I believe someone got into my Windows 11 computer remotely, at least that is where I saw some activity. I’m looking for information on tracking down what happened, if they still have access, and what I should do from this point.
My main concern is whether they have installed remote access software and now have some type of permanent access to my network. On my LAN I have three Windows computers and a TrueNAS server running SCALE.
Is there a specific pfSense (I’m running 25.07_RELEASE) log file I can look at or some setting I should activate? The only port I currently have open is 32400 (Plex server).
If you have the space available on your NAS, you can boot the Windows machine from a known clean USB stick, say with Linux, and image the disk drives for later forensic analysis.
Then delete and reinstall the OS and everything on that machine using freshly downloaded software only. Do not reuse any install kits that may have been stored on the compromised computer or from network shares the attackers had write access to. It’s the only way to make sure it is clean and stays clean.
You have two primary goals: the first is to make sure they're out of your network with no way back in, and the second is to figure out how they got in and plug the hole so it doesn't happen again.
Depending on when they got access to the Windows machine and what kind of sensitive information you have stored or typed from there, such as passwords, credit card information, etc., I'd suggest changing them, starting with your home LAN server passwords. Keep a close eye on your other machines on the network, looking for indicators of compromise.
#1 open a terminal or powershell or cmd as admin on the suspect computer, and make sure no browsers or other known applications that communicate on the network are running.
#2 open a terminal, powershell, or cmd as admin and type netstat, save that output for analysis.
#3 Disconnect that computer from the network.
From a safe computer (fresh linux would be nice if you have one), download the free offline Microsoft AV scanner, also download the free McAfee Stinger (part of their enterprise system now), run both of those.
Backing up stuff to a share or portable drive is a good idea, so that it can be scanned with other tools later. If still in doubt over the result of the two scanners, wipe it and start again fresh, then copy your data back in and install the applications (yes, it is a pain, but what more can you do?).
The stinger page isn’t loading a preview, but it’s there if you click on it.
You can also boot from several Linux rescue disks and try the included ClamAV and see what it shows.
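As an added example, not part of the thread or anyone's reply in it, here is an elevated PowerShell version of the "snapshot first, then unplug" steps above. It saves the raw netstat output the post asks for, joins each TCP connection to its owning process path, and also dumps the usual autostart locations (Run keys, scheduled tasks, services) where a remote access tool would normally persist. The output folder, the netstat switches and the rough private-address filter are my assumptions, not something the thread specified.

```powershell
# Added example (not from the thread). Run as admin on the suspect machine
# BEFORE disconnecting it, then copy the folder to a USB stick.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $env:USERPROFILE "triage-$stamp"   # assumed location
New-Item -ItemType Directory -Path $outDir | Out-Null

# Raw netstat as the post suggests (-a all, -b owning binary, -n numeric, -o PID).
netstat -abno | Out-File (Join-Path $outDir 'netstat-abno.txt')

# Same data structured: each TCP connection joined to its owning process.
$byPid = @{}
Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
  ForEach-Object { $byPid[$_.Id] = $_ }

Get-NetTCPConnection |
  ForEach-Object {
    $p = $byPid[[int]$_.OwningProcess]
    [pscustomobject]@{
      State         = $_.State
      LocalAddress  = $_.LocalAddress
      LocalPort     = $_.LocalPort
      RemoteAddress = $_.RemoteAddress
      RemotePort    = $_.RemotePort
      PID           = $_.OwningProcess
      Process       = $p.ProcessName
      Path          = $p.Path
      User          = $p.UserName
    }
  } | Sort-Object State, RemoteAddress |
  Export-Csv (Join-Path $outDir 'tcp-connections.csv') -NoTypeInformation

# Quick look: established connections to non-private addresses are the ones
# to explain first. Rough RFC 1918 / loopback / link-local filter only.
Import-Csv (Join-Path $outDir 'tcp-connections.csv') |
  Where-Object { $_.State -eq 'Established' -and
                 $_.RemoteAddress -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)' } |
  Format-Table RemoteAddress, RemotePort, Process, Path -AutoSize

# Autostart locations where remote-access tools typically persist.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
  if (Test-Path $k) {
    "[$k]" | Out-File (Join-Path $outDir 'run-keys.txt') -Append
    Get-ItemProperty $k | Out-File (Join-Path $outDir 'run-keys.txt') -Append
  }
}

Get-ScheduledTask | Where-Object State -ne 'Disabled' |
  Select-Object TaskName, TaskPath,
    @{n='Action'; e={ $_.Actions.Execute   -join ' ' }},
    @{n='Args';   e={ $_.Actions.Arguments -join ' ' }} |
  Export-Csv (Join-Path $outDir 'scheduled-tasks.csv') -NoTypeInformation

Get-CimInstance Win32_Service |
  Select-Object Name, State, StartMode, PathName, StartName |
  Export-Csv (Join-Path $outDir 'services.csv') -NoTypeInformation

# Hash everything so the copied folder can later be checked as unmodified.
Get-ChildItem $outDir -File -Exclude 'hashes.csv' | Get-FileHash -Algorithm SHA256 |
  Select-Object Hash, Path |
  Export-Csv (Join-Path $outDir 'hashes.csv') -NoTypeInformation

"Triage saved to $outDir"
```

Review tcp-connections.csv and the autostart dumps from a clean machine, not on the suspect one: the point of hashing the folder is so you can trust the copy you look at later. A legitimate service or task with an unfamiliar binary path (for example under a user profile or a temp directory) is the sort of thing worth running down before wiping.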
I was in my vehicle and got a note from Coinbase of a transaction. I was home within minutes. Getting to my computer, there was some Windows update screen. When I moved the mouse pointer it would move elsewhere on the screen like someone was controlling it. Then my desktop popped up and everything has looked normal since.
I did download and run both msert.exe and Trellix Stinger from the Windows machine and they didn’t find anything. How important is it to download from different machine?
If so, then you're probably compromised, and the only appropriate and sure solution is to assume that the OS install is compromised, as well as any storage that was mounted on it (e.g. if you have a folder on the NAS saved in Explorer favorites or mounted as a drive). Depending on what it is compromised with, it may be sophisticated enough to use the same antimalware hooks that antivirus makers use to hide itself from other scanners. The only surefire solution is to use another system that definitely could not have been compromised to download something like a live Linux environment (e.g. Ubuntu Desktop can run directly off of a thumb drive) and use that only to copy whatever files you need off of the computer to some other non-compromised storage. Then you need to wipe the PC and reinstall from scratch. If your motherboard has any sort of auto-installing software, that might be compromised too (e.g. Asus DriverHub), and you should look in your UEFI settings to turn off any sort of driver installation or software utility auto-install option.
You need to back up your data on this machine and reinstall the operating system and applications - this is the only 100% way to know the machine is probably safe.
Do you have periodic backups of your data? If yes, I would try to isolate/identify a backup that pre-dates the intrusion, and restore that, even if it means losing some data. That’s just me however.
Images, music and movies are generally fine. There are ways to hide malware within those files, but it’s quite unlikely you’ll encounter any. MS Office documents are a bit more problematic since they can contain macros.
Once you reinstall everything from clean sources I suggest you run thorough antivirus and malware scans on everything and take it from there.