  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 935

Forensic discussion for my hacked home network

Dear Experts,

Here is a strange thing for you. I went to bed Tuesday and everything in my home network was working well.

Wednesday morning before going to work I wanted to reply to an email. My internet is not accessible from my laptop. I see that my wireless connection is established, but my NIC card is not connected to the Netgear router. The Netgear router is not able to connect with the ISP modem, not obtaining the public IP address.

I came back that day and figured that my Raspberry Pi also does not have connectivity via NIC with the Netgear router. After checking the Netgear router I see that all its network cards are not able to establish a connection. I called Cox to see if it was them and it wasn't. I put a second laptop (work) in the network and got the same result: no connectivity. I put that same laptop directly on the ISP modem and yes, I get to go to the internet this way. So for sure it was not my ISP modem.

Basically all the NICs are affected: the Netgear router, the Raspberry Pi and even my laptop.

To make matters worse, I purchased a new home router and my laptop now only works with the wireless card to access the internet, and it shuts down every ½ hour or so. It shuts down if I do certain things like download something from the web or try to check this file that I see in the event viewer, an "MSS.log" (C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log).

For all this to happen overnight leads me to believe that my systems were hacked somehow.

I will rebuild my laptop tonight and see how it goes. It stinks that I lost, for now, my Raspberry Pi card for my XBMC application.

I think the hack comes from my Raspberry Pi's new add-on repository entry.
Thank you, M
Asked by: marceloNYC

1 Solution
 
giltjr Commented:
If connecting a PC directly to your ISP's modem allows Internet connectivity, but going through your Netgear router does not, it sounds like your Netgear router has a problem.

So you replaced your home router and things work, but you have problems every 30 minutes.

Do you have multiple devices in your home that are working right now?

If so, when you are having the "30 minute" problem, can your home devices ping each other?
0
 
marceloNYC (Author) Commented:
Mmmm no, it is not so much every 30 minutes that my Windows 7 laptop shuts down. It depends on whether I am doing something like messing with a file. I was okay streaming Netflix with the new home router via wireless. I will confirm this when I get home tonight and begin a Netflix stream without doing anything else. I checked the laptop event viewer and no hardware issue is detected. Neither is overheating.

It is crazy how over night 3 different devices NICs stopped working.

Another thing is that I can't get the NIC on the laptop to get an IP address. Still, it looks fine in the device manager.

The NICs from the old Netgear router, the Raspberry Pi and my laptop are not connecting. The Raspberry Pi looks fine but does not show up as an attached device in the new home router. It does not get an IP address if set to do so via DHCP, or if I enter a static IP address.
0
 
btan (Exec Consultant) Commented:
Sounds to me that the suspects are the Raspberry Pi and the Netgear; let's assume the home laptop is scanned with AV and the FW log has nothing suspicious at this moment... wondering if there is any activity log in the router to see whether anyone has reached it before, since it is reachable via Wifi (hope you set WPA2 PSK with a complex password)...

Recently there have been Netgear routers vulnerable to exploits..

e.g. Consumer Broadband ISP Routers Exposed via New Backdoor Exploit: for example, Netgear's DGN2000 and DG834B appeared to be listening on an undocumented service via TCP port 32764 (note: not all models will listen via this port over the Internet / WAN, but some do).
http://www.ispreview.co.uk/index.php/2014/01/consumer-broadband-isp-routers-exposed-via-new-backdoor-exploit.html

e.g. Netgear WNDR4700 router is susceptible to an authentication bypass attack.
http://securityevaluators.com/knowledge/case_studies/routers/netgear_wndr4700.php

e.g. Complete, Persistent Compromise of Netgear Wireless Routers
http://www.pcworld.idg.com.au/article/529872/vulnerabilities_some_netgear_router_nas_products_open_door_remote_attacks/
0
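The posts above name an undocumented service on TCP port 32764 on some Netgear models. An owner can verify whether their own router's LAN address accepts connections on that port (and on other management ports that should normally be closed) without sending any data to the service. The script below is an added example written for this thread, not code from any of the linked articles; the gateway address 192.168.1.1 and the extra ports checked (23, 80, 443) are assumptions to adjust for your own network.

```python
import socket
import sys

# Undocumented service port cited in the ISPreview article linked above.
BACKDOOR_PORT = 32764


def tcp_port_accepts(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port completes.

    Only the three-way handshake is attempted; nothing is written to the
    socket. Refused connections, timeouts and any other socket error all
    count as "not accepting".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def router_exposure_report(router_ip: str,
                           ports=(BACKDOOR_PORT, 23, 80, 443)) -> dict:
    """Map each port to whether the router's LAN address accepts it."""
    return {port: tcp_port_accepts(router_ip, port) for port in ports}


def assess(report: dict) -> list:
    """Turn a port report into plain-language findings for the owner."""
    findings = []
    if report.get(BACKDOOR_PORT):
        findings.append(
            "TCP/32764 accepts connections: treat this as the undocumented "
            "backdoor service; apply a firmware update or replace the router.")
    if report.get(23):
        findings.append(
            "telnet (TCP/23) is open: disable telnet/remote management in "
            "the router's administration page.")
    return findings


if __name__ == "__main__":
    # Assumed default LAN gateway; pass your router's address as argv[1].
    gateway = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    report = router_exposure_report(gateway)
    for port, accepts in report.items():
        print(f"{gateway}:{port} -> {'ACCEPTS' if accepts else 'closed/filtered'}")
    for finding in assess(report):
        print("!", finding)
```

Run it from a machine on the LAN side of the router only; the point is to confirm that a known-bad port is closed on your own device, and a positive result is a reason to update firmware or check the vendor's advisories, not to interact with the service.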
 
marceloNYC (Author) Commented:
Nice information on the Netgear router.

It has been like an hour, no problems with the laptop yet. Facebook, YouTube and Wikipedia are fine so far. The NIC card looks fine except it will not acquire an IP address from the new router (Belkin). The laptop has AVG for anti-virus. It has not found a thing.

I'll try to download something later to verify. I will rebuild my laptop anyway later.
0
 
btan (Exec Consultant) Commented:
Thanks for the update. Better to have firmware updates and security patches up to date where possible, though I know most tend to think "don't fix it when it isn't broken".
0
 
marceloNYC (Author) Commented:
So far so good with the laptop. I updated my iTunes, no problem. Will push more later.
0
 
btan (Exec Consultant) Commented:
For the Raspberry Pi itself, I think it is still fine, though it is not a simple "device" with limited capabilities; it is a fully capable computer. For many uses of the Raspberry Pi, security isn't much of a concern: it will never be online or even exposed to external input that could be used as an infection vector. The trouble comes when it's used in situations where it is online, particularly as a server, where it's at potential risk. For example, some automated scanners are already trying to log in with the pi user. Just some thoughts... :)

http://www.raspberrypi.org/forums/viewtopic.php?t=42592&p=343005

For Netgear, a recent one:
https://isc.sans.edu/forums/diary/Hardcoded+Netgear+Prosafe+Switch+Password+/18357

Yet another hard coded password. This time it's Netgear's Prosafe Switch (GS105PE) running firmware version 1.2.0.5 and earlier [1]. The pre-configured username is "ntgruser" and the password is "debugpassword". If you have any Netgear equipment, it may be worthwhile checking for this username and password even if your device isn't listed as vulnerable.
0
 
marceloNYC (Author) Commented:
Update here.

I rebuilt my Windows 7 laptop.

And when I go to kick-ass torrents and try to download something, the laptop shuts down. Downloading the boxing match or audio book collection: no luck, in case you wonder about the download content.

Who is doing this I wonder.

Pirate Bay I think is fine, not sure yet.
0
 
btan (Exec Consultant) Commented:
I am suspecting that before you install an application such as a torrent client, the host AV and FW should be updated to the latest signatures and a scan run first to see if there are any alerts. Then, for the installation for the torrent purpose, I suggest uploading the package to online scanners (VirusTotal, VirSCAN and Jotti) for checks on any malicious intent prior to installation. Really, to play safe and isolate, since there is such recurrence and an unexpected "shut down".

I don't see how the laptop can shut down due to running a torrent, and if possible you may want to try downloading the torrent in a VM to see if this recurs. Else the online website directed or redirected (in the background) to some active script running, or downloaded another payload to run and install some backdoor etc... You can also try running the browser in Sandboxie before the "downloading". To add on, you can even run Process Explorer in the background to see new processes spawned before the torrent activities and the "after" activities, but this will likely be noisy though... we can try tracking iexplore or explorer to see if there are strange child processes under them.
0
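The suggestion above is to snapshot the process list before and after the torrent activity and look for unexpected children under the browser. Process Explorer shows this as a tree, but the same two checks can be scripted over a saved listing: (1) which processes are new between the two snapshots, and (2) which command interpreters (cmd, PowerShell, script hosts) have a browser anywhere in their ancestry, which is a common sign of a drive-by download handing off to a downloader. The code below is an added example written for this thread, not code from the poster or from Process Explorer; the two snapshots are constructed sample data, not the asker's real process list.

```python
from typing import Dict, List, Tuple

Proc = Tuple[int, int, str]  # (pid, parent pid, image name)

# Constructed "before" snapshot: a quiet Windows 7 desktop (sample data).
BEFORE: List[Proc] = [
    (4, 0, "System"),
    (600, 4, "wininit.exe"),
    (1200, 600, "explorer.exe"),
    (2000, 1200, "iexplore.exe"),
    (2100, 2000, "iexplore.exe"),   # IE tab/content process
    (2300, 1200, "AVGUI.exe"),
]

# Constructed "after" snapshot: same desktop once the torrent session began.
AFTER: List[Proc] = BEFORE + [
    (2400, 1200, "utorrent.exe"),   # launched by the user from the desktop: expected
    (2500, 2100, "cmd.exe"),        # a shell whose parent is a browser tab: suspicious
    (2600, 2500, "powershell.exe"), # spawned by that shell: also suspicious
]

# Browsers under which an interpreter should rarely appear. explorer.exe is
# deliberately NOT here: a shell started from the desktop is normal.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def index(snapshot: List[Proc]) -> Dict[int, Tuple[int, str]]:
    """Map pid -> (ppid, name) for quick parent lookups."""
    return {pid: (ppid, name) for pid, ppid, name in snapshot}


def ancestors(procs: Dict[int, Tuple[int, str]], pid: int) -> List[str]:
    """Image names from the direct parent up to the root, cycle-safe."""
    chain, seen = [], set()
    ppid = procs[pid][0]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        chain.append(procs[ppid][1])
        ppid = procs[ppid][0]
    return chain


def new_processes(before: List[Proc], after: List[Proc]) -> List[Proc]:
    """Processes present in the second snapshot but not the first (by pid+name)."""
    known = {(pid, name) for pid, _, name in before}
    return [p for p in after if (p[0], p[2]) not in known]


def interpreters_under_browsers(snapshot: List[Proc]) -> List[Tuple[int, str, List[str]]]:
    """Interpreters that have a browser anywhere in their ancestry."""
    procs = index(snapshot)
    hits = []
    for pid, _, name in snapshot:
        if name.lower() in INTERPRETERS:
            chain = ancestors(procs, pid)
            if any(a.lower() in BROWSERS for a in chain):
                hits.append((pid, name, chain))
    return hits


if __name__ == "__main__":
    print("New since baseline:")
    for pid, ppid, name in new_processes(BEFORE, AFTER):
        print(f"  {pid:>5} {name} (parent {ppid})")
    print("Interpreters with a browser ancestor:")
    for pid, name, chain in interpreters_under_browsers(AFTER):
        print(f"  {pid:>5} {name} <- {' <- '.join(chain)}")
```

On the sample data the new-process list contains the torrent client plus the cmd/PowerShell pair, and only the latter two are flagged, because the ancestry check ignores processes the user launched from explorer.exe directly. In practice, feed it a listing exported from Process Explorer or `tasklist`, and treat a hit as a reason to pull the process's command line and image path before deciding it is malicious.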
 
marceloNYC (Author) Commented:
Thank you so much for your help and time on this. I am weirded out as to how all these devices went down overnight together.

My Raspberry Pi does not have a working NIC.

Laptop has thermal shutdown issues (diagnostic result).

The Netgear Router has no working NICs.

What I do is stream soccer games from the web with the XBMC Raspberry Pi, etc. Download shows from the web, etc... I will need to rethink this internet usage....

Thanks a bunch!!!
0
 
btan (Exec Consultant) Commented:
Luckily it is the hardware going cranky, but this is a good path to up security alertness as always: be inquisitive... but do be careful with those torrent activities and vulnerable devices. Always better safe than sorry.
0