
Hacked

Discussion in 'Networking' started by Danwilliams1989, Feb 19, 2018.

Thread Status:
Not open for further replies.
  1. Danwilliams1989

    Danwilliams1989 Thread Starter

    Joined:
    Feb 19, 2018
    Messages:
    26

    I have a BT hub 6A it’s my 4th one.

    So my walls are thin enough for me to know my neighbours have hacked me. I can often hear them bragging about it. I’ve called BT so many times like more than 15 and they say it’s fine their end but yet every device I have has been modified. Anyway.

    I have used an app called Fing to do some port scans and to get some info. I have screenshots but I can’t put them up in here by the looks of it.

    Anyway my router shows up as BTHUB.
    It says its netbios name is BTHUB (have no idea what that is) and it’s saying it’s a file server.

    So a scan reveals that the following ports are open

    53: Domain name server
    80: Http

    But then I get this
    139: Netbios-ssn
    443: Secure World Wide Web ssl
    445: Microsoft-ds (Smb directly over IP)
    8888: Sun-answerbook (Sun answer http server or gnump3d streaming music server)
    10080: Amanda (Amanda backup util)

    Sometimes I’m getting a upnp port opening as well on 1900
    5000

    When I use another device I constantly have this port open

    62078: Iphone-sync

    I read online that apparently this is a way that some hackers are able to remotely access devices.
    Is there anyone who can tell me what’s going on.

    I keep upnp off now because of it but yet they are still able to log on and switch it on and come set port forward rules from port 0 to 0 it says on the technical log.

    I’m not sure if this is supposed to happen but I have a loop back on my router 127.0.0.1 and I’m pretty sure they have forced my IP to remain static.

    Not only this when you go to the IPv6 settings there is no dns it says not available.

    When I went on my pc it said there was no IPv6 connection at all.

    Also when I do a portscan localhost using my iPhone I get the following ports open

    1080: Socks
    1083: Ansoft-lm-1 (Anasoft license manager)
    8021: FTP-proxy (Common ftp proxy port.)

    Also I have seen something on my computer screen called teredo isatap where it says media disconnected.

    I’ve had my email password blocked about 40 times this is not an exaggeration.

    I think they are using Cisco equipment to link up our hubs.

    When I leave the house and connect to a friends Wifi if I do a localhost scan on fing I get

    1990: Stun p1 Cisco

    It is saying my address assignment is static.
    That IPv6 is not configured on the technical logs it has shown some unusual MAC addresses but then they disappear off the devices.

    I am getting new static route added with an External IP address that hasn’t changed.

    Also with this fing app you can see upnp service info.
    For my router I get this

    Hostname bthub
    Upnp name BT Homehub 6.0A

    Upnp services

    WanCommonInterfaceConfig(1)
    WanPPPConnection(1)

    Net bios name BTHUB
    File server : Yes

    I am also getting NFLC Media Server show up when there is nothing except my phone connected.

    I did a cmd net local group I think and it came up with IPC$ and ADMIN$ which means someone is remotely logging in as admin and is sharing files.

    I have done a scan over my mums she lives across the road and they’ve tried to stop me from using her Wifi in the past.

    When I do a port scan on her router she’s with virgin we get

    80: Http
    1900: Upnp
    5000: Complex main upnp

    Her upnp services then show as

    Layer3Forwarding(1)
    WanCommonInterfaceConfig(1)
    WanIPConnection(1)

    And she had a few unknown devices on there as well.

    I’ve spoken to BT and they are swearing blind that I can’t be hacked it’s not possible but it seems to be all these servers popping. I have a upnp scanner on my android and randomly after some code has been changed it’s showing that they are trying to make requests using that.

    The ping chart is what happens when I ping my router should it be like that

    I just don’t know what or who else to ask please help
     


  2. plankton23

    plankton23

    Joined:
    Feb 7, 2018
    Messages:
    206
    The very first thing to do when one gets a modem/router is change the default user name and password to log into the modem/router. Next is to turn off the SSID. That's the broadcast signal of your modem/router.....it saying, "hey, here I am and this is my name" for everyone to see that has a wifi signal.

    This is what I would do. First, do a factory reset of your device by using the reset button on the back of the device. There's a tiny hole and inside is the reset button. Use a paper clip to push and hold down reset button until modem/router restarts itself. When it does, release the button. Then log into router and make changes as mentioned above.
     
  3. Danwilliams1989

    Danwilliams1989 Thread Starter

    Joined:
    Feb 19, 2018
    Messages:
    26
    Sounds like a plan but I’ve done a reset and it hasn’t closed the ports. I think I’m linked to their network somehow and I believe that because I’m getting stun p1 that there’s something on my mobile now that’s tracking me. But my plan was to change providers buy a router itself and do what you’ve just said. As well as dispose of all the equipment that has been infected. And buy new. It’s samba server but I don’t know how they have set it up over my router and how they are keeping these ports open. I don’t think they care but this is also leaving me very vulnerable to other hackers as well. A part of me wishes they would do some financial damage so the police would swing into action. I haven’t made a complete report but my concern is where do you draw the line at hacking and stalking they are watching me wherever I go. I go out and find that there’s been tracking activity on my google account when I’ve been out when I know I’ve turned location history off. It’s very strange
     
  4. Danwilliams1989

    Danwilliams1989 Thread Starter

    Joined:
    Feb 19, 2018
    Messages:
    26
    Is it normal for a ping chart to look like that
     
  5. plankton23

    plankton23

    Joined:
    Feb 7, 2018
    Messages:
    206
    You may be correct, as it sounds like they are using your mobile device to gain access to your user name and password information. For that reason alone is why I never set any of my family's mobile devices to use the wifi.
     
  6. Danwilliams1989

    Danwilliams1989 Thread Starter

    Joined:
    Feb 19, 2018
    Messages:
    26
    I think I’m gonna take a trip to maplins I’m not sure yet
     
  7. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    9,479
    Admin$ and IPC$ shares are default hidden shares. Having them does not mean someone is hacking you.
    The above are default open ports that exist on Windows machines. Or do you also have a Linux machine ?


    The above ports don't usually exist on a Windows machine.


    UPnP is a firewall self-configuration technology. Programs can use UPnP to request a port opening. Usually found in networked games.


    Which version of Windows are you using? Or do you also have a Linux machine?

    When you say you may have a static ip. You can check that. In Windows, go to Control Panel > Network and Sharing > Change Adapter Settings > Ethernet/WiFi > Properties > IPv4 and see if you manually typed in an ip address ( which is called static ) or Automatic ( which is an ip address assigned through DHCP )
     
    Last edited: Feb 20, 2018
  8. Danwilliams1989

    Danwilliams1989 Thread Starter

    Joined:
    Feb 19, 2018
    Messages:
    26
    Hey first thanks for the response.

    I am running a recently upgraded win 7. But I had vista before. And it’s made no change. The ports are still open when I port scan my router IP.

    I thought SMB was samba to do with file sharing but I’ve had this off all along and also upnp is switched off on my router. In fact this was there about 3 months before I had a laptop up and running. I was just using my iPhone and my android handset.

    I read online that this was an old exploit that hackers used to use to ftp to a device to maybe spread malware.

    I did not set this up I have no idea where it’s come from. All I know is that I’m getting files and applications on my devices I didn’t install.
    And these files and apps tell me I don’t have the correct permission to remove them when I tried to using my android.

    I found out that I have some sort of IPsec VPN tunnel set up on my devices. So I’m guessing that’s why I have some sort of stunp1 following me around.

    Again these are things I have not even touched. Things I would not even understand.
    At one point I had a port open for tinyurl which is a proxy. That was over my router IP.

    What would you make of it all in all. If you could explain what could be going on I’d really appreciate it please
     
  9. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    9,479
    Were you using Windows to scan your Android?
    Were you using Windows to scan your router?
    Were you using Android to scan your Windows?
     
  10. Danwilliams1989

    Danwilliams1989 Thread Starter

    Joined:
    Feb 19, 2018
    Messages:
    26
    No I was using a Motorola XOOM tablet, HTC Desire 510 and iPhone 6s using Fing and Landroid and a few other apps.

    On fing it shows net bios names, and shows my router as a file server (see screenshot 1)

    When I port scan my hub I get screenshot 2

    And when I port scan over localhost so my device (iPhone) I get screenshot 3

    Oh and when I ping my router I get a chart looking like this on screenshot 4. Does that look normal ?
     


  11. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    9,479
    Unfortunately I don't have any of your equipment except a Windows 7 PC. So I cannot tell you if your readings are normal. Hackers rarely attack routers and networking equipment, because that's not where the money is. Your PC holds credit card transaction records and juicy business correspondence to your competitors. And, since lots of talented hackers target Windows, there exist lots of existing hacks for reuse. Most so-called hackers reuse exploits from other talented hackers and are not tech savvy.
     
  12. Danwilliams1989

    Danwilliams1989 Thread Starter

    Joined:
    Feb 19, 2018
    Messages:
    26
    I don’t think it’s for money never have and it’s just constant over the last 7 months since I moved in. I know who it is. I just have to prove it. They are using Linux with every security blanket to block me from tracing them I’m not sure what to do. If I can get concrete evidence it’s them I’ll be fine
     
  13. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    9,479
    What have they done to your PC?
     
  14. Danwilliams1989

    Danwilliams1989 Thread Starter

    Joined:
    Feb 19, 2018
    Messages:
    26
    So far I have had a remote admin login. The workgroup keeps turning itself on by itself so all my files are being shared. When I’ve gone to roll back to a prev restore point there’s avast and avg stopping me which I didn’t install. It keeps failing because of a running anti software. I got svchost.exe like a lot of them. When I’ve gone to uninstall these antivirus there has been no programs there. They’ve made a hidden partition which I don’t know how to delete because I think they’ve encrypted it with bit locker. I saw it in the registry. But I’ve never downloaded it.

    That SMB is a samba server over an IP to allow file sharing because my router was logging them all before but I lost the info. So I’m thinking maybe they are using something like SSH and putting these files onto server because I have synced files from my router by mistake before and they were from someone else’s phone.
     
  15. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    9,479
    Is your Windows 7 PC a name brand PC like a Dell or HP ?

    You can right click on Computer > Manage. And the last item on the left is Disk management (or something like that). You can create and delete partitions there. Some name brand PCs have a recovery partition used for rebuilding a PC back to default condition, and the ability to do so is in the recovery partition, so make sure you don't delete that one.

    Start Task Manager. Pull down View menu, choose Select Columns and checkmark Command Line. Then examine all the svchost entries and make sure the command line says c:\windows\system32 and not somewhere else. Attackers usually try to hide their programs by renaming it to svchost but it is not stored in Windows\System32 folder.

    For your remote admin login, you can usually find that in the Event Viewer. Click on Create Custom View and find the Event ID field, type in 4672, 4624. Then hopefully you can remember the date you would be able to find it. In the event details box in the middle, you can see Logon Type; remote logins are of type 3. It also helps if you don't use an admin account all day long and only login as admin when you need to do maintenance of the PC.

    Also in Computer > Manage, you can see all the shares you have made on the PC. The ones with a $ are default built in shares by Windows.
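
The svchost path check and the Event ID 4624/4672 lookup described in the post above, scripted as an added example (not part of the original thread and not any poster's code). It assumes an elevated PowerShell prompt on the Windows PC; `$Days` and the helper name `Get-EventFields` are hypothetical, and `Get-WmiObject` is used so it runs on the PowerShell that ships with Windows 7.

```powershell
# Added example; run from an elevated PowerShell prompt (the Security log needs admin rights).
$Days = 7   # hypothetical look-back window

# 1. svchost.exe processes running from an unexpected path.
#    On 64-bit Windows the 32-bit copy in SysWOW64 is also legitimate.
$ok = @((Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe'))
Get-WmiObject Win32_Process -Filter "Name='svchost.exe'" |
    Where-Object { $_.ExecutablePath -and ($ok -notcontains $_.ExecutablePath) } |
    Select-Object ProcessId, ExecutablePath, CommandLine

# Helper (hypothetical name): turn an event's EventData into a name -> value hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$n.Name] = $n.'#text' }
    $fields
}

$since = (Get-Date).AddDays(-$Days)

# 2. Logon IDs that were assigned special (admin-level) privileges: event 4672.
$privileged = @{}
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4672; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id = (Get-EventFields $_)['SubjectLogonId']
        if ($id) { $privileged[$id] = $true }
    }

# 3. Logons (event 4624) of Logon Type 3 (network), flagged when the same
#    logon session also appears in a 4672 event.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f['LogonType'] -eq '3') {
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                User        = $f['TargetUserName']
                Workstation = $f['WorkstationName']
                SourceIp    = $f['IpAddress']
                Admin       = [bool]($f['TargetLogonId'] -and $privileged.ContainsKey($f['TargetLogonId']))
            }
        }
    } | Sort-Object Time | Format-Table Time, User, Workstation, SourceIp, Admin -AutoSize
```

Logon Type 3 also covers ordinary file and printer sharing from other machines on the LAN, so read the SourceIp and Workstation columns before treating an entry as a remote admin login.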
     
Short URL to this thread: https://techguy.org/1205236
