JDownloader Community - Appwork GmbH
 

Help me, I think my computer got hijacked?

#1
15.10.2017, 12:36
choin
Super Loader
Join Date: Oct 2017
Posts: 27

I have the "Captcha Solving in Browser via Dialog (Window)" enabled, and Opera browser is used for this.

At some point, this is what happened:
- I had JDownloader running and downloading files.
- I had Opera browser running.
- Opera was proposing to reboot for an update for a few days already.
- I closed Opera to update it. It was done without issues.
- Even though JDownloader had already been working for a few days too and there were some updates available, I did not restart JDownloader so as not to interrupt download progress.
- I turned off my display and went to sleep as usual.

In the morning, this is what happened:
- I've found out that new tabs were opened in Opera. These tabs were JDownloader Captcha solving pages and pages I've never used before - an email server (a major one, but I never used it myself) was opened, logged in as a user which, from what I see in the message history, is a real person. Some email messages were opened with sets of login data to different portals, mostly about SEO. Most of these portals were not working (I think these services died many months ago) or the login data was not working. Also a Bitcoin Wallet login page at Blockchain.info was opened with a login entered and the password field in red (indicating there was a login attempt with a wrong password). That entered wallet ID is clearly tied to that email account.
- I've remembered that these JDownloader pages stopped working some time ago - even though auto-click option was enabled, it was not working, and I had to click the Google Captcha manually for it to be accepted and page closed. That's why I found it normal to see these pages opened with errors in Google Captcha (when not clicked for a long time, an error text pops up there).
- I've decided to update JDownloader since no download was in progress. When doing so, it crashed. After a restart, it was launched and updated without problems. It never crashed before on trying to update.

I've started to check clues to what actually happened and how someone might have apparently connected to my desktop remotely and used my PC. This is what I've found:
- First JDownloader page was opened somewhere at 2:00 AM.
- The first page apparently opened by the intruder was at 2:01 AM.
- I was unable to confirm that any remote PC software was used. All logs look clear.
- I was unable to confirm that any malicious software was installed or opened on my PC. I've checked all important places and found nothing bad or infected.

At this point, I've started to doubt that it was anyone's attempt to control my PC. Here are reasons:
- Nothing was apparently touched, only my default browser - Opera.
- The "intruder" used an e-mail account of a real person, I could see that some documents and personal data were included in recent messages.
- Along with the e-mail account, there is access to Cloud disk storage and a Wallet (not a bitcoin one, but the one from that major e-mail provider). Inside the wallet, and from some messages, I could guess that the account owner tries to earn money from SEO projects, where you click ads and get very small transactions every day. The amount of money in that wallet is less than $1.
- The "intruder" never logged out or reset his password. Even now, I can access his email, cloud and wallet account. He did not even close the opened tabs. Did not clean browsing history.
- JDownloader apparently has the ability to open links in my browser and click stuff, even though the auto-click was not working for some time now.

If it was a real intrusion, you'd expect an attempt to install bitcoin miner or some trojan-encoder type of viruses. You wouldn't expect an opened email session and attempts to login to SEO or Bitcoin Wallet pages.

My current theory is that there was no intruder, but JDownloader somehow opened pages which another JDownloader user tried to open at that time, entered data and clicked on things which another user tried to enter or click. Is this remotely possible? It all looks just too suspicious to assume that someone attempted to control my PC.

#2
15.10.2017, 13:44
raztoki
English Supporter
Join Date: Apr 2010
Location: Australia
Posts: 17,659

How exactly can it be from another user?
a) Your browser, Opera, has tab history and typically reopens it (I've been an Opera 12 and prior user for a decade or more).
b) JD opens the captcha task at a local host level, meaning triggered on this system, opened on this system. Or via the My JDownloader extension; once again, this is the captcha task and nothing else.

I would be concerned that someone does have access to your system. This would not have happened from using JDownloader.

raztoki
__________________
raztoki @ jDownloader reporter/developer
http://svn.jdownloader.org/users/170

Don't fight the system, use it to your advantage. :]

#3
15.10.2017, 17:49
choin
Super Loader
Join Date: Oct 2017
Posts: 27

Quote:
Originally Posted by raztoki
How exactly can it be from another user?

That's what I'd like to know myself.

Quote:
Originally Posted by raztoki
a) Your browser, Opera, has tab history and typically reopens it

When I close the browser and open it again, the tabs are opened again, yes. But in this case, the browser was not closed. It was open all night. If the intruder closed his tabs and re-opened the browser, I wouldn't see them opened.

Quote:
Originally Posted by raztoki
b) JD opens the captcha task at a local host level, meaning triggered on this system, opened on this system. Or via the My JDownloader extension; once again, this is the captcha task and nothing else.

The local page uses elements from the Google Recaptcha, I think. Also I'm not sure the local host level JDownloader does not open any ports.

Also, I was connected in My.JDownloader account, although I never used it.

Is it possible to check the logs JDownloader might have left on the disk? At least try to understand why it crashed on update?

#4
16.10.2017, 11:34
choin
Super Loader
Join Date: Oct 2017
Posts: 27

Please check these logs if possible:
Quote:
07.10.17 18.16.05 <--> 14.10.17 10.56.28 jdlog://3677714015941/
14.10.17 10.55.45 <--> 14.10.17 10.55.45 jdlog://4677714015941/
14.10.17 10.54.43 <--> 14.10.17 10.56.20 jdlog://5677714015941/

#5
16.10.2017, 13:36
mrc
Guardian of the Droids
Join Date: Jan 2013
Location: Germany
Posts: 288

My theory: Someone is using your computer for actions he does not want to be connected with. For example, hacking into someone's email account and bitcoin wallet. You are still logged in because the intruder is probably not the one whose emails you're looking at.
__________________
My.JDownloader.org Web Interface | Android App | Browser Extensions [Feedback Thread]

#6
16.10.2017, 13:49
Jiaz
JD Manager
Join Date: Mar 2009
Location: Germany
Posts: 79,342

Logs show that something prevented JDownloader from updating itself. This can either be caused by firewall/av or some other application.

Neither the RecaptchaV2 support nor MyJDownloader can cause this.
- Recaptcha in Browser does load from localhost/JDownloader and from google/Recaptcha.
- MyJDownloader does not provide any methods to *remote control* a computer.

You should run scans on your computer and also check your browser extensions. Maybe some hijacked/bad extension is installed. If possible, use some sort of USB/live CD scan images and do not run scans directly under Windows.
__________________
JD-Dev & Server-Admin
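
Added example (not part of the thread and not JDownloader code): one way to act on the "check your browser extensions" advice above is to read each installed extension's `manifest.json` and list the permissions that let it see or alter browsing sessions. It assumes the Chromium-style `<id>/<version>/manifest.json` layout under the browser profile's `Extensions` folder; the `RISKY` shortlist and the sample extensions are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Permissions that expose tabs, sessions or traffic (reviewer's shortlist, an assumption).
RISKY = {"<all_urls>", "tabs", "webRequest", "cookies", "history",
         "nativeMessaging", "debugger", "management", "proxy"}

def is_broad_host(perm):
    """True for host patterns that match every site, e.g. *://*/* or http://*/*."""
    return perm == "<all_urls>" or perm.endswith("://*/*")

def audit_extensions(ext_root):
    """Walk <ext_root>/<id>/<version>/manifest.json and report risky permissions."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest.parts[-3]
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            # A manifest that cannot be parsed is itself worth a manual look.
            findings.append({"id": ext_id, "name": "?", "risky": ["unreadable manifest"]})
            continue
        perms = list(data.get("permissions", [])) + list(data.get("host_permissions", []))
        for script in data.get("content_scripts", []):
            perms += script.get("matches", [])
        risky = sorted({p for p in perms
                        if isinstance(p, str) and (p in RISKY or is_broad_host(p))})
        findings.append({"id": ext_id, "name": data.get("name", "?"), "risky": risky})
    return findings

def build_sample(root):
    """Constructed sample profile: one benign and one over-privileged extension."""
    samples = {
        "aaaabbbbccccdddd/1.0_0": {"name": "Dark Theme", "permissions": ["storage"]},
        "eeeeffffgggghhhh/2.3_0": {"name": "Tab Helper",
                                   "permissions": ["tabs", "cookies", "<all_urls>"],
                                   "content_scripts": [{"matches": ["*://*/*"]}]},
    }
    for rel, manifest in samples.items():
        folder = Path(root, rel)
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for f in audit_extensions(tmp):
            print(f["id"], f["name"], f["risky"] or "no risky permissions")
```

To use it on a real profile, pass the path of the profile's `Extensions` folder to `audit_extensions` and compare the reported names and IDs against what you remember installing.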

#7
16.10.2017, 13:51
Jiaz
JD Manager
Join Date: Mar 2009
Location: Germany
Posts: 79,342

Quote:
Originally Posted by choin
- JDownloader apparently has the ability to open links in my browser and click stuff, even though the auto-click was not working for some time now.

JDownloader only opens links in the browser if you tell it to. It does not provide any *click* support besides *auto-click* for RecaptchaV2, which is done via a screenshot (to find the Recaptcha) and then clicking it. For *auto-click* of RecaptchaV2 to work, the Recaptcha window must be visible for JDownloader to find on the screenshot. In case the window opens in the background or on a different monitor, this feature will fail.
__________________
JD-Dev & Server-Admin

#8
16.10.2017, 13:55
Jiaz
JD Manager
Join Date: Mar 2009
Location: Germany
Posts: 79,342

You should definitely run scans on your computer and no longer use it until you've removed the remote control access.
Or if in doubt, just format it and install from scratch.
__________________
JD-Dev & Server-Admin

Last edited by Jiaz; 16.10.2017 at 14:03.

#9
16.10.2017, 13:57
Jiaz
JD Manager
Join Date: Mar 2009
Location: Germany
Posts: 79,342

In case you use TeamViewer, never share your ID and PW publicly.
__________________
JD-Dev & Server-Admin

#10
16.10.2017, 14:59
mrc
Guardian of the Droids
Join Date: Jan 2013
Location: Germany
Posts: 288

What I would do: Boot from live CD -> create a backup image of the disk (for evidence / further investigation) -> nuke everything. But I'm just a stupid app developer and have not yet encountered such a scenario :-)
__________________
My.JDownloader.org Web Interface | Android App | Browser Extensions [Feedback Thread]

#11
16.10.2017, 21:27
choin
Super Loader
Join Date: Oct 2017
Posts: 27

Thanks for all the suggestions to scan/clean/kill/format my system. No need to repeat them anymore.
Quote:
Originally Posted by Jiaz
Neither the RecaptchaV2 support nor MyJDownloader can cause this.
- Recaptcha in Browser does load from localhost/JDownloader and from google/Recaptcha.
- MyJDownloader does not provide any methods to *remote control* a computer.

Is it capable of opening tabs in the browser with some URL? From what I see, it does.

Quote:
Originally Posted by Jiaz
JDownloader only opens links in the browser if you tell it to. It does not provide any *click* support besides *auto-click* for RecaptchaV2, which is done via a screenshot (to find the Recaptcha) and then clicking it. For *auto-click* of RecaptchaV2 to work, the Recaptcha window must be visible for JDownloader to find on the screenshot. In case the window opens in the background or on a different monitor, this feature will fail.

Alright. Any idea why auto-click stopped working for me? How can I debug this?

#12
17.10.2017, 10:17
Jiaz
JD Manager
Join Date: Mar 2009
Location: Germany
Posts: 79,342

Quote:
Originally Posted by choin
Is it capable of opening tabs in the browser with some URL? From what I see, it does.

Of course it is. But it is not possible to open any URL, nor to use that feature remotely.
__________________
JD-Dev & Server-Admin

#13
17.10.2017, 10:18
Jiaz
JD Manager
Join Date: Mar 2009
Location: Germany
Posts: 79,342

Quote:
Originally Posted by choin
Alright. Any idea why auto-click stopped working for me? How can I debug this?

Do you use a multi-monitor setup? Is Recaptcha fully visible or hidden behind some other window? With *stopped working* you mean the *auto-click* feature? So you have to click *I'm not a robot* yourself, right?
__________________
JD-Dev & Server-Admin

#14
17.10.2017, 12:06
choin
Super Loader
Join Date: Oct 2017
Posts: 27

Quote:
Originally Posted by Jiaz
Do you use a multi-monitor setup? Is Recaptcha fully visible or hidden behind some other window? With *stopped working* you mean the *auto-click* feature? So you have to click *I'm not a robot* yourself, right?

Single monitor. Yes, it's visible. When the browser opens that page, its whole window activates. No matter how long I wait, I have to click *I'm not a robot* myself, yes.

#15
17.10.2017, 12:18
Jiaz
JD Manager
Join Date: Mar 2009
Location: Germany
Posts: 79,342

I can try to help via teamviewer if you like. Send me ID and PW to support@jdownloader.org
__________________
JD-Dev & Server-Admin

#16
18.10.2017, 09:08
choin
Super Loader
Join Date: Oct 2017
Posts: 27

Any idea why phantomjs.exe process is suddenly active while no files are being downloaded?

#17
18.10.2017, 09:44
Jiaz
JD Manager
Join Date: Mar 2009
Location: Germany
Posts: 79,342

phantomjs is used for the old RecaptchaV2 solving method. It no longer works well. Because of bugs, it may take some time before this process stops.
You can disable it in Settings-Advanced Settings-PhantomJS.enabled
__________________
JD-Dev & Server-Admin

#18
20.10.2017, 15:18
crasher80
Guest
Posts: n/a

I think you got caught by this problem:
https://board.jdownloader.org/showthread.php?t=75290

pls install Norton since it can block these attacks.

It starts mining coins on your PC and is installed every time a captcha code is loaded in JD2.

Captcha searches for installed or running browser miners, and hosters like share-online install them.


Last edited by crasher80; 20.10.2017 at 15:26.

#19
20.10.2017, 15:27
Jiaz
JD Manager
Join Date: Mar 2009
Location: Germany
Posts: 79,342

@crasher80: JDownloader neither loads nor executes these coin-mining scripts.
__________________
JD-Dev & Server-Admin

#20
25.10.2017, 12:08
choin
Super Loader
Join Date: Oct 2017
Posts: 27

I'd like to add that my PC certainly does NOT look like it's infected. I've checked with several advanced tools and consulted with experienced people. I also have some experience myself. And it all looks very strange.

Auto-clicking still doesn't work and I don't want to provide access through TeamViewer. It should be possible to debug such issues with logging. All I can say is that I'm using the latest version of the Opera browser.
All times are GMT +2.