
Network is hacked and I'm baffled.

10996 Views 131 Replies 41 Participants Last post by  thiussat
Ok, I used to think I was pretty smart...until this #%$ $%^% piece of $#@$ invited himself into my home network about a month ago. I should point out that this is NOT a wireless hack. I busted him early on and banned his MAC address but either he gave out some information to others or got really smart, because I can't get rid of him now. I have tried everything I can think of, changing software on the router, turning off all tunneling protocols (including IPv6), banning IP addresses, etc. He's piggybacking somehow on different internal IP addresses so it doesn't even look like he's connected, but when I look at the log of the outgoing connections from the router, I can see the sites he goes to. He likes BBC and MSFT's technet sites (go figure). I thought I had him tracked down a while back, even finding an IP address in Italy somewhere, but I'm sure that's just a proxy.

I have a cable modem-ethernet to WRT160N router, and two computers hooked up to it by ethernet. The only wireless is to a laptop (not mine) and I've changed keys and all kinds of other stuff. I even changed the workgroup name to something else. I've been using netmon to track what's going on, but I can't tell how this $%^ is getting back in. I know it's not wireless because of the lights on the router. I changed the router firmware to DD-WRT thinking that would give me more control over it, but no. Apparently nobody ever thinks about LAN security, only WLAN. I've done spyware scans, virus scans, forever. The router log doesn't show any incoming activity at all, only outgoing...he's not even listed on the DHCP table. But he's using the same IP I'm on right now to do whatever he wants on the internet.

Now, I had a couple ideas about how this happened, but I have no way of telling if they're right. One was that the VMWARE linux setup that I'm folding on that uses a SMB server let him in. I have no idea how this guy is doing this, but it is really starting to piss me off. I've even turned off teredo, SSDP, every other freaking tunneling protocol I can think of, no dice. It's like he has some kind of VPN right into my router somehow.

I've never heard of anything like this before, and it really cranks me to think that I can't get control of my own $%^#^ network back from this punk. Anybody have any ideas????? +rep if anyone can help me get rid of this scumbag. :swearing:
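One concrete way to check the OP's observation that a device is using LAN addresses without appearing in the DHCP table is to reconcile the router's lease file with its ARP table. This is an added example, not anything posted in the thread; it assumes DD-WRT's dnsmasq lease file (/tmp/dnsmasq.leases) and the Linux /proc/net/arp layout, and the sample contents below are constructed.

```python
"""
Reconcile a DD-WRT dnsmasq lease file with the router's ARP table to spot
LAN hosts that hold an address without a DHCP lease (static or spoofed IP)
and leased addresses whose MAC no longer matches the lease. Added example;
the two samples below are constructed to show one hit of each kind.
"""

# Constructed /tmp/dnsmasq.leases: expiry MAC IP hostname client-id
LEASES = """\
1700000000 00:11:22:33:44:55 192.168.1.100 desktop 01:00:11:22:33:44:55
1700000000 66:77:88:99:aa:bb 192.168.1.101 laptop *
"""

# Constructed /proc/net/arp: a header line, then one entry per row
ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.100    0x1         0x2         00:11:22:33:44:55     *        br0
192.168.1.101    0x1         0x2         66:77:88:99:aa:cc     *        br0
192.168.1.150    0x1         0x2         de:ad:be:ef:00:01     *        br0
"""

def parse_leases(text):
    """Map IP -> MAC for every lease line (expiry, MAC, IP, ...)."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            leases[parts[2]] = parts[1].lower()
    return leases

def parse_arp(text):
    """Map IP -> MAC for complete ARP entries (flags 0x2), skipping the header."""
    table = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "0x2":
            table[parts[0]] = parts[3].lower()
    return table

def find_unleased(leases, arp):
    """Return (ip, mac, reason) for ARP entries with no lease or a MAC mismatch."""
    findings = []
    for ip, mac in sorted(arp.items()):
        if ip not in leases:
            findings.append((ip, mac, "no DHCP lease"))
        elif leases[ip] != mac:
            findings.append((ip, mac, "MAC differs from lease %s" % leases[ip]))
    return findings

if __name__ == "__main__":
    for ip, mac, why in find_unleased(parse_leases(LEASES), parse_arp(ARP)):
        print(ip, mac, why)
```

On the router itself the same logic runs against the real files by reading them in place of the constructed strings; a host that shows up here but not in the DHCP table is the one to trace to a physical port.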
I'd just reformat your PC at this point, since you seem to be sure he's riding off your PC (same IP).

Alternatively it could be a bot net type thing, where it's not really a guy visiting sites, but your computer is accessing websites just for whatever reason.. DOS attempts or something..

Edit:

Try disconnecting the wireless for a few days and see if it continues, to 100% rule that out. If he's smart enough to gain this sort of access, he might have a bypass for the 'lights' going off on it.

It's too bad you don't have professional grade routing, then you could really have some fun with him.
Redirecting BBC and whatever to certain sites... heh.
Can you take the router down for a day or two? That usually gets hackers uninterested.

EDIT: I need to read the OP more carefully.

EDIT2: Sacre, you are right. I forgot about that.
Quote: Originally Posted by Deth V

Can you take the router down for a day or two? That usually gets hackers uninterested.

Thing is somebody who's *this* into it will likely have a network of these computers available to them. One goes down and they don't stop monitoring it (usually automated monitoring) it just automatically switches to another one. Once it's back up they'll probably be back on it.
Will it help to call your ISP and get your IP changed?
First off, turn off your router.
Second, scan all PCs for rootkits, and scan for malware with Malwarebytes Anti-Malware.
Third, change all the passwords for everything, again.
Fourth, go over MAC addresses so that it says only these PCs can access this router. If you are aware of a hole, close it. Even if it is Folding, close it. Then block the ports with the firewall.

Also, make sure that you enforce strict limits on the router for wired, if you are still using DD-WRT, then go to Security and then go to VPN. Then disable all passthroughs. See if that stops it.
Disconnect your ISP from your router, phone your ISP, change your IP, and buy a new router, install DD-WRT to said new router, then reconnect your ISP to the router and go from there; if that doesn't work, I have no idea.

I had something similar happen to me and that's what I did.
Quote: Originally Posted by tindolos

Will it help to call your ISP and get your IP changed?

If he's got this sort of access already, then there's no doubt that this LAN (most likely the OP's PC) is reporting back to some sort of central server. Changing IP won't do anything.

Quote: Originally Posted by GH0

First off, turn off your router.
Second, scan all PCs for rootkits, and scan for malware with Malwarebytes Anti-Malware.
Third, change all the passwords for everything, again.
Fourth, go over MAC addresses so that it says only these PCs can access this router. If you are aware of a hole, close it. Even if it is Folding, close it. Then block the ports with the firewall.

I'd give this a shot, can't hurt. Also, Linux *is* very secure, but it's *VERY* insecure if you don't know how to administrate it... chances are he's going through there.

Have you taken down your virtual Linux box for a few days to see if it stops?
Quote: Originally Posted by Sacre

Thing is somebody who's *this* into it will likely have a network of these computers available to them. One goes down and they don't stop monitoring it (usually automated monitoring) it just automatically switches to another one. Once it's back up they'll probably be back on it.

You're right about that. Resetting the router lets him into it faster than I can get into it when it starts back up. Ok, here's the really twisted, funny thing. I can unhook all ethernet outputs from the router, and turn wireless off...and he's still transferring data. How is that possible? Can a router be hacked like that?

Reformatting won't fix it, he switches to different IP addresses within the network.
Quote: Originally Posted by zooterboy

You're right about that. Resetting the router lets him into it faster than I can get into it. Ok, here's the really twisted, funny thing. I can unhook all ethernet outputs from the router, and turn wireless off...and he's still transferring data. How is that possible? Can a router be hacked like that?

Reformatting won't fix it, he switches to different IP addresses within the network.

Are you sure he's still transferring data? Or is it just activity lights? Activity lights can go off without being connected to PCs.

I'd try a full reset and re-flash of the router's firmware. If he actually hacked the firmware, then that would clear it up (for now).

What's your exact router revision and firmware?

EDIT: To find out if it's the router itself, disconnect your WRT160N entirely from everything. Then connect your cable modem DIRECTLY to your Wireless router, disable Wireless access, and run on that for a little while and monitor your activity. If it stops, then you know that he's hacked your router directly. If it continues, then he's inside one (or more) of your systems.

EDIT #2: Sorry, was thinking you had the main router wired and a wireless router on the side acting as a switch. Disable wireless entirely on the router and monitor for a few days - if that doesn't work, try another router, they can be had cheap.
Quote: Originally Posted by Sacre

If he's got this sort of access already, then there's no doubt that this LAN (most likely the OP's PC) is reporting back to some sort of central server. Changing IP won't do anything.

I'd give this a shot, can't hurt. Also, Linux *is* very secure, but it's *VERY* insecure if you don't know how to administrate it... chances are he's going through there.

Have you taken down your virtual Linux box for a few days to see if it stops?

Yeah, it doesn't make a difference. I just did a rootkit scan with this pc 2 hours ago with the ethernet physically unplugged. Nada.
Quote: Originally Posted by zooterboy

Yeah, it doesn't make a difference. I just did a rootkit scan with this pc 2 hours ago with the ethernet physically unplugged. Nada.

Does it happen regardless of your Linux virtual machine's status?

Also, check my last post, I edited it (twice).
zooterboy, did you do the scan in safe mode?

Check Updated Post.
Disable UPnP on the router
Disable WiFi
Make sure DMZ is turned off.
You haven't got that nasty DNS changer malware? If you've got remote login for your router enabled then you can, so if he can force remote login, yes he can. When you unhook all ethernet ports, is that EVERY port? You could try a hardware firewall, or updating the firmware on your router.
Make sure you reset your firmware on that router.

I know it's unlikely, but if he really is able to jump IPs like that, then he does have direct access to your router. Whether it's because he's trojan'd you and has your password for the router now, or because something is installed, you need to reset the firmware on that router and change the password.

It's rare for the firmware to actually be hacked, but all a router is... is a computer dedicated to network traffic. The firmware is essentially a mini-OS that is as hackable as any other piece of software. (i.e. chances are this ain't no script kiddie, although I'm leaning towards some sort of bot net.)
Plug yourself directly into your modem.
See if you're still having problems.
That will show if it's a vulnerability through your PC.
Quote: Originally Posted by GH0

zooterboy, did you do the scan in safe mode?

Check Updated Post.
Disable UPnP on the router
Disable WiFi
Make sure DMZ is turned off.

Nope, didn't do it in safe mode. I'll try that.

Quote: Originally Posted by pr0bie

You haven't got that nasty DNS changer malware? If you've got remote login for your router enabled then you can, so if he can force remote login, yes he can. When you unhook all ethernet ports, is that EVERY port? You could try a hardware firewall, or updating the firmware on your router.

Well, whatever it is, it's definitely nasty and undetectable, more so than anything I've ever seen. Remote login has always been disabled. DMZ, port forwarding all off. UPnP is off. I even went so far as to go through and turn off all the services I thought could be used, but nothing worked. Already updated the firmware, twice. Changed username and password three times, and reeeeeally good passwords.

Quote: Originally Posted by Sacre

Does it happen regardless of your Linux virtual machine's status?

Also, check my last post, I edited it (twice).

Yes it does. VMware is off right now, even uninstalled the protocols, didn't work. I know routers are cheap, but punks like this should be taken out and %$^ by their *%^%^& and then set on fire. I was hoping to reward him with some of his own medicine...