Hacked By Jeefo Megabit

Hi

A client recently came back to their PC after a couple of days to find a .txt file and about 20 printed pages saying Hacked By Jeefo Megabit.

When they went to log on their name had been removed from the user box and the administrator account name was there instead.

I've searched google, yahoo, mamma, dogpile, Ask etc for this exact phrase but it doesn't seem to come up anywhere (ok it came up once and took me to a Tupac tribute page but I can't for the life of me find it now and I can't recall what search engine I used at the time.)

I'm aware of a trojan called jeefo but I don't think this has anything to do with that (I might be wrong).

I've run a full scan for viruses and had nothing come up. I did run a spyware scan but nothing out of the ordinary came up with that either.

Has anybody heard of this and if so do they know if this is a legitimate hack and how they may have got in, and also how it can be prevented in the future?
Asked by: diles

3 Solutions
simsjrg commented:
How is the machine accessible via the Internet? VNC, RDP, GoToMyPC etc?

>> how it can be prevented in the future?

Remove access to the machine from the public Internet. Implement a VPN solution so you are not required to expose internal workstations, servers and services to the outside world that don't need to be.
snoopfrogg commented:
To prevent this, minimize the attack surface of the workstations and servers in your client's environment.  A defense-in-depth approach (thorough) is best.  To do so:

1.  Like the previous poster indicates, only allow external access via secure (encrypted and authenticated) methods.
2.  Disable unnecessary Windows services.
3.  Uninstall unneeded software.
4.  Run anti-virus/anti-malware software.
5.  Use a client firewall.
6.  Use an account with low privileges like a local user or domain user account to perform daily/routine tasks rather than running as an administrator.
7.  Control physical access to the workstation as much as possible.
AdamsConsulting commented:
Hire an information security incident response specialist now who will be able to do a proper audit and determine how the intruder got in and how to prevent it, which is the only way to prevent it in the future. It's probably not the signature of a known virus or malware, but of a bored teenager.
diles (Author) commented:
There are only 2 PCs on the network, protected by a Vigor 2800 firewall with no direct access from the internet other than port 80. The attack has got to have come from a piece of malware from an Internet site. The question is what was it. We will revisit the machine today as we have not found anything that allows this attack and are still concerned the tool used is still active. Any further assistance with this specific solution would be gratefully received.
jahboite commented:
You say port 80 is available to the public - is that a web server or are you allowing remote administration of the Vigor over the internet?  Are you certain that you're not exposing port 23 to the web?  Is administration of the router protected by a complex password? Do you have UPnP enabled on the router?

If you allow remote admin of the router, you ought to think about disabling that and setting up a VPN instead.  I'd advise you to check the settings under System Maintenance > Management.  Also, perform a port scan against your public interface to be certain about what services you expose to the internet.  http://nmap.org/download is a good choice and a comprehensive scan such as the following will interrogate any services running on TCP ports either on the router or forwarded through it:
nmap -sSV -p0- --allports -v --reason <your-public-IP>
diles (Author) commented:
Port 80 is not redirected; I was referring to the fact that when on the internet the PC is susceptible to malware.
jahboite commented:
It doesn't sound like that sort of a hack.  I may be wrong, but it seems like someone managed to log in to the PC interactively as an administrator, and for that they would have had some kind of remote access (it may, of course, have been someone on the local network, or a wireless network if you have one enabled).
Therefore I urge you to answer the above questions in order to satisfy yourself that remote access is not possible.
diles (Author) commented:
I understand where you are coming from but there is NO remote access in to this network. We have had another customer who had a malware program attacking the server from within. Having isolated the network from the internet we still saw errors in the security log and traced this attack to the CEO's PC (who insisted on having Domain admin rights). So this still makes me wonder if remote access has been accessed by an IE security flaw or another piece of malware.
jahboite commented:
I don't know of any malware which performs an interactive logon, deposits a text file proclaiming a hack and prints 20 pages of text.  This is either someone having a joke (someone with administrator credentials) or someone has gained remote access.  Most malware is designed to stay under the radar while it performs its tasks - namely making money for its authors and distributors.

It's possible that someone has visited a page on the web in which an embedded Java applet or Flash player file has managed to use UPnP to open up ports to allow remote access via the Vigor.  A port scan against your external interface would show up any publicly available services and alert you to this.
diles (Author) commented:
Thanks will do that now.
jahboite commented:
And if port 80 is not redirected then it can only be the Vigor's admin console on port 80 - this is a bad idea, and my original advice stands.
diles (Author) commented:
The Vigor is on port 8080.
Mohamed Osama (Senior IT Consultant) commented:
It can be a reverse-connection Remote Administration Tool (RAT).
These types of trojan tools were introduced a few years back with the concept of FWB (Firewall Bypass).
The method is that once the server side is installed on the victim's machine, the server side will act as the client and initiate an outbound connection to the attacker's PC, which has a port listening, instead of the other way around.
Such tools were pretty much available on the internet and are popular among script kiddies for their ease of use; they can also be DLL files injected into trusted applications like Windows Explorer or Internet Explorer to ensure those DLLs can bypass any firewall restrictions, since they are running under the context of a trusted application.
diles (Author) commented:
This is more like what I suspected. Is there an easy way to look for these? We are going on site within the hour.
jahboite commented:
You could look at the NAT table on the Vigor: Diagnostics >> NAT Sessions Table.
If a client within the network is connected to someone outside, you'll see an entry in this table and you'll see the IP address and port on the client machine.  You can then run netstat -ano on the client machine to determine the process ID associated with the connection and then look that up in Task Manager.  Start by investigating the Peer IPs to find any that might be suspicious.
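Added example (not code from this thread or from the Vigor/Windows tools): a small Python triage helper for the check jahboite describes, which also covers the reverse-connection RAT pattern Mohamed Osama describes. It parses netstat -ano and tasklist /fo csv output, keeps established TCP sessions whose peer lies outside the local address ranges, and names the owning process by PID; the sample output, addresses, ports and PIDs below are constructed for this example.

```python
import csv
import io
import ipaddress
import re
# Constructed sample of `netstat -ano` output (Windows layout); the
# addresses, ports and PIDs are invented for this example.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49712     192.168.1.1:8080       ESTABLISHED     2964
  TCP    192.168.1.10:49801     203.0.113.45:6667      ESTABLISHED     1540
  TCP    127.0.0.1:5354         127.0.0.1:49152        ESTABLISHED     1200
  UDP    0.0.0.0:500            *:*                                    1076
"""
# Constructed sample of `tasklist /fo csv` output from the same machine.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"iexplore.exe","2964","Console","1","41,000 K"
"explorer.exe","1540","Console","1","30,512 K"
"""
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# Peers in these ranges are local (LAN, loopback, link-local); anything else is external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128")]

def parse_netstat(text):
    """One (proto, peer_addr, peer_port, state, pid) tuple per connection line."""
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        proto, _local, remote, state, pid = m.groups()
        raddr, _, rport = remote.rpartition(":")      # also handles [v6]:port
        rows.append((proto, raddr.strip("[]"), rport, state, int(pid)))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def external_sessions(netstat_text, tasklist_text):
    """Established TCP sessions to non-local peers, joined to the owning process;
    a trusted-looking process holding one is what an injected reverse RAT looks like here."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for proto, raddr, rport, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        if any(ipaddress.ip_address(raddr) in net for net in LOCAL_NETS):
            continue
        hits.append((pid, names.get(pid, "<unknown>"), raddr, rport))
    return hits
```

On a live machine, feed it the saved output of the two commands; any hit whose image name is a browser or shell component, or whose remote port is unusual, is the PID to examine first.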
MalleusMaleficarum commented:
I'm not sure when you did your web searches, but this is what I found:

http://www.neogen.ro/user/mata

A 21-year-old male in Romania goes by the name of Jeefo Megabit.  If you follow this Google link

http://www.google.com/search?q=%22Jeefo+Megabit

you will see, if you visit his page, that he has since changed his name to Jeefo MebabYTE, but Google still has it cached as his other handle, as seen in the screenshot.

As an incident responder, here is my guess.

Your client got infected with something which allowed the remote attacker full remote control of the workstation.  He later googled himself, saw that someone had posted a question about his handle, and changed it to something else.  But I suspect this is your man.

The first thing that I would have recommended would have been to immediately stop any additional analysis of the live workstation and instead have a forensic bit-by-bit copy of the workstation made for analysis.  Any possible shreds of evidence could have been in the drive's slack space, assuming all the tools used were not memory resident. (Not a sermon, just my recommendation)

There is a very large hacker contingent that comes out of Eastern Europe (Google "Russian Business Network").  The motivation varies from stealing identities, personal information, and corporate espionage, to adding yet another computer to a hacker network's sea of "zombies" to be later used as part of a massive denial of service attack.

I know it doesn't really help you figure out how, but I think it answers the who.

P.S. Jeefo, if you are reading this, feel free to sign up for an EE account and respond with how you did it. :)

_Mal_

megabit.JPG
diles (Author) commented:
We supplied the client with a new PC as they were concerned with the incident. We are still no further to finding out how this happened, so we request that the question now be closed. Thanks to all who helped in this matter.
MalleusMaleficarum commented:
Your client looked to you to assist in answering several questions.  While you may not have been able to answer them 100%, you were given some useful information that you likely used in responding to your client.  If you feel that you have gained useful information from the individuals posting here, it is only fair that you distribute some points to those individuals.