HackedUser857's community posts
Remote install without my knowledge
HackedUser857,
User (Posts: 6)
Sep 03, 2022 11:57:30 pm EDT
Support level: Free or trial
I've searched for likely words in a dump of ALL events on my machine and can find ZERO events that look like they belong to 'Remote Utilities' or 'RU server'....
Any other ideas of things I can check?
Remote install without my knowledge
HackedUser857,
User (Posts: 6)
Aug 31, 2022 7:20:37 pm EDT
Support level: Free or trial
Those folders do not exist on my affected machine.
There are no log files that I can see.
Remote install without my knowledge
HackedUser857,
User (Posts: 6)
Aug 31, 2022 7:18:42 am EDT
Support level: Free or trial
Certainly another machine on my network was compromised (an Ubuntu Web server)
Could this have been used to propagate to my Windows 10 Desktop, without accessing the Windows Desktop?
If so, how?
At this point in time I don't believe that my Windows desktop was compromised, but of course I may be mistaken.
That's why I'm here, to learn how to stop this from happening again, and to see if there are other Windows or Linux systems on my network that may have been compromised.
I'm trying to get to the cause
Remote install without my knowledge
HackedUser857,
User (Posts: 6)
Aug 30, 2022 10:28:39 pm EDT
Support level: Free or trial
The system tray icon was how I found your software on my machine.
Both of the file locations detailed do not exist.
This registry location has data >> HKEY_LOCAL_MACHINE\SOFTWARE\Usoris\Remote Utilities Host\.
What do the config and security keys tell me?
Well, they do contain a different port number than your documents show, and also include a <server_private_key> and a <server_public_key>. Can these be used to track the attacker?
I have blocked known ports on my firewall, but it would seem that an attacker can set their own ports. This is just a game of Whack-a-Mole.
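An added example (not code from the original thread or from Remote Utilities): a PowerShell check that dumps the registry key quoted in this post, pulls any port numbers and key-material tags out of its values, matches those ports against live listeners and their owning processes, and lists installer and service-creation events. The value names and the XML-like layout of the config/security data are assumptions, so every string value is scanned.

```powershell
# Added example: not code from the original thread or from Remote Utilities.
# Assumptions: the registry path is the one quoted in the post; value names and the
# XML-like layout of the config/security data are not known, so all string values are scanned.
$RuHostKey = 'HKLM:\SOFTWARE\Usoris\Remote Utilities Host'

function Get-RuHostConfigFindings {
    if (-not (Test-Path $RuHostKey)) { return @() }
    $keys = @(Get-Item $RuHostKey) + @(Get-ChildItem $RuHostKey -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            $text = [string]$k.GetValue($name)
            # Assumed element naming: any tag containing "port" with a numeric body
            foreach ($m in [regex]::Matches($text, '<([A-Za-z_]*port[A-Za-z_]*)>\s*(\d+)\s*<')) {
                [pscustomobject]@{ Key = $k.Name; Value = $name; Finding = $m.Groups[1].Value; Port = [int]$m.Groups[2].Value }
            }
            if ($text -match '<server_(private|public)_key>') {
                [pscustomobject]@{ Key = $k.Name; Value = $name; Finding = 'server key material present'; Port = $null }
            }
        }
    }
}

function Get-ListeningPortOwners {
    # Get-NetTCPConnection reports both IPv4 and IPv6 listeners
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Address = $_.LocalAddress; Port = $_.LocalPort; Pid = $_.OwningProcess
                           Process = $p.ProcessName; Path = $p.Path }
    }
}

function Get-RecentInstallEvents([int]$Days = 90) {
    # MsiInstaller 11707 = MSI installation completed; System 7045 = a service was installed
    $since = (Get-Date).AddDays(-$Days)
    $msi = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707; StartTime = $since } -ErrorAction SilentlyContinue
    $svc = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
    @($msi) + @($svc) | Sort-Object TimeCreated | Select-Object TimeCreated, Id, ProviderName, Message
}

$findings = Get-RuHostConfigFindings
$findings | Format-Table -AutoSize
# Cross-reference configured ports against live listeners and the processes that own them
$ports = $findings | Where-Object Port | Select-Object -ExpandProperty Port -Unique
Get-ListeningPortOwners | Where-Object { $_.Port -in $ports } | Format-Table -AutoSize
Get-RecentInstallEvents | Format-Table -AutoSize -Wrap
```

Event log timestamps are written by the system at the time of the event, so they are harder to backdate than file or registry timestamps; compare them against the dates of the VM backups mentioned in the thread.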
Remote install without my knowledge
HackedUser857,
User (Posts: 6)
Aug 30, 2022 5:47:11 pm EDT
Support level: Free or trial
OK, rather than you victim blaming, perhaps I can choose different words to ask my questions.
Other than unauthorised access to this particular machine (which I extremely doubt due to this being a virtual machine, and me generally having pretty tight security, including a firewall appliance) is there any way that YOUR software can be installed from a SAME LAN LINUX server that was compromised?
Other than checking all other individual Windows machines on my LAN very frequently, is there some way that I could tell that some machine on my network has been compromised?
Is there some way that I could prevent this software being installed in the future?
Is there something that would show in Windows Event Viewer to say that this software was installed, and when?
Are there particular IP addresses and ports that may show in my firewall logs? Something required that I can block for future events?
Does your software use IPv6?
Whilst you may hope that people only use your software for legitimate purposes, what steps have you implemented to try and stop illegal use?
***You want to victim blame, I want to stop your poorly thought out software from being able to be used to attack my systems, and hopefully show you that legitimate remote support and remote access SHOULD have explicit user approval EVERY time. There are a few similar posts to mine here, and they always get the same victim blaming response.
Remote install without my knowledge
HackedUser857,
User (Posts: 6)
Aug 29, 2022 11:15:53 pm EDT
Support level: Free or trial
My Ubuntu webserver was hacked, it seems from an 'xmlrpc' DDOS attack on a hosted WordPress site. I have backups, so no trouble, just a hassle.
Looking around my network I find that a seemingly licenced version of RU Server is installed and running on one of my Windows Desktops. It was made to look like it was installed in 2019, and there are monthly log files showing only turn on/turn off in the logs. I know that it was installed much more recently (in the last couple of weeks) because this is a virtual machine and I have backups.
So my question is, how was your product installed on a Windows 10 Professional Desktop, without my knowledge or approval?
My next question is, how do I know what information/data has been downloaded from my Windows Desktop, and where it was sent?