Stuartbe
17-02-2004, 22:52
Just been called to a customer's house.......
She was worried about strange activity on her pc. (600k narrowband :D )
As she made me a welcome cup of tea I was watching the pc monitor. As I watched the mouse cursor started to move and went into Iexplore and then history. The customer was apparently running her internet banking on the site earlier that day and the link was in history. The cursor then selected the online bank and to my horror clicked on the password box. The user had password save in IE switched on and sure enough - Up popped her password on the screen in ******. The cursor then clicked onto her current account. I then dived behind the pc and pulled out the usb cable (snapping off the connector in the process). The user came in wondering what was going on.
After I pulled out the half usb connector from the back of the machine I cleared all the passwords and then connected the cable modem to a hub via ethernet and linked from the hub to my laptop. I ran ethereal in prom. mode and renewed the lease on the cable modem....
After about 10 mins the mouse started to move again. There were bucket loads of packets going in and out on port 1243 (sub 7). There were also crap loads on port 3389 (terminal services) - remote desktop assistance. I watched this for a while and then net messaged the pc from my laptop with " THIS IS THE FBI - YOUR CONNECTION HAS BEEN DETECTED AND WE ARE TRACKING YOU NOW "....
The mouse stopped moving and then a windows box appeared -- " sorry !! we were only having a bit of fun " :rofl: :rofl: :rofl:
Nothing after that.........I think I scared them off. IP was from a US university and I have already e-mailed the listed administrator.....
Ran etrust on the computer and found 27 diff. trojans and 14 diff. viruses :eek:
Then ran adaware 14532 components detected :eek: :eek: :eek:
Cleaned the computer for her and installed kpf on the computer and re-installed her out of date norton and installed spywareblaster. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
What a night - Just goes to show - some users think they are secure and it's the internet banks that get hacked - WRONG....
Having a well deserved beer now with the extra £30.00 she gave me for sorting her out :)