INTERACT FORUM


Author Topic: Unauthorized Access  (Read 3076 times)

DavidMW

  • World Citizen
  • ***
  • Posts: 131
Unauthorized Access
« on: February 11, 2018, 08:55:33 am »

I observed that an unauthorized user was on my Id. I accessed the Id this morning and saw that a Google search window was open and that someone was moving the cursor to websites (PayPal, Microsoft, etc.). I immediately powered down the Id, came back online, and saw that the unauthorized user returned after ~5 minutes of inactivity. The Id is now off.

When I set up the Id back in April, I struggled for a while to configure it. I am now unclear how to change the password. Is it the change remote access password (#16) or something else? Also, I wonder if I change the port forwarding on my router that is linked to the Id, would that create an extra obstacle for any hackers getting on the web through my Id? Finally, I have two port forwarding configurations set up for the Id: 52199 and 52198. I initially set both up for the Id and a Windows machine. How do I tell which port forwarding is set up for the Id so I can then terminate the other?

Trying to find my way back to a safe haven...
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71341
  • Where did I put my teeth?
Re: Unauthorized Access
« Reply #1 on: February 11, 2018, 09:09:00 am »

That's not good.

The ports 52199 and 52198 could only be used to access your media.  I don't think they would allow an outsider to login.

It's possible someone is on your wireless network. 

On the text menu of the Id, change the password for remote access.

In the Media Network settings of MC, change the login and password.  Turn Media Network off and back on.
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71341
  • Where did I put my teeth?
Re: Unauthorized Access
« Reply #2 on: February 11, 2018, 09:17:45 am »

I think that it could only be done by using VNC or similar and probably only from your LAN, wireless or wired.

Any kids?
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71341
  • Where did I put my teeth?
Re: Unauthorized Access
« Reply #3 on: February 11, 2018, 09:20:12 am »

Routers can be easily compromised, usually through WPS.  Please read this and consider changing your router settings:

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
Logged

DavidMW

  • World Citizen
  • ***
  • Posts: 131
Re: Unauthorized Access
« Reply #4 on: February 11, 2018, 10:08:01 am »

Thanks for the quick reply. I changed the remote access password. I will soon have to understand when I need to enter the new password to access the Id, MC, and JRemote (if needed for the latter two).

I am unclear how to change the login and password in the Media Network settings (image from the Windows version is attached) and then how to turn Media Network off and back on. Is that the Read-only Authentication Log? Please advise.

No kids nearby who could access the network. My speculation is that I have used Google=>Gmail within MC, and set it to trust this computer (the Id) so the hacker could get in once they tunneled into the Id. It is now all reversed- no trust, new passwords, etc.

What I need to understand is that with the new remote access password set for the Id (perhaps even for the first time due to the initial configuration challenges), is the Id now generally secure from unauthorized access? Under what circumstances will I need to enter the password?

I will research the compromised routers and ways to strengthen that side.
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71341
  • Where did I put my teeth?
Re: Unauthorized Access
« Reply #5 on: February 11, 2018, 10:13:38 am »

Do you have a wireless LAN?  That's the only way I can see that anyone could gain access.

Kids nearby?  Do you see other networks in your wireless settings for Windows?  If so, they probably see you.

Check the "Use Media Network" box.


Logged

DavidMW

  • World Citizen
  • ***
  • Posts: 131
Re: Unauthorized Access
« Reply #6 on: February 11, 2018, 12:05:18 pm »

I don't think it is nearby kids (it was also at ~5:30 AM) and has happened the last three Sundays. Use Media Network is enabled as that is how I reach JRemote on my phone. I deselected it and then selected it again. The same access key was presented (I didn't wipe that). Is that what you were suggesting?

From your first reply: "In the Media Network settings of MC, change the login and password.  Turn Media Network off and back on." How do I do that?

Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71341
  • Where did I put my teeth?
Re: Unauthorized Access
« Reply #7 on: February 11, 2018, 12:45:04 pm »

You're set now.   Unchecking and re-checking Media Network was what I meant.

I don't mean to alarm you, but check the router carefully and at least change any admin password there.  Firewall, too. 

It's very possible that your whole network is compromised.  If it were mine, I would reset the router to default settings, and set it up again, making sure to change the password of the router and to turn off WPS Pin setup.
Logged

DavidMW

  • World Citizen
  • ***
  • Posts: 131
Re: Unauthorized Access
« Reply #8 on: February 11, 2018, 02:28:27 pm »

Jim, thanks for the confirmation about Media Network. Just spent the last hour with Verizon router support who stepped me through a full factory reset of the router with new passwords, etc. So I should be good for now.

One final question, I'm still unclear about the Id remote access password. I changed that earlier. When do I enter that password to gain access to the Id, or more importantly, when does the unauthorized user get blocked by being confronted with the need to enter the remote access password before getting to the browser?
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71341
  • Where did I put my teeth?
Re: Unauthorized Access
« Reply #9 on: February 11, 2018, 02:31:54 pm »

You won't need to use that password unless you try to use Remote Desktop or VNC or similar to connect to the Id.

Make sure that the password is not simple or obvious.
Logged

DavidMW

  • World Citizen
  • ***
  • Posts: 131
Re: Unauthorized Access
« Reply #10 on: February 11, 2018, 02:48:04 pm »

I don't use either. Good to know. So then most of the Id vulnerabilities should now be tightened.

Passwords are not simple or obvious.

One other safeguard I am thinking about as I stare at the motionless pointer on my Id/MC windows: is there any way to be notified if there is activity (outside of my use)? Can I get a report of some sort showing when there was activity? That way, I will have confirmation that there was or was not unauthorized access through the Id. A bit of a stretch, but thought best to ask.
Logged

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13487
Re: Unauthorized Access
« Reply #11 on: February 11, 2018, 08:46:29 pm »

You should check your router to make sure only the 52199/52198 MCWS ports are being forwarded to your Id. There shouldn't be any way for a hacker to get in through them.
Logged

DavidMW

  • World Citizen
  • ***
  • Posts: 131
Re: Unauthorized Access
« Reply #12 on: February 11, 2018, 09:02:52 pm »

Based on Jim's earlier guidance, I worked with Verizon earlier today to factory reset the router and created a new port forwarding for the Id for port 52199. I formerly had a port 52198 for a parallel MC installation on a Windows computer that we did not recreate.  There was also a port 22 with the same IP address as port 52199 that Verizon recreated at my direction. Should port 22 be deleted?
Logged

RoderickGI

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 8186
Re: Unauthorized Access
« Reply #13 on: February 12, 2018, 01:30:32 am »

Trying not to be too dramatic here, but:

Port 22 is used for an "SSH Remote Login Protocol" (SSH means "Secure Shell") connection. These connections can be made over the internet if your router allows access. Your router did.

If you failed to set a remote access password for the ID when you initially set it up, as you suggest here:

"What I need to understand is that with the new remote access password set for the Id (perhaps even for the first time due to the initial configuration challenges), is the Id now generally secure from unauthorized access?"

and if the IP Address that port 22 was forwarded to was the Id, then I think anyone on the internet who port scanned your external internet address would have seen port 22 was open and could have connected to your Id simply by opening an SSH session and would not have required a password at all. Port scanning from the internet is very common and port 22 is almost always one of the ports scanned for.

Alternately, if you did set up a remote access password but it was easy to guess, or if it was left at some default that JRiver uses that could be easily guessed, then logging in would be simple.


Have you ever or do you ever want to connect to your Id from outside your LAN (your home network)? If not, why was Port Forwarding created for port 22? Didn't Verizon question the need? They should have. I don't think Verizon would need any port forwarding to remotely assist you with their router. They have direct access to remote administration tools for that sort of thing usually, and they only access the router, not your network, let alone your Id.

Regardless, if you don't use SSH to access your Id from outside your network, you should delete that Port Forwarding rule for port 22. I don't think there is any reason for JRiver to access the Id that way unless you ask for remote assistance. But in that case, the remote access password would be essential, and you could always add that port forwarding rule again when you request assistance. If someone helped you set up the Id, they could have set up that rule.


Once the intruder was on your Id, which means on your network, they could have been able to get to your Windows PC, and any other devices on your network. You should use the Antivirus Software on your Windows PC to do a thorough scan for everything, just to be sure.

You could have really dodged a bullet here, but the good news is that most of these intrusions are just kids, somewhere in the world, testing their skills and playing around with port scanning software they can download. If so they would have just had a look around to see if they could find something interesting. I think the fact you saw them using a Google search window means that they didn't find anything on the Id, and either couldn't get to your Windows PC or didn't find anything there. The fact that they were going to sites where you may have an account, and those accounts may be set to automatically log on, says that they were looking for a way to spend some of your money, by buying stuff for themselves using your accounts.

Do check your accounts for unknown transactions if you have a PayPal, Microsoft, or other accounts. If you had unsecured passwords on your Windows PC in a document or something, it would be worth changing them. If you do have internet banking accounts that log in automatically on your Windows PC, there is a VERY slim chance that the intruder could have logged into those accounts, but probably not done much harm. Again, change passwords for those accounts, and don't let any browser remember passwords for online banking or similar.


Disclaimer: I don't have an Id so I don't know exactly what services are running on it to accept an SSH connection. I am relying on my experience with other similar hardware.
Logged
What specific version of MC you are running:MC27.0.27 @ Oct 27, 2020 and updating regularly Jim!                        MC Release Notes: https://wiki.jriver.com/index.php/Release_Notes
What OS(s) and Version you are running:     Windows 10 Pro 64bit Version 2004 (OS Build 19041.572).
The JRMark score of the PC with an issue:    JRMark (version 26.0.52 64 bit): 3419
Important relevant info about your environment:     
  Using the HTPC as a MC Server & a Workstation as a MC Client plus some DLNA clients.
  Running JRiver for Android, JRemote2, Gizmo, & MO 4Media on a Sony Xperia XZ Premium Android 9.
  Playing video out to a Sony 65" TV connected via HDMI, playing digital audio out via motherboard sound card, PCIe TV tuner
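
Added example (not part of any post in this thread, and not JRiver code): one way to produce the kind of activity report asked about in Reply #10 for the SSH exposure described in Reply #13. It assumes the device records OpenSSH logins in the usual syslog-style auth log format; the sample log lines, host name, user name and addresses are constructed, and the year is passed in because syslog timestamps do not carry one.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Ranges treated as "inside the home network" (RFC 1918 plus loopback).
LAN_NETS = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# OpenSSH "login succeeded" line as written to a syslog-style auth log.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

# Constructed sample log using documentation-range addresses.
SAMPLE_LOG = """\
Jan 28 05:29:41 id sshd[811]: Failed password for user from 203.0.113.45 port 40112 ssh2
Jan 28 05:29:47 id sshd[811]: Accepted password for user from 203.0.113.45 port 40112 ssh2
Feb  3 19:02:10 id sshd[902]: Accepted password for user from 192.168.1.20 port 51000 ssh2
Feb  4 05:31:02 id sshd[977]: Accepted password for user from 203.0.113.45 port 40377 ssh2
Feb 11 05:30:15 id sshd[1044]: Accepted password for user from 198.51.100.7 port 53120 ssh2
"""

def external_logins(log_text, year):
    """Return (when, user, ip, method) for each accepted login from outside LAN_NETS."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue  # failed attempts and unrelated lines are not logins
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field, skip rather than crash
        if any(ip in net for net in LAN_NETS):
            continue  # login from inside the home network
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits.append((when, m["user"], str(ip), m["method"]))
    return hits

def by_weekday(hits):
    """Count external logins per weekday to expose a recurring pattern."""
    return Counter(when.strftime("%A") for when, *_ in hits)

if __name__ == "__main__":
    found = external_logins(SAMPLE_LOG, 2018)
    for when, user, ip, method in found:
        print(f"{when:%a %Y-%m-%d %H:%M} {user} from {ip} via {method}")
    print(dict(by_weekday(found)))
```

Any line this prints is a successful SSH login from an address outside the home network; with the port 22 forwarding rule deleted, the report should stay empty.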

DavidMW

  • World Citizen
  • ***
  • Posts: 131
Re: Unauthorized Access
« Reply #14 on: February 12, 2018, 04:53:18 pm »

Thank you for being dramatic. It's good to know when I get into dangerous waters…

Here is what I know at this point, and I think most of this is behind me now. Bob provided some off-line support when I had some early struggles setting up the Id back in April. Bob had direct access to my device by the Port 22 for remote login. I suspect that Port 22 was kept open and I should have closed it once MC on the Id was stable. I did not. However, I did so today. I’m still uncertain if I set up a remote access password at the time (I hope I did). I have one now and it is strong (as are all of my passwords).

I previously used the free AVG anti-virus software. Just before this episode, I was considering a paid anti-virus software package (as you get what you pay for) and selected and installed Malwarebytes 3.0 Premium, which now has both antivirus and antimalware protection. After installing, I ran a complete scan of all computers and everything came up clean.

I’m already working with PayPal to back out charges that occurred on Jan 28 and Feb 4 (and with the intrusion this past weekend- all on Sundays). After setting up new passwords, I am much more careful when and where I allow Google to “remember” my name and password.

So I think everything is now secure. Fortunately, these hackers were after easy money and they thankfully didn’t touch or get access to my music library stored on my NAS.

Thanks to all for the caution and the tips.
Logged

Awesome Donkey

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 7365
  • The color of Spring...
Re: Unauthorized Access
« Reply #15 on: February 12, 2018, 04:57:57 pm »

I'd also recommend enabling and using two-factor authentication with accounts that support it, especially PayPal.
Logged
I don't work for JRiver... I help keep the forums safe from Viagra and other sources of sketchy pharmaceuticals.

Windows 11 2023 Update (23H2) 64-bit + Ubuntu 24.04 LTS Noble Numbat 64-bit | Windows 11 2023 Update (23H2) 64-bit (Intel N305 Fanless NUC 16GB RAM/256GB NVMe SSD)
JRiver Media Center 32 (Windows + Linux) | Topping D50s DAC | Edifier R2000DB Bookshelf Speakers

DavidMW

  • World Citizen
  • ***
  • Posts: 131
Re: Unauthorized Access
« Reply #16 on: February 12, 2018, 05:08:17 pm »

I have had two-factor authentication in place on all my accounts (Synology, Gmail, etc.). After the first PayPal breach, their security folks advised me of the PayPal security key where I get a code on my phone prior to every login. That is in place as well.
Logged

RoderickGI

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 8186
Re: Unauthorized Access
« Reply #17 on: February 12, 2018, 05:48:50 pm »

While you are cleaning up, as you mentioned Google, you may want to take a look at what old and new passwords Google has stored. I was surprised a bit when I looked, as I don't usually let Google store them. I use LastPass password manager these days, so all my passwords stored in Chrome were from before I implemented that, and for unimportant sites.

Anyway, Google Chrome > Settings (via the vertical ... at the top right of the Chrome window) > (scroll down) Advanced > (scroll down) Manage Passwords.

Worth a look.

Wow, I just had another look, and under the "Password and forms > Auto-fill settings" item Google can now store your credit card information! Just wow. Who would use that? I just feel very uncomfortable trusting Google that much, particularly when it is becoming more and more necessary to log into Chrome to get the best functionality. Walking away from your desk without locking your PC could cost you a lot of money!


So they did get into PayPal! All on Sundays would again be consistent with a teenager at work, rather than a career criminal. Did they buy Playstation games, porn, or something else?
Logged

DavidMW

  • World Citizen
  • ***
  • Posts: 131
Re: Unauthorized Access
« Reply #18 on: February 12, 2018, 07:36:47 pm »

I usually purge the Google history (3 dots upper right => history => history => Clear browsing data => All time) from time to time and just did so again yesterday. My PayPal intrusion resulted in unwanted purchases through gift cards from Best Buy, Microsoft, New Egg and similar vendors. PayPal has been very helpful in making appropriate credits.
Logged