Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Compromised network???

Compromised network???

post #1 of 9
Thread Starter 
Let me begin by saying that I am pretty much a complete dummy when it comes to networking; I can do the bare minimum to keep my small home networks going, and that's about it. The issue I am trying to resolve is not my own, however, but my girlfriend's. It just so happens to be her birthday when we've run into this, and she's kind of upset. Anyway, on to the issue, hopefully you guys can point me in the right direction...

She is with Rogers, and the modem/router is a "Cisco DPC 3825" that Rogers has flashed with their own custom firmware that I cannot get into, due to the password/name being changed from the router/modem default by Rogers... tried several names/passwords to no avail. We don't even know the WPA key to sign on to her wireless; the only way to do so is by using the USB stick Rogers sent with the modem. You can't even use the wireless on her Android phone, that I know of, because of this. Or even on a non-Mac or non-Windows PC...

First, she noticed that a random name was appearing at the Facebook login page, with the name "karlee@live.com" filled in by "auto-complete", and asked if I knew anything about it. Wiped a bunch of stuff from her comp, just in case (passwords for banking and such).

A couple of hours later, she noticed the name in the Facebook login again, only this time with the password "auto-completed" as well, so we obviously attempted to sign in to her Facebook to see who it is, but either the account is deleted, or hidden and the password changed. Google searching "karlee@live.com" brings up nothing, but an email sent to it went through as expected...

The network is secured, and not open, though due to the Rogers firmware I don't even know how to tell WPA, WPA2, or what...

I ran a bunch of scans through AVG, and it keeps bringing back the same two files. I haven't yet tried to get rid of them manually; I wanted to make sure the network was secure before going through the trouble, though I don't need assistance with this and can do it myself. I am running the scan again to get the specific names of these files for this thread, and will update with that information when the scan is completed.

Oh, one more thing to add: she is using AVG Internet Security 2014, and that's it. All I have used for years is the free AVG, and I have never had any issues with infections, though I am a "careful" browser.

Here's a screen of "ipconfig" from one of the computers on the network, the computer that we noticed this on has since been disconnected from the internet.

EDIT - the two reappearing viruses that AVG turned up are "FlashPlayer_V.153803073b.exe" and "FlashPlayerUpdateService.exe"

Another note is that my girlfriend is not a very tech-oriented person, and it's very likely those infected files have been there for a while due to her clicking things without looking them over fully, or it could be that today's issue is a result of being infected by these files. I am really not sure if I should be so worried, if I should just clean the system, or what. I don't like that Rogers has essentially locked down their customer modem/routers, and my girlfriend is calling to cancel their service tomorrow and use my provider instead.

Any other precautions I should be taking? Or am I making a big deal out of some minor Facebook glitch I was not aware was possible? I told her I would go as far as cancelling my internet banking, just to be safe... I'm not sure if her network was even truly compromised... though to me it would seem it has been, and I honestly kind of feel this is somehow an issue at Rogers' end. Any thoughts, opinions, or help would be greatly appreciated. I'd really like to hear that I am being concerned for nothing... and so would she.
post #2 of 9
It could be possible that she accidentally installed one of those fake FlashPlayer updates. There are shady people out there who put up pop-ups of their spyware-infested versions of Flash. If you read carefully under the ad there is a disclaimer saying that they are not official Adobe FlashPlayer updates but third-party customized FlashPlayer. I wouldn't be surprised if that's what those FlashPlayer executables are. Chances are she could've ended up installing them thinking that doing so would get rid of the pop-ups, and that the pop-up looked legit due to bearing the Adobe name.

Run a Malwarebytes scan and see if anything turns up. That is pretty evil that the ISP blocks you out of accessing the router as that's the only way to configure WiFi and block unwanted connections when people decide to connect wirelessly.
post #3 of 9
It definitely sounds like something is installed on your system which is causing that name to pop up... The name even sounds like one of those porn bots ("Hey cutie; come see my pics ;)")

I'm not sure how much this will help (it depends what else is on your system), but you can reboot the computer, and without opening any additional programs that access the network, open up cmd and run "netstat -na" to see if your system is listening on any ports.
post #4 of 9
Thread Starter 
Quote:
Originally Posted by The Hundred Gunner

It definitely sounds like something is installed on your system which is causing that name to pop up... The name even sounds like one of those porn bots ("Hey cutie; come see my pics ;)")

I'm not sure how much this will help (it depends what else is on your system), but you can reboot the computer, and without opening any additional programs that access the network, open up cmd and run "netstat -na" to see if your system is listening on any ports.

I am heading over to her place today, and will give that a go... I'll post what I find. Thanks guys.
post #5 of 9
Usually it is cusadmin/password.

That should be the default that is set by Rogers.
post #6 of 9
Thread Starter 
Quote:
Originally Posted by linkinparkfan007

Usually it is cusadmin/password.

That should be the default that is set by Rogers.

It's not, trust me, I tried that long before making a thread, though thanks for the help regardless. To my understanding, after reading posts from a Rogers employee, it's as I stated: the username is cusadmin, I think, but the password is a randomly generated number, unique to each modem, or something to that effect. And the only way to connect to it through Wi-Fi is to use the supplied internet stick. I am going to go through the stick at some point, to see if I can find this number, or how it is generated, but I still think she'll probably just end up switching providers in the end.
post #7 of 9
How about trying to reset the router using a paperclip.

On the other hand, there is always Teksavvy :P
post #8 of 9
Thread Starter 
Tried the reset as well; it still just doesn't accept any password or username I can find on the net, unfortunately. I am pretty sure it is custom Rogers firmware, not just changed modem settings. Here are the results from "netstat -na", run from the infected PC in safe mode, though I am not sure what I am really looking at -

post #9 of 9
Quote:
Originally Posted by Aaron_Henderson

Tried the reset as well; it still just doesn't accept any password or username I can find on the net, unfortunately. I am pretty sure it is custom Rogers firmware, not just changed modem settings. Here are the results from "netstat -na", run from the infected PC in safe mode, though I am not sure what I am really looking at -


That looks pretty normal... It looks like you've got Windows file-sharing-type stuff open (135 and 139), and then you've got BitTorrent on 49152-49154? As long as you have an idea of what's using those ports, it should be OK. Of course, that doesn't mean that any potential malware just happens to not be listening right now; it may beacon out or listen in later on (when you haven't done a netstat -na).
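The advice in post #3 (reboot, then run `netstat -na` and look for listening ports) and the reading of the output in post #9 (well-known Windows ports versus things you cannot account for, plus the caveat that a single snapshot can miss malware that only listens or beacons later) can be turned into a small triage script. The following is an added example, not code from anyone in this thread. The `netstat -na` text it parses is a constructed sample that only mimics the ports the thread mentions (135, 139, 49152-49154) and is not the poster's actual output; the port labels come from standard Windows service assignments, and `netstat -nab` is the real Windows switch that adds the owning executable when run from an elevated prompt.

```python
"""Triage a saved `netstat -na` listing from a Windows PC.

Added example (not from the thread). Parses the text, lists sockets in the
LISTENING state, labels well-known Windows ports, flags listeners that need an
owner identified, and diffs two snapshots so a listener that only appears
later (the caveat in post #9) is not missed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: modelled on the ports named in the thread, plus one
# unexplained listener (6543) and one outbound connection to a documentation
# address (203.0.113.7) so the triage has something to flag.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6543           0.0.0.0:0              LISTENING
  TCP    192.168.0.12:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.12:49731     203.0.113.7:8080       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:5355           *:*
"""

# Standard Windows services behind common local ports.
KNOWN_WINDOWS_PORTS = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (file sharing)",
    445: "SMB (file sharing)",
    5355: "LLMNR name resolution",
}
# Default dynamic port range on Windows Vista and later; RPC services and any
# program that asks for an ephemeral port land here.
DYNAMIC_RANGE = range(49152, 65536)

# One netstat row: proto, local endpoint, foreign endpoint, optional state.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    foreign: str
    state: str  # "" for UDP rows, which netstat prints without a state


def _split_endpoint(endpoint: str) -> tuple[str, int]:
    # rpartition copes with IPv6 forms such as "[::]:135".
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(text: str) -> list[Socket]:
    """Turn raw `netstat -na` output into Socket records, skipping headers."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        ip, port = _split_endpoint(local)
        sockets.append(Socket(proto, ip, port, foreign, state or ""))
    return sockets


def classify_port(port: int) -> str:
    """Label a local port; 'UNKNOWN' means the owning process must be found."""
    if port in KNOWN_WINDOWS_PORTS:
        return KNOWN_WINDOWS_PORTS[port]
    if port in DYNAMIC_RANGE:
        return "Windows dynamic range (RPC services or any app using an ephemeral port)"
    return "UNKNOWN: identify the owner with `netstat -nab` from an elevated prompt"


def listeners(sockets: list[Socket]) -> list[Socket]:
    """TCP sockets in LISTENING state plus every bound UDP socket."""
    return [s for s in sockets if s.state == "LISTENING" or s.proto == "UDP"]


def triage(text: str) -> dict:
    """Summarise one snapshot: listeners, unexplained ports, live connections."""
    sockets = parse_netstat(text)
    listening = listeners(sockets)
    unknown = sorted({s.local_port for s in listening
                      if classify_port(s.local_port).startswith("UNKNOWN")})
    established = [s for s in sockets if s.state == "ESTABLISHED"]
    return {"listening": listening, "unknown_ports": unknown, "established": established}


def new_listeners(before: str, after: str) -> list[Socket]:
    """Listeners present in a later snapshot but absent from an earlier one."""
    seen = {(s.proto, s.local_port) for s in listeners(parse_netstat(before))}
    return [s for s in listeners(parse_netstat(after)) if (s.proto, s.local_port) not in seen]


if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT)
    for s in report["listening"]:
        print(f"{s.proto:3} {s.local_ip}:{s.local_port:<5} {classify_port(s.local_port)}")
    print("unexplained ports:", report["unknown_ports"])
    for s in report["established"]:
        print(f"outbound {s.local_ip}:{s.local_port} -> {s.foreign}")
```

Save a snapshot right after the clean reboot the post describes, then another after the machine has been idle for a while, and feed both to `new_listeners`; a listener that shows up only in the second capture is exactly the case post #9 warns a single `netstat -na` cannot catch. Anything labelled UNKNOWN, and any ESTABLISHED connection to an address you do not recognise, is what to chase down by process name rather than assume benign.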