Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: US charges Samourai cryptomixer founders for laundering $100 million

Featured Deal: A one-year Sam's Club membership is only $14 now

Latest Buyer's Guide: How to setup a VPN on your router: Detailed walkthrough

Home network hacked

Started by Ciceroo , Feb 24 2024 06:15 AM

Next
»

Please log in to reply

52 replies to this topic

#1 Ciceroo

Members
24 posts
OFFLINE

Local time:07:48 AM

Posted 24 February 2024 - 06:15 AM

Hello,

To put it short, I was hacked by a very gifted hacker. He gained control of my complete home network.

I'm currently trying to setup a secure PC in my home network, I bought a new laptop and a new cable modem.

The instant I connected to the web I started getting the following warnings in my firewall log:

2024-02-24 10:46:00 FwLog.crit [10000004]: 15,2024-02-24 10:04:00 UTOPIA: Device Blocked DROP

2024-02-24 10:46:02 FwLog.crit [10000003]: 15,2024-02-24 10:04:02 UTOPIA: Service Blocked DROP

My current questions are:

1) Are those warnings alarming ?

2) My new cable modem has very stripped down logs, for example I can't see ARP/RARP table or destinations and

sources of traffic blocked by my firewall. Is there some 3rd party program you could recommend me to monitor the

traffic in realtime all the time ?

3) What steps can I take to make sure the attacker is off my trail ?

Back to top"> Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 cryptodan

Bleepin Madman

Members
34,434 posts
OFFLINE

Gender:Male
Location:USA
Local time:05:48 AM

Posted 24 February 2024 - 11:53 AM

Download and install min-toolbox from here: https://www.bleepingcomputer.com/download/minitoolbox/

With the following:

Last 10 error messages from the logs
Installed Application
Problematic Devices
List users and partitions

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra

Back to top"> Back to top

#3 1PW

Members
460 posts
OFFLINE

Gender:Not Telling
Location:North of the 38th parallel.
Local time:05:48 AM

Posted 24 February 2024 - 12:09 PM

Hello @Ciceroo:

Unless the terms you use are not quite accurate, you really should have a NAT router that would isolate the Wide Area Network (WAN) from the Local Area Network (LAN) the NAT router creates.

Would you please reveal the exact, hardware make and model of your “cable modem”? Is the “cable modem” provided by your ISP?

Thank you.

All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus. https://forums.malwarebytes.com/profile/17252-1pw/

Back to top"> Back to top

#4 Ciceroo

Topic Starter

Members
24 posts
OFFLINE

Local time:07:48 AM

Posted 25 February 2024 - 02:44 AM

Here is the MiniToolBox data. The data is from my new out of the box laptop.

About my cable modem/cable gateway, yes it is provided by my ISP. Is it safe to share specs of it ?

Attached Files

MTB.txt 12.48KB 5 downloads

Edited by Ciceroo, 25 February 2024 - 03:29 AM.

Back to top"> Back to top

#5 Dominique1

Members
916 posts
ONLINE

Gender:Not Telling
Local time:12:48 AM

Posted 25 February 2024 - 04:18 PM

I'll let Dan comment the MiniToolBox data (No clue what to check there). However, knowing what your hardware is can help us suggest more secure solutions, unless you are a pro in that regard.

Edited by Dominique1, 25 February 2024 - 04:20 PM.

Back to top"> Back to top

#6 cryptodan

Bleepin Madman

Members
34,434 posts
OFFLINE

Gender:Male
Location:USA
Local time:05:48 AM

Posted 25 February 2024 - 04:29 PM

Remove mcafee live safe with https://www.mcafee.com/support/?articleId=TS101331&page=shell&shell=article-view

And nothing of note in the mtb tgat stands our as malicious.

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra

Back to top"> Back to top

#7 Ciceroo

Topic Starter

Members
24 posts
OFFLINE

Local time:07:48 AM

Posted 26 February 2024 - 03:14 AM

The hacked cable gateway is Cisco EPC3828D. My ISP offers cable gateways only from 2 manufacturers, I'm not sure if it's some exclusive rights issue or not (by that I mean my broadband might not even work with devices from other manufacturers). But if you can suggest some more secure options, I can ask my ISP if those devices would work.

I have removed mcafee. A relief to know my new laptop still seems secure.

How the hack happened, I'm quite sure I downloaded a malicious file and after sometime the hacker gained control of my cable gateway and with it my home network. There are still clear signs of the hack on some devices, for example:

1) My TV has unknown devices connected to it (device history) and hard drive is full even though I have not downloaded or recorded anything

2) I'm unable to access DMZ settings of the hacked cable gateway

3) I have screenshots and Wireshark logs of the time I was hacked. I do not understand Wireshark logs but the screenshots show unknown

MACs and IPs on my gateway's ARP/RARP table even though I was not connected to the web and Wifi was turned off.

4) My desktop's Windows 10 logs show suspicious activity. For example there are entries of remotedesktop being turned on and off

The hacked gateway is currently under investigation and I don't physically have it on me right now. But I would like to share some of the above data here, but I don't know how to do it securely. If I use an USB stick, I'm afraid the infection would just spread to other devices.

Thank you for all the help.

Edited by Ciceroo, 26 February 2024 - 03:15 AM.

Back to top"> Back to top

#8 cryptodan

Bleepin Madman

Members
34,434 posts
OFFLINE

Gender:Male
Location:USA
Local time:05:48 AM

Posted 26 February 2024 - 07:47 AM

Share the Wireshark screenshots of the suspected hack

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra

Back to top"> Back to top

#9 Ciceroo

Topic Starter

Members
24 posts
OFFLINE

Local time:07:48 AM

Posted 26 February 2024 - 10:55 AM

Sorry for being unclear, I meant to say I do not understand anything about Wireshark logs. I do not have screenshots of them, only .pcapng files. Some of the files are also quite large, screenshotting all the logs would probably require hundreds of screenshots.

BUT I do have screenshots of suspicious gateway activity. Picture 1 shows my DNS address constantly changing to some unknown IP. This kept happening almost all the time. Picture 2 shows two unknown IPs and MACs on my router's ARP/RARP table even though my gateway and desktop were offline and not even WIFI was turned on.

Attached Files

1.jpg 83.66KB 0 downloads
2.jpg 83.44KB 0 downloads

Back to top"> Back to top

#10 cryptodan

Bleepin Madman

Members
34,434 posts
OFFLINE

Gender:Male
Location:USA
Local time:05:48 AM

Posted 26 February 2024 - 11:00 AM

Please don't crop or edit your images.

You can use a file upload site to upload them to then share the link and I can analyze them and others too.

Edited by cryptodan, 26 February 2024 - 11:02 AM.

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra

Back to top"> Back to top

#11 Ciceroo

Topic Starter

Members
24 posts
OFFLINE

Local time:07:48 AM

Posted 26 February 2024 - 12:24 PM

Here's the links. I have edited out my public IP.

https://imagizer.imageshack.com/img924/1916/2MU33k.jpg

https://imagizer.imageshack.com/img922/7083/ybJV4z.jpg

https://imagizer.imageshack.com/img924/9419/FSaRg0.jpg

Back to top"> Back to top

#12 cryptodan

Bleepin Madman

Members
34,434 posts
OFFLINE

Gender:Male
Location:USA
Local time:05:48 AM

Posted 26 February 2024 - 12:59 PM

Your public IP doesnt matter and it makes reviewing logs useless. The IP address in your images arent likely the same one have now.

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra

Back to top"> Back to top

#13 Dominique1

Members
916 posts
ONLINE

Gender:Not Telling
Local time:12:48 AM

Posted 26 February 2024 - 01:41 PM

Your Cisco device has a firewall feature. Learn how it works and block all ports that you don't need. Change your device's passwords (admin, users and WiFi). Make sure its firmware is up to date.

About your connected PCs and mobile devices, make sure they are clean from virus and malware before connecting them back to your network.

Good luck!

Edited by Dominique1, 26 February 2024 - 01:46 PM.