Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

Home network hacked


  • Please log in to reply
38 replies to this topic

#1 Ciceroo

Ciceroo

  •  Avatar image
  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 24 February 2024 - 06:15 AM

Hello,
 
To put it short, I was hacked by a very gifted hacker. He gained control of my complete home network.
I'm currently trying to setup a secure PC in my home network, I bought a new laptop and a new cable modem.
The instant I connected to the web I started getting the following warnings in my firewall log:
 
2024-02-24 10:46:00 FwLog.crit [10000004]: 15,2024-02-24 10:04:00 UTOPIA: Device Blocked DROP
2024-02-24 10:46:02 FwLog.crit [10000003]: 15,2024-02-24 10:04:02 UTOPIA: Service Blocked DROP
 
My current questions are:
 
1) Are those warnings alarming ?
2) My new cable modem has very stripped down logs, for example I can't see ARP/RARP table or destinations and
sources of traffic blocked by my firewall. Is there some 3rd party program you could recommend me to monitor the
traffic in realtime all the time ?
3) What steps can I take to make sure the attacker is off my trail ?


BC AdBot (Login to Remove)

 


#2 cryptodan

cryptodan

    Bleepin Madman


  •  Avatar image
  • Members
  • 33,826 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:10 AM

Posted 24 February 2024 - 11:53 AM

Download and install min-toolbox from here: https://www.bleepingcomputer.com/download/minitoolbox/
 
minitoolbox.png
 
With the following:
 
Last 10 error messages from the logs
Installed Application
Problematic Devices 
List users and partitions

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra


#3 1PW

1PW

  •  Avatar image
  • Members
  • 460 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:North of the 38th parallel.
  • Local time:09:10 PM

Posted 24 February 2024 - 12:09 PM

Hello @Ciceroo:

 

Unless the terms you use are not quite accurate, you really should have a NAT router that would isolate the Wide Area Network (WAN) from the Local Area Network (LAN) the NAT router creates.

 

Would you please reveal the exact, hardware make and model of your “cable modem”? Is the “cable modem” provided by your ISP?

 

Thank you.


All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus. https://forums.malwarebytes.com/profile/17252-1pw/


#4 Ciceroo

Ciceroo
  • Topic Starter

  •  Avatar image
  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 25 February 2024 - 02:44 AM

Here is the MiniToolBox data. The data is from my new out of the box laptop.

 

About my cable modem/cable gateway, yes it is provided by my ISP. Is it safe to share specs of it ?

Attached Files

  • Attached File  MTB.txt   12.48KB   4 downloads

Edited by Ciceroo, 25 February 2024 - 03:29 AM.


#5 Dominique1

Dominique1

  •  Avatar image
  • Members
  • 841 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Local time:12:10 AM

Posted 25 February 2024 - 04:18 PM

I'll let Dan comment the MiniToolBox data (No clue what to check there).  However, knowing what your hardware is can help us suggest more secure solutions, unless you are a pro in that regard.


Edited by Dominique1, 25 February 2024 - 04:20 PM.


#6 cryptodan

cryptodan

    Bleepin Madman


  •  Avatar image
  • Members
  • 33,826 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:10 AM

Posted 25 February 2024 - 04:29 PM

Remove mcafee live safe with https://www.mcafee.com/support/?articleId=TS101331&page=shell&shell=article-view

And nothing of note in the mtb tgat stands our as malicious.

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra


#7 Ciceroo

Ciceroo
  • Topic Starter

  •  Avatar image
  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 26 February 2024 - 03:14 AM

The hacked cable gateway is Cisco EPC3828D. My ISP offers cable gateways only from 2 manufacturers, I'm not sure if it's some exclusive rights issue or not (by that I mean my broadband might not even work with devices from other manufacturers). But if you can suggest some more secure options, I can ask my ISP if those devices would work.
 
I have removed mcafee. A relief to know my new laptop still seems secure.
 
How the hack happened, I'm quite sure I downloaded a malicious file and after sometime the hacker gained control of my cable gateway and with it my home network. There are still clear signs of the hack on some devices, for example:
 
1) My TV has unknown devices connected to it (device history) and hard drive is full even though I have not downloaded or recorded anything 
2) I'm unable to access DMZ settings of the hacked cable gateway
3) I have screenshots and Wireshark logs of the time I was hacked. I do not understand Wireshark logs but the screenshots show unknown
MACs and IPs on my gateway's ARP/RARP table even though I was not connected to the web and Wifi was turned off. 
4) My desktop's Windows 10 logs show suspicious activity. For example there are entries of remotedesktop being turned on and off
 
The hacked gateway is currently under investigation and I don't physically have it on me right now. But I would like to share some of the above data here, but I don't know how to do it securely. If I use an USB stick, I'm afraid the infection would just spread to other devices.
 
Thank you for all the help.

Edited by Ciceroo, 26 February 2024 - 03:15 AM.


#8 cryptodan

cryptodan

    Bleepin Madman


  •  Avatar image
  • Members
  • 33,826 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:10 AM

Posted 26 February 2024 - 07:47 AM

Share the Wireshark screenshots of the suspected hack

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra


#9 Ciceroo

Ciceroo
  • Topic Starter

  •  Avatar image
  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 26 February 2024 - 10:55 AM

Sorry for being unclear, I meant to say I do not understand anything about Wireshark logs. I do not have screenshots of them, only .pcapng files. Some of the files are also quite large, screenshotting all the logs would probably require hundreds of screenshots.

 

BUT I do have screenshots of suspicious gateway activity. Picture 1 shows my DNS address constantly changing to some unknown IP. This kept happening almost all the time. Picture 2 shows two unknown IPs and MACs on my router's ARP/RARP table even though my gateway and desktop were offline and not even WIFI was turned on.

 

Attached Files

  • Attached File  1.jpg   83.66KB   0 downloads
  • Attached File  2.jpg   83.44KB   0 downloads


#10 cryptodan

cryptodan

    Bleepin Madman


  •  Avatar image
  • Members
  • 33,826 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:10 AM

Posted 26 February 2024 - 11:00 AM

Please don't crop or edit your images.

You can use a file upload site to upload them to then share the link and I can analyze them and others too.

Edited by cryptodan, 26 February 2024 - 11:02 AM.

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra


#11 Ciceroo

Ciceroo
  • Topic Starter

  •  Avatar image
  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 26 February 2024 - 12:24 PM

Here's the links. I have edited out my public IP.

 



#12 cryptodan

cryptodan

    Bleepin Madman


  •  Avatar image
  • Members
  • 33,826 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:10 AM

Posted 26 February 2024 - 12:59 PM

Your public IP doesnt matter and it makes reviewing logs useless.  The IP address in your images arent likely the same one have now.


US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra


#13 Dominique1

Dominique1

  •  Avatar image
  • Members
  • 841 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Local time:12:10 AM

Posted 26 February 2024 - 01:41 PM

Your Cisco device has a firewall feature.  Learn how it works and block all ports that you don't need.  Change your device's passwords (admin, users and WiFi).  Make sure its firmware is up to date.

About your connected PCs and mobile devices, make sure they are clean from virus and malware before connecting them back to your network.

Good luck!
 


Edited by Dominique1, 26 February 2024 - 01:46 PM.


#14 Ciceroo

Ciceroo
  • Topic Starter

  •  Avatar image
  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:07:10 AM

Posted 26 February 2024 - 02:08 PM

Umm I'm not sure what you mean by my public IP not mattering. If it doesn't matter, can't you imagine the same digits on all the edited out parts ?



#15 cryptodan

cryptodan

    Bleepin Madman


  •  Avatar image
  • Members
  • 33,826 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:10 AM

Posted 26 February 2024 - 02:09 PM

Nope I cannot imagine, and can you share the pcap files via something like MegaUploads?


US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users