Third time's the charm

Discussion in 'Malware Help (A Specialist Will Reply)' started by markem, Feb 21, 2013.

  1. markem

    markem Private First Class

    I KNOW I have something wrong with my system now. First, all of my copies of TCPView were deleted off of all of the systems I have. All copies of Process Explorer were also deleted. I re-downloaded and ran TCPView and there were all of these processes running connected to other computers that I never had anything to do with.

    To top it all off - when I got onto the majorgeeks website, TCPView exploded with hundreds of connections to localhost on port 44080. Check out the screen snapshot I took of my system's TCPView. This is only a small fraction of all of the processes that popped up when I connected to majorgeeks.com. I'm also including a HijackThis log from my web server. It too had a massive number of connections in TCPView. :p

    I will run the standard things on the Malware list and post those afterwards. Just wanted to give you guys a heads up on this.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are the logs we need. A HijackThis log is of just about zero use to us which is why the forum rules and guidelines state not to post them. ;)
     
  3. markem

    markem Private First Class

    I am back awake and running the programs. Logs in a few. To show you what TCPView is showing me - here are a few of the hundreds of lines I'm getting for just going to majorgeeks.com. (Sorry about the HijackThis logs.)

    [System Process] 0 TCP lost-site 44080 localhost 1745 TIME_WAIT
    [System Process] 0 TCP lost-site 44080 localhost 1824 TIME_WAIT
    [System Process] 0 TCP lost-site 1818 localhost 44080 TIME_WAIT
    [System Process] 0 TCP lost-site 44080 localhost 1870 TIME_WAIT
    [System Process] 0 TCP lost-site 1868 localhost 44080 TIME_WAIT
    [System Process] 0 TCP lost-site.google 1875 theta.majorgeeks.com http TIME_WAIT
    [System Process] 0 TCP lost-site 1872 localhost 44080 TIME_WAIT
    [System Process] 0 TCP lost-site 1858 localhost 44080 TIME_WAIT 16 19,885
    [System Process] 0 TCP lost-site 1874 localhost 44080 TIME_WAIT
    [System Process] 0 TCP lost-site 1828 localhost 44080 TIME_WAIT 4 3,680
    [System Process] 0 TCP lost-site 1860 localhost 44080 TIME_WAIT 2 1,252

    Note that almost all of these use port 44080. There are hundreds of these that I am killing. A lot of them have other TCP/IP websites. I've also written to the Avira people since I use Avira on this machine. (Bit Defender is on others - same problem there too.)

    Be back in a bit with the logs.
     
  4. markem

    markem Private First Class

    Ok - here are the logs.

    I went into add/remove programs (I have Win XP) and my version of Java has been sent back to Java 6 v24 and Java 7 v7 instead of just having Java 7 v13 (which I think is the latest). I will have to uninstall and then re-install Java again. :-(

    Also, processdll.exe died with an unspecified termination error. I have the .NET Framework installed so I guess I will have to go take a look at that also. :-(

    Anyway - here are the logs. Only RogueKiller found (and said it found) anything.
     

    Attached Files:

  5. markem

    markem Private First Class

    I was reading JBSCH's "unauthorized remote http connections" posting. Chaslang - you might want to suggest to him/her that they download Microsoft's TCPView program, unarchive it, and look to see if they are having the same issue I am (see Post #1). If so - they have probably been hacked. (I tried to post there but was told I did not have permission to do so. Which is why I am posting here.) JBSCH should probably also check their Java version to make sure it isn't set to something earlier than v7 update 15. Last, but not least, they should also check to see if all of their hard drives have been set to being shared with whoever wants to share them. They can do this by going to Start->Control Panel->Administrative Tools->Device Management and look for the shared folders area. All they have to do is to open up the shared folder and it will list all disk drives that are being shared. There shouldn't be any shared drives/folders unless they, themselves, set them up.

    Just an FYI. For JBSCH. :)
     
    Last edited: Feb 22, 2013
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not problems. Related to Avira. All of this info already shows in your MGlogs.zip


    Interesting that you say this because your first HijackThis log said you were using BitDefender not Avira. In fact, it appears that your first log is from a totally different PC than you just attached logs for.
     
    Last edited: Feb 22, 2013
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't need it. His connections already show in MGlogs.zip and he has not been hacked either. Also does not show any of the loopback like yours.

    They have no Java versions installed at all per their logs. As part of our standard cleaning process, we always have people update Java but only when it is installed and out of date. And note that your Java versions are out of date. You have the below:

    Java 7 Update 9
    Java(TM) 6 Update 24


    Probably not the issue at all. They had http connection questions, not shared drive questions. Also performance issues which are more likely related to McAfee, Acronis (when backups are running) and other unnecessary services from Google and Skype.

    You need to uninstall one of the firewalls you installed. You have two:
    Privatefirewall 7.0
    ZoneAlarm
     
    Last edited: Feb 22, 2013
  8. markem

    markem Private First Class

    Actually I have already uninstalled the old Javas (re my post that I used to have Java v7 u15 installed and the hackers reverted back to the old Java versions). I have already uninstalled Personal Firewall and installed ZoneAlarm but for some weird reason Personal Firewall just won't go away. I may have to go through the registry and just get rid of all entries for it. CCleaner doesn't see it as having been uninstalled either - but the software is no longer on my hard drive. So I'm thinking it is a registry thing. Like they didn't clean up everything when I uninstalled it. More as I know more.

    What else do you have? :)

    By the way:
    [System Process] 0 TCP 99.31.70.205 5900 211.174.182.45 39135 TIME_WAIT

    is going on my system presently and I cannot kill it. A whois on the above says it is from someplace in Asia.

    NetRange: 211.0.0.0 - 211.255.255.255
    CIDR: 211.0.0.0/8
    OriginAS:
    NetName: NET-211
    NetHandle: NET-211-0-0-0-1
    Parent:
    NetType: Allocated to APNIC
    Comment: This IP address range is not registered in the ARIN database.
    Comment: For details, refer to the APNIC Whois Database via
    Comment: WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
    Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
    Comment: for the Asia Pacific region. APNIC does not operate networks
    Comment: using this IP address range and is not able to investigate
    Comment: spam or abuse reports relating to these addresses. For more
    Comment: help, refer to
    http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
    RegDate: 1996-07-01
    Updated: 2010-08-02
    Ref: http://whois.arin.net/rest/net/NET-211-0-0-0-1

    OrgName: Asia Pacific Network Information Centre
    OrgId: APNIC
    Address: PO Box 3646
    City: South Brisbane
    StateProv: QLD
    PostalCode: 4101
    Country: AU
    RegDate:
    Updated: 2012-01-24
    Ref: http://whois.arin.net/rest/org/APNIC

    ReferralServer: whois://whois.apnic.net

    OrgTechHandle: AWC12-ARIN
    OrgTechName: APNIC Whois Contact
    OrgTechPhone: +61 7 3858 3188
    OrgTechEmail: search-apnic-not-arin@apnic.net
    OrgTechRef: http://whois.arin.net/rest/poc/AWC12-ARIN

    OrgAbuseHandle: AWC12-ARIN
    OrgAbuseName: APNIC Whois Contact
    OrgAbusePhone: +61 7 3858 3188
    OrgAbuseEmail: search-apnic-not-arin@apnic.net
    OrgAbuseRef: http://whois.arin.net/rest/poc/AWC12-ARIN
     
  9. markem

    markem Private First Class

    Add/Remove did not show Private Firewall as being there. CCleaner DID show it. Tried to uninstall it - could NOT.

    Downloaded Private Firewall again. Re-installed it after stopping ZoneAlarm. Now uninstalling ZoneAlarm so I can then uninstall Private Firewall again.

    More later.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not likely. You are not hacked. All of your logs are clean. The only questionable item is the below unknown file:
    Code:
    "C:\WINDOWS\"
    clofghls.dll  Sep 10 2012          25  "clofghls.dll"

    Most likely related to some software/game ...etc that you have installed. This is Elimnet, Inc. (http://www.elim.net/ENG/company/introduce_1.php). A hosting site in Korea.
    Code:
    IP Address: 211.174.182.45 (http://cqcounter.com/traceroute/?query=211.174.182.45)
    Host: 211.174.182.45
    Location: KR, Korea, Republic of
    City-, - -
    Organization: Elimnet, Inc.
    ISP: Elimnet, Inc.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Stopping is not good enough. The proper approach is to uninstall ZoneAlarm completely and then attempt to clean up after Private Firewall.
     
  12. markem

    markem Private First Class

    Ok - update. :)

    1. The HijackThis log I had posted I had also said came from my web server and not the system I was talking about.
    2. ZoneAlarm vs PrivateFirewall: I had to re-install PrivateFirewall because it was looking for a temporary file that wasn't there. So I did a search in the c:\Document and Settings\Mark\Local Temp directory until I found the missing MSI file, redirected the install there and PrivateFirewall installed. This allowed me to uninstall ZoneAlarm (which would not uninstall for unknown reasons and unknown reasons why it allowed me to uninstall afterwards).
    3. Did a reboot after uninstall of ZoneAlarm so I would have a clean boot for PrivateFirewall. Side note: The reason I uninstalled PrivateFirewall was because it suddenly would not allow anything to run. Which is why I will uninstall it again. I have no idea why it began refusing to allow anything to run - but it did. So I got rid of it and installed ZoneAlarm in its place. Don't know why Add/Remove said it uninstalled it correctly but CCleaner found an entry for it today. CCleaner did not find an entry for it days ago - but now it did. Don't know why that happened - would like to figure out why it happened so it doesn't happen in the future - but have no idea presently why it happened.
    4. PrivateFirewall is up and running presently. Going to uninstall it again and see if it goes away permanently this time. It will be my luck that it spawns a billion subprocesses.

    You say I have not been hacked. If that is so then how did the Java viewer for TightVNC get turned on? I did not set it like that and (as now) I made sure all of the check boxes were not checked. So someone had to have set them. My wife is not computer literate enough to have networked over to my system. Nor does she know the passwords to even log in to my system (or the admin passwords I've got set up for TightVNC). Coupled with this the fact that all of my disk drives were shared (when I hadn't shared them - and I just checked and they were all shared again) and it begins to be a stretch to say I have not been hacked in some way, shape, or form. Honest - I have sharing turned off completely. I don't have the "Simple File Sharing" option on - I have removed all folders from the sharing folder, I've even gone in to the security settings to ensure sharing is not on. Yet if I do a My Computer->Right Click->Manage->Shared Folders there is IPC$, C$, Admin$ (and the other disk drives if I turn them on). Something somewhere is turning on sharing on everything every time I reboot the system - and it is not me.

    Under Local Users and Groups - everything is turned off except my account and the SQLAgentCmdExec which I have on because I am using MySQL. Oh yeah - and ASPNet All other accounts are disabled. I renamed my Guest and Administrator accounts so they don't even use the same names anymore and there aren't any folders in the Documents and Settings for them either.

    Yet I'm getting:
    [System Process] 0 TCP 99.31.70.205 5900 203.156.144.209 42705 TIME_WAIT
    [System Process] 0 TCP 99.31.70.205 5900 203.156.144.209 42705 TIME_WAIT
    [System Process] 0 TCP 99.31.70.205 5900 203.156.144.209 42706 TIME_WAIT
    [System Process] 0 TCP 99.31.70.205 5900 203.156.144.209 42707 TIME_WAIT

    TightVNC uses port 5900. So who is trying to get into my system via TightVNC?

    It's that pesky
    OrgName: Asia Pacific Network Information Centre

    person again. That's who 203.156.144.209 is. Someone from Asia trying to log in to my system via TightVNC.

    So I'm sorry if the logs don't show anything but that doesn't mean someone isn't trying to get into the system - or succeeding to do so. We may just not know what back door has been put in to something (like TightVNC) but these people know about it and can obviously exploit it. That's how the Java viewer got turned on, my copy of Java reverted to an earlier version, and why TCPView was removed from all of my systems. They didn't want me to be able to see that they were using port 5900 (TightVNC), and 5800(TightVNC Java Viewer port).

    (After some more work...)
    Here is what the TCPView looks like now:
    FileZilla Server Interface.exe 2396 TCP server1 1129 localhost 14147 ESTABLISHED 299 1,495 299 1,495
    FileZilla server.exe 1848 TCP server1 14147 localhost 1129 ESTABLISHED
    gzserv.exe 1332 UDP server1 1025 * * 311 311 311 311
    gzserv.exe 1332 UDP server1 1028 * * 10 506 10 870
    lsass.exe 1164 UDP server1 isakmp * *
    lsass.exe 1164 UDP server1 4500 * *
    svchost.exe 1012 UDP 99.31.70.205 1900 * * 2 266
    svchost.exe 1012 UDP server1 1900 * *
    svchost.exe 1012 UDP server1.google 1900 * *
    System 4 TCP server1 microsoft-ds server1 0 LISTENING
    System 4 TCP 99.31.70.205 netbios-ssn server1 0 LISTENING
    System 4 UDP 99.31.70.205 netbios-dgm * *
    System 4 UDP server1 microsoft-ds * *
    System 4 UDP 99.31.70.205 netbios-ns * * 86 4,300
    System 4 TCP server1.google netbios-ssn server1 0 LISTENING
    System 4 UDP server1.google netbios-ns * *
    System 4 UDP server1.google netbios-dgm * *
    tcpsvcs.exe 2132 UDP server1 chargen * *
    tcpsvcs.exe 2132 UDP server1 discard * *
    tcpsvcs.exe 2132 UDP server1 daytime * *
    tcpsvcs.exe 2132 UDP server1 qotd * *
    tcpsvcs.exe 2132 UDP server1 echo * *
    tvnserver.exe 2280 TCP 99.31.70.205 5900 adsl-99-31-70-201.dsl.hstntx.sbcglobal.net 2334 ESTABLISHED

    That is how it should look. Not with hundreds of bogus requests going out to who knows where. All it took (so far that is!) is to completely uninstall Java and install Java v7 update 15,

    Well what have we here? Someone turned on Offline Files. Turned that off too now. Now all that's left is to figure out how to turn off that IPC$ shared folder. Once I get that turned off I will probably be safe again for a while. Then I'm going to track down whoever did this to my system.

    Thanks for the help though. I really do appreciate it! :)
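An added example, not code from the thread or from TCPView itself: a small Python parser for TCPView rows pasted the way posts #3 and #12 show them, with the two checks a responder would want over such a paste. The first finds the one port repeated across all the loopback-to-loopback sockets (the 44080 pattern: a local service talking to itself, paired with a fresh ephemeral port on every row); the second lists which remote peers have connected to a given listening port such as TightVNC's 5900, so that expected peers (the poster's own machines) can be separated from unexpected ones. The sample rows are copied from the output pasted in this thread; the regex, function names and thresholds are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One TCPView row: process, PID, protocol, local addr/port, remote addr/port,
# optional TCP state, optional packet/byte counters. The process column can
# contain spaces ("[System Process]"), so it is matched lazily up to the
# first "<pid> TCP|UDP" pair.
ROW_RE = re.compile(
    r"^(?P<proc>.+?)\s+(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+)\s+(?P<lport>\S+)\s+(?P<raddr>\S+)\s+(?P<rport>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?(?:\s+(?P<counters>[\d,\s]+))?\s*$"
)

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Connection:
    proc: str
    pid: int
    proto: str
    laddr: str
    lport: str
    raddr: str
    rport: str
    state: Optional[str]


def parse_tcpview(text: str) -> List[Connection]:
    """Parse pasted TCPView rows; lines that do not fit the layout are skipped."""
    rows: List[Connection] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Connection(m["proc"], int(m["pid"]), m["proto"],
                                   m["laddr"], m["lport"], m["raddr"],
                                   m["rport"], m["state"]))
    return rows


def loopback_port_bursts(conns: List[Connection], threshold: int = 5) -> Dict[str, int]:
    """Ports repeated across at least `threshold` loopback-to-loopback TCP sockets.

    Each ephemeral port appears once; the service port appears on every row,
    so it is the one that crosses the threshold and identifies the service.
    """
    hits: Counter = Counter()
    for c in conns:
        if c.proto == "TCP" and c.raddr in LOOPBACK:
            hits[c.lport] += 1
            hits[c.rport] += 1
    return {port: n for port, n in hits.items() if n >= threshold}


def inbound_on_port(conns: List[Connection], port: str) -> Counter:
    """Remote peers seen on a local service port (e.g. VNC's 5900), with counts.

    LISTENING rows and loopback peers are excluded; the reader decides which
    peers are expected (own machines) and which are not.
    """
    peers: Counter = Counter()
    for c in conns:
        if (c.proto == "TCP" and c.lport == port and c.state != "LISTENING"
                and c.raddr not in LOOPBACK):
            peers[c.raddr] += 1
    return peers


def listening_ports(conns: List[Connection]) -> List[Tuple[str, str]]:
    """(port, process) for every TCP socket in LISTENING state."""
    return [(c.lport, c.proc) for c in conns
            if c.proto == "TCP" and c.state == "LISTENING"]


# Sample rows copied from the TCPView output pasted in posts #3 and #12.
SAMPLE = """\
[System Process] 0 TCP lost-site 44080 localhost 1745 TIME_WAIT
[System Process] 0 TCP lost-site 1818 localhost 44080 TIME_WAIT
[System Process] 0 TCP lost-site.google 1875 theta.majorgeeks.com http TIME_WAIT
[System Process] 0 TCP lost-site 1858 localhost 44080 TIME_WAIT 16 19,885
[System Process] 0 TCP lost-site 1828 localhost 44080 TIME_WAIT 4 3,680
[System Process] 0 TCP lost-site 1860 localhost 44080 TIME_WAIT 2 1,252
[System Process] 0 TCP lost-site 44080 localhost 1870 TIME_WAIT
[System Process] 0 TCP 99.31.70.205 5900 203.156.144.209 42705 TIME_WAIT
[System Process] 0 TCP 99.31.70.205 5900 203.156.144.209 42706 TIME_WAIT
[System Process] 0 TCP 99.31.70.205 5900 203.156.144.209 42707 TIME_WAIT
FileZilla Server Interface.exe 2396 TCP server1 1129 localhost 14147 ESTABLISHED 299 1,495 299 1,495
svchost.exe 1012 UDP 99.31.70.205 1900 * * 2 266
System 4 TCP server1 microsoft-ds server1 0 LISTENING
tvnserver.exe 2280 TCP 99.31.70.205 5900 adsl-99-31-70-201.dsl.hstntx.sbcglobal.net 2334 ESTABLISHED
"""

if __name__ == "__main__":
    conns = parse_tcpview(SAMPLE)
    print("rows parsed:", len(conns))
    print("loopback bursts:", loopback_port_bursts(conns))
    print("peers on 5900:", dict(inbound_on_port(conns, "5900")))
    print("listening:", listening_ports(conns))
```

Run against a full paste, the loopback check reduces hundreds of rows to one port to look up (the thread's answer for 44080 is a local antivirus listener), and the 5900 check turns "someone is connecting to VNC" into a short list of peers with counts, which is what a password change, a firewall rule, or an abuse report actually needs.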
     
  13. markem

    markem Private First Class

    I don't know if you know about Emsisoft but I did some research and decided to download and run their Emergency Kit. It is a huge program and runs very slowly but on every machine so far I have gotten what I am uploading as a snapshot.

    I also did some checking on the Offline and Shared files. It turns out that on Windows XP (and other MS OSs) that file sharing is turned on by default. Under Windows XP if you right-click on the My Computer icon and select the Manage option you get a dialog. Left-click on the plus sign next to the Shared Folder and you will get three subfolders. The Shares subfolder you can see there is an IPC$ and possibly a <DRIVE>$ for each drive on your system. These are all of the shared disks on your system. Although you can right-click on each and stop them - when you reboot your system they come right back. There is only one way to stop that from happening.

    And that way is to insert a new option that tells Windows to not share the folders. I found this out by going to http://www.petri.co.il/disable_administrative_shares.htm and reading up on how to do it.

    By doing all of the above my system began running a lot faster.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes we have known about Emsisoft for many years. We don't typically use it because it has always had way too many false detections.
    Okay but this may impact some applications that you run that may require sharing.

    While sharing can be a potential security risk, in most cases it is not an issue. As you stated IPC$ exists by default and everyone who uses MS OS's is not having problems just because this is enabled. I have a home network with more than a dozen PCs connected to it and I do have sharing enabled to allow copying of files between PCs and for doing backups. I have never once had a security issue due to this and it has been this way since Win ME and 2K days.

    Also what does this have to do with your questions about TightVNC? If you still believe someone is accessing your PC remotely, you should at a minimum change ALL passwords including TightVNC passwords, FileZilla Server passwords, and PC passwords. Also you may want to not allow TightVNC and FileZilla Server to run for awhile. Note just exiting them does not stop the services from running. You would still have to run services.msc and stop the services and change the startup mode to stop them from starting automatically.
     
  15. markem

    markem Private First Class

    Ok - let me answer all of your posts. :)

    1. Sharing - we don't share at our house. I found out a long time ago that my wife likes to go to places she should not. Limewire, on-line game places, etc... So she is the entry point a lot of times for unwanted people/software/whatever to come into our network. To protect all of the systems I've isolated them from each other to try to make it harder for someone to take over all of the various systems. It works somewhat except that I installed TightVNC so I could still log on to each of the systems.
    1a. So to summarize - we do not do sharing or offline files. I use FTP to move big files from one system to the other or TightVNC to move small files around.
    1b. Because we specifically do not use sharing or offline files - when those came on - it had to be because someone else turned them on. I did not. My wife does not even know how to do this.

    2. I am glad you can use sharing. We do not. Nor do we use offline files.

    3. TightVNC has the capability of using Java as another type of viewer. There is an option in TightVNC to use it (see uploaded image). I will never enable that because Java has a lot of holes to it. I use Java to run PCGen and D20Pro uses it. (So when I play D&D I use it.) Otherwise, I do not use it. I installed Java version 7 update 13 about a month ago. This was because of a security notification we received at the University of Houston around that time talking about one of the gaping holes in Java that was being exploited. They recommended updating to v7.13 which I did on all systems.
    3a. When the hacker attacked, all copies of TCPView were removed. This was installed on all of our computers.
    3b. When the hacker attacked all copies of Process Explorer were removed. This was installed on all of our computers.
    3c. Files sharing was re-enabled.
    3d. Offline Files was re-enabled.
    3e. My system began running slower and my wife's computer began running slower. So I thought maybe they just needed to be defragged or maybe something had gotten out of whack with the system. But when I walked by the router and saw it was transmitting information at a high rate of speed and none of the computers were doing anything that merited that high of a transmission rate - I knew something was wrong and immediately turned off the router. I have a fail-safe network in place that allows me to still go between systems. This network remains turned off except in emergencies. So I turned it on and moved the ethernet lines over to it.

    4. I first ran the SUPERAntiSpyware program, then Avira (on the systems that had it) and they found nothing.
    4a. I then looked at TightVNC and found the Java view turned on - on all systems. I turned all of those off and changed the passwords on all TightVNC installations.
    4b. I then changed all of the passwords on all of the PCs.
    4c. I then turned off all of the PCs except my own and rehooked up the router and checked to see how much traffic was going across the network with just my PC. There was some - but it was fairly normal. (Turned out not to be normal - but eyeballing it - the router wasn't going crazy.)
    4d. I then got on here to ask for help.
    4e. I ran all of the programs and uploaded the logs.
    4f. I then began researching things because it has been about ten years since we last had some kind of major intrusion and I was sure I had forgotten some things. Here is where I came across file sharing and then offline files again.
    4g. So I then checked to see if sharing was enabled and it was again. I turned that off. Offline files was also enabled on those systems that had external hard drives connected to them. I turned that off.
    4g1. To be clear - I turned off the external hard drives so they could not be uploaded to some other site, turned back on the system, ensured there wasn't any kind of heavy traffic on the router because the system was back up and going, and then logged in to the system via TightVNC from my computer, and made the changes.
    4h. I then went back and did some more research and remembered about RPCs. These had been turned off by me a long time ago also. When I checked them - they were all turned on too. So I turned them back off.
    4i. I also uninstalled all versions of Java from all of the systems and then downloaded the latest version which is Java version 7 update 15. So now all of the systems have this version installed on them.
    4j. Under the Local Security Policies - four accounts with funky names had been given access to the system as remote logins. These were all removed. These were on three of the five systems I have up and running. There were also a large number of folders on one system set up for one of these accounts. They were all removed.

    To date - here is my status:
    1. The possible trojans that the Emsisoft software found are now in Quarantine until I can test them with other software to ensure they are not really trojans.
    2. TCPView once again shows a reasonable number of requests happening when I go to a website and all entries can be accounted for.
    3. The strange Asian and Latin America connections that were being made are no longer happening.
    4. Process Explorer doesn't have any kind of strange programs running.
    5. Task Manager no longer shows network usage at very high rates.
    6. The router is no longer showing an extraordinary number of transmissions on it.
    7. I feel confident that all traces of the hackers have been removed and I have begun tracking down the people who did this. If I am successful in my endeavors I will remove all traces of my belongings from their systems as well as probably do something not too nice to their system or systems so they can know the pain I have gone through this past two weeks.

    I would like to thank you for your time and effort in helping me. When I was going AHHHHHHH you were going "Stay calm - you can get past this". I realize I raced off into the unknown but I was fighting to save our systems as our files were being sucked off into the great unknown. Your help is greatly appreciated. If I get on my feet financially again I will see about donating some money or maybe some equipment to you guys. Thank you again.

    PS: I did some research on the DLL you mentioned and everyone was saying it was some kind of virus so I put it into quarantine as well. :)
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Glad to hear you have it worked out and have peace of mind. ;)

    Not necessary. Your thanks is enough. :) You're welcome.

    Yes there were lots of things saying bad but many of the ones I noticed really had no proof.

    For the most part, DLLs should not be in this folder but some legit stuff does put them there. Also seemingly randomly named files like this always raise an eyebrow.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  17. markem

    markem Private First Class

    Follow-up

    I thought I'd just post a quick follow-up:

    Wife's Computer: Fixed. After reading the recommendations for firewalls I downloaded and installed the Comodo Firewall Free. All viruses and other anomalies have been removed. She is happy again.

    My Development Computer: I changed out Private Firewall for Comodo Firewall. My system appears to be clean of problems.

    Graphics Computer: Unfortunately - the backup I had made of this system failed during the backup of the Windows OS - it will have to be re-installed. This computer is the lowest on my list so it will be worked on last.

    Server: This computer definitely has something wrong with it. I believe some kind of malware has been installed onto it that I have not seen before. All scans return nothing but when I plug the backup/archive external disk drive in to it and go to the Local Security Policies program there is a new object location given called MININT and the if you are trying to add/remove someone the security panels now all refuse to work with anything other than the MININT location. Further, the backup drive begins trying to send files off to unknown areas and the shared locations and offline file items become re-enabled. A complete search of both the laptop's hard drive and the external disk drive do not turn up any information about MININT, there are no hidden partitions on either drive, and none of the programs I have downloaded and tried have found anything wrong. Yet now the laptop will not connect to any wireless connection anymore and the router goes crazy when I plug the system in to it. This is (in my honest opinion) some kind of software that got installed and kicks in to gear the moment the conditions are right. So I am going to just wipe and re-install the OS. That should fix the problem. Hate to do it because then I have to re-install all of the servers but better that than having this offline/shared folder stuff happening.

    Thanks again. :)
     
  18. markem

    markem Private First Class

    Update 3/2/2013 @ 10:05am

    Development Computer (My Computer):

    TCPView is deleted again off of my computer.

    Luckily I have the ZIP file from Microsoft. I unarchived it and re-installed it. When I went here to post this I got the hundreds of entries. Most hooking up to remote port 44080 again.

    Not good. :-/
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Update 3/2/2013 @ 10:05am

    I know of no infections that remove TCPView. The only possible explanation I have is that a malware scanner is removing it due to what it can be used for.
    Do you still have Avira installed on this PC?
     
  20. markem

    markem Private First Class

    Sorry it is taking so long to answer. Last week of my contract so we are trying to get a lot done there and the system is turned off until I can work on it more.

    Avira -> Yes - it is still installed. Why?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Because as noted earlier, Avira uses that port to listen.
     
  22. markem

    markem Private First Class

    My main computer (Developer Computer):

    Only things quarantined by Avira are e-mail attachments. I installed Spyware Blaster two days ago. Current install of TCPView is staying around.

    Web Server/Email Server/FTP Server/SVN Server/Everything Server:
    I brought up the server again after having cleaned off everything and it began relaying spam like crazy. Put a stop to that. The hacker had set options in the e-mail server to do this. I had no idea just how many other computers were trying to log in to the e-mail server! Must have had over 200 attempts in just a few moments. The auto-block had been turned off and the "Allow SMTP Authentication" had been turned on. Luckily no new e-mail addresses had been created and the old passwords are only shown as dots. But I'm thinking of setting up a Perl script to grab the TCP/IP addresses so I can automate the sending of abuse letters to the owners of the TCP/IP addresses. The server is now sitting quietly and only doing a little traffic again.

    Wife's computer:
    It is back up and running again without incident. Installed Spyware Blaster on to it also.

    Graphics computer:
    Still down. Just need to do the same things to it and it will be back up and running.

    I currently have:
    Avira on all systems (Paid)
    Personal Firewall or Comodo Firewall (free) on all systems
    Spyware Blaster on all systems (Free)
    SUPERAntiSpyware on all of the systems (Paid)

    I am looking at buying Firewall software so I can have the professional versions but I don't want to buy Firewall software that has antivirus software in it too (or anti-malware). Like you have on the readme - only ONE of each. Not five or six.

    Very tiring and emotional day today. Last day of work at the UofH. Our lawsuit against Sears is coming up. Lawyer pressed hard for us to settle out of court but Sears is not willing to give us enough to repair the damage they caused to our house. I am also behind in the scanning of my older books I have into my computers. Trying to get rid of the paper versions. Over 300 books left to scan. Can't afford to re-buy them as electronic versions. :-/ Need to get the graphics computer up and running so I can go back to working on that effort.

    But in any event, it appears either Avira, SUPERAntiSpyware, SpywareBlaster, or the firewall software has put a stop to the hackers from being able to get rid of TCPView. However that was done. Thanks again for the help!

    :)
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Glad to hear you are starting to get things stabilized.
    In many cases this can be a waste of your time because hackers will not use their own IP address. They will normally use a proxy of some sort, commonly have dozens of them, and rotate through them. And many of the proxy sites are in countries that don't care about security issues in other countries or even their own.
     
    Last edited: Mar 11, 2013
  24. markem

    markem Private First Class

    Yeah, I ran into that before I started using Spamcop. Well, at least things are back to normal (more or less). :) I will be back if something strange begins happening again. Later!
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Glad to hear it. Surf safely!
     
  26. markem

    markem Private First Class

    I hate to keep popping up like this but....


    I just got two requests - both from my web server. It attempted to log in to two systems I had put Comodo firewall on to. Maggie is also back on the router as a DHCP entry which I never put there.

    What I have done so far:

    1. Immediately used Roboform's Generate a secure password, regenerated passwords for the admin account on both routers and set them to the new passwords.
    2. After that I generated new 64 character passwords for the routers and set them.
    3. Rebooted both routers.

    It was after this that I got the pop-ups from Comodo Firewall saying the web server was trying to make a connection back to me. First via 192.168.1.100 (web server's wireless) and second by 99.31.70.205 (actual web server IP address).

    So I am taking it the web server has been compromised.

    Brought up Microsoft's Process Explorer. Nothing running that should not be running. Rebooting router.

    The Linksys Router is not coming back up. Unknown why not. More as I know more.
     
  27. markem

    markem Private First Class

    Ok.

    The hacker had already gotten to the web server and started up some program that overlaid the e-mail server's information with a copy-cat screen. I always move the tools option dialog around a bit because someone (possibly the same hacker) did this same trick on Avira. So now I move the dialogs around a bit after they come up to see if there is some kind of thing like this going on. I have yet to figure out what the program is called. It doesn't seem to show up in either Process Explorer or Task Manager. (Process Explorer had been deleted again, by the way.)

    I decided to reboot the web server and that always seems to get rid of the program. So maybe there is some connection between being able to trick Task Manager into not seeing the program and not hanging around after a reboot? Unknown but I believe it got to everything before the hacker could do any harm this time. My main web pages are still down because php5cache.dll is now deleted. I had posted a fairly nasty "I hate hackers" thing on my site so it is possible they were just targeting that. I guess the truth hurts. :)

    I'm going to work on getting things back up and running and then we will see what they have done to the website. :)
     
  28. markem

    markem Private First Class

    Well, all I can say right now is that the person was deleting the PHP install. About half of the install is missing on the web server. I should have that fixed in another hour. Amazing how much damage someone can do in a few minutes if they know what they are doing. :)
     
  29. markem

    markem Private First Class

    Yesterday the hacker attacked again. The person attempted to get in to my computers but Comodo intercepted them and asked me if I wanted to allow a connection into my computer. I declined. I reset the passwords on all of my routers, made sure everything was ok, and went to bed.

    This morning I got up and the passwords had all been reset to a previous password. I generated a new 64-character (512-bit) encryption key and set all of the passwords again. I found a log file on my desktop that wasn't there yesterday and was wondering if you guys would like to look at it. It is creating and deleting registry keys. I'm not all that good with knowing which registry keys do what. Or to put that another way - I know enough to be dangerous - if you know what I mean. :)

    I'll upload it.
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just a log from using netsh to reset TCP/IP. See: http://support.microsoft.com/kb/299357
     
  31. markem

    markem Private First Class

    Ok thanks! :)

    I had to reset everything last night because I was getting the 169.224.x.x numbers. I have done that before but do not remember having seen the reset.log file before.

    Web server is still acting up. Haven't found what the hacker did to PHP, but nothing I have done so far (checked the PATH, the Apache config file, the PHP.ini file) has shown me what they did to make PHP no longer run properly. I copied over the PHP version I have installed on my Developer machine but that still gets the same errors. Still looking at this. :)
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps you should have run the cleaning procedure on your web server just to make sure that it is not infected. You ran the procedure on a different PC which I had stated was not infected. You don't have to be infected in order to be hacked, but you could be. Most of the time hackers get in due to security holes in outdated/non-updated software. Other times they get in due to improperly protected/unsecured networks. If they keep getting in, it means that you either have an infection or a major security hole that you are not plugging up.
     
  33. markem

    markem Private First Class

    Yeah, I did run everything on the server and it was clean. I use DD-WRT on the routers. I'm still thinking our biggest security risk is my wife's playing those online games. She has admin privileges on her computer because she does bring home computer programs from her school (where she works) and installs them onto her system because she has been told to do so.

    Two nights ago the hacker was back. I was trying to set up the new ASUS rt-n10+ router I'd bought and as fast as I would set the passwords up they would be changed to something I had never used before. Once I realized the guy was on I set the router's password and then unplugged it. After waiting a few moments I plugged it back in and checked all of the statuses. Only me on, so I set the thing up and then unplugged it again. I then replaced the ASUS rt-n12 I had with the rt-n10+, reflashed the rt-n12 and began working on it. At 3:00am this morning I finished with the router. (I was attending a convention up until midnight and worked on it when I got home.) The guy must have gone "He's in bed and not going to do anything else until tomorrow" because no one tried to do anything while I was working on the router.

    We did have a Zeno (from Dell) which was set up to let us watch TV over the internet. I went in and changed it to be a limited account on the box. I've got an account which shows on the login that has full admin rights but it also has a password ("STRONG" from the websites I use similar passwords on).

    Tonight I have to modify the rt-n10+ so it becomes a repeater. That will up our overall speed here at the house. I'm also having GoDaddy check to make sure people from the outside can still get to the website. I've tested it but it was taking a long time to come up. So I want to make sure something with the network leaving the house isn't mucked up.

    I use 64-character passwords on the routers (512 bits). Again, I'm thinking the problem is more from within than without. Not sure. Maybe I can convince my wife to let me put another account onto her system that she can log in to in order to install software (or remove it) and then her main account could be a limited account. In this way she could still do what she wants but it wouldn't leave us with an open door for someone to come in and begin mucking around with everything.

    At least all of the computers now have either Private Firewall or Comodo (versus Avira's firewall which is almost at the bottom of the list). So it could just be that I had the worst firewall installed on our systems possible and that is why they could get in. Unknown. But Comodo has come up several times in the past few days "##.##.##.## wants to make a connection to your computer" and I just say no.

    Sorry to keep posting but things are beginning to totally stabilize again. I just need to finish up with these routers and we will be back to normal again. (Or the hacker got tired of playing around with me and left.)

    I do have a question. Not the right part of the forum to ask this I think - but I'm already here. Question: When the hacker set my e-mail server to accept SMTP authentication I saw hundreds of attempts go by very quickly on the server as I was frantically trying to figure out what option the hacker had set. Is there some program that would be able to catch those attempts to log in to the system and send them off to a blacklist? What I was seeing was something like:

    ##.##.##.## [account/password] - failed <date><time>

    There were maybe ten or fifteen websites trying to log in over and over again. I figure I could write something in like PHP or AutoIt and do the lookups and emailing myself - but if there is something already out there to catch these IPs and send them somewhere (like I do with Spamcop) - I'd like to do that instead. (I know - I'm just lazy that way! :-o)

    Thanks in advance for any thing you can think of. :)
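
The question above (and the earlier post about automating abuse letters from the relay incident) is what a fail2ban-style log monitor does. The following is an added example, not anything posted in this thread: it parses lines in the shape quoted (`ip [account/password] - failed date time`), counts failures per source address inside a sliding window, leaves LAN and loopback addresses alone, and emits Windows Firewall block commands and an abuse-report body. The sample log is constructed from RFC 5737 documentation addresses, the line format and timestamp layout are assumptions from the one line quoted, and the `netsh advfirewall` rules assume a Windows host; adjust the regex to the real log before trusting the counts.

```python
"""Fail2ban-style triage of SMTP AUTH failures: parse, count per source IP, block, report.

Added example; assumes the mail server writes one line per failure in the shape
quoted in the thread and that the server is a Windows box (netsh advfirewall).
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape quoted in the post:
#   <ip> [account/password] - failed <date><time>
# Addresses are RFC 5737 documentation ranges plus one LAN host; none are real attackers.
SAMPLE_LOG = """\
203.0.113.45 [admin/123456] - failed 2013-03-17 02:14:05
203.0.113.45 [admin/password] - failed 2013-03-17 02:14:06
203.0.113.45 [postmaster/123456] - failed 2013-03-17 02:14:07
203.0.113.45 [admin/admin] - failed 2013-03-17 02:14:09
203.0.113.45 [mark/mark] - failed 2013-03-17 02:14:11
198.51.100.7 [admin/letmein] - failed 2013-03-17 02:20:00
198.51.100.7 [admin/qwerty] - failed 2013-03-17 02:21:30
192.168.1.100 [mark/oops] - failed 2013-03-17 02:30:00
203.0.113.9 [sales/sales] - failed 2013-03-17 01:00:00
203.0.113.9 [sales/sales1] - failed 2013-03-17 03:30:00
203.0.113.9 [sales/sales2] - failed 2013-03-17 03:31:00
203.0.113.9 [sales/sales3] - failed 2013-03-17 03:32:00
203.0.113.9 [sales/sales4] - failed 2013-03-17 03:33:00
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\[(?P<account>[^/\]]+)/(?P<password>[^\]]*)\] - failed "
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)

# Explicit allowlist instead of ipaddress.is_private, because Python also treats the
# RFC 5737 documentation ranges used in the sample as non-global.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local sources: never auto-block those."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_failures(text):
    """Return [(ip, account, timestamp)] for each well-formed failure line; junk is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # 999.1.1.1 matches the regex but is not an address
        when = datetime.strptime(m.group("when"), "%Y-%m-%d %H:%M:%S")
        events.append((m.group("ip"), m.group("account"), when))
    return events


def offenders(events, threshold=5, window_seconds=600):
    """{ip: total_failures} for non-local IPs with >= threshold failures inside any window."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ip, _account, when in events:
        if is_local(ip):
            continue  # e.g. the 192.168.1.100 web server in the thread
        by_ip[ip].append(when)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits


def firewall_rules(hits):
    """Windows Firewall block rules, returned as strings so a human reviews them before running."""
    return [
        f'netsh advfirewall firewall add rule name="smtp-auth-bruteforce {ip}" '
        f"dir=in action=block remoteip={ip}"
        for ip in sorted(hits)
    ]


def abuse_report(ip, events):
    """Evidence text for an abuse complaint: times and targeted accounts, never the guessed passwords."""
    rows = sorted((when, account) for src, account, when in events if src == ip)
    lines = [f"{len(rows)} failed SMTP AUTH attempts from {ip} (server local time):"]
    lines += [f"  {when:%Y-%m-%d %H:%M:%S}  account={account}" for when, account in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    found = offenders(evts)
    print("\n".join(firewall_rules(found)))
    for bad_ip in found:
        print(abuse_report(bad_ip, evts))
```

With the defaults only 203.0.113.45 is blocked: 198.51.100.7 never reaches five failures, 203.0.113.9 has five in total but never five inside ten minutes, and the LAN host is skipped outright. Widening the window to an hour with a lower threshold also catches 203.0.113.9, which is the trade-off to tune against your real traffic. The abuse text deliberately leaves the guessed passwords out; forwarding them to a third party leaks what the attacker tried against your accounts. As noted earlier in the thread, the source will often be a proxy or a compromised host, so the temporary block does more for you than the letter.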
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you check the MBR and also for partition infections which are quite common these days and they can open up back doors into a computer. Also if you have any outdated software running that has security holes, this could be an open door for a hacker. You could even have an undetected infection inside of some application that is already running especially html/php code which typically goes totally undetected.

    You could try running the below to look for security issues with third party programs.

    http://secunia.com/vulnerability_scanning/personal/

    Not that I know of. At least not automatically. You have a firewall in place to block things like this. As long as they are being blocked, there is no issue. As you know, seeing attempts is not the same thing as getting in. If you actually have something inside your network (that is, it is on the network side of your hardware firewall), your software firewall is what should help to protect you.
     
    Last edited: Mar 17, 2013
  35. markem

    markem Private First Class

    To Chaslang - I have not run the suggested software yet. Just got back on the site today. Been very busy lately.

    Update:

    I finally got a screen snapshot of the hacker being on the router. See attached. Not that it does me a whole lot of good to have that information (other than to be able to say I wasn't insane saying there was a hacker on the system!). :)

    Our main problem was that we were using WPA instead of WPA2. I went and read the Wikipedia about WEP, WPA, and WPA2. It is very interesting. I did not know that WPA was an unfinished release - but am not surprised as I have seen this same kind of mentality (of releasing unfinished programs or programs using unfinished specs) many times.

    The hacker struck last week again which was when I started reading up on WPA2 because I would change the key and a day or so later the hacker would be back. So they were doing a brute force attack on us to crack the WPA key as quickly as possible. I had turned on logging on the router and no fewer than 1,000 attempts to log in were done within a 24 hour period. I tracked the IP address given to Frankfurt, Germany and a dial-up line but that just means whoever owns that computer probably doesn't even know they are doing this. In any event within two days the hacker was back, I changed the key again, and then began reading the Wikipedia write-up. Two of my computers had to have their mini-wireless drivers updated so they even knew what WPA2 was. As I was adjusting the main router the hacker attacked again. As fast as I changed the router to WPA2 he was resetting it back to WPA. So I unplugged all of the routers and waited a few hours. Then I reset the router to the default set up, logged in (using DD-WRT on the routers), set it to WPA2, and then began rebuilding all of the options.

    After the first router I did the second one and even got it to work better than it had been in a while. I then wrote a script that logs in to both routers and changes their keys at night to a new unique key and then logs back in around 5:00am and changes it to the one I had set up. The hacker hasn't been able to get back in although there are still a lot of attempts to do so. I'm looking into modifying the iptables so only certain ports are available for anyone to use (like 21, 25, 110, 80, 8080, etc...). The ports they are trying to log in to are like 4193 or higher.

    Most (but not all) of the problems have stopped. I fixed the e-mail server again so it works correctly. I've set TightVNC so it automatically locks the server when I disconnect and you have to know the password to get in. The troubling thing is - sometimes I get knocked off of the server via TightVNC. Since I set it so that only one person at a time can be on the server via TightVNC this gives me cause for concern. I have tried changing the password to get on to the server's TightVNC connection but it still drops every now and then. Could just be my system is overloaded with protection software now and it is dropping the connection because of the load. Better safe than sorry I say.

    As before, all systems (except the server) have Comodo free firewall on them now. The server has Private Firewall. I didn't put Comodo on it because I do not know if Comodo will allow a server to run on it since people from the outside would have to be able to make connections to it. Private Firewall does allow connections to be made. So I went with it.

    I will try out the software you said I should try and I will let you know what happens. Later!

    Oh! And no - I don't know who this Steven person is.
     

    Attached Files:
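
The posts above turn on the strength of the wireless key, so here is an added example (not the poster's router script, and not part of the original thread) of how WPA-PSK turns a passphrase into the key and what an offline guess costs. Two facts worth having beside those posts: a WPA/WPA2 passphrase is 8 to 63 characters, and what routers accept as a 64-character key is the raw 256-bit PMK written as 64 hex digits; and WPA and WPA2 derive that PMK the same way (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 iterations, per IEEE 802.11i), so the passphrase is what the attacker has to guess either way. That guessing is done offline against a captured handshake and does not appear in the router's login log. The `password`/`IEEE` vector is the one published with the standard; the passphrase alphabet in `random_passphrase` and the simplified PMK comparison in `dictionary_attack` are assumptions made for the example.

```python
"""WPA/WPA2-PSK key derivation and the offline guessing it has to resist.

Added example, not the thread's router script. Assumes the IEEE 802.11i PSK rule:
PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), which is the same
for WPA (TKIP) and WPA2 (CCMP); only the passphrase changes the cost of a guess.
"""
import hashlib
import hmac
import secrets
import string
import time

HEX = set(string.hexdigits)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PMK from a passphrase (8..63 printable ASCII) and the network's SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def psk_from_router_field(value: str, ssid: str) -> bytes:
    """A router's key field holds either a passphrase or the raw PMK as 64 hex digits (256 bits)."""
    if len(value) == 64 and all(c in HEX for c in value):
        return bytes.fromhex(value)
    return wpa_psk(value, ssid)


def random_passphrase(length: int = 63) -> str:
    """Maximum-length passphrase from a CSPRNG; 63 chars over 62 symbols is ~375 bits, beyond the PMK."""
    alphabet = string.ascii_letters + string.digits  # assumption: letters+digits survive any router UI
    return "".join(secrets.choice(alphabet) for _ in range(length))


def dictionary_attack(target_pmk: bytes, ssid: str, candidates):
    """Simplified offline attack. Real tools verify each guess against the captured 4-way handshake
    MIC, but every guess costs one PBKDF2 run either way, so comparing PMKs models the cost.
    Returns the recovered passphrase or None."""
    for guess in candidates:
        if not 8 <= len(guess) <= 63:
            continue  # cannot be a WPA passphrase; skip without spending a PBKDF2
        if hmac.compare_digest(wpa_psk(guess, ssid), target_pmk):
            return guess
    return None


def guesses_per_second(ssid: str = "IEEE", n: int = 50) -> float:
    """Rough single-core rate of this pure-Python loop; GPU crackers are orders of magnitude faster."""
    start = time.perf_counter()
    for i in range(n):
        wpa_psk(f"guess{i:08d}", ssid)
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    pmk = wpa_psk("password", "IEEE")  # IEEE 802.11i published test vector
    print("PMK:", pmk.hex())
    print("recovered:", dictionary_attack(pmk, "IEEE", ["letmein1", "password", "qwerty12"]))
    print(f"{guesses_per_second():.0f} guesses/s in pure Python")
    print("new key:", random_passphrase())
```

Run stand-alone it prints the published PMK for `password`/`IEEE`, recovers that passphrase from a three-word list, and shows the guess rate of a single Python core; a dictionary word falls in seconds, while a 63-character random key is out of reach at any rate. The SSID is the PBKDF2 salt, so a common SSID name lets an attacker reuse precomputed tables; a distinctive SSID plus a long random passphrase is the combination that makes the nightly key rotation described above unnecessary.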

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, it does appear that someone is attaching themselves to your wireless network. Improving your security settings on this should help.
     
  37. markem

    markem Private First Class

    I am happy to report that with the upgrade to WPA2 - we have not had a break-in for the past two weeks. I also set up the auto-emailing of myself whenever someone gets on to the router. Although there are still a lot of attempts to log in - none of them are able to do so thus far. I think I can let this thread go now.

    Again - THANK YOU! To everyone at MajorGeeks.com who has helped me with this. I do greatly appreciate the help and advice.

    Later guys and gals! :)

    Mark
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Glad to hear you finally have it resolved.
     
  39. markem

    markem Private First Class

    Hey! Just dropping by. Latest is - I got a letter from my 401K company saying someone tried to get into my account. So now I'm going through changing all of my passwords on all of the websites I go to. There are about 450 websites I frequent so by midnight last night I was up to the G's. I just reached the M's and here I am - changing my password.

    If you want to see a very poorly designed website (security-wise) - check out Macy's. Once you have signed up - there is no way to change your e-mail address or password or anything else for that matter. All of the links send you back to the sign-in screen. Once you have signed in again you are just sent back to the screen where they start trying to sell you something. Or in other words - there just isn't any way to get back to your personal information. I've written to them in the only way I could: Their "Tell us about your credit card experience". None of the other links either work or you just get sent back to the "Sign In" screen.

    Anyway - still hacker free.

    Later!

    Mark
     
