
Network Hacked-Please help

Discussion in 'General Security' started by unlucklyduck, Mar 20, 2017.

Thread Status:
Not open for further replies.
  1. unlucklyduck

    unlucklyduck Thread Starter

    Joined:
    Mar 20, 2017
    Messages:
    4
    Hi All,

    I'm wondering if anyone can help here. Let me start off with facts. Two weeks ago I correlated an event leading up to this. My phone was getting kicked off my network and so was my firestick, resulting in me thinking I needed to enter my details again, including my password.

    A few hours later, my firestick was no longer able to connect to the internet. I checked it on my network and noticed that the IPv4 had changed. I didn't think anything of it at the time. I rebooted it and tried it again. The next day, same thing, except I started noticing my other devices on my network started changing (I had everything set to static). All my IPv4s device names started to change names and I started to see duplicates listed on my network.

    Changed WiFi settings, unplugged router and left local LAN only connected. My wireless IP cams seemed to be broadcasting to strange addresses and attempting to reach different VPNs. I changed their settings again and then started the whole process again. Changed all my 15 devices on my network. Put DDWRT on my nighthawk. 2 days later, again I see duplicate IPv4 addresses on my router and someone accessing my PC on my firewall doing port scans. I then started a brand new PC I had just purchased and connected it to the network. (Please see pic.) Those are temp internet files. I thought it was strange; if you look at the google question entry, they are trying to access my cookies to access my email. That computer has nothing on it.

    So fast forward. I called my ISP, purchased a new modem, changed my IPv6 and changed my internal IPv4, switched my WiFi and bought a new router. So now I don't know if I am still infected or not or if he/she is still on it. Some of my devices on my network are not working because I cannot enable UPnP, and I am unsure how to know for certain. I keep seeing my router now accessing 239.255.255.250 and 239.255.255.252 and my router logs are showing outgoing connections again. I also got a warning from emsisoft about a malicious connection when I opened chrome, so I reflashed a backup image of Windows 10 on my PC.

    Any help would be greatly appreciated. I am pulling hair at this point (what little I have left). TIA
     
    Last edited: Mar 20, 2017
  3. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    8,048
    The 2 addresses 239.255.255.250 and 239.255.255.252 are related to SSDP. See below:
    https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

    Most attacks start by compromising a PC. And then the attackers poke around to see what they can mess with, using the PC as a base. By flashing DDWRT onto your router, it would have gotten rid of the attackers if their base of operations were on the router. But things continue to change, so their base of operations is not on the router.

    Were the names of your devices set on the device itself or were they named on the router? Very unlikely to see that the attacker was able to take over all your devices and change their names.

    Now that you have re-imaged your PC, the attacker's base of operation should be gone. But be wary that they will return. Update ALL of your applications to the latest version, and perform Windows Update. File Hippo has an App Manager which tells you if your programs have new versions. http://filehippo.com/download_app_manager/ Very handy program.
     
  4. unlucklyduck

    unlucklyduck Thread Starter

    Joined:
    Mar 20, 2017
    Messages:
    4
    Thank you so much for the response Lunar. I noticed the duplicate MAC addresses and the device name changes on a network IP scanner for iOS that I use to monitor my network. Then I logged into my router and checked the logs when I saw it said my router had DoS attacks.

    Being a novice at this, I thought I could just initially call my ISP and they would change my external IP. They refused and told me I would need new hardware. Which I did; I purchased a new modem and a separate new router. Even after that, it still never changed.

    The problem is I have several PCs on my network (one with Vista) and children's tablets among other devices. I reflashed the main one and haven't connected any of the others. I still am noticing things on my network. I downloaded 3 different network scanners. One of them shows a device at 192.168.1.127 but with no MAC address; the other shows my main PC as a duplicate at 192.168.1.255. I also tried colasoft capsa but that might be a little complicated for me.

    Will changing my external IP stop intruders? Or what if I connect a VPN directly to the router until I figure things out? TIA
     
  5. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    8,048
    Well, implementing a VPN will stop the intruder if they are connecting inbound from the internet, but it will not stop them if they have something installed on a PC that is calling outbound to their home. It won't hurt to test if this is so.
     
  6. unlucklyduck

    unlucklyduck Thread Starter

    Joined:
    Mar 20, 2017
    Messages:
    4
    Thanks again for the response. Apparently my new router, which cost $350, can't handle VPN, which is ridiculous. So that doesn't work.

    I did discover something though. I think I found how they are getting in. I've been monitoring connections through colasoft and this keeps popping up: _googlecast_tcp.local. Funny thing, I have it switched off through chrome Dev and it's connecting through a DNS server, I think. Then I connect via my phone on my WiFi and it shows _airplay._tcp.local, all the same server IP and same port 5353. I have that switched off as well.
    I also noticed when I blocked all incoming connections to my PC the frequency of the queries increased drastically. Please see the pic I took from my phone and thanks again for your help.

    Any ideas how to block this?
     
  7. unlucklyduck

    unlucklyduck Thread Starter

    Joined:
    Mar 20, 2017
    Messages:
    4
    image.jpg Hopefully this pic works
     
  8. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    8,048
    Does the program tell you which program is doing all the talking?
     
  9. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    8,048
    If your colasoft does not show process name/program name, then you can try Microsoft Network Monitor (free)
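
An added example, not part of any post in this thread: a short Python triage of destination addresses like the ones mentioned above (239.255.255.250, 239.255.255.252, 192.168.1.255, port 5353), separating multicast discovery and broadcast traffic from connections that actually leave the LAN. The /24 netmask, the mDNS group 224.0.0.251 (not quoted in the thread) and the sample records are assumptions.

```python
import ipaddress

# Well-known discovery groups: (multicast group, UDP port) -> protocol
DISCOVERY = {
    ("239.255.255.250", 1900): "SSDP (UPnP discovery)",
    ("224.0.0.251", 5353): "mDNS (_googlecast._tcp.local, _airplay._tcp.local, ...)",
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")  # RFC 2365

def classify(dst, port, lan="192.168.1.0/24"):
    """Label one destination taken from a router log or packet capture.

    `lan` is an assumption: the thread shows 192.168.1.x hosts but no netmask.
    """
    addr = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(lan)
    if (str(addr), port) in DISCOVERY:
        return DISCOVERY[(str(addr), port)]
    if addr == net.broadcast_address:
        return "subnet broadcast address (not a host)"
    if addr.is_multicast:
        if addr in ADMIN_SCOPED:
            return "administratively scoped multicast (RFC 2365)"
        return "other multicast"
    if addr in net:
        return "host on the LAN"
    if any(addr in n for n in RFC1918):
        return "private address outside the LAN"
    return "public address: find the owning process"

def triage(lines):
    """Return the (dst, port) records that leave the local network."""
    flagged = []
    for line in lines:
        dst, port = line.split()
        if classify(dst, int(port)).startswith("public"):
            flagged.append((dst, int(port)))
    return flagged

# Constructed sample records in "dst port" form (not taken from the thread's logs)
SAMPLE = ["239.255.255.250 1900", "224.0.0.251 5353", "192.168.1.255 137",
          "239.255.255.252 1900", "192.168.1.127 80", "203.0.113.7 443"]

if __name__ == "__main__":
    for rec in SAMPLE:
        dst, port = rec.split()
        print(f"{rec:24} {classify(dst, int(port))}")
    print("leaves the LAN:", triage(SAMPLE))
```

Only the records returned by `triage` need to be matched to a process on the PC, which is what a tool that shows process names per connection is for.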
     
Short URL to this thread: https://techguy.org/1187145