20

I came to my computer today and have not been here since Monday afternoon. I am using Windows 7. There were some error messages showing even on the login screen about memory violations done by Spotify and one more (I can't remember), and I just clicked them away, even though it is not normal on my PC. Sometimes it freezes on the login screen and I have to reboot, but this was different. But I did not take a note of the messages as I just didn't care.

After logging in, I noticed that my TeamViewer client was running (the GUI was showing). I thought this was odd, since I haven't been using it lately. I was a bit curious, so I checked the log. I will not include it here, as I don't know how to read it and I do not know what could identify me. It seems that it was an update leading to this, but I am not sure. Probably, but I don't like the fact that the GUI was showing with my ID and password showing. They could have silently updated it or have given me a message...

So, this leads me to the question: How to figure out if someone has been using TeamViewer 8 to access my computer when I was not here? What to look for in logs and perhaps the Windows 7 event logs? And a bonus Q: Is it safe to have TeamViewer 8 running in the background at all?

Rory Alsop
Piddien
  • If you can pull it off, one of the best security things you can do with TeamViewer is, under the Advanced options, to change the "connections to this computer" setting from full access to "confirm all". This will require that someone is sitting at the computer in order for TeamViewer to allow any inbound access. Failing that, if you only connect to your computer from one or two remote systems, there is a blacklist / whitelist option which you can use to restrict only certain TeamViewer IDs to. – Tim Brigham May 02 '13 at 13:25

3 Answers

31

Running TeamViewer isn't very secure: read here

To determine who was logged in - look here:

  • C:\Program Files\TeamViewer\VersionX\Connections_incoming.txt
  • C:\Users\XXX\AppData\Roaming\TeamViewer\Connections.txt
Dr.Ü
  • hmm. The first file Connections_incoming.txt is not present at all. Not even when searching for it. The second is there but shows nothing suspicious. Could it be that the file is simply not created, because I have never had an incoming connection (as far as I know)? – Piddien May 02 '13 at 12:53
  • 4
    Did you ever have an incoming connection? Afaik the file will be created with the first connect. But remember: the file simply can be deleted from "evil" guys... – Dr.Ü May 02 '13 at 13:00
  • yeah that was also my thought. But I think it unlikely in this case. Thank you for the help :) – Piddien May 02 '13 at 13:06
  • @Per-ØivinAndersen You tried looking on `Program Files(x86)` instead of `Program Files`? – JMK May 03 '13 at 11:38
  • yes I have. It is not there but I think it is because I have never had an incoming conn. – Piddien May 03 '13 at 13:07
  • Or your intruder erased the file knowing the location of the files. You could install the portable version of recuva and see if there are any deleted files you can recover: http://www.piriform.com/recuva/builds – Sun Sep 08 '14 at 20:21
  • If the intruder is that smart he would only delete his own entry and not the entire file... – Dr.Ü Sep 09 '14 at 06:56
  • 1
    If that article was trying to prove that TeamViewer is insecure - it failed. Even the conclusion doesn't say it's insecure - it's basically saying you need a better password. Which I could have told you without 3 pages of technical information about the TV protocol. – Natalie Adams Jun 02 '16 at 00:49
  • @NathanAdams Page 3 - MITM, a stronger password wouldn't help. Go check the papers again. – Dr.Ü Jun 02 '16 at 10:11
  • 1
    I read the conclusion - he spends a good 2-3 sentences talking about password length. If it can be hijacked from a MITM the conclusion should just say "susceptible to MITM attacks". Then his last sentence talks about using vectors/strings as a way to reduce the risk. – Natalie Adams Jun 02 '16 at 14:21
  • I agree with @NathanAdams here. Of the blog analysis: good analysis, strange conclusions. "Given the default weak passcode, and the flaws in Encryption, it’s fairly straightforward to MITM the encryption and brute-force the passcode as it is sent on the wire." Those two have nothing to do with each other. Given TV has a built-in brute-force-detection-with-delay, the MITM is the bigger issue. – Otheus Jun 04 '16 at 04:59
  • 1
    What blogger meant by "brute-force the passcode as it is sent on the wire", TV sends a challenge to the client which is then hashed with the passphrase to be tried. With MITM he can easily sniff this hashed passcode. Since it's hashed with MD5 it will take very little time to find a 4-character password (he mistakenly assumes digits). A well-equipped HPC could crack an MD5 hash, containing an 8-character password, in a half hour. But again, the real issue is the MITM. – Otheus Jun 04 '16 at 05:17
  • http://arstechnica.com/security/2016/06/teamviewer-users-are-being-hacked-in-bulk-and-we-still-dont-know-how/ – Dr.Ü Jun 06 '16 at 09:15
2

In TeamViewer 10 you can check the following files:

C:\Program Files\TeamViewer\Connections_incoming.txt

C:\Program Files\TeamViewer\TeamViewer10_Logfile.log

The first one provides details about the incoming connections. The second one provides details of the actions performed.

Airbourne
  • The log path might differ on a 64-bit system and/or if the directory of TeamViewer was changed on installation. To open the directory containing log files; go to the `Extras -> Open log files...` menu on the main TeamViewer screen. – Tim Visee Jun 03 '16 at 10:16
1

On Mac OS, you will probably find the relevant logs at

/Library/Logs/TeamViewer/Connections_incoming.txt

Log *Logfile.log is also in the same directory.

Otheus
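An added example, not part of any answer above: a Python sketch that reads the content of the `Connections_incoming.txt` file named in the answers and lists the sessions that overlap a period when nobody was at the machine. It assumes the commonly seen layout of one tab-separated line per session (remote TeamViewer ID, remote display name, start and end time as `DD-MM-YYYY HH:MM:SS` in UTC, local user, connection type, session ID); the sample lines are constructed.

```python
from datetime import datetime
from typing import NamedTuple

TS_FORMAT = "%d-%m-%Y %H:%M:%S"  # assumed timestamp layout, logged in UTC

class Session(NamedTuple):
    remote_id: str
    remote_name: str
    start: datetime
    end: datetime
    local_user: str
    kind: str

def parse_incoming(text):
    """Return (sessions, unparsed_lines) from Connections_incoming.txt content."""
    sessions, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("\t")]
        try:
            start = datetime.strptime(fields[2], TS_FORMAT)
            end = datetime.strptime(fields[3], TS_FORMAT)
            sessions.append(Session(fields[0], fields[1], start, end,
                                    fields[4], fields[5]))
        except (IndexError, ValueError):
            unparsed.append(line)  # keep damaged lines for manual review
    return sessions, unparsed

def sessions_while_away(sessions, away_from, away_until):
    """Sessions that overlap the interval in which nobody was at the machine."""
    return [s for s in sessions if s.start < away_until and s.end > away_from]

# Constructed sample content: IDs, names, users and times are made up.
SAMPLE = (
    "123456789\tLAPTOP-HOME\t27-04-2013 18:02:11\t27-04-2013 18:20:45\t"
    "localuser\tRemoteControl\t{00000000-0000-0000-0000-000000000001}\n"
    "987654321\tUNKNOWN-PC\t30-04-2013 23:41:07\t01-05-2013 00:12:30\t"
    "localuser\tRemoteControl\t{00000000-0000-0000-0000-000000000002}\n"
    "this line is damaged\n"
)

if __name__ == "__main__":
    found, bad = parse_incoming(SAMPLE)
    # Away window in UTC (constructed): Monday afternoon to Thursday morning.
    away = (datetime(2013, 4, 29, 16, 0), datetime(2013, 5, 2, 8, 0))
    for s in sessions_while_away(found, *away):
        print(f"{s.start} -> {s.end} UTC  ID {s.remote_id} ({s.remote_name}) {s.kind}")
    print(f"{len(bad)} line(s) could not be parsed")
```

An empty result only shows that the file records no such session; as the comments above point out, the file or single entries in it can be deleted, so compare it with the `*Logfile.log` in the same directory.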