When I came to my computer this evening, and unlocked, I noticed a TeamViewer window saying the session timed out. Clicked okay, and about 5 seconds later, said, "Wait, what? What session?"
I had not made any outbound, nor inbound, connection via TeamViewer in over a week, so what was that? Unfortunately, I didn't think about this until after closing the window, so I'm not sure what it said.
I went ahead and started digging through a log that would be better served to say things like:
"WARNING! Connection refused due to bad password"
But instead, it's full of lines of very difficult to follow stuff. So I'm not certain what I am seeing, but I think I don't see any connection attempts since yesterday, and that attempt, so far as I can tell, failed due to bad password attempts.
This indicates someone tried to connect yesterday, and that someone wasn't me. I really should be able to report this to support, who should take any action possible to ID the source of the connection (it was via TV servers) and investigate the user, as they are likely trying to break into accounts they do not own.
Additionally, that timeout message that I can't remember exactly what it said, I don't know if that indicates someone DID gain access to my system.
Can you guys suggest anything I can do to make sure no one did access the system? Maybe specific lines to look for in the log? And if possible, I would love to hear from TV support as to if they plan to investigate the login attempt, because it was very likely malicious.
Thanks for any help you guys can give!
I cannot help you go through the logs, but I can say your logic is sound in determining that you had someone enter into your computer.
That being said, there are many things you can do to make TeamViewer more secure than it is "out of the box".
First, open TeamViewer and navigate to Options > Security; you will get a screen like below.
On this screen you can set a personal password that is as complex or as easy as you desire. That is what the yellow arrows are pointing at.
Once that is set, you can set additional Personal Passwords if desired by clicking where the red arrow is pointing.
On this screen you can also set how complex your "Random Password" is. I suggest setting it to at least what the picture shows, or disabled completely.
Lastly, and I employ this for my systems and at my customers' sites, there is the Black and White list button. In there you can set up a Black List (anyone who is on this is denied access to your computer) or a White List (this is what I use, and it allows ONLY the people listed on it to connect to your computers). When you go to this section you'll need to log into your TeamViewer account. Once you do that you can specify individuals or anyone in your organization. Given you are on a free account, you'll be doing individuals, I suspect.
A couple of other things you can do to make TeamViewer EVEN MORE secure if you want...
Under advanced you can tell TeamViewer to make a new Random Password when every session is terminated.
In the TeamViewer Management website you can turn on Two Factor Authentication. Be sure to read about this and what is involved in it, as many users do it and then lose their recovery info and permanently lock themselves out of their account... A real bummer. If you choose to implement this I suggest using an app on your phone called Authy, and be sure to set it up with their cloud backup function.
...Wow sorry I wrote such a novel... But I think that covers all of it that I can help you with.
Obviously, I can't see your log files, but I'll break down a couple points of your post.
First, seeing connection attempts that failed for bad password does NOT automatically mean that someone is trying to hack you. The best example of this is someone misreading an ID to the person trying to connect to them and help, in this case, the 'helper' would inadvertently attempt a connection to you or some other incorrect person without ill intentions.
Second, the session timeout window does indicate that a connection was made, so my first suggestion is if you use a static password to change it as soon as possible. Next, visit https://www.teamviewer.com/en/support/ and submit a ticket directly to the support team with the information from your post to see if they can track the ID of the system that connected and possibly logs or ways to check what (if any) files may have been accessed/altered.
Sorry for taking so long to get back. I appreciate your responses.
I feel like this timeout window was different than what I was used to, so I tried replicating the situation by remotely connecting and then disconnecting the device that was connecting, but couldn't reproduce the timeout message.
As far as contacting support, it seems that is only available to licensed users, which I am not. Unfortunate, as you would think the TV team would want to know of any potential vulnerabilities in software that has such potential for exposing systems to attackers.
I'm actually considering purchasing it, and it is not cheap, but purchasing it just to make sure my systems weren't compromised. Almost feels like a ransom...
Oh, one other thing to point out, I do have 2FA on, and anytime I try to log in to my account from any new system, I do get an email requesting auth to add the device. And, again, I didn't get one of those.
I'm starting to think this may have been a lost connection to the TV servers, and that popped up a timeout window, as opposed to a remote session timeout. Other than that timeout window, I haven't found any indication of a successful login.
If you are worried about it, check this article out and contact TeamViewer Fraud at the appropriate email address
I just re-read your last reply and it occurs to me to point out that unless you are running a whitelist with yourself exclusively listed, 2FA only protects your account, not your computers. If you have TeamViewer installed on the computer and it has a random password, then in theory a very lucky person could guess it. The chances that this happens are super remote. Regardless, I always recommend people set up a whitelist in TeamViewer. Doing so guarantees you know what user is getting into your system. It is also a good idea to turn on logging. If you would like help with either of these configurations, let me know.
The whitelist thing makes sense. I think I'll also do this on my family's machines. I'm the go-to IT guy for a bunch of my family members, and that's my main use for TV, so I don't see anyone else needing to get to their machines either.
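For the question in this thread about which log entries would show a completed incoming session, the following is an added example (not from any poster or from TeamViewer) that lists sessions coming from IDs you do not recognise. It assumes the tab-separated layout of TeamViewer's `Connections_incoming.txt` as described in the comments; the function names and the sample lines are constructed for illustration.

```python
from datetime import datetime

# Assumed layout of TeamViewer's Connections_incoming.txt (tab-separated):
# remote ID, remote name, start (UTC), end (UTC), local user, type, session GUID.
FIELDS = ("remote_id", "remote_name", "start", "end", "local_user", "kind", "session")
TS_FORMAT = "%d-%m-%Y %H:%M:%S"  # assumed timestamp format; check your own file


def parse_incoming(text):
    """Return one dict per well-formed session line; skip anything else."""
    sessions = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) < len(FIELDS):
            continue  # blank or truncated line
        row = dict(zip(FIELDS, parts))
        try:
            row["start"] = datetime.strptime(row["start"], TS_FORMAT)
            row["end"] = datetime.strptime(row["end"], TS_FORMAT)
        except ValueError:
            continue  # timestamps not in the assumed format
        sessions.append(row)
    return sessions


def unexpected_sessions(sessions, known_ids, since):
    """Sessions that started at or after `since` from IDs not in known_ids."""
    return [s for s in sessions
            if s["start"] >= since and s["remote_id"] not in known_ids]


# Constructed sample data, not taken from any real machine.
SAMPLE = (
    "111111111\tMY-LAPTOP\t01-03-2020 18:02:11\t01-03-2020 18:20:45\talice\tRemoteControl\t{AAAA-1}\n"
    "222222222\tUNKNOWN-PC\t08-03-2020 03:14:07\t08-03-2020 03:31:52\talice\tRemoteControl\t{BBBB-2}\n"
    "garbage line without tabs\n"
    "111111111\tMY-LAPTOP\t09-03-2020 19:00:00\t09-03-2020 19:05:00\talice\tFileTransfer\t{CCCC-3}\n"
)

if __name__ == "__main__":
    hits = unexpected_sessions(parse_incoming(SAMPLE), {"111111111"},
                               datetime(2020, 3, 7))
    for s in hits:
        minutes = (s["end"] - s["start"]).total_seconds() / 60
        print(f'{s["start"]} {s["remote_id"]} {s["remote_name"]} '
              f'{s["kind"]} {minutes:.0f} min')
```

A line in this file records a session that was actually established, so a hit here from an ID you do not own is the case to escalate; failed password attempts do not appear in it.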