#1
Help me, I think my computer got hijacked?
I have the "Captcha Solving in Browser via Dialog (Window)" enabled, and Opera browser is used for this.
At some point, this is what happened:
- I had JDownloader running and downloading files.
- I had Opera browser running.
- Opera had been proposing to reboot for an update for a few days already.
- I closed Opera to update it. It was done without issues.
- Even though JDownloader had also been running for a few days and there were some updates available, I did not restart JDownloader, so as not to interrupt download progress.
- I turned off my display and went to sleep as usual.
In the morning, this is what happened:
- I found out that new tabs were opened in Opera. These tabs were JDownloader captcha solving pages and pages I had never used before.
- An email server (a major one, but I never used it myself) was opened, logged in as a user which, from what I see in the message history, is a real person. Some email messages were opened with sets of login data to different portals, mostly about SEO. Most of these portals were not working (I think these services died many months ago) or the login data was not working. Also the Bitcoin wallet login page at Blockchain.info was opened with the login entered and the password field in red (indicating there was a login attempt with a wrong password). That entered wallet ID is clearly tied to that email account.
- I remembered that these JDownloader pages stopped working some time ago: even though the auto-click option was enabled, it was not working, and I had to click the Google captcha manually for it to be accepted and the page closed. That's why I found it normal to see these pages opened with errors in the Google captcha (when not clicked for a long time, an error text pops up there).
- I decided to update JDownloader since no download was in progress. When doing so, it crashed. After a restart, it launched and updated without problems. It had never crashed before on trying to update.
I started to check for clues to what actually happened and how someone might have apparently connected to my desktop remotely and used my PC.
This is what I've found:
- The first JDownloader page was opened somewhere around 2:00 AM.
- The first page apparently opened by the intruder was at 2:01 AM.
- I was unable to confirm that any remote PC software was used. All logs look clear.
- I was unable to confirm that any malicious software was installed or opened on my PC. I've checked all important places and found nothing bad or infected.
At this point, I started to doubt that it was anyone's attempt to control my PC. Here are the reasons:
- Nothing was apparently touched, only my default browser, Opera.
- The "intruder" used the e-mail account of a real person; I could see that some documents and personal data were included in recent messages.
- Along with the e-mail account, there is access to cloud disk storage and a wallet (not a Bitcoin one, but the one from that major e-mail provider). From inside the wallet, and from some messages, I could guess that the account owner tries to earn money from SEO projects, where you click ads and get very small transactions every day. The amount of money in that wallet is less than $1.
- The "intruder" never logged out or reset his password. Even now, I can access his email, cloud and wallet account. He did not even close the opened tabs. He did not clean the browsing history.
- JDownloader apparently has the ability to open links in my browser and click stuff, even though the auto-click has not been working for some time now.
If it was a real intrusion, you'd expect an attempt to install a Bitcoin miner or some trojan-encoder type of virus. You wouldn't expect an open email session and attempts to log in to SEO or Bitcoin wallet pages. My current theory is that there was no intruder, but JDownloader somehow opened pages which another JDownloader user tried to open at that time, entered data and clicked on things which another user tried to enter or click. Is this remotely possible? It all looks just too suspicious to assume that someone attempted to control my PC.
#2
How exactly can it be from another user?
a) Your browser, Opera, has tab history and typically reopens it (I've been an Opera 12 user, and a user of prior versions, for a decade or more).
b) JD opens the captcha task at a localhost level, meaning triggered on this system and opened on this system, or via the My JDownloader extension; once again, this is the captcha task and nothing else.
I would be concerned that someone does have access to your system. This would not have happened from using JDownloader.
raztoki
__________________
raztoki @ jDownloader reporter/developer http://svn.jdownloader.org/users/170 Don't fight the system, use it to your advantage. :]
#3
That's what I'd like to know myself.
When I close the browser and open it again, the tabs are opened again, yes. But in this case, the browser was not closed. It was open all night. If the intruder had closed his tabs and re-opened the browser, I wouldn't see them opened.
Also, I was logged in to My.JDownloader, although I never used it. Is it possible to check the logs JDownloader might have left on the disk? At least to try to understand why it crashed on update?
#4
Please check these logs if possible:
#5
My theory: someone is using your computer for actions he does not want to be connected with, for example hacking into someone's email account and Bitcoin wallet. You are still logged in because the intruder is probably not the one whose emails you're looking at.
__________________
My.JDownloader.org Web Interface | Android App | Browser Extensions [Feedback Thread]
#6
Logs show that something prevented JDownloader from updating itself. This can be caused either by firewall/AV or by some other application.
Neither the RecaptchaV2 support nor MyJDownloader can cause this.
- Recaptcha in Browser loads from localhost/JDownloader and from Google/Recaptcha.
- MyJDownloader does not provide any methods to *remote control* a computer.
You should run scans on your computer and also check your browser extensions. Maybe some hijacked/bad extension is installed. If possible, use some sort of USB/live CD scan image and do not run scans directly under Windows.
__________________
JD-Dev & Server-Admin
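One concrete way to act on the "check your browser extensions" advice in the post above, as an added example that is not JDownloader's code and was not posted by anyone in this thread: Opera, like Chrome, keeps each installed extension under `<profile>/Extensions/<id>/<version>/manifest.json`, so the manifests can be audited offline without trusting the browser's own extensions page. The script lists every extension with the permissions that would let it open tabs and act on arbitrary pages (what the overnight activity in post #1 would need) and flags extensions with no `update_url`, i.e. not installed from a store. The default profile path, the set of permissions treated as risky, and the two sample manifests it builds for a dry run are my own assumptions and constructions.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Default Opera Stable profile on Windows (assumed; adjust for your install).
# Other Chromium-based browsers use the same <id>/<version>/manifest.json layout.
DEFAULT_EXT_DIR = Path(os.environ.get("APPDATA", "")) / "Opera Software" / "Opera Stable" / "Extensions"

# Permissions that let an extension read or drive every page (open tabs, fill
# forms, intercept requests, talk to a native binary). My own selection.
RISKY = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking", "cookies",
         "history", "webNavigation", "scripting", "debugger", "nativeMessaging"}


def manifest_permissions(manifest):
    """Declared permissions plus the host patterns that content scripts run on."""
    perms = set(map(str, manifest.get("permissions", [])))
    perms |= set(map(str, manifest.get("host_permissions", [])))  # manifest v3
    for cs in manifest.get("content_scripts", []):
        perms |= set(map(str, cs.get("matches", [])))
    return perms


def audit_extensions(ext_dir):
    """Return one record per <ext_dir>/<id>/<version>/manifest.json, most risky first.

    risky: permissions in RISKY or any all-hosts match pattern (*://*/*, https://*/*).
    update_url: None means sideloaded/unpacked rather than installed from a store.
    """
    results = []
    ext_dir = Path(ext_dir)
    if not ext_dir.is_dir():
        return results
    for id_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            mpath = ver_dir / "manifest.json"
            if not mpath.is_file():
                continue
            try:
                manifest = json.loads(mpath.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                # an unreadable manifest in an installed extension is itself a flag
                results.append({"id": id_dir.name, "version": ver_dir.name,
                                "name": "(unreadable manifest)", "update_url": None,
                                "risky": ["unreadable-manifest"]})
                continue
            perms = manifest_permissions(manifest)
            risky = sorted(p for p in perms if p in RISKY or p.endswith("://*/*"))
            results.append({
                "id": id_dir.name,
                "version": ver_dir.name,
                # a __MSG_xxx__ name must be resolved via _locales/<lang>/messages.json
                "name": str(manifest.get("name", "?")),
                "update_url": manifest.get("update_url"),
                "risky": risky,
            })
    results.sort(key=lambda r: (-len(r["risky"]), r["id"]))
    return results


def make_sample_profile():
    """Constructed sample, not a real profile: one store extension with a harmless
    permission and one sideloaded extension with access to every page."""
    root = Path(tempfile.mkdtemp(prefix="opera_ext_")) / "Extensions"
    samples = {
        "aaaabbbbccccddddeeeeffffgggghhhh/1.2.0": {
            "manifest_version": 3, "name": "Harmless Notes", "version": "1.2.0",
            "permissions": ["storage"],
            "update_url": "https://addons.example.invalid/update.xml",
        },
        "ppppoooonnnnmmmmllllkkkkjjjjiiii/0.0.3": {
            "manifest_version": 2, "name": "Free Video Helper", "version": "0.0.3",
            "permissions": ["tabs", "webRequest", "<all_urls>"],
            "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
        },
    }
    for rel, manifest in samples.items():
        d = root / rel
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # usage: python ext_audit.py [path to Extensions dir]; no argument -> constructed sample
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_profile()
    for r in audit_extensions(target):
        flag = "CHECK" if r["risky"] or not r["update_url"] else "ok   "
        print(f"{flag} {r['id']} {r['version']:<8} {r['name']!r:24} "
              f"risky={r['risky']} update_url={r['update_url']}")
```

Run it against the real profile by passing the `Extensions` directory as the argument (ideally from a live CD with the Windows disk mounted read-only, so nothing on the suspect system is trusted to report on itself). Anything flagged `CHECK` is worth comparing against the store listing and, for the sideloaded ones, reading the listed `js` files directly.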
#7
JDownloader only opens links in the browser if you tell it to. It does not provide any *click* support besides *auto-click* for RecaptchaV2, which is done via a screenshot (to find the Recaptcha) and clicking it. For *auto-click* of RecaptchaV2 to work, the Recaptcha window must be visible for JDownloader to find it on the screenshot. In case the window opens in the background/on a different monitor, this feature will fail.
__________________
JD-Dev & Server-Admin
#8
You should definitely run scans on your computer and no longer use it until you've removed the remote control access.
Or in doubt, just format it and install from scratch.
__________________
JD-Dev & Server-Admin
Last edited by Jiaz; 16.10.2017 at 14:03.
#9
In case you use TeamViewer, never share your ID and PW publicly.
__________________
JD-Dev & Server-Admin
#10
What I would do: boot from a live CD -> create a backup image of the disk (for evidence / further investigation) -> nuke everything. But I'm just a stupid app developer and have not yet encountered such a scenario :-)
__________________
My.JDownloader.org Web Interface | Android App | Browser Extensions [Feedback Thread]
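The "image the disk for evidence before nuking it" step from the post above, and the earlier advice to scan from a live CD rather than from inside Windows, as an added example that is not JDownloader's code and was not posted by anyone in this thread. The point a practitioner cares about is that the image must be a faithful, verifiable copy: hash the bytes as they are written, store the hash beside the image, re-read the image from disk to confirm it matches, and when a block cannot be read, pad it with zeros and record the offset (the `dd conv=noerror,sync` behaviour) so offsets in the image still line up with the original disk. The `FlakyDevice` stand-in and the sample data are constructed for the dry run; on a real system the source would be the raw device opened read-only from the live CD.

```python
import hashlib
import io
import os
import tempfile

BLOCK = 1 << 16  # 64 KiB reads for the sample; use 1-4 MiB for a real disk


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def verify_image(path, block_size=BLOCK):
    """Re-read the finished image from disk and hash it independently."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar_digest(img_path):
    """First token of the <image>.sha256 sidecar, i.e. the recorded digest."""
    with open(img_path + ".sha256", encoding="ascii") as fh:
        return fh.read().split()[0]


def image_device(src, img_path, block_size=BLOCK):
    """Copy a raw block device (any binary stream opened read-only) to img_path.

    Like dd conv=noerror,sync: an unreadable block is replaced by zeros and its
    offset recorded, so the image keeps the disk's geometry. The hash is taken
    from the bytes as they are written, stored in a sidecar file, and then the
    image is re-read from disk to confirm the copy is intact.
    """
    h = hashlib.sha256()
    written = 0
    bad_offsets = []
    with open(img_path, "wb") as out:
        while True:
            try:
                chunk = src.read(block_size)
            except OSError:
                bad_offsets.append(written)
                chunk = b"\x00" * block_size
                src.seek(written + block_size)  # skip past the unreadable block
            if not chunk:
                break
            out.write(chunk)
            h.update(chunk)
            written += len(chunk)
    digest = h.hexdigest()
    with open(img_path + ".sha256", "w", encoding="ascii") as sidecar:
        sidecar.write(f"{digest}  {os.path.basename(img_path)}\n")
    return {"bytes": written, "sha256": digest, "bad_offsets": bad_offsets,
            "verified": verify_image(img_path, block_size) == digest}


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a disk with one unreadable block (sample data only)."""

    def __init__(self, data, bad_offset, block_size=BLOCK):
        super().__init__(data)
        self.bad = range(bad_offset, bad_offset + block_size)

    def read(self, size=-1):
        if self.tell() in self.bad:
            raise OSError(5, "Input/output error")
        return super().read(size)


def make_sample():
    """Constructed 'disk' of five full blocks plus a partial one, whose third
    block cannot be read, and an image path in a fresh temp directory."""
    data = bytes((i * 31 + 7) & 0xFF for i in range(5 * BLOCK + 123))
    device = FlakyDevice(data, bad_offset=2 * BLOCK)
    img_path = os.path.join(tempfile.mkdtemp(prefix="evidence_"), "disk.img")
    return data, device, img_path


if __name__ == "__main__":
    # On a live CD the source would be e.g. open("/dev/sda", "rb"), with the
    # suspect disk never mounted read-write. This run uses the constructed sample.
    data, device, img_path = make_sample()
    print(image_device(device, img_path))
```

Keep the `.sha256` sidecar with the image and re-run `verify_image` before any later analysis; a recorded `bad_offsets` list is also evidence in itself, since it tells you which regions of the image are padding rather than disk content.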
#11
Thanks for all the suggestions to scan/clean/kill/format my system. No need to repeat them anymore.
#12
Of course it is. But it is not possible to open any URL, nor to use that feature remotely.
__________________
JD-Dev & Server-Admin
#13
Do you use a multi-monitor setup? Is the Recaptcha fully visible or hidden behind some other window? By *stopped working* do you mean the *auto-click* feature? So you have to click *I'm not a robot* yourself, right?
__________________
JD-Dev & Server-Admin
#14
Single monitor. Yes, it's visible. When the browser opens that page, its whole window activates. No matter how long I wait, I have to click *I'm not a robot* myself, yes.
#15
I can try to help via teamviewer if you like. Send me ID and PW to support@jdownloader.org
__________________
JD-Dev & Server-Admin
#16
Any idea why phantomjs.exe process is suddenly active while no files are being downloaded?
#17
phantomjs is used for the old RecaptchaV2 solving method. It no longer works well, and because of bugs it may take some time before this process stops.
You can disable it in Settings-Advanced Settings-PhantomJS.enabled
__________________
JD-Dev & Server-Admin
#18
I think you got caught by this problem:
https://board.jdownloader.org/showthread.php?t=75290
Please install Norton since it can block these attacks. It starts mining coins on your PC and is installed every time a captcha code is loaded in JD2; the captcha searches for installed or running browser miners, and hosters like share-online install them.
Last edited by crasher80; 20.10.2017 at 15:26.
#19
@crasher80: JDownloader neither loads nor executes these coin-mining scripts.
__________________
JD-Dev & Server-Admin
#20
I'd like to add that my PC certainly does NOT look like it's infected. I've checked with several advanced tools and consulted experienced people. I also have some experience myself. And it all looks very strange.
Auto-clicking still doesn't work and I don't want to provide access through TeamViewer. It should be possible to debug such issues with logging. All I can say is that I'm using the latest version of the Opera browser.