My computer was FTP hacked

[Jolicat]

My boyfriend let his friend who is an experienced self-professed hacker to help "fix" issues he was having with his computer. My boyfriend's computer is running on Windows XP and my understanding is that he used the Windows FTP (and accessed his computer using his IP Address) to gain access.

My concern is that he was able to gain valuable info from his computer for the 5+ hours he was supposedly "troubleshooting" My boyfriend is not from the technology industry and only uses his computer for emails and basic web browsing, so he was relatively unfamiliar with the threat that this might cause him and did not see this access as a potential threat.

This individual is supposed to be his friend, but I am concerned in the time he had access he could have a.) installed spyware, keystroke loggers, b.) uploaded info/files to his computer, or c.) changed settings or done something so that he could access the computer at any time at will (whether my boyfriend gives him FTP access or not.

My question is this: (I was not sure if I should post this on the boards so if it's better-suited to a specific category or topic heading, please advise).

How can we tell - ie. are their log files, or access files we can find out what programs were accessed or what documents accessed or what files uploaded during that time that he was on (2 nights ago) that would tell us if the security was breached or if he downloaded any stealth software or reset any settings on his computer? If not, what can we do to protect his machine (other than purchasing a new computer)?

Obviously, I am VERY upset about this because there is a ton of personal and financial info on that machine that does not need to be known by this individual...or anyone for that matter.

Please, can you help me? You can email me via this site please? Thanks so much in advance for your help!

 

[kimsland]

Read: Is your system infected? Read this before Cleaning or Formatting

I would suggest Backup; and Re-install Windows clean

Microsoft's Windows XP Professional Repair Install step by step (* Including Delete Partition)
http://www.windowsxpprofessional.windowsreinstall.com/sp2sp3installxpcdoldhdd/indexfullpage.htm

Microsoft's Windows XP Home Repair Install step by step (* Including Delete Partition)
http://www.windowsxphome.windowsreinstall.com/sp2sp3installxpcdoldhdd/indexfullpage.htm

* Warning deleting the Partition will remove all User data and Windows system files

 

[Jolicat]

OK - This is a pretty drastic measure...I need to be able to tell him WHY he should do this. Right now, the guy (his friend) says he has a corrupt .pst file (which could be true), because he never created archive folders in outlook and the RAM was being taxed...the other problem his friend said is that he needs more memory, so yesterday my guy went to microcenter to get more memory and is supposed to go to this friend's house to have him install it. Is he putting himself in a compromising position here?

Is there NO WAY to just run a port scan or spy sweeper program to see if his system has been compromised?

Also, how do we know if he UPLOADED anything during the time he was connected (or downloaded anything for that matter)? Are there log files accessable on XP?

Thanks!! Kim

 

[Bobbye]

Do you know what FTP means? It's a 'file transfer protocol.' Simply put, it depends on how the word is used:
Noun: (n) file transfer protocol, FTP (protocol that allows users to copy files between their local system and any system they can reach on the network)

Verb: (v) FTP (use the file transfer protocol to transfer data from one computer to another) "You can FTP these data"

You can find more information about a hack FTP here:
https://www.techspot.com/vb/all/windows/t-2395-Figure-this-one-out--ftp-hack-problem.html

And for the record, anyone given 5 unattended hours access on a computer can copy the entire hard drive. So in a word, IF the hack was done, you (he) has already potentially lost the information and he is advised to change ALL his password and close the bank account as well as any other secured accounts.

Regarding this:

My boyfriend let his friend who is an experienced self-professed hacker to help "fix" issues he was having with his computer. My boyfriend's computer is running on Windows XP and my understanding is that he used the Windows FTP

Most kids who spend a lot of time on a computer can 'hack' something. It's not that hard and most hacking is done just to see if it CAN be done.

But the serious stuff is "cracking"- this isn't a 'for fun' trip> it's done to deliberately access some computer system to either steal info or plant software that will give the cracker continued access.

So I am wondering how you know this 'friend' used FTP? Was this remote help or hands on? What was the original problem with the computer? Do you and your boyfriend share information on his computer? If he is so uneducated, wouldn't it be best to remove anything related to you and keep it separate?

 

[gbhall]

I'm afraid Bobbye is right, IF the self-confessed hacker wanted to, you are well and truly wide open now. Take it very seriously. Even if you become convinced there is no problem, the sense of the advice to separate your own details should be obvious. Also look into so-called 'secure erase' of your files. Just delete is not enough.

 

[Jolicat]

This individual has bragged about his hacking skills to us in the past...I am surprised about my boyfriend allowing him access for so long; however ,this is not my boyfriend's forte or industry and he does not understand the risk he put himself under. He only uses a computer for basic emails and web surfing - he is not a technology geek like me

Anyways, the initial issue with regard to his computer freezing, and supposedly his .pst file got corrupted and the friend said he could use more RAM. Initially, the friend wanted him to bring the computer over to his house to just put more memory in it and fix it at his house (rather than FTPing in), but my boyfriend elected to allow him to FTP in instead. The problem is, I dont know if this guy actually went in with the intention to look at anything, but as most hackers, and people do....you get curious and basic human nature would have you looking at the other person's stuff, esp when you leave them logged in for so long. The prob was that I was out of town and I called my boyfriend to go to my place and let my cat in, and he left this "friend" FTP'd in to his computer the entire time he was at my house down the street (abt 2 hrs -- and then was on for another 6 hours supposedly with my boyfriend in the room, letting the guy poke around on the computer remotely). In my head, and based on what I know, there should have been NO reason for him to be logged in for 7+ hours.

Also, my other concern is that he is running on a wireless linksys router over cable modem which is even more in-Secure....and that concerns me even more. I dont think this guy would do anything like steal his identity, or bank account info and steal money - that is not the biggest concern. My biggest concern, moreover, is the ability for this individual to be able to gain access to the computer from this point forward WITHOUT my boyfriend's permission - either via an open port or via a Spyware or Keystroke Logging Program he installed while he was on his computer. I am suspicious that he did a Port Scan when he was on my boyfriend's computer, because he said something to my boyfriend to the effect of, "someone's monitoring your computer from Illiinois....did you know that?" How would he know that?!? So bizarre!!!

He now tells my boyfriend that more RAM needs to be installed, which can be done, I understand as simply as putting in a battery.....and he says my boyfriends .pst file is corrupt and needs to be "fixed". Other than that, I know of nothing else that was wrong with the computer. Nothing that should have taken 8 hours to fix. Oh, I think he set-up some email archive folders in Outlook....Big deal - that should have taken an hour at most.

I'm afraid Bobbye is right, IF the self-confessed hacker wanted to, you are well and truly wide open now. Take it very seriously. Even if you become convinced there is no problem, the sense of the advice to separate your own details should be obvious. Also look into so-called 'secure erase' of your files. Just delete is not enough.

Is there any way we can pay you so you can talk to us for 10 or 15 minutes on the phone about this so we can understand your concerns - I am concerned that my boyfriend still doubts the risk he is under!! I am really freaking out here. My boyfriend makes movies - and he will be taking content off a hard drive each week from his director and I am concerned this guy (His Friend) will be able to grab the content thru the available FTP Port and the un-secured network - even with a firewall in place! Furthermore, I am concerned that the only way to fix this matter is now to get a new computer, and my boyfriend is adamant that is NOT an option for him as he just got some RAM and does not see the risk. Can you speak to us live about this please? Thank you for your consideration! I am available via email on this site if you can reach me there...THank you again!!

Bobbye - Is there any way we can pay you so you can talk to us for 10 or 15 minutes on the phone about this so we can understand your concerns - I am concerned that my boyfriend still doubts the risk he is under!! I am really freaking out here. My boyfriend makes movies - and he will be taking content off a hard drive each week from his director and I am concerned this guy (His Friend) will be able to grab the content thru the available FTP Port and the un-secured network - even with a firewall in place! Furthermore, I am concerned that the only way to fix this matter is now to get a new computer, and my boyfriend is adamant that is NOT an option for him as he just got some RAM and does not see the risk. Can you speak to us live about this please? Thank you for your consideration! I am available via email on this site if you can reach me there...Thank you again!!

WILL TAKING THESE STEPS NOT FIX THE ISSUE??

1. Restore from a drive image backup
2. Change all of my passwords
3. Do a windowsupdate.microsoft.com
4. Run the baseline security analyser and followed all of its advice
5. Disable anonymous ftp
6. Make ftp root directory read only access by default and then empty it, and instead pointed the various accounts to virtual directories in other locations, using NTFS so that you can set permissions so that only a specific account can access its respective ftp virtual directories.
7. Run Spy Sweeper Programs like WebRoot Spy Sweeper
8. Make sure firewall is turned on and security is at highest level possible

If we do all this, will it NOT fix the potential threat of his getting back "in" in the future? I know we cannot change what he TOOK, but if we can take OUT what he potentially installed, and then ensure he cannot get in, then will we be safe???

Thanks for the help and advice!!

KIM

The empty ftp root means that if anyone moves up above one level of their virtual directory they get a directory with nothing in it.

Remember that ftp authenticates over the internet using unencrypted ASCII text so that someone can point a network traffic analyser (like windows 2000 network monitor) at your machine and if they are even half way decent at reading the output they could find your password.

 

[kimsland]

You do know know that you can request an IP change from your ISP
By the was how did it all go with backup and Clean install?

 

[Jolicat]

To Kimsland...Response to your post

You do know know that you can request an IP change from your ISP
By the was how did it all go with backup and Clean install?

Kimsland - hi there - I cannot touch the computer till we get more RAM installed. My boyfriend does not want me near it. I have a neighbor who used to be an IT Director at a big architectural firm so I am thinking he can help us if we do need to perform the cleaning and IP change from Cox (who is the ISP). I am really grateful for your help.

Once we get the Harddrive Backed up and Cleaned - should we also perform the above steps mentioned in my last post?

Will changing the IP address with Cox ENSURE that this guy cannot get in? What if he has an IP Address Scanner? What are potential risks?

 

[kimsland]

What are potential risks?

No more than anyone else

Also if you just backup, re-install clean, change ISP (or just IP address)
Then do all Windows updates, you'll be fine

 

[gbhall]

Not forgetting review any personal data that was ever on that PC, and in the case of bank account numbers etc, etc, you should approach the bank, tell them the situation, and ask for a new account number to be assigned.

 

[Bobbye]

I am still uncertain about the use of "FTP". Are you trying to indicate the friend set up remote access?

And as for asking:

WILL TAKING THESE STEPS NOT FIX THE ISSUE??

That's a Yes/No answer. The cat's would already be out of the bag, meaning if he wanted to find information, he has already done it. You might be able to remove 'tracks' but you can't get the info back.

And as for stating:

he is running on a wireless linksys router over cable modem which is even more in-Secure..

It is only "insecure" if basic encryption hasn't been set up. It's not any more "insecure " that any other system that hasn't been correctly protected.

You're going into a lot of depth about what you "think" might have happened, but I don't know that you have actually given any facts. Seems to me you need to 'educate' your boyfriend about basic computing and security, then backup whatever you want to save, then wipe the system.

Follow that by changing ant security related items like passwords, etc. and checking all programs/files, etc. with the AV program and spyware/adware programs BEFORE putting back into the system.

 

[k.jacko]

The good advice that the guys have offered you aside, can i just ask;
"How paranoid are you!?!??!?!" :suspiciou
My god, this is your boyfriends 'friend'. Why would he hack/attack your bf's pc?

I gotta be honest, if i were your bf, i'd be concerned about you and your conspiracy theories.
He ftp'd into his pc to fix his outlook .pst issue. Big deal! He helped him out.
He needed the pc to physically put the ram in.

You say your bf isn't a tech geek like yourself. But if you were you'd have sorted those easy problems yourself.
Sound like you've read something about how hackers 'can' get into systems and panicked, regardless of the fact that this guy ia 'friend' of your bf.

By all means follow the advice given to safeguard the pc, but your bf must be soft in the head to let you get suggest his friend is that way inclined.

 

[Bobbye]

Well said, Jacko!