-1

Is it possible to attack a PC through the local network? Or from the ISP? A remote attack to shut down the PC?

My desktop has been shutting down for the past few days; I suspect a local network attack.

No virus or malware found on the pc.

  • Anything in the system event logs? – DavidPostill Apr 26 '21 at 08:27
  • Does it also happen when you don't have a network connected? Or while booted into secure mode? Then it is most likely something local, maybe some malware which was not detected – DarkDiamond Apr 26 '21 at 08:51
  • It is possible, and also very unlikely. The event log will tell you what happened though. If the computer was shut down by a hacker, it will say that. If it's a faulty PSU, it will state something like: The computer shutdown unexpectedly. – LPChip Apr 26 '21 at 08:58
  • Event logs show critical power loss, https://ibb.co/w6x2NPH – Mehdi Hasan Apr 26 '21 at 09:32
  • Changed what the power buttons do, also removed power button plug from motherboard – Mehdi Hasan Apr 26 '21 at 09:33
  • When the shutdowns started it was connected to the network and I found system files were modified somehow. I suspect shutdown was modified or a different file/process was created to shut down the PC. How do I fix it? – Mehdi Hasan Apr 26 '21 at 09:38
  • @MehdiHasan - How exactly did you determine system files were modified? If system files are modified you should use Fresh Start to reinstall Windows. – Ramhound Apr 26 '21 at 12:39
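
The comments above point to the System event log as the place to tell a requested shutdown from a power loss. The following PowerShell is an added example, not part of the original thread; it relies on the standard Windows event IDs listed in its comments and assumes the usual field layout of event 1074.

```powershell
# Added example: classify recent shutdown-related records in the System log.
#   1074 (User32)       a process or user requested the shutdown/restart
#   6006 (EventLog)     Event Log service stopped, i.e. an orderly shutdown
#   6008 (EventLog)     the previous shutdown was unexpected
#   41   (Kernel-Power) the system restarted without shutting down cleanly
$Days = 14   # look-back window (assumed value; adjust as needed)

$filter = @{
    LogName   = 'System'
    Id        = 41, 1074, 6006, 6008
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$report = foreach ($e in $events) {
    $kind = $null; $detail = ''
    switch ("$($e.ProviderName)/$($e.Id)") {
        'User32/1074' {
            # Assumed 1074 layout: [0] process, [2] reason, [4] action, [6] account.
            $p = $e.Properties
            $kind   = 'Requested'
            $detail = '{0} by {1} via {2} ({3})' -f $p[4].Value, $p[6].Value, $p[0].Value, $p[2].Value
        }
        'EventLog/6006' { $kind = 'Clean stop' }
        'EventLog/6008' { $kind = 'Unexpected'; $detail = 'previous shutdown was not orderly' }
        'Microsoft-Windows-Kernel-Power/41' {
            $kind   = 'Power loss/reset'
            $detail = 'no clean shutdown before reboot'
        }
    }
    if ($kind) {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Kind = $kind; Detail = $detail }
    }
}

$report | Format-Table -AutoSize -Wrap
```

A 1074 row shortly before the machine went down names the process and account that asked for the shutdown; a 41 or 6008 row with no 1074 before it means the operating system never received a shutdown request.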

1 Answer

-2

You are referring to a type of exploit that allows someone to send "something" to your IP. A Nuke exploit would result in your PC going offline, maybe stopping a certain service or perhaps (highly unlikely) shutting down. A Flood exploit would swamp a targeted service (perhaps HTTP webserver, a gaming server you run, ...) into giving up and becoming unresponsive but that would hardly shut down your computer unless your BIOS maybe initiates a critical shutdown when it detects the CPU overheating limit is reached (configurable). Although many Nukers/Flooders exist they are pretty much harmless when you apply all security patches/updates for your OS and nowadays there are pretty much no more existing or freely available Nukers/Flooders for current OS's that would result in an instant & full shutdown. If there were, it would be big news. Many other things could be at play, if you're running an expired trial copy of Windows Server it will somewhat randomly shut itself down every 24h.

A sudden shutdown is most likely a problem with your hardware such as a defective RAM board. To find those you could run a full test from the BIOS and make sure the hardware is correctly working.

wowbagger
  • so how do i counter the attacks if it's a nuke/flooder attack somehow ? what about a modified shutdown.exe ? or a new file/process created, here's a similar post https://superuser.com/questions/1423929/shutdown-exe-change-the-path-in-registry/1644270#1644270 – Mehdi Hasan Apr 26 '21 at 10:08
  • so how do i counter the attacks if it's a nuke/flooder attack somehow? --> You would use a firewall, the Windows built-in firewall does a pretty good job stopping stuff like that, unless you manually opened a port for a specific service. What Windows version are you running? Can't comment on the modified shutdown.exe, there's a reason your host is shutting down, messing with that could cause permanent hardware problems when the root cause is an actual hardware issue. – wowbagger Apr 26 '21 at 11:21
  • Windows Firewall is on, using Windows 10 Insider Preview Dev Channel. It shows on the screen that Windows is shutting down; to check the power button, I already removed it from the motherboard and disabled what the power buttons do. Device temperatures are as usual, and Windows is stable too. I suspect it's a modified shutdown.exe/process or an attack from the local network/ISP. And I'm living in a rented house, so the device could be tampered with; there were attacks on the desktop and Facebook account too a few months ago. – Mehdi Hasan Apr 26 '21 at 11:43
  • Have you checked the power settings from Windows itself? Going sleep/shutdown etc and all that. It's interesting you see it actually shutting down, granted, that -is- weird. I wouldn't suspect the ISP as such but perhaps (but it's a long shot) it could be an infected router but in that case we're talking MiTM style attacks with additional payload in your normal network traffic. All that is pretty advanced hardcore hacking to just "shutdown a computer randomly or grab someone's Facebook". Have you tried a second virus scanner and run a full/deep virus scan? – wowbagger Apr 26 '21 at 12:00
  • Have you installed a lot of third party software? Games? Warez? Do you have roommates that have administrator access to the desktop? Remote Desktop access? – wowbagger Apr 26 '21 at 12:00
  • Resetting the power options in Windows didn't change anything. Sleep/hybrid shutdown is turned off; changing the settings didn't affect the shutdowns. Did scans with Malwarebytes, Microsoft virus/rootkit removal software, and Windows Security. Not sharing the apartment with anyone, but shady house owners are very common. Also disabled the remote access after the attack. Yes, a lot of software is installed; I don't suspect it because I have been using this Windows for a while. – Mehdi Hasan Apr 26 '21 at 13:43
  • Somehow the login password got leaked in the past, and there was tampering with the files before. A MITM attack or data interception could be done; there's an increased amount of surveillance where I'm from. So if it's that kind of attack, can the Windows firewall do anything? Or how to counter it? – Mehdi Hasan Apr 26 '21 at 13:43
  • Change your password and obviously remove all unused user accounts is a good start. You could give https://www.whonix.org/wiki/VirtualBox/XFCE a shot if you are really concerned with local online surveillance. Whonix is a bit technical to run if you're not into tech but it does a pretty good job. You could also try TOR browser https://www.torproject.org/download/ . It's very easy to use. – wowbagger Apr 26 '21 at 16:49
  • Unless your system is set up to trust the mitm root certificates used to sign the on-the-fly generated certificates an attack is pretty hard to execute when the target/your desktop is using TLS/HTTPS encryption. Unless of course you are being surveilled by a "state". You could check which Certificate Authorities your system trusts versus the actual official list at: https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT – wowbagger Apr 26 '21 at 16:49
  • how do i install and run sigcheck, to check all the installed certificates ? download the latest version but sigcheck command doesn't work – Mehdi Hasan Apr 27 '21 at 14:27
  • What error do you get? Following http://woshub.com/how-to-check-trusted-root-certification-authorities-for-suspicious-certs/ should work. It correctly showed 2 certs in my store that are not in the default list. You need to run `sigcheck64.exe` for Win10 64bit. You could also check file signatures with `sigcheck -u -e c:\windows\system32\` (https://www.thewindowsclub.com/sigcheck-unsigned-certificates-windows) – wowbagger Apr 27 '21 at 15:44
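
The last comments suggest checking file signatures and comparing the trusted root store against Microsoft's published list. The following PowerShell does both with built-in cmdlets; it is an added example, not part of the original thread, and `$ReferenceFile` is a hypothetical text file the reader prepares from that list (one SHA-1 thumbprint per line).

```powershell
# Added example. $ReferenceFile is a hypothetical file prepared by the reader:
# one SHA-1 thumbprint per line, copied from the Microsoft list linked above.
$ReferenceFile = '.\ms-trusted-roots.txt'
$System32      = Join-Path $env:SystemRoot 'System32'

# 1. Authenticode status of the binary in question (catalog signatures count).
$sig = Get-AuthenticodeSignature -FilePath (Join-Path $System32 'shutdown.exe')
[pscustomobject]@{
    File   = $sig.Path
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
}

# 2. Executables directly under System32 whose signature does not validate.
Get-ChildItem $System32 -Filter *.exe -File -ErrorAction SilentlyContinue |
    Get-AuthenticodeSignature |
    Where-Object Status -ne 'Valid' |
    Select-Object Status, Path

# 3. Trusted roots on this machine. With a reference file present, show only
#    the roots whose thumbprint is not in it; otherwise list every root.
$roots = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root
if (Test-Path $ReferenceFile) {
    $known = Get-Content $ReferenceFile |
        ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpper() } |
        Where-Object { $_ }
    $roots = $roots | Where-Object { $known -notcontains $_.Thumbprint }
}
$roots | Sort-Object Thumbprint -Unique |
    Select-Object Thumbprint, Subject, NotAfter
```

A root that is missing from the reference list is a lead to look up, not a verdict: security products, corporate management tools and development software install their own roots.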