I got pwned

Internet slowed down today, had Comcast reset the modem. I checked the router logs tonight... remote accesses starting earlier today. Had Comcast reset the modem again in hopes of getting a new IP address (didn't compare old/new, don't know if I got a new one).

[attached image]


Hmmmm... I just realized that that IP address is set up as forwarded to my Xbox 360... FUCK! How the fuck did that work?

What do I need to do, other than disable the port forward, to fix this?
 

Burning1

I'm scareoused!
Changing your IP may or may not work. If the attacker installed a rootkit anywhere on your network, it'll most likely phone home and inform him of the new IP.

First order of business is to identify what's been compromised, and clean it. You're probably best off performing a full re-install if any of your computers were compromised.
 
Okay, thanks. I'll reinstall the computer tomorrow using restore/rescue disks.

Router is off at the moment, posting from phone. I installed Norton Security Suite via Comcast (figured at first Win Security Essentials/Win firewall weren't cutting it) and am running the whole scan. Once it's done I'll restart and turn the router back on.

I think you're right about it phoning home, as after the modem was reset everything was fine for a couple minutes, then DoS attacks started again for about 10 minutes and he got in (the picture posted).

If I watch the log and nothing gains access / no DoS attacks happen again, am I okay? Or should I just be safe and reinstall anyway? (Why do I think I already know the answer to this.... :( )
 
Going for the overly-excited triple post!

Okay... speed is back and this robust Norton program is saying that I am all secure and dandy... so far. Watching the log, nothing showing either, yet.

Would anybody be kind enough to explain to me how to safely forward ports for my Xbox 360, because apparently this was used to gain access? Would placing the 360 on a DMZ be safer... or worse? Should I just rely on UPnP for that? So humbling.... :(
 

Ozymandias

Well-known member
Well, in the interest of not having personal data compromised, turn off port forwarding in your router... NOW! Also disable UPnP, as a virus can take advantage of that as well.

Next step is to either reload your system(s) or take the hard drive out and put it in a known clean system to do a full virus scan and note any malware found. Then you get the fun part of putting it back in the system and removing any of the damage.

Once all that is done, probably best to change your passwords.

It's painful getting infected/rooted. Best to avoid it by proper AV software and passwords based on dictionary words.
 
Thank you Rodr and Ozy for responding, first off.

What does this mean? Why do you think you were hacked?

Because my log showed remote LAN access via port 80, on a local IP that I had set up to forward port 80 (Xbox)?



Damn, that's a royal PITA (but you already knew that).

I need somebody to clarify for me... just because my system is acting normal now, and seems quick, doesn't mean that it's not infected, right? So I pretty much need to reload to be safe, huh?

Ozy, are there any viable, safe alternatives that you could actually feel confident letting your system run after without restoring? (i.e. running Kaspersky's TDSS killer, rootkit scanner + others?) Probably not, but I just want to check.

(Router logs show nothing except a single ACK scan DoS attack, which from what I've read can also be a dropped packet that the router is 'complaining' about, and it shows up as that... correct? No other remote accesses were or have been made since seemingly regaining control last night.)

Disabled UPnP last night, then turned it on again once everything seemed 'okay' again; will go disable once again. Already got rid of all port forwarding. Now, is there any safe way to get ports open for my Xbox, such as a DMZ for just the Xbox?
 

Ozymandias

Well-known member
I'd keep any port forwarding off until you are 100% sure you're clean. And yup, for about 8 years I was doing nothing but consumer and small business system repair, and for probably the last 3 of that, 90% of my workload was malware mitigation. I actually got so tired of saying the same thing over and over again (many times to the exact same people) that I decided to stop doing consumer repairs, and I'm better off professionally for it.

Here's the thing. Rod is correct: what makes you think you've been hit? A single ACK DoS doesn't necessarily mean you've been compromised. That could just be exactly what it is... a DoS. A remote LAN access on an open port 80 means nothing either. Port 80 is where most web traffic goes to/from. You're hitting port 80 of BARF right now. There are millions of scans on port 80 a day by people just trying to see what's there and what might be able to be compromised. Hell, I get 300-500 a day on my home server alone. Both of those are external events. While the DoS is a PITA, I have also known routers to claim DoS when there were only 5 attempts, and as for the port 80, I'm not so sure that it's a problem.

The thing about viruses and rootkits is that the more nasty ones will actually bury deep enough in the system that they are able to hide from the Windows API, which prevents any other application running on the same system from being able to actually detect it, and it's possible that a system restore won't remove it either. Rootkits and malware can be seriously nasty. That's why I recommended taking the hard drive out and putting it in a known clean system for a full scan. You could probably take the drive out of the system and take it to a local shop for them to scan for you if you don't have one yourself that you could do it with.

As far as virus scanner to use, I HATE HATE HATE HATE those bulky "security" packages all the AV manufacturers are selling. They don't offer anything more than what a standard AV package and router does and actually use a considerable amount of system resources so don't waste your $ on them.

Ultimately, if you're concerned take that drive out and to a shop to let them scan it and give you a report and go from there. Couldn't hurt and shouldn't be that expensive and it will give you some peace of mind.
 

Awesome, thanks.

To clarify, the reason I think I got 'hacked' is because my internet connection suddenly went to shit, and when I looked at the logs, there were multiple remote accesses being made onto/into the LAN - if they hadn't actually gained access, why was my bandwidth suddenly throttled from 25Mb down/4Mb up to 2Mb down/0.43Mb up? It sure seemed like my internet was being 'shared'; but then again, the Comcast rep said something about a power cycle being needed to 'get all of the speed back.'
 

rodr

Well-known member

Ozy is right. DoS means "denial of service". That just means someone is sending you a lot of network traffic. Might be intended to disrupt your connectivity, maybe not. It doesn't mean your stuff is otherwise compromised.

Port 80 is normally for web servers and will be frequently queried by those taking an interest in your IP. Do you have a compelling need to open it up to the world? If not, turn that shit off. If yes, there's probably a better way.
 
I think we have a slight miscommunication. I haven't been worried about the 'DoS attacks' much at all; what alarmed me was the 'remote access to LAN' from (random) IPs '255.235.25.2' or '52.256.24.6' or '214.214.21.5' - obviously international IP addresses - that occurred on the port that I had set up on my LAN to be forwarded for my Xbox.

I suppose here is the question that I need to ask: does seeing
"[LAN access from remote] from 119.10.115.139:38770 to 192.168.1.9:80, *current day and time*" mean that that IP address (119) has made access to the LAN, therefore granting him access to the network? Or does that just mean that an attempt was made? I read it literally, as in 119.10 has accessed the LAN - locally; so I imagine him now being able to Telnet via php (or is that the initial access method...?), run commands, install malware, gain control, etc. - do whatever, or is this mistaken?
 

Ozymandias

Well-known member
To be fair, the people you talk to at Comcast on the first call usually don't have much knowledge and just follow a script. There are 3 Rs that any support will look at first.

  1. Reboot - did that fix it? You'd be surprised how often it actually does
  2. Reinstall - reboot didn't fix... reinstall the application
  3. Reimage - that failed, reload the system

That's over-generalized, but ALL first level consumer/SB support will look in one of those 3 directions to some degree, and 95% or more of all problems occur at the consumer's location, anything from PEBKAC (Problem Exists Between Keyboard And Chair) to consumer quality end user equipment that simply fails or isn't up to par.

As Rod said a DoS is a fancy term for a flood, really. Your internet connection only has so much bandwidth just like a pipe (we nicknamed them pipes even because it really isn't a big truck :)) too much and you can't get the stuff you want through it.
 

rodr

Well-known member

No, it just means that someone connected to port 80 of your external IP address, which in turn was forwarded by your router to port 80 on your Xbox (which is on your LAN). The only thing they can do from there is whatever the Xbox web server allows them to do.
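A small triage script over log lines in the "[LAN access from remote] from SRC:PORT to DST:PORT" shape quoted in the thread, added here as an example rather than anything a poster wrote. It groups inbound hits by the LAN host and port they reached and checks each against the router's manual forward table, so hits on the forwarded Xbox port read as the routine probing Ozy describes, while a hit on a host with no rule (which only UPnP or a forgotten rule could explain) stands out. The forward table, the timestamp layout, the DoS line format and all IPs except the thread's own are constructed.

```python
import re
from collections import defaultdict

# Line shape copied from the router log quoted in the thread; the timestamp
# after the comma is an assumption and is ignored here.
LAN_ACCESS = re.compile(
    r"\[LAN access from remote\] from (?P<src>\d+(?:\.\d+){3}):\d+"
    r" to (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)

# Constructed port-forward table, mirroring the thread's TCP 80 -> Xbox rule.
FORWARDS = {("192.168.1.9", 80): "Xbox 360 (manual forward, TCP 80)"}

# Constructed sample log: the thread's own line first, then made-up lines
# with documentation IPs. The DoS line format is an assumption.
SAMPLE_LOG = """\
[LAN access from remote] from 119.10.115.139:38770 to 192.168.1.9:80, Tue, Jan 10,2012 21:14:03
[LAN access from remote] from 198.51.100.7:51022 to 192.168.1.9:80, Tue, Jan 10,2012 21:15:40
[LAN access from remote] from 198.51.100.7:51023 to 192.168.1.9:80, Tue, Jan 10,2012 21:15:41
[DoS attack: ACK Scan] from source 203.0.113.22:443, Tue, Jan 10,2012 21:16:02
[LAN access from remote] from 203.0.113.22:4444 to 192.168.1.5:3389, Tue, Jan 10,2012 21:17:30
"""

def parse_lan_access(log_text):
    """One dict per '[LAN access from remote]' line; DoS and other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LAN_ACCESS.search(line)
        if m:
            hits.append({"src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return hits

def summarize(hits, forwards=FORWARDS):
    """Group hits by LAN destination and note whether a manual forward rule explains them."""
    by_dest = defaultdict(lambda: {"count": 0, "sources": set()})
    for h in hits:
        entry = by_dest[(h["dst"], h["dport"])]
        entry["count"] += 1
        entry["sources"].add(h["src"])
    report = []
    for (dst, port), v in sorted(by_dest.items()):
        report.append({
            "dest": f"{dst}:{port}",
            "count": v["count"],                        # many hits, few sources: retries/probes
            "distinct_sources": len(v["sources"]),      # many sources: the routine scanning Ozy describes
            "forwarded_to": forwards.get((dst, port)),  # None: UPnP or a forgotten rule opened it
        })
    return report

def unexpected_destinations(report):
    """LAN targets reached without a manual forward rule: the entries worth chasing first."""
    return [r["dest"] for r in report if r["forwarded_to"] is None]
```

Run it against your own router's exported log (the same line shape) and the report tells you which LAN hosts were actually reachable and whether you meant them to be.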
 
A remote LAN access on an open port 80 means nothing either. Port 80 is where most web traffic goes to/from. You're hitting port 80 of BARF right now. There are millions of scans on port 80 a day by people just trying to see what's there and what might be able to be compromised. Hell, I get 300-500 a day on my home server alone. Both of those are external events. While the DoS is a PITA, I have also known routers to claim DoS when there were only 5 attempts, and as for the port 80, I'm not so sure that it's a problem.

Looking back, I see where you are coming from now when you mentioned getting tired of repeating things.

Ultimately, if you're concerned take that drive out and to a shop to let them scan it and give you a report and go from there. Couldn't hurt and shouldn't be that expensive and it will give you some peace of mind.

Recommend any in the North Bay if it really comes down to it? Nothing good around here from what I know of, and it'll be a cold day in hell before I take it to a place like Staples or Office Depot.


No, it just means that someone connected to port 80 of your external IP address, which in turn was forwarded by your router to port 80 on your Xbox (which is on your LAN). The only thing they can do from there is whatever the Xbox web server allows them to do.

Thank you rodr! Okay, cool; so it looks like I was panicking for no reason then, sort of (because port forwarding is a no-no). Alright! Progress and knowledge, nice.

May I ask, why do so many forums/sites/people tell others to forward their ports in the manner that I did? Or is it alright since I am forwarding the port of the Xbox, based on the information that "The only thing they can do from there is whatever the Xbox web server allows them to do."? Wouldn't that mean that, unless the Xbox has the ability to control other devices on the network/router, it shouldn't pose a personal information security risk beyond what is on my Xbox? Hmmm... curveball, but the Xbox is streaming media from the PC, so does that mean my personal media being streamed is 'at risk' as well?

I'm getting the feeling that this is stuff that I can learn by reading some books or taking some classes....so I truly appreciate the explanations so far guys, thanks.
 

rodr

Well-known member

Type your external (public) IP address into your web browser's URL field (go to whatismyip.com if you're not sure what that is). Whatever you see as a result, if anything, is what others can access.

I have no idea why someone would tell you to forward a port that you do not wish to make public, but if you can point to an example I may get a clue. :)
 
That is a bit outdated, it seems; here is current info straight from Microsoft (includes port 80 TCP):

If you have a firewall or network hardware, such as a router, you might need to make a configuration change in order for your PC or Xbox 360 console to communicate with Xbox LIVE. This configuration change is sometimes called “opening ports” or "port forwarding."

Xbox LIVE requires the following ports to be open:

Port 88 (UDP)
Port 3074 (UDP and TCP)
Port 53 (UDP and TCP)
Port 80 (TCP)

Note: If you cannot chat with someone using Video Kinect, you might need to open port 1863 (UDP and TCP).

If you're connected to a network through your workplace or school, ask the network administrator to open the above ports used by Xbox LIVE.

If you receive a NAT warning when connecting to Xbox LIVE, please see the Error: Your NAT type is set to strict (or moderate) page.
 