# PSA: If you use TeamViewer for whatever reason, uninstall it now. Major hack taking place.



## Mystic (Jun 1, 2016)

TeamViewer is a popular remote desktop software used in many corporations, computer repair and home computer solutions. They've just had a massive hack and many people are having passwords, credit card numbers and paypal accounts hijacked.

If you use this program at all, check your log files (From Reddit)

*Here's how to check your TeamViewer logs*

There are two log files that you can check for connections. In Windows machines, they are both located here:

C:\Program Files (x86)\TeamViewer\

The first is Connections_incoming.txt (if you have extensions hidden, it might not show the ".txt"). This is a pretty clean and easy to read file, but it only shows _successful_ incoming connections. It's a tab delimited document with the following fields:

1) ID of TeamViewer client connecting
2) User name or computer user name of the connecting client
3) Time client connected
4) Time client disconnected
5) The local computer user name
6) Connection mode (RemoteControl or Filetransfer)
7) Unknown hash of some kind

The second file is a lower-level log. It's called TeamViewer11_Logfile.log (replace 11 with the version you are running if it's not 11). This appears to rotate, so there's also a TeamViewer11_Logfile_OLD.log file as well, which is just older data. There's a lot of crap mixed in here, so I am using search to jump to what we're looking for. Since any successful connections are shown in Connections_incoming.txt, this is mainly useful to search for failed connections.

You can search for "Authentication failed" to find instances of someone attempting to connect and entering the wrong TeamViewer password. That line will also show the retries remaining (default seems to be 5). You will have to search up from that line to find the most recent instance of "client hello sent" which shows their TeamViewer ID.

If someone uses all the retries, it bans that ID for 30 seconds. If a user tries to connect during a ban you will see "CLoginServer.AuthenticateServer: still blocked" in the log. After their 30 second ban, it appears they are limited to 2 attempts with a 60 second ban with consecutive attempts increasing the ban time (with two attempts each). This would make a basic brute-force attack time consuming, but might not rule out some kind of distributed attack (which is beyond my means of testing easily).

*Edited to add some new information:*

I have a log from someone who was hacked and it's different than what I have created during testing. First, I can't find the TeamViewer ID of the connected client anywhere. In all my tests it was scattered throughout the logs during the connection. I searched for terms included in the line with the ID's from my logs and found nothing from that in this log. I need to do some more testing in the morning to try and replicate some of the stuff I see. Hopefully some of these entries in the log may prove helpful to others trying to search their logs for odd entries.

Here's roughly what happened:

1) Client connected using custom password

CLoginServer::PasswordLogin: AuthOk with CustomPassword

2) Windows was locked at the time of connection

CServer::ChangeToServermode: WindowsSession Locked: yes, secure screensaver running: no

3) Less than 10 seconds after connecting Ctrl-Alt-Del was sent to the machine.

simulating Ctrl-Alt-Del (with SASLibEx)

4) 13 minutes after connecting, the clipboard was used three times to take data off the computer

CClipboardController::SendClipboardContent: (3 data formats)

5) 17 minutes after connecting, the client disconnected.


----------
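An added example, not from the post, from the Reddit guide it quotes, or from TeamViewer, that automates the two checks described above in Python: it parses the seven tab-separated fields of Connections_incoming.txt and walks TeamViewerNN_Logfile.log once, pairing each "Authentication failed" line with the most recent "client hello sent" ID above it and counting "still blocked" lockouts, then flags the three entries seen in the victim's log. The sample rows and log lines are constructed for the example; the real log's line prefix, the day-month-year timestamp order in Connections_incoming.txt, and the assumption that the remote ID is the 8-10 digit number after "client hello sent" are assumptions, so adjust the constants if your files differ.

```python
# Triage TeamViewer logs for the indicators named in the post. Sample data is
# constructed; on Windows the real files are in C:\Program Files (x86)\TeamViewer\.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Field order of Connections_incoming.txt as listed in the post.
INCOMING_FIELDS = ("remote_id", "remote_name", "start", "end",
                   "local_user", "mode", "conn_hash")
TS_FORMAT = "%d-%m-%Y %H:%M:%S"   # assumption: day-month-year; adjust if needed


@dataclass
class Incoming:
    remote_id: str
    remote_name: str
    start: datetime
    end: datetime
    local_user: str
    mode: str                      # RemoteControl or Filetransfer
    conn_hash: str

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_incoming(text: str) -> List[Incoming]:
    """Parse the tab-delimited list of *successful* incoming connections."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(INCOMING_FIELDS):
            raise ValueError(f"unexpected field count in line: {line!r}")
        rec = dict(zip(INCOMING_FIELDS, parts))
        rec["start"] = datetime.strptime(rec["start"], TS_FORMAT)
        rec["end"] = datetime.strptime(rec["end"], TS_FORMAT)
        rows.append(Incoming(**rec))
    return rows


def unexpected_connections(conns: List[Incoming], trusted_ids) -> List[Incoming]:
    """Successful sessions from any TeamViewer ID you do not recognise."""
    return [c for c in conns if c.remote_id not in trusted_ids]


# Search strings taken from the post: failed logins, the hello that carries the
# remote ID, the lockout marker, and the three entries seen in the victim's log.
FAILED, HELLO, BLOCKED = "Authentication failed", "client hello sent", "still blocked"
SUSPICIOUS = ("AuthOk with CustomPassword", "simulating Ctrl-Alt-Del",
              "CClipboardController::SendClipboardContent")
ID_RE = re.compile(r"\b(\d{8,10})\b")   # assumption: ID follows the hello phrase


def scan_logfile(text: str) -> Dict[str, object]:
    """Pair each failed login with the last 'client hello sent' ID above it
    (the manual search-upwards step), count lockouts, collect suspicious entries."""
    last_id: Optional[str] = None
    failed, events, blocked = [], [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if HELLO in line:
            m = ID_RE.search(line.split(HELLO, 1)[1])
            if m:
                last_id = m.group(1)
        elif FAILED in line:
            failed.append((lineno, last_id))
        elif BLOCKED in line:
            blocked += 1
        events.extend((lineno, p) for p in SUSPICIOUS if p in line)
    return {"failed_logins": failed, "blocked": blocked, "events": events}


# Constructed samples: only the quoted phrases come from the post, the
# timestamp/PID prefix is made up and will differ in a real log.
SAMPLE_INCOMING = ("123456789\tAlice\t01-06-2016 02:13:42\t01-06-2016 02:30:50"
                   "\tdesk\tRemoteControl\t{0000-0000}\n")
SAMPLE_LOG = """\
2016/06/01 02:12:50.001 1000 2000 S0 CLoginServer::AuthenticateServer: client hello sent, ID 555666777
2016/06/01 02:12:55.002 1000 2000 S0 CLoginServer::AuthenticateServer: Authentication failed, 4 retries remaining
2016/06/01 02:13:01.003 1000 2000 S0 CLoginServer::AuthenticateServer: Authentication failed, 3 retries remaining
2016/06/01 02:13:30.004 1000 2000 S0 CLoginServer::AuthenticateServer: still blocked
2016/06/01 02:13:40.005 1000 2000 S0 CLoginServer::AuthenticateServer: client hello sent, ID 123456789
2016/06/01 02:13:42.006 1000 2000 S0 CLoginServer::PasswordLogin: AuthOk with CustomPassword
2016/06/01 02:13:48.007 1000 2000 S0 simulating Ctrl-Alt-Del (with SASLibEx)
2016/06/01 02:26:30.008 1000 2000 S0 CClipboardController::SendClipboardContent: (3 data formats)
"""

if __name__ == "__main__":
    for c in unexpected_connections(parse_incoming(SAMPLE_INCOMING), {"555000111"}):
        print(f"unknown ID {c.remote_id} ({c.remote_name}) held a {c.mode} "
              f"session for {c.duration} as {c.local_user}")
    report = scan_logfile(SAMPLE_LOG)
    for lineno, rid in report["failed_logins"]:
        print(f"line {lineno}: failed login from ID {rid}")
    print(f"{report['blocked']} lockout(s); suspicious entries: {report['events']}")
```

Run it against your own files by reading them into the two parse functions and replacing the trusted-ID set with the IDs of machines you actually connect from; a RemoteControl session you do not recognise, or a run of failed logins followed by an AuthOk, is the pattern the post describes.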



## Gerhard Westphalen (Jun 1, 2016)

Is it still a risk if you're not using the unattended access? If TeamViewer isn't running in the background I imagine that no one can do anything. In that case I'm assuming it would be fine for me to keep using it to log in to clients' computers as long as we stop it running after?


----------



## Mystic (Jun 2, 2016)

That no one is 100% sure about at this point but they are *guessing* it's fine if it's not running in the background. There is also something about TV accounts that are making it even easier to access everything. I don't have a TV account so I'm not sure exactly what they are going on about there. I believe TeamViewer works on smart TVs now as well.


----------



## givemenoughrope (Jun 2, 2016)

I use it on a secured LAN...never goes online..but that's creepy.


----------



## kitekrazy (Jun 2, 2016)

I'm good.


----------



## samphony (Jun 2, 2016)

Is it Windows only???


----------



## Mystic (Jun 2, 2016)

samphony said:


> Is it Windows only???


It's across the board. All platforms were affected by this.


----------



## Blakus (Jun 2, 2016)

Mystic said:


> It's across the board. All platforms were affected by this.


Thanks for the heads up!!


----------



## Mystic (Jun 2, 2016)

No worries. Hopefully this all gets fixed soon. TeamViewer is still refusing to acknowledge the issue exists while the number of people who have had their accounts accessed by whomever is exploiting this keeps going up. The biggest thing seems to be people logging into their computers, getting Paypal or credit card information as quickly as possible and buying what seems to be gift cards off a few specific websites before they can remove the application or change passwords. Paypal is having a heyday, I'm sure.


----------



## Scrianinoff (Jun 3, 2016)

There appears to be no definitive proof whether Teamviewer is or is not to blame. Teamviewer is not silent about this and dedicated a web page to this issue: https://www.teamviewer.com/en/company/press/statement-on-potential-teamviewer-hackers/ Especially take note of Ad.3 and Ad.4 on that page, take that advice to heart and make sure you live by it the rest of your digital life, wherever you are on the Internet.


----------



## Lawson. (Jun 3, 2016)

Thanks for the notification! I don't actually have a TeamViewer account, and just use the auto-generated 9-digit ID and 4-digit password to connect. I've checked my logs and stuff and there seems to be no signs of getting hacked. Am I still at risk, though, even if I don't have a TV account? Thanks!

EDIT: Nevertheless I have uninstalled TV and am now using Splashtop.


----------



## Mystic (Jun 3, 2016)

Scrianinoff said:


> There appears to be no definitive proof whether Teamviewer is or is not to blame. Teamviewer is not silent about this and dedicated a web page to this issue: https://www.teamviewer.com/en/company/press/statement-on-potential-teamviewer-hackers/ Especially take note of Ad.3 and Ad.4 on that page, take that advice to heart and make sure you live by it the rest of your digital life, wherever you are on the Internet.


No definitive proof apart from the mass of people who have shown proof of their accounts being hacked along with log files of the attackers accessing accounts, you mean? Go take a look at the TeamSpeak subreddit or even the technology subreddit. Lots of information about it there.

Their official statements are currently under attack by professional users because they are refusing to take any responsibility for this. Even if the passwords these people were using were not the best ones to use or were using the same password across accounts, these attackers would have had their work cut out for them getting access to so many of them. This is not a small scale attack by any means.

Looks like this press release was done last week before the mass outage hit and the real attack began. Since that time, it's become a wide-scale issue and TV has been sending a canned response via Twitter basically avoiding any responsibility.

In this situation, better safe than sorry until we know 100% for sure where this exploit is.


----------

