Trapped in a virtual network PLEEEZ HELP!!!
Tags:
- Security
- Internet Service Providers
- VPN
- Business Computing
lilronj
February 20, 2012 1:01:26 AM
hello all,
I could use some help badly... for approx. days someone has taken over my home network and appears to have made me a part of their virtual network or machine. I've switched ISPs, purchased new equipment, built a new machine off site and introduced it by itself, and yet the intruder returns. This is strictly a LAN connection, no wireless.. I'm at a loss and frankly it's scaring the crap out of my kids. Is there any way to break free from this??
thanks in advance
sincerely
Ron
alyoshka
February 20, 2012 2:22:07 AM
Ok. It would scare the crap out of me too, very frankly. But could you shed some more light on this?
How do you make out "you're trapped into this virtual network"?
How have you reached this conclusion?
You could basically add a new domain name to all the computers in the network and change the IPs.... that would break away from the net-within-the-net thing.
alyoshka
February 20, 2012 2:23:11 AM
You could also use a Firewall like Outpost and see what's happening and configure it to keep the intruder off. Ban him, block him, blacklist him and finally report him to the authorities.
You could create a different user group and have sharing going on only within that group, disabling the sharing and access options to the rest of the network.
lilronj
February 20, 2012 5:11:26 PM
OK, bear with me because I'm learning as I go, but... Jan 8 2011 I was notified by AT&T my email was being opened remotely? Jan 11 2011 found someone taking away all my local authorities on my PC.. actually saw it happening. I unplugged from the internet. At that time I had 3 wired PCs and multiple wireless accessories (home network). Over the next few days all PCs slowly started locking up and became non-functional... contacted local police as well as FBI... Windows 7 Credential Manager had been activated then encrypted. I immediately requested a new IP address, stopped all wireless and put only 1 wired machine back on the internet (I replaced all memory components before reinstalling (SSD, HD, mobo, removed vid and aud cards)). Within 12hrs it begins again, so I switched internet providers; within 24hrs again it happened. I called Microsoft, Norton and frankly everyone I could think of. I was told he's gaining entry at server level. I started looking at all equipment that was destroyed, noticed all hard drives now have a 68kb section of data on them that I didn't install as well as extra volumes usually numbered 1-4 that I'm unable to delete. Then I purchased a business grade firewall appliance, hooked up and configured. Within 24 hrs it's happening again, so I called the firewall provider, had them reconfigure remotely and remove all access to the management console except for a single IP address (1 of theirs). This is where I am currently; the firewall got reconfigured Friday... this is like a black hole....!! There is absolutely no support for things like this either legally or corporate.. the only thing that's been stolen is personal data. Local cable internet provider doesn't track incoming ISPs; AT&T does and has info but will not provide it without a subpoena..
He has trashed a half dozen mobos, HDs, SSDs and the like, and just doing research throughout the ordeal and reading, I believe that I'm a part of his virtual machine or network. That would explain why he's been able to attack through multiple ISPs and firewall.. story actually much longer and more detailed but that's the gist.
thanks again
ron
teaser
February 20, 2012 5:31:51 PM
scout_03
February 20, 2012 5:36:41 PM
Hi
This isn't that complicated to fix, so stop worrying to start with...
Instructions...
1. PULL OUT network cable (so no net connection....)
2. Choose ONE MACHINE only to connect back to the net and format the hard drive and reinstall Windows on it
3. Install Norton Internet Security 2012
4. Reconnect to the net on that machine ONLY (ALL others turned OFF)
5. UPDATE Norton and keep updating it until it says no more updates.
6. UPDATE Windows and keep updating it until it says no more updates.
7. Connect each of your other machines to the net machine ONE AT A TIME and do a FULL SCAN on them with the Norton on the net machine.... once finished and clean, install Norton on those as well...
8. Repeat 7 until all finished....
9. You and all your machines are now safe...
All the best, Brett
lewza
February 21, 2012 9:01:37 AM
I would also suggest that you change your internal IP address network, but to something completely outside the Class C address. Move to a Class B or Class A address pool like 172.16.0.0 network. Some home routers won't allow you to configure anything other than a Class C private address though such as 192.168.0.0
To get rid of any traces of hidden partitions or files that someone might have planted on your hard drives, use a low level disk erase utility. If it is an SSD, I would suggest using a computer not hooked up to the internet (or at a different location if possible) to perform a firmware update and then use Secure Erase or a similar utility as suggested by the manufacturer of your SSD. For a hard drive, there are several free programs out there such as Active Kill Disk and others that can perform a complete erase of your hard drive. Run it through this utility a couple times and you should be able to then reuse the drive to install Windows 7 or whichever operating system you are using.
I think you did a great thing by going to a hardware firewall and getting their technicians to set up the firewall properly for you.
alyoshka
February 22, 2012 1:50:09 AM
lewza
February 22, 2012 9:08:08 AM
They must get involved. I remember a similar thing happening to me when I was only a kid. I was about 10 years old (10 years ago) and my next door neighbour did a similar thing: he could control our computer like an RDP session, but from boot. He would post naked pictures of dead children on the screen.
We contacted the police and they caught him in a couple of weeks, finding child porn and mutilated images. Now he is in prison. Authorities should help.
Dropdeadly
February 22, 2012 5:23:56 PM
lewza said:
They must get involved. I remember a similar thing happening to me when I was only a kid. I was about 10 years old (10 years ago) and my next door neighbour did a similar thing: he could control our computer like an RDP session, but from boot. He would post naked pictures of dead children on the screen. We contacted the police and they caught him in a couple of weeks, finding child porn and mutilated images. Now he is in prison. Authorities should help.
Wow that's messed up.
Rockdpm
February 22, 2012 5:56:00 PM
lewza said:
They must get involved. I remember a similar thing happening to me when I was only a kid. I was about 10 years old (10 years ago) and my next door neighbour did a similar thing: he could control our computer like an RDP session, but from boot. He would post naked pictures of dead children on the screen. We contacted the police and they caught him in a couple of weeks, finding child porn and mutilated images. Now he is in prison. Authorities should help.
Scary story, bro
mattberrytr
February 22, 2012 6:13:07 PM
the great randini
February 22, 2012 6:33:42 PM
scout_03
February 22, 2012 7:44:55 PM
lilronj
February 23, 2012 3:14:07 AM
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>netstat -b
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:2869 wilma-PC:49966 ESTABLISHED
Can not obtain ownership information
TCP 127.0.0.1:5357 wilma-PC:49962 TIME_WAIT
TCP 127.0.0.1:5357 wilma-PC:49965 TIME_WAIT
TCP 127.0.0.1:5357 wilma-PC:49967 TIME_WAIT
TCP 127.0.0.1:5357 wilma-PC:49968 TIME_WAIT
TCP 127.0.0.1:49966 wilma-PC:icslap ESTABLISHED
EventSystem
[svchost.exe]
TCP [::1]:2869 wilma-PC:49963 TIME_WAIT
C:\Windows\system32>
OK, the above is netstat -b.
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 748
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:554 0.0.0.0:0 LISTENING 4008
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:10243 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 788
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 904
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1092
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 856
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 900
TCP 127.0.0.1:5357 127.0.0.1:49957 TIME_WAIT 0
TCP 127.0.0.1:5357 127.0.0.1:49958 TIME_WAIT 0
TCP 127.0.0.1:5357 127.0.0.1:49961 TIME_WAIT 0
TCP 127.0.0.1:49157 0.0.0.0:0 LISTENING 1720
TCP 192.168.200.230:139 0.0.0.0:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 748
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:554 [::]:0 LISTENING 4008
TCP [::]:2869 [::]:0 LISTENING 4
TCP [::]:3587 [::]:0 LISTENING 4408
TCP [::]:5357 [::]:0 LISTENING 4
TCP [::]:10243 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 788
TCP [::]:49153 [::]:0 LISTENING 904
TCP [::]:49154 [::]:0 LISTENING 1092
TCP [::]:49155 [::]:0 LISTENING 856
TCP [::]:49156 [::]:0 LISTENING 900
TCP [::1]:49158 [::]:0 LISTENING 1720
UDP 0.0.0.0:500 *:* 1092
UDP 0.0.0.0:3544 *:* 1092
UDP 0.0.0.0:3702 *:* 4148
UDP 0.0.0.0:3702 *:* 4148
UDP 0.0.0.0:3702 *:* 1256
UDP 0.0.0.0:3702 *:* 1256
UDP 0.0.0.0:4500 *:* 1092
UDP 0.0.0.0:5004 *:* 4008
UDP 0.0.0.0:5005 *:* 4008
UDP 0.0.0.0:60014 *:* 4148
UDP 0.0.0.0:60016 *:* 1256
UDP 0.0.0.0:60018 *:* 1256
UDP 127.0.0.1:1900 *:* 4148
UDP 127.0.0.1:60013 *:* 4148
UDP 127.0.0.1:60194 *:* 4680
UDP 127.0.0.1:60421 *:* 4728
UDP 192.168.200.230:137 *:* 4
UDP 192.168.200.230:138 *:* 4
UDP 192.168.200.230:1900 *:* 4148
UDP 192.168.200.230:57800 *:* 1092
UDP 192.168.200.230:60012 *:* 4148
UDP [::]:500 *:* 1092
UDP [::]:3540 *:* 4408
UDP [::]:3702 *:* 1256
UDP [::]:3702 *:* 1256
UDP [::]:3702 *:* 4148
UDP [::]:3702 *:* 4148
UDP [::]:4500 *:* 1092
UDP [::]:5004 *:* 4008
UDP [::]:5005 *:* 4008
UDP [::]:60015 *:* 4148
UDP [::]:60017 *:* 1256
UDP [::]:60019 *:* 1256
UDP [::1]:1900 *:* 4148
UDP [::1]:60011 *:* 4148
UDP [fe80::249b:bcea:53f3:3241%11]:1900 *:* 4148
UDP [fe80::249b:bcea:53f3:3241%11]:60010 *:* 4148
This is -ano........
Here is my follow up. I think the person has penetrated the firewall, just based on my experience thus far, although SonicWall assures me I'm incorrect. There have been over 800 intrusion attempts by what they term as "strange ports" since Monday.. all have been dropped by the firewall. The same IP address attacks every time (Beijing, China); it also continuously attempts logging into my management interface. I believe they call it a "dictionary attack", mind you (by design I no longer have access). As far as authorities' response... local PD wrote a report, no follow up... FBI dept is called "IC3"; I upload anything I consider to be evidence daily, get an automated response, nothing past that yet. I am pretty confident I know someone involved in the attack but at this point nothing has been done yet. I used Linux "Silent Runners" and found registry changes that are hidden that cause specific output that has been manipulated by whomever is doing this. Kind of difficult to explain. My learning curve has been this: at first I thought it was a trojan or rootkit that opened a port to allow the remote user to inject code.. then I eliminated that. Thought maybe it was someone using tactics used by netbots; I'm pretty confident that I've eliminated that as well. Just based on reading, the virtual network or machine theory is the strongest, based on comparative analysis of data that I've managed to scrub from hidden files on drives I've removed. It's very hard for me to explain because I'm not an expert and don't know all the terms. Here is a registry entry I found; mind you I have no idea what this means other than it appears to have been modified as well as hidden by someone or something..
c:\windows\system32\tasks\microsoft\windows\customer experience improvement program "consolidator" -> launches: "%systemroot%\system32\wsqmcons.exe" [ms] "kernelCeiptask" ->(HIDDEN!) launches: {e7ed314f-2816-4c26-aeb5-54a34d02404c}" -> {HKLM...CLSID} = "UsbCeip" \inProcServer32\ (default) = "C:\windows\system32\usbceip.dll"
Using this as logic: when I run "Silent Runners" on a fresh install of Win7 there are no entries that have "(HIDDEN!)" anywhere on it.. also I have no idea what any of the above means, which leads me to the conclusion someone else put it there.. lastly I have 8 pages of hidden "startup" programs in the registry..
hopefully someone does... thanks
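As an added example (not code from the thread or from any poster), here is a Python triage of a pasted `netstat -ano` listing like the one above: it glues a PID that copy-paste wrapped onto its own line back onto its row, classifies each local address by scope (loopback, all interfaces, link-local, LAN), and reports which bound sockets other hosts can reach and which of those no stock Windows 7 service in a hand-kept port table accounts for. The port table, the constructed sample excerpt and its `0.0.0.0:8888` / PID 9999 line are assumptions for demonstration.

```python
"""Triage a pasted `netstat -ano` listing: what is reachable from other hosts, and is it explained?"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Stock Windows 7 listeners, for annotation only (assumed hand-kept table). A match does NOT prove
# the owning process is legitimate; `netstat -b` or Task Manager must still confirm the PID's image.
KNOWN_PORTS = {
    ("TCP", 135): "MSRPC endpoint mapper",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB",
    ("TCP", 2869): "UPnP event notification (icslap)",
    ("TCP", 3587): "Peer-to-Peer Grouping",
    ("TCP", 5357): "WSDAPI (Web Services on Devices)",
    ("UDP", 500): "IKE (IPsec)",
    ("UDP", 1900): "SSDP discovery",
    ("UDP", 3544): "Teredo",
    ("UDP", 3702): "WS-Discovery",
    ("UDP", 4500): "IPsec NAT traversal",
}

@dataclass
class Sock:
    proto: str
    addr: str            # local IP with IPv6 brackets and %zone stripped
    port: int
    state: str           # TCP state; empty for UDP
    pid: Optional[int]

    def scope(self) -> str:
        ip = ip_address(self.addr)
        if ip.is_loopback:
            return "loopback"
        if ip.is_unspecified:          # 0.0.0.0 or :: -> bound on every interface
            return "all-interfaces"
        if ip.is_link_local:           # fe80::/10, reachable on the local segment
            return "link-local"
        return "lan" if ip.is_private else "public"

    def reachable(self) -> bool:
        """Reachable from another host: UDP as soon as it is bound, TCP only while LISTENING."""
        if self.proto == "TCP" and self.state != "LISTENING":
            return False
        return self.scope() != "loopback"

    def label(self) -> str:
        if (self.proto, self.port) in KNOWN_PORTS:
            return KNOWN_PORTS[(self.proto, self.port)]
        return "dynamic range (RPC / ephemeral)" if self.port >= 49152 else "UNEXPLAINED"

def _rejoin_wrapped_pids(lines: List[str]) -> List[str]:
    """A pasted listing may wrap the PID onto a line of its own; glue it back."""
    out: List[str] = []
    for raw in lines:
        line = raw.strip()
        if line.isdigit() and out:
            out[-1] += " " + line
        elif line:
            out.append(line)
    return out

def parse_netstat(text: str) -> List[Sock]:
    socks: List[Sock] = []
    for line in _rejoin_wrapped_pids(text.splitlines()):
        tok = line.split()
        if len(tok) < 3 or tok[0] not in ("TCP", "UDP"):
            continue                      # banner, column header, prompt, etc.
        host, _, port = tok[1].rpartition(":")
        addr = host.strip("[]").split("%", 1)[0]     # drop IPv6 brackets and %zone index
        pid = int(tok[-1]) if len(tok) > 3 and tok[-1].isdigit() else None
        state = tok[3] if tok[0] == "TCP" and len(tok) > 3 and not tok[3].isdigit() else ""
        socks.append(Sock(tok[0], addr, int(port), state, pid))
    return socks

def triage(text: str) -> Tuple[List[Sock], List[Sock]]:
    """Return (sockets reachable from other hosts, the subset nothing in KNOWN_PORTS explains)."""
    reachable = [s for s in parse_netstat(text) if s.reachable()]
    return reachable, [s for s in reachable if s.label() == "UNEXPLAINED"]

# Constructed excerpt shaped like the listing in the thread; the 0.0.0.0:8888 / PID 9999 line is
# invented to exercise the UNEXPLAINED path, and the trailing "4148" is the wrapped-PID case.
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       9999
  TCP    127.0.0.1:5357         127.0.0.1:49957        TIME_WAIT       0
  TCP    192.168.200.230:139    0.0.0.0:0              LISTENING       4
  TCP    [::]:3587              [::]:0                 LISTENING       4408
  UDP    0.0.0.0:500            *:*                                    1092
  UDP    127.0.0.1:1900         *:*                                    4148
  UDP    [fe80::249b:bcea:53f3:3241%11]:1900  *:*
  4148
"""

if __name__ == "__main__":
    for s in triage(SAMPLE)[0]:
        print(f"{s.proto} {s.addr}:{s.port} pid={s.pid} [{s.scope()}] {s.label()}")
```

To use it on your own machine, save the `netstat -ano` output to a text file and pass its contents to `triage()`; a socket labelled UNEXPLAINED is a PID to look up in Task Manager or `netstat -b`, not by itself proof of compromise.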
lilronj
February 23, 2012 3:28:26 AM
A couple of other things: all the normal stuff, TeamViewer, Remote Desktop, virus scans I've done ad nauseam. I've replaced or eliminated everything that has memory or is flashable and changed ISPs all at the same time, and within 24hrs stuff started disappearing or changing. Also in the Device Manager tree "my PC is not the highest in the tree"; it is a briefcase symbol with the name of my PC.. then comes "Computer". Just a couple examples of many many.. not to mention things like the picture on my account changing, or the instant I plug in a thumb drive it gets erased and reformatted.. stuff like that.
alyoshka
February 23, 2012 4:06:40 AM
dalauder
February 23, 2012 4:30:30 AM
What happens when you just run Linux? No Windows. How about running Linux no-install, from disk?
The fact that changing your IP address (through the ISP) and then doing a complete secure reformat and reinstall didn't help is pretty suspicious (like the info might be obtained at the ISP). Make sure to flash your BIOS with no HDDs attached prior to formatting the HDDs. Have you tried hooking the computer up at someone else's house to see what happens? Or is it just ALL Internet at your house that has the problem?
alyoshka
February 23, 2012 4:41:35 AM
What is the medium of installation for the OS on your rigs?
Since you changed everything physically, and even switched ISPs, there are just 2 ways left in which your rig could be targeted, or three actually.
To be able to sniff your rig out in the hundreds of millions out there you need to be pretty unique. Say your rig's name is Wilma-PC... you need to change it to something more random, like a mixed string.
Secondly, if you use the same router/ADSL which was on the earlier network, that router might be compromised by modifying the flash on it, so even if you changed the ISP the router will still manage to create a link between your rig, whatever its uniqueness, and the outside world.
Thirdly, if the OS medium is compromised by installing it from a flash stick or a copied disc, either way, the basic functions could be breached to add certain hidden code and files while booting the rig itself from those media.
Any other device on the network could be already breached and security left wide open, since the "Thing" that is doing this is already inside the house network.
A total flush is what would be required. Even if you have a telly connected via a LAN cable, you need to get ready to realize that it may be infected too.
Phone, HDD, USB HDD, flash stick, telly, USB printer: basically anything that has a read/write data chip on it is susceptible to this sort of infection.
I can't suggest that you buy an entire new set of everything. But getting rid of this is going to be a pain, as you already seem to have realized.
Your best option would be to let logic rule, like cornering a rat. Start from one end of the network and then work your way to the main gateway into the house. Do not make the mistake of connecting or linking things that are cured or disinfected or unaffected to the network once you are certain that each piece of equipment is safe and clean.
Once you are certain that nothing is in the equipment, you could go on to linking them one by one and observing at every stage. Carefully and properly.
dalauder
February 23, 2012 4:52:57 AM
Don't use a router if your modem has an ethernet cable. Just plug the ethernet straight into your computer if you're not doing that already.
Have you done a clean install of Windows (from a fresh download of Windows burned to DVD) after a secure erase, installed all updates and security software elsewhere, then tried to connect to your modem at home? I'm sorry if this sounds obvious, but you haven't explained your testing regimen yet.
I got the Sasser worm back in '04 and re-installed Windows 4 times, merely because I never got around to finding a solution before reconnecting to the network. I guess I was just playing video games and didn't mind the re-installs or something?
KonstantinDK
February 23, 2012 4:55:45 AM
Well, when I first read the title I was ready to write a joke about being stuck in the PC like Tron, but...
Wow. It looks like your skills are higher than mine, and that hacker really wants YOU for some reason.
My advice: since you've bought some new hardware, I assume you've got some spare money. Why don't you ask a professional to come over and help? Although, by the looks of it, the regular part-time students won't do. You need someone with experience in enterprise security. And that won't be cheap. And hard to find.
P.S. This is the most bizarre attack I've heard of. Something really more serious than a regular trojan, botnet or an attempt to steal personal info. Good luck buddy.
P.P.S. What's your router model?
dalauder
February 23, 2012 5:06:15 AM
lilronj
February 23, 2012 5:22:24 AM
The network currently consists of 1 PC, 1 firewall appliance, 1 gateway, that's all..
You can buy a CD for less than 10.00 that will do most of the attack, and entry level scripts for less than $10.00US on many many "hacking" sites; that much I've learned. If you use a Linux live CD you never enter the OS, so you are safe; this is why many financial and brokerage houses use it for sensitive data transfer. There are no resources out there that I can find that help with stuff like this... I agree, given the forensic data I have, a skilled network person or ethical hacker could probably solve it quickly. As of yet I've been unable to find one, hence our conversation and my quick education
... it appears it's going to be a long fight. Luckily I have lots of stamina.
lilronj
February 23, 2012 5:25:27 AM
alyoshka
February 23, 2012 5:25:50 AM
alyoshka
February 23, 2012 5:28:54 AM
The actual question is not what the hacker can do with your data. Actually, what 'xx' used to do was to use a residential rig or a server to pull off other jobs.... leaving them in a long list of footprints that would not be traced back.
SO the people who usually got screwed were the ones who owned the rigs. That is the scary part.
szaboaz
February 23, 2012 5:45:47 AM
I was going to suggest a Linux live CD too, but it has a default root password, and it doesn't contain the very latest updates. So you have to be aware (knowledge! learning curve!) of some basic concepts about Linux to achieve its full potential as a secure environment. However, if nothing that you tried so far (hardware firewall monitored by a security company, fresh Windows install on new hardware) has prevented the attacker from taking control, then offline installing and hardening a Linux environment before going online could be a good first line of defence.
lilronj
February 23, 2012 5:47:37 AM
This is obviously a personal attack. I am a "low value target" and this fool has been parked for 45 days, thereby increasing his potential for capture. These are crimes at the federal level..
The ISP terminates with ethernet... no wireless.. the medium is more than 1 physical CD for the operating system, never downloaded, copied or burned by me..
lilronj
February 23, 2012 5:51:51 AM
alyoshka
February 23, 2012 5:55:42 AM
Goldengoose
February 23, 2012 10:00:15 AM
alyoshka
February 23, 2012 10:04:04 AM
silverliquicity
February 23, 2012 11:18:05 AM
http://www.send-safe.com/honeypot-hunter.html
Potentially against forum rules to post this, but I'd say your problem is a little more serious and this may just help you solve your hacker problem.
Prepare to become tech savvy very quickly
lilronj
February 23, 2012 10:27:27 PM
AidanJC
February 23, 2012 11:00:13 PM
lilronj said:
he/she has read this thread because a copy of it was sent to my phone recently
WHAT THE HELL?! This is so weird..
Purchase a 3G USB modem. Try connecting through that.
Flash all modems/routers with the latest firmware.
Scan for Rootkits mainly, and other malicious software.
Keep an eye on your bank account too. But do so through other means such as through a mobile phone or other device.
dalauder
February 24, 2012 12:01:47 AM
AidanJC said:
Flash all modems/routers with the latest firmware. Keep an eye on your bank account too. But do so through other means such as through a mobile phone or other device.
Get your service provider to change your phone number and buy a $15 disposable Walmart phone to drop a new SIM card in.
Physically go by your bank and alert them of the situation and have them increase security measures and change the security checks since this person obviously has your SS# & DOB.
alyoshka
February 24, 2012 2:03:04 AM
lilronj said:
he/she has read this thread because a copy of it was sent to my phone recently
OK. This is cool, now if you still have that message on you, take it to the cops & get to the FBI's notice. That ought to get them closer to the guy.
Cell phones work in a different way than computers so, it's easier to get to the point of origin for a cell than that of a computer.
alyoshka
February 24, 2012 2:05:33 AM
scout_03
February 24, 2012 2:13:17 AM
Do you still use NetBIOS on your system? List of computer ports: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_n... I would suggest you get a new router with WPA2 and firewall protection and use at least a capital letter and a number in your password setting; also change all the names of your home computers to new ones.
The next thing: try one of your computers on wireless so you could find out if there is someone around you trying to connect to your system.
Make sure all machines are clean before you connect back to the net; don't forget to check all your cells if you use them for internet connection.
I'm still around if you need more help
lilronj
February 24, 2012 4:15:03 AM
I am pretty confident somehow I've been made a part of someone's virtual or real network; what I want to do is figure out how to break off it. This person has had access to me for over a month at least.. has created and stolen the credentials manager from my machine.. there isn't much they don't know at this point.. believe me when I tell you I fully understand the pain in the A** this is..
dalauder
February 24, 2012 4:31:37 AM
lilronj
February 24, 2012 4:51:46 AM
dalauder said:
What steps (detailed) have you taken to clean your system and change your network identity? That's what's gonna "break off" of that person's virtual network.
1. stripped the network down
2. built new PC complete
3. replaced modem
4. installed firewall appliance
5. changed ISPs
6. no wireless or USB connectivity, not even keyboard; no storage card in phone
7. configured firewall using conventional methods, i.e. I got online and configured.
(all this done same day) after many, many previous failed attempts to exterminate this pest
8. transfer to new cell phone carrier
Network breached within 12 hrs.
1. turn over management console and configuration of firewall to remote secure PC (can't be keylogged on my terminal)
2. monitoring center indicates continuous attacks from a lone IP out of Beijing, both on firewall and management console login (states the firewall is turning all attacks away)
3. file movement and obvious manipulation of my rig slows down
4. in device management tree the highest element is not "computer", it is a briefcase with the name of my PC on it
5. strange .ini .dat .txt documents pop up now and then
6. unable to access some aspects of event viewer
strange *** like that
dalauder
February 24, 2012 5:38:04 AM
Strange--I would have expected your initial steps to work considering none of the hardware or network information is the same. Really, that's almost inexplicable.
I mean there is no reason to target you a second time since neither the computer nor the network info is identified the same. The only explanation I can think of is: proximity.
You must have a very fast LAN-like network with the PC in question. Do you live in an apartment building?
Have you considered the "rats abandon a sinking ship" idea? Set up some software that sends constant pings or something else that completely bogs the network down. If your computer is useless or can't reliably be accessed, it won't be targeted--unless annoying you is the purpose of this whole thing. You wouldn't happen to have a roommate who's a CS major who you pulled the "buttered floor" trick on, would you?
Sorry to be joking, I get that this is a serious matter for you. But it almost seems like a personal vendetta since the only thing linking your old system with your new one was YOU--unless you accidentally plugged in a flash stick or something that hadn't been secure erased.
How does your system work if you plug it up to Ethernet somewhere else? Does the same thing happen to laptops on your network? Because you can try comparing your laptop at home versus your laptop at Starbucks.
I still think you should try re-flashing, secure-erasing, and re-installing from the start without any of the extra stuff like the hardware firewall, routers, or modems hooked up. Then after everything is updated, plug the Ethernet cable straight into your motherboard. But you've probably tried 20 permutations of that including Linux.
szaboaz
February 24, 2012 6:04:23 AM
If he's bold enough to use the cellphone for direct contact, maybe we'll be fortunate enough to have him here.
Hey, man. Why don't you tell us, what's your beef with lilronj? Did he piss you off in the supermarket? Is he your noisy neighbour who can't let you sleep? Did he tell you off while in the middle of a road quarrel?
Oh, and since you're here anyway, let me ask this: why are you still working the firewall (with a brute force attack, no less), when you have personal control over the computer inside the firewall?
KonstantinDK
February 24, 2012 9:26:21 AM
BTW, can we get a pic of your hardware info with the briefcase you told us about? (Just remove your computer name.)
Also, I think you've got kids in the house, since you've got 3 PCs. During this time they don't touch it?
I guess it's rather personal; how else could he get your cell? Or something in the local network is still compromised and screws up your PC. But if it's personal, why didn't he just erase everything on your PC? I understand you can still use your PC to work, not just locked out on the logon screen. And still, the cell.. Did he just send you an SMS with a web link to this thread?
P.S. We also didn't hear the make of your router and whether you have WiFi on it.
confish21
February 24, 2012 9:36:16 AM
dalauder
February 24, 2012 11:29:32 PM
sonexpc
February 25, 2012 10:12:28 PM
Try TCPView from Microsoft http://technet.microsoft.com/en-us/sysinternals/bb89743...
Upload a picture to here when that happens...
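Two of the replies above point at the same check: scout_03 asks whether NetBIOS is still enabled, and sonexpc suggests TCPView to see which connections the machine actually has open. The script below is an added example, not code from this thread or from Microsoft's Sysinternals tools. It does the offline, text-only version of that triage: it parses the output shape of Windows `netstat -ano` and reports (a) NetBIOS/SMB/RPC/RDP listeners bound to every interface and (b) established sessions with hosts outside the private LAN ranges. The sample output is constructed for illustration (it is not captured from the poster's machine), and 203.0.113.45 is a documentation-range address standing in for an arbitrary public host.

```python
import ipaddress

# Constructed sample in the shape of Windows `netstat -ano` output (not real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49832     192.168.1.1:80         ESTABLISHED     2204
  TCP    192.168.1.10:49901     203.0.113.45:443       ESTABLISHED     3120
  TCP    [::]:3389              [::]:0                 LISTENING       1044
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:138            *:*                                    4
"""

# Services a home PC should not expose beyond the LAN (the NetBIOS ports scout_03
# asked about, plus SMB and the common remote-management listeners).
LAN_ONLY_PORTS = {135: "RPC endpoint mapper", 137: "NetBIOS name service",
                  138: "NetBIOS datagram", 139: "NetBIOS session",
                  445: "SMB", 3389: "RDP"}

# Explicit LAN/loopback/link-local ranges; Python's is_private would also treat the
# documentation range used in the sample as private, so we define our own list.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/32", "::1/128", "fe80::/10", "fc00::/7", "::/128")]


def split_endpoint(endpoint):
    """Split 'ip:port' or '[v6]:port' into (ip, port); port is None for '*'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":            # TCP rows carry a State column, UDP rows do not
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_ip": lip, "local_port": lport,
                     "foreign_ip": fip, "foreign_port": fport,
                     "state": state, "pid": pid})
    return rows


def is_external(ip):
    """True when the address lies outside every LAN/loopback/link-local range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                # '*' or malformed text
        return False
    return not any(addr in net for net in LAN_RANGES)


def triage(rows):
    """Return LAN-only services bound to all interfaces and sessions with outside hosts."""
    exposed, external = [], []
    for r in rows:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if (listening and r["local_port"] in LAN_ONLY_PORTS
                and r["local_ip"] in ("0.0.0.0", "::")):
            exposed.append((r["proto"], r["local_port"],
                            LAN_ONLY_PORTS[r["local_port"]], r["pid"]))
        if r["state"] == "ESTABLISHED" and is_external(r["foreign_ip"]):
            external.append((r["foreign_ip"], r["foreign_port"], r["pid"]))
    return {"exposed": exposed, "external": external}


if __name__ == "__main__":
    report = triage(parse_netstat(SAMPLE_NETSTAT))
    print("Listeners to review (proto, port, service, PID):")
    for item in report["exposed"]:
        print("  ", item)
    print("Established sessions with non-LAN hosts (ip, port, PID):")
    for item in report["external"]:
        print("  ", item)
```

On a real machine you would feed it the saved output of `netstat -ano` run from an elevated prompt, then map each flagged PID to its process with Task Manager or `tasklist`; a listener on 137-139/445 bound to 0.0.0.0 answers the NetBIOS question directly, and any established session with an address outside your LAN that you cannot tie to a program you started is what TCPView would show you live.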