![]() The company also argues that the increase in compromised user accounts may be related to the recent leak of hundreds of millions of user account info from other sources TeamViewer announced yesterday that it has begun to roll out two new protective features. Some hacked users reported seeing mouse movements on their screens (when they were not moving the mouse) This would make a basic brute-force attack time consuming, but might not rule out some kind of distributed attack (which is beyond my means of testing easily)." After their 30 second ban, it appears they are limited to 2 attempts with a 60 second ban with consecutive attempts increasing the ban time (with two attempts each). If a user tries to connect during a ban you will see "CLoginServer.AuthenticateServer: still blocked" in the log. If someone uses all the retries, it bans that ID for 30 seconds. ![]() You will have to search up from that line to find the most recent instance of "client hello sent" which shows their TeamViewer ID. That line will also show the retries remaining (default seems to be 5). ![]() You can search for "Authentication failed" to find instances of someone attempting to connect and entering the wrong TeamViewer password. Since any successful connections are shown in Connections_incoming.txt, this is mainly useful to search for failed connections. There's a lot of crap mixed in here, so I am using search to jump to what we're looking for. This appears to rotate, so there's also a TeamViewer11_Logfile_OLD.log file as well, which is just older data. It's called TeamViewer11_Logfile.log (replace 11 with the version you are running if it's not 11). User name or computer user name of the connecting clientĬonnection mode (RemoteControl or Filetransfer) It's a tab delimited document with the following fields: This is a pretty clean and easy to read file, but it only shows successful incoming connections. The first is Connections_incoming.txt (if you have extensions hidden, it might not show the ".txt"). In Windows machines, they are both located here: There are two log files that you can check for connections. "Here's how to check your TeamViewer logs To check if someone has compromised your system, do this : I then checked my logs at C:\Program Files (x86)\TeamViewer\TeamViewer11_Logfile.log and sure enough, it shows someone connected to my computer at 2:58 am, right before the paypal purchases/transfers:" I didn't know how this happened until today, when I saw posts about teamviewer. They also made 2 other purchases for $250 and $200, both for itunes gift cards. My bank account is linked to paypal, so it withdraws it from my checking account. ![]() On Saturday at 3 am someone accessed my paypal account and transferred $3,000 from my paypal account to theirs. ![]() I have unique passwords for every website, created with keepass so I don't even know my passwords. Unfortunately, I was also hacked because of teamviewer. "Just wanted to make another post, since some people have doubts about everyone getting hacked. Unfortunately, that's not the case it seems. Probably the users who have been hacked are using weak passwords, same password for multiple things
0 Comments
Leave a Reply. |