registry entry contains the Host settings.

Well they do contain a different port number than your documents show, and also include a <server_private_key> and a <server_public_key>. Can these be used to track the attacker?

Neither of the this data can help with tracking the attacker. Only the logs can tell what was the originating IP address that was connecting to the machine. However, even that may not be necessary since it may be an address of a proxy server somewhere in India or Pakistan and knowing it won't help much.

I have blocked known ports on my firewall, but it would seem that an attacker can set their own ports. This is just a game of Whacka-Mole.

I'm sorry, but the software such as Remote Utilities cannot miraculously appear on your computer out of thin air. If it has been found on your computer, it only means that someone had gained unauthorized access to you computer (or network) previously and Remote Utilities being installed on your machine is your least problem. This is fighting with the effect, not the cause.
HackedUser857, User (Posts: 6)
Aug 31, 2022 7:18:42 am EDT
Support level: Free or trial
Certainly another machine on my network was compromised (an Ubuntu Web server)
Could this have been used to propagate to my Windows 10 Desktop, without accessing the Windows Desktop?
If so, how?

At this point in time I don't believe that my Windows desktop was compromised, but of course I may be mistaken.
That's why I'm here, to learn how to stop this from happening again, and to see if there are other Windows or Linux systems on my network that may have been compromised.

I'm trying to get to the cause
Pauline, Support (Posts: 2860)
Aug 31, 2022 7:18:09 pm EDT
Hello,

Could this have been used to propagate to my Windows 10 Desktop, without accessing the Windows Desktop?

Do you mean if Host could be push-installed on your Windows across your network? It's possible to push-install Host via GPO or via Remote Install Tool, however, that would require to have access to Group Policy Management or access to admin$ share and local administrator rights on the remote PC. Please note that Host installation always requires to have administrator privileges.

At this point in time I don't believe that my Windows desktop was compromised, but of course I may be mistaken.

We recommend that you take a look at the Host log files - in the log files you can find exact information on when Host was installed and when/if it was accessed and what connection mode was used. Perhaps, this will help to determine if your Windows machine was compromised or not.

Hope that helps.
HackedUser857, User (Posts: 6)
Aug 31, 2022 7:20:37 pm EDT
Support level: Free or trial
Those folders do not exist on my affected machine.
There are no log files that I can see.
Pauline, Support (Posts: 2860)
Sep 01, 2022 5:38:39 pm EDT
Hello,

Thank you for the clarification.

In this case, you can also check the Windows System Events log to see if it contains any entries on the Host installation. Here's how you can filter the events log.
Alternatively, please note that we can provide logs from our servers that contain the originating IP address but only by a direct request from a law enforcement agency (police, for example) as mentioned previously.

Please let us know if you have more questions.

* Website time zone: America/New_York (UTC -5)