How could a hacker have accessed the admin's home directory?

Sal Tennis

New Member
Credits
75
I request everyone to read in full and help me, and sorry for my English.

I often get a few text files (named "New Text Document.tmp" / "WindowsUpdate..log", "WindowsUpdate-1.tmp" / "0000001.tmp" / "0000001 copy.tmp" / "0000001 copy (2).tmp" ...) on my desktop while using Windows (7 & 10), even when working offline, or when I don't touch my PC.

I tried Windows & 3rd-party firewalls, virus/malware/spyware checks, fresh OS installations, even on fresh hard drives, without any 3rd-party software & drivers. Same issue again & again!

I wondered and brought my friends' 4 laptops & 2 PCs into my house, but all got the same problem (only the file contents are different; I'll explain later).

I concluded (guessed) that a neighbor hacked my WAN miniports & Wi-Fi! It happens again & again!

Finally I moved to Linux with a heart full of hope & expected peace of mind!

I did a fresh installation on a new hard drive; after a reboot, I was shocked that I got a few files on my desktop!! It happened in Debian & Devuan!

I came across the elementaryOS website and read their promises on security & privacy! I completely believed in them & installed it. A week went by without worries - actually I thought so! One day I opened Files > Home and was doubly shocked - there is a file named "~0000001.tmp"!!

I used a firewall too!

One question remains undigested:

How does an OS allow a process/entity/object (PC/hacker/signal/anything) to access/write to my PC/laptop WITHOUT MY CONSENT AND APPROVAL?

Where have the user rights/privileges gone while a hacker accesses it like an authorized admin?

Admins/users being asked for password confirmation on many important changes in an OS is common, but nothing for hackers?

At least, can't an OS determine that a process/command came from outside the current admin/user's consent?

We all believe that Linux is best for security; it works for its admins/users - not for others/hackers!

And the elementaryOS team said that there are no back-holes in elementary OS!

If so, WHY DOES IT HAPPEN?

Please explain: what happened? What can I do? How can I defend myself?



A few lines from the contents of the above-mentioned tmp/log files:

> Wifi Hacked

> Wifi SSID MyWifiName Password MyWifiPassword <no mask/encryption>

> Wifi Hacked

> Wifi SSID MyNeighborWifiName Password hashed HfewGHedfDYiouyNvddz

> Phone hacked

> Voice Recording

> User said [bring some water]

> User 1 or 2 said [where is my towel]

note: all exactly what we talked about (at home)

> BIOS asked where do you get these data?

> Other PC asked to collect these data

> SMS, Photos, Getting Contact Lists

> Encrypted Files

> Stored in secrete place

I turned off the phone; it wrote:
> Turn on the phone for hacking

Then the phone powered on automatically!!! Creepy Android!!!! I broke the phone! It wrote:
> USER DISPOSE THE PHONE

> USER REMOVED ITS PARTS

> Hacking failed

> Hacking failed

> Spreading hacked details to other PC's

> Spreading hacked details to other PC's

> ...

I stored all the files for reference on a separate pen drive.
 


Hillbilly H

Active Member
Credits
770
Who has access to your house and your computer?
 

Sal Tennis

New Member
Credits
75
Thanks for asking! I forgot to mention, I have a small family: wife & 1 child (aged 1 month).

Nobody touches my PC/laptop! My wife is an illiterate woman (from a village); she only learned to use the answer/cut keys on her old classic phone. She is currently resting after delivery.

I only use a smartphone, a PC & a laptop. I'm a vet doc and have a small clinic for pets in my guest room (attached to the home).

I don't know when this hacking issue started; I've recognized it for about 20 days now.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
27,947
Have you looked to see what ~0000001.tmp is? Have you opened it with a text editor? All sorts of valid things may write temporary files. I'd assume it to be harmless before assuming it to be malicious, at least on Linux.

Maybe upload it somewhere and share it with us - after you open it with a plain text editor to see if it contains personal information. An application may have crashed and dumped a temporary debug file where it hoped you'd see it in ~/.
 

Sal Tennis

New Member
Credits
75
Have you looked to see what ~0000001.tmp is? Have you opened it with a text editor? All sorts of valid things may write temporary files. I'd assume it to be harmless before assuming it to be malicious, at least on Linux.

Maybe upload it somewhere and share it with us - after you open it with a plain text editor to see if it contains personal information. An application may have crashed and dumped a temporary debug file where it hoped you'd see it in ~/.

Thanks! I already pasted the tmp/log files' contents as quotes in my first post. Please check.
 

stan

Well-Known Member
Credits
7,680
I did check and the contents aren't there in your post.
I already pasted the tmp/log files' contents as quotes on my first post.
A few lines from the above said tmp/log files' contents:

> Wifi Hacked

> Wifi SSID MyWifiName Password MyWifiPassword <no mask/encryption>

> Wifi Hacked

> Wifi SSID MyNeighborWifiName Password hashed HfewGHedfDYiouyNvddz

> Phone hacked

> Voice Recording

> User said [bring some water]
I think the OP is using " > " as his quote mark, like an email program.

And if all of that is accurate, it sounds pretty serious. Re-using the same password for the router, and phone, and computer(s) might explain why there is such a great loss of security. As bad as it all sounds, I think that I would reset and reinstall everything. But having a home business may need careful backups and restoring of customer data. If not careful, restoring data may also restore the attacker's tools or malware. Definitely run anti-virus on the Windows computers. Use different (and difficult) passwords for everything... never re-use passwords.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
27,947
I think the OP is using " > " as his quote mark, like an email program.
Ah, I got it now. Thanks.

And, yeah, I'd like to see a full copy of the tmp files - but not if they contain sensitive information.

That it's across multiple systems and time periods, it seems like 'serious' is an accurate statement. I've done some playful work with malware in the past, but that was way back when I used Windows.

Yeah, like you, I'd start by replacing the networking hardware, or at least doing a factory reset and then setting the WPA2 password to something that's not written on the bottom of the device. I'd then start systematically backing up the data they need, ensuring it's sanitized, and resetting all the devices - making sure to share no passwords among them like you suggest. If possible, I'd just nix the Windows and go straight to Linux with the rest.
 

Sal Tennis

New Member
Credits
75
I think the OP is using " > " as his quote mark, like an email program.

And if all of that is accurate, it sounds pretty serious. Re-using the same password for the router, and phone, and computer(s) might explain why there is such a great loss of security. As bad as it all sounds, I think that I would reset and reinstall everything. But having a home business may need careful backups and restoring of customer data. If not careful, restoring data may also restore the attacker's tools or malware. Definitely run anti-virus on the Windows computers. Use different (and difficult) passwords for everything... never re-use passwords.
Thanks @stan! I tried recovery & protection methods (from internet research). I made a Wi-Fi password of 25 characters (with symbols, numbers & small & CAPITAL letters), but it was displayed again in the *.tmp file without any mask/hash. But my neighbour's Wi-Fi password was added with a hash in another file!

The danger is, the file was created while I was offline, my Wi-Fi powered off & unplugged!!!

This is strange & unbelievable; no one else's experience is found on the internet!!! After long research, I guessed that WAN Miniports were used to hack? Is that correct?

Why does an OS allow communications with other PCs/smartphones WITHOUT the admin/user's concern/permission??
 

Sal Tennis

New Member
Credits
75
Ah, I got it now. Thanks.

And, yeah, I'd like to see a full copy of the tmp files - but not if they contain sensitive information.

That it's across multiple systems and time periods, it seems like 'serious' is an accurate statement. I've done some playful work with malware in the past, but that was way back when I used Windows.

Yeah, like you, I'd start by replacing the networking hardware, or at least doing a factory reset and then setting the WPA2 password to something that's not written on the bottom of the device. I'd then start systematically backing up the data they need, ensuring it's sanitized, and resetting all the devices - making sure to share no passwords among them like you suggest. If possible, I'd just nix the Windows and go straight to Linux with the rest.
Thanks @KGIII!

Do I need to replace my modem hardware?!! The file was created while I was offline, my Wi-Fi powered off & unplugged!!! This is strange & unbelievable; no one else's experience is found on the internet!!! After long research, I guessed that WAN Miniports were used to hack? Is that correct?

Do I need to replace my PC motherboard & laptop?

If I replace them, is there any guarantee that it will be unhackable? Because I will again use Windows or Linux. But does an OS allow communications with other PCs/smartphones WITHOUT the admin/user's concern/permission??

So, how can I recover from this completely?
 

stan

Well-Known Member
Credits
7,680
The danger is, the file was created while I was offline, my Wi-Fi powered off & unplugged!!!

This is strange & unbelievable; no one else's experience is found on the internet!!! After long research, I guessed that WAN Miniports were used to hack? Is that correct?

Why does an OS allow communications with other PCs/smartphones WITHOUT the admin/user's concern/permission??
I don't think we know enough about your problem, and it seems too extreme to really determine how your hack happened just by asking you questions.... many of which you probably do not know the answer to yourself.

If you are willing to spend money on the problem, I think it would be best spent on a local computer expert who can come to your home and give a careful examination of your equipment and how it is configured. I don't think buying new computers and router is necessary... but as @KGIII and I both suggested, a good starting point would be to reset and erase everything and start over. This has the same effect as buying new equipment.

Besides your WiFi password, the router has a password built into it so that you can access its settings. Resetting the router will go back to this default password... or perhaps you never changed this? These default router logins are well known and could be the first step that your attacker used. But there is much more going on from your description.

I would do the following... or have a computer expert help you to do these things. But you will need to make good backups of important files. Scan these files for virus/malware before restoring later.

1. First off, shut down everything. Bring each device online again one at a time. Try to watch as each device comes online again to see if there is any trouble.

2. Reset the router. Change the admin username and apply a very secure password to it. Be sure that the router cannot be configured from a WiFi connection (there's a router setting for that). Be sure firewall is activated, if available.

3. Format/erase every computer on your network and reinstall each operating system. It would be nice to use Linux only, but if you need Windows you should only use Windows 10 because Windows 7 no longer gets security updates. Use Windows Defender or other product for anti-virus and malware protection on any Windows computers. Each computer should get a strong new password to log in.... do not use automatic login. If possible, create just a simple "user" account that does not have administrator privileges for most of your daily work in Windows.... this is one of the biggest reasons that Linux is more secure than Windows. Activate firewall software on each computer as a backup to the router firewall.

4. Reset every phone that uses your network. Use strong new password.

5. Do not install any more apps on phones or computers than absolutely needed. Programs not supplied with your operating system are another of the many ways that you could be hacked.

These steps sound simple, but they will likely take some days to complete if you go carefully. But it is basically the same process if you buy a new router and new computers and phones. If you manage to clear the hacker out of your network, you will need to be very careful going forward to keep them out. Keep all operating systems fully updated. It might be good to learn how Linux log files can tip you off to people trying to get in, and maybe Windows has such log files too. This is a lot of work, but I think it's the best way to try to be sure of clearing out the hacker completely.

Good luck!
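Step 5 above ends with the suggestion to learn how Linux log files can tip you off to people trying to get in. The script below is an added example (not code from anyone in this thread): it summarises failed SSH logins from an auth log in the standard sshd/rsyslog format used in `/var/log/auth.log` on Debian-family systems. The log lines embedded in it are constructed for offline testing, not real traffic; the hostname `clinic-pc`, the user `sal` and the addresses are made up.

```shell
#!/bin/sh
# Added example (not from the thread): summarise failed SSH logins from an
# auth log, the kind of "tip off" stan mentions. Assumes the standard
# sshd/rsyslog line format found in /var/log/auth.log on Debian-family
# systems and POSIX awk/sort/wc.

# Constructed sample log lines (not real traffic) so the script runs offline.
SAMPLE_LOG=$(cat <<'EOF'
Jun  3 01:12:04 clinic-pc sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jun  3 01:12:09 clinic-pc sshd[1201]: Failed password for root from 203.0.113.5 port 51023 ssh2
Jun  3 01:12:15 clinic-pc sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Jun  3 01:15:40 clinic-pc sshd[1210]: Accepted password for sal from 192.168.1.20 port 40110 ssh2
Jun  3 02:02:11 clinic-pc sshd[1250]: Failed password for sal from 198.51.100.9 port 60001 ssh2
Jun  3 02:03:00 clinic-pc sshd[1250]: Accepted publickey for sal from 198.51.100.9 port 60001 ssh2
EOF
)

# Count failed password attempts per source IP, most frequent first.
# Reads log lines on stdin; output lines look like "<count> <ip>".
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# List source IPs that first failed and later got an accepted login.
# A success after repeated failures from the same address deserves a look.
failed_then_accepted() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1) }
         /sshd\[[0-9]+\]: Failed password for/ { failed[ip] = 1 }
         /sshd\[[0-9]+\]: Accepted (password|publickey) for/ { if (failed[ip]) hit[ip] = 1 }
         END { for (ip in hit) print ip }' | sort
}

# Print how many distinct IPs reached at least $1 failures (default 3).
# Useful as a simple alert threshold. Reads log lines on stdin.
ips_over_threshold() {
    min="${1:-3}"
    failed_by_ip | awk -v min="$min" '$1 + 0 >= min + 0' | wc -l | tr -d ' '
}

# Demonstration on the constructed sample. On a real machine feed the
# actual log instead, e.g.:  sudo cat /var/log/auth.log | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
```

On the sample the first report lists `203.0.113.5` with three failures and `198.51.100.9` with one; `failed_then_accepted` flags only `198.51.100.9`, because it failed once and then logged in with a key from the same address. Run it as root (or with `sudo`) against `/var/log/auth.log`, since that file is not readable by ordinary users.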
 

Sunil1991

New Member
Credits
54
Home directory is not private.

Ubuntu 21.04 made the home directory private by default on new installations.

Try Ubuntu 21.04 and don't connect to your WiFi network or LAN network, and check if you still get tmp files.
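The point above is that on older Ubuntu/Debian installs a home directory is created world-readable (mode 755), so any other local account can read what is in it, while Ubuntu 21.04 creates new homes as 750. The script below is an added example, not code from Sunil1991 or from any distribution: it reports the mode of each home directory, tells you whether "other" users have any access, and tightens a directory to 750 without touching the owner's own permissions. It assumes GNU coreutils (`stat -c`), which Debian, Ubuntu and elementary OS all ship.

```shell
#!/bin/sh
# Added example (not from the thread): check whether home directories are
# readable by other local accounts, and tighten one to the mode that
# Ubuntu 21.04 applies to new homes (owner rwx, group r-x, others nothing).
# Assumes GNU coreutils: stat -c '%a' prints the octal mode.

# Print the octal permission mode of a directory, e.g. 755 or 750.
home_mode() {
    stat -c '%a' "$1"
}

# Return 0 (true) when "other" users have no permission bits on the
# directory, i.e. the last octal digit is 0; return 1 otherwise.
is_private() {
    mode=$(home_mode "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Remove all "other" permissions and the group write bit, leaving the
# owner's bits untouched (755 becomes 750). Prints the resulting mode.
make_private() {
    chmod o-rwx,g-w "$1"
    home_mode "$1"
}

# Report on every directory directly under $1 (default /home) without
# changing anything.
audit_homes() {
    base="${1:-/home}"
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        d="${d%/}"
        if is_private "$d"; then
            printf '%s %s private\n' "$(home_mode "$d")" "$d"
        else
            printf '%s %s READABLE BY OTHERS\n' "$(home_mode "$d")" "$d"
        fi
    done
}

# Read-only audit when run directly; fix a directory with: make_private /home/NAME
audit_homes "${1:-/home}"
```

`audit_homes` only reports; run `make_private /home/NAME` yourself for each directory you want to close off. Note that 750 stops other accounts on the same machine from browsing your files; it does nothing about whatever is running as your own user, so it complements, rather than replaces, the reinstall steps stan listed.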
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
27,947
a good starting point would be to reset and erase everything and start over.
I almost want to suggest hiring a *trusted* professional and verifying the work.

They're looking at many, many hours of work - and diligent work, when their profession is animal medicine. It's perfectly okay if they don't have the IT skills required for this type of work, and we really shouldn't expect them to.

Can it be done by a layman? Of course. It's time consuming while requiring a whole lot of learning and understanding, and it may be wisest and quickest to hire a professional.
 

stan

Well-Known Member
Credits
7,680
If you are telling the truth, why don't you just file a police complaint against your neighbour?
This might be a good option if you have evidence or proof. Or it could make a bad situation worse.


a *trusted* professional
Much better term than "computer expert." :)

It's a bit of a toss-up... hire a trusted professional to dig into existing network, looking for possible "needles in a haystack" left by the hacker (some that might be missed)... or have the professional guide a safe clean new network installation.

The choices and decisions are, of course, dependent on the OP's time available to deal with this, his own computer skills, and the cost of hiring a trusted professional. At the end of it all, the OP still must have (or learn) the skills to keep his network secure... or else keep the IT professional returning on a somewhat regular schedule. It looks like a long road ahead either way.
 

KGIII

Super Moderator
Staff member
Gold Supporter
Credits
27,947
The more I think of it, the more I'm liking the idea of developing a relationship with a trusted IT specialist. You need them once to clean up and that's likely to be the most costly. Then, have them set policies and lock things down - preventing (or making more difficult) further intrusion. Finally, having them return regularly (or monitoring remotely) to verify the network and device integrity.

Small business IT via contract is pretty common, though I'm unsure of where the OP lives.

Hmm... I just scoped their IP address and they don't appear to be too remote. They don't appear to be in some undeveloped country.

They might try asking their peers who they use. Or asking other small business owners who they use for IT.
 