Home network got hacked, investigating the cause/infection?

Andrew_Carr

2[H]4U
Joined
Feb 26, 2005
Messages
2,593
So somehow my home network got hacked into and I'm looking for any ideas on how to track it down and determine what to do to fix things. Last year someone also got into my email and tried resetting passwords to various sites and I got IP blacklisted from a few sites for trying logins on them too often (guessing my infected desktop that I reimaged afterwards was trying to brute-force logins to various sites I had visited such as Newegg, etc.). I'm wondering if the two are linked in some way, but don't have a lot of info to go off of. I'll try to describe what happened and how my network is set up (if there's some sort of network mapping tool I could run that, just not familiar with these things).

What happened:
Earlier this week computers started going offline and when I tried logging into my router from my phone I got a "This device is blocked" error screen. I was able to log in via another computer and saw that about half of my network devices had been set to blocked by the router and knew something was wrong. I unblocked all devices and saved the router logs but more kept getting blocked and one device named "Allow" popped up (I'm guessing so they knew to block all devices except theirs). At this point I started up Wireshark but then decided it'd be better to just disconnect from the internet and try to scan everything and fix the vulnerability. I did some research and disabled UPnP and remote access on my router (apparently their app is required to disable that since it's not visible in the web menus). I did some virus scans on my PC and picked up nothing again, but decided to remove all the hard drives and install Linux on a clean one just in case. I changed the Wi-Fi and router passwords as well just in case.

Sequence of Events:
I was able to determine that a [LAN Access from Remote] event occurred for the first time from an outside IP address about a half hour before I noticed things were going bad. There were several other IPs with the same log message that occurred shortly afterwards. There were also a bunch of SYN/ACK and RST and WinNuke scan events from various IP addresses before and during this happening but I've seen stuff like this before and it turned out to be false alarms by the router. I saved some Wireshark captures but honestly I'm not sure what to even attempt to filter for.

Network setup / devices:
My Orbi router connects to my comcast modem and then to the internet. No VLANs or DMZ or anything special in-between.
Internally I have a couple orbi satellites and about 30 or so devices connected (cell phones, TVs / rokus, desktop & laptops running a mix of Windows / Mac OS, and about 27 crypto mining computers running hivelos/ubuntu linux)
No home servers or anything, the closest thing I could imagine that would draw attention is sometimes I run a full-node for crypto on my desktop when opening a wallet.

Now that I've scanned everything, changed passwords, and tried to go through my logs the only odd thing I'm seeing still is a LAN Access from Remote event from outside IPs to 192.168.1.9 on port 80. This is my desktop IP that I reimaged (I put the old Windows SSD in, booted up, and then these appear in the router logs). Any other thoughts on good things to check for? I'm guessing somehow remote access is occurring on my Windows device and that's how they got in? I disabled all remote access to it in Windows settings a while back when I first re-installed things, but I did install TeamViewer recently to access my Windows laptop remotely.

[Edit: Might've just narrowed it down. I reinstalled my windows SSD into the desktop to play a game that I couldn't get working on linux. I forgot to disconnect the ethernet cable first and now I have router logs for remote lan access that match. Guessing this is it?]
 

Shockey

2[H]4U
Joined
Nov 24, 2008
Messages
2,249
Did you look up the game to see if it has a list of ports it uses?
Tried going to the IP:80 in browser?
 

Andrew_Carr

I double-checked remote desktop settings and everything. Remote desktop and remote assistance remain turned off. But the weird thing is under remote desktop developer options I can't uncheck this option. If I uncheck it, it rechecks itself after I reopen the settings. Going into those settings though under "Show Settings" still shows everything remote desktop related as being turned off. I also checked out what my firewall exceptions were and saw a registry key for remote desktop and turned that off.

Oh, and as far as the game goes, I was just trying to play a singleplayer game on my computer and figured if I left it disconnected it would be safe. I wasn't sure at the time if it was my desktop or something else since I couldn't be sure about which IP addresses that dropped off the network after I disconnected and checked everything mapped to which device, but once I reconnected my desktop (by mistake) to play the game and the router logs confirmed someone was remotely accessing my machine I think that narrowed it down to my desktop being the cause. Still can't find any infections via Malwarebytes or Windows Defender scans though.

[Update: Didn't think of this earlier but I checked the port forwarding rules and port 80 was being forwarded. Removed that and all other port forwarding rules and that seems to have stopped the remote access attempts. I had port 4200 open for remote management of my mining machines so maybe that was it.]
 

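An added example, not part of any post in this thread: one way to triage the saved router log the original poster describes, grouping `LAN access from remote` entries by the internal host and port they reached and listing any that are not intended port forwards. The log line layout, the sample entries and the address 192.168.1.40 for the port-4200 forward are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the commonly seen Netgear/Orbi log layout (assumed format).
# Source addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.7:51514 to 192.168.1.9:80, Tuesday, Mar 01,2022 18:02:11
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.4, port 443, Tuesday, Mar 01,2022 18:03:40
[LAN access from remote] from 198.51.100.23:40112 to 192.168.1.9:80, Tuesday, Mar 01,2022 18:05:57
[LAN access from remote] from 203.0.113.7:51630 to 192.168.1.9:80, Tuesday, Mar 01,2022 18:09:02
[LAN access from remote] from 192.0.2.50:33900 to 192.168.1.40:4200, Tuesday, Mar 01,2022 18:20:30
"""

LINE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):\d+ "
    r"to (?P<dst>[\d.]+):(?P<port>\d+), \w+, (?P<ts>\w{3} \d{2},\d{4} [\d:]{8})",
    re.IGNORECASE,
)

def exposed_services(log_text):
    """Group inbound 'LAN access from remote' hits by internal (host, port)."""
    seen = defaultdict(lambda: {"sources": set(), "hits": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip other event types such as scan notices
        ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
        entry = seen[(m["dst"], int(m["port"]))]
        entry["sources"].add(m["src"])
        entry["hits"] += 1
        entry["first"] = min(entry["first"] or ts, ts)
        entry["last"] = max(entry["last"] or ts, ts)
    return dict(seen)

def unexpected_forwards(services, intended):
    """Internal endpoints reached from the WAN that are not in the intended set."""
    return sorted(k for k in services if k not in intended)

if __name__ == "__main__":
    services = exposed_services(SAMPLE_LOG)
    for (host, port), e in sorted(services.items()):
        print(f"{host}:{port} hits={e['hits']} sources={len(e['sources'])} "
              f"first={e['first']} last={e['last']}")
    # Assumption: only the port-4200 management forward was set up on purpose.
    print("unexpected:", unexpected_forwards(services, {("192.168.1.40", 4200)}))
```

Any endpoint in the "unexpected" list corresponds to a forwarding rule (manual or UPnP-created) worth checking in the router's configuration.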

djstarfox

Limp Gawd
Joined
Sep 20, 2010
Messages
477
Yeah, so there is likely a process running on the Windows machine that the attacker is using. I.e., it's called a RAT (remote access trojan).

Possible causes:
* Your "remote access from phone to router" was likely using weak cryptography.
* Having *any* port forwarding on your router to LAN is an open door for attackers. UPnP is also an open playground for attackers to establish a foothold/persistence and should be disabled.
* Email compromise from earlier marked your public IP as an "attack me sometime in the future".

There are basically only a couple of options:
* Download Malwarebytes and run a full scan (from a known-good boot disk, not your Windows install)
* Re-image Windows with a known-good boot disk.

If the malware is a rootkit, you will be unable to detect it while booted from the compromised OS. It's also likely that other machines on the same network are compromised.

I feel for you though... definitely sucks to clean up this mess.

PS. If you're able to change the MAC address on the WAN port of the router, do so and reboot your modem. That trick should cause your public IP to change (thus evading the attacks for a while).
 

Andrew_Carr

Thanks. Yeah, I didn't realize UPnP and remote router access was on by default. Those are off now. Disabling port forwarding has fixed the attacks for now it seems but I'm guessing it's some sort of trojan and if they find a way in again they'd be able to get back to my computer. Malwarebytes didn't find one but I guess they have a separate rootkit scanner too that I'll try, but I'm probably just going to wipe everything from Linux and stick with that for now anyway. Would just be reassuring to find the cause for sure, but probably safer to just nuke everything I guess.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
20,618
Nuke every device from orbit on your network
reset all devices back to factory and start from scratch

It is not worth it to "think" you solved the problem. The complexities behind most exploits these days go far beyond the average Joe Blow running Malwarebytes or "insert AV of choice" here and you are clean. Many of the current threats can easily get past modern AV systems.


You can try to find the cause, but you will never actually know.

If your email was compromised before then you need better security practices yourself. Humans are the weakest links.

  • Password manager for all passwords with a complex password / 2MFS to access
  • No same passwords on ANY thing you have
  • Router firmware updated and patched when released
  • Secure Wifi / passphrases
  • Windows / Linux / App updated always
  • Use something like openDNS or CloudFlare to get some protection around malicious sites.
  • All features on your router disabled you do not use or need (as you noted uPnP done so that is good)
 

MrGuvernment

Setup a pfsense box?

If the OP can, def the way to go, I have zero trust for any SOHO / Home / ISP / Asus / whatever brand "router". They all come out with massive exploits years after they happened and are not configured securely.

ISP --> PFSense -- Router in AP mode for Wifi
                -- LAN
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,361
MrGuvernment said:
> Nuke every device from orbit on your network
> reset all devices back to factory and start from scratch
So much this ^^^^

If they were inside your network you need to assume everything is compromised. If I were you I'd be changing every password I have and rebuilding everything from the ground up. Even backups are suspect at this point IMHO.



MrGuvernment said:
> If the OP can, def the way to go, I have zero trust for any SOHO / Home / ISP / Asus / whatever brand "router". They all come out with massive exploits years after they happened and are not configured securely.
>
> ISP --> PFSense -- Router in AP mode for Wifi
>                 -- LAN
I run an OPNsense box myself. You can't trust the major brands to not have stupid defaults or even update the device firmware.
 

djstarfox

No need to scare the guy. He had an open port, true, but it's not the end of the world. Though, a full assessment is definitely in order.
 

Valnar

2[H]4U
Joined
Apr 3, 2001
Messages
3,881
If you have a way to log or capture any traffic leaving your LAN to your router, do that. Command and control malware is useless if it doesn't attempt to phone home.
Run this on your boxes for a short time too. https://www.nirsoft.net/utils/dns_query_sniffer.html

A PiHole server would be good for logging this info too, provided the infected device doesn't bypass your host's DNS.
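An added example, not part of Valnar's post: once DNS queries are being logged as suggested above, one way to look for phone-home behaviour is to flag client/domain pairs queried at near-constant intervals. The dnsmasq-style line layout (as Pi-hole writes it), the thresholds and all sample hosts and domains are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

QUERY = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")

def parse_queries(log_text, year=2022):
    """Yield (timestamp, client, domain) from dnsmasq-style query lines."""
    for line in log_text.splitlines():
        m = QUERY.match(line)
        if m:  # dnsmasq lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            yield ts, m[3], m[2]

def find_beacons(log_text, min_queries=6, max_jitter=0.1):
    """Flag (client, domain) pairs queried at near-constant intervals."""
    times = defaultdict(list)
    for ts, client, domain in parse_queries(log_text):
        times[(client, domain)].append(ts)
    flagged = []
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: timer-driven check-ins stay near 0,
        # human browsing produces irregular gaps and scores high.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((key[0], key[1], round(avg)))
    return sorted(flagged)

def build_sample():
    """Constructed log: one host polling a domain every ~300 s plus irregular lookups."""
    t0, rows = datetime(2022, 3, 1, 18, 0, 0), []
    for i in range(8):
        rows.append((t0 + timedelta(seconds=300 * i + (i % 2)), "updates.example.net", "192.168.1.9"))
    for off in (5, 40, 410, 900, 1900, 2000, 2050):
        rows.append((t0 + timedelta(seconds=off), "www.example.com", "192.168.1.20"))
    return "\n".join(f"{t:%b %d %H:%M:%S} dnsmasq[812]: query[A] {d} from {c}"
                     for t, d, c in sorted(rows))

if __name__ == "__main__":
    for client, domain, period in find_beacons(build_sample()):
        print(f"{client} -> {domain} about every {period}s")
```

Legitimate software such as update checkers also polls on a timer, so flagged pairs are leads to look up, not verdicts.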
 