Forensic discussion for my hacked home network
Dear Experts,
Here is a strange thing for you. I went to bed Tuesday and everything in my home network was working well.
Wednesday morning before going to work I want to reply an email. My internet is not accessible from my laptop. I see that my wireless connection is established, but my NIC card is not connected to the Netgear router. The Netgear router is not able to connect with the ISP modem, not obtaining the public IP address.
I came back that day and figure that my Raspberry Pi also does not have connectivity via NIC with the Netgear Router. After checking the Netgear router I see that all its network cards are not able to establish a connection. I called Cox to see if it was them and it wasn’t. I put a second laptop (work) in the network and got the same result no connectivity. I put that same laptop directly to the ISP modem and yes I get to go to the internet this way. So for sure it was not my ISP modem.
Basically all the NICs are affected for the Netgear router, Raspberry Pi and even my laptop.
To make matters worse I purchased a new home router and my laptop now only works with the wireless card to access the internet and it shuts down every ½ hour or so. It shuts down if I do certain things like down load from the web something or try to check this file that I see in the event viewer an “MSS.log”(C:\ProgramData\M
For all this to happen overnight leads me to believe that my systems were hacked somehow.
I will rebuild tonight my laptop and see how it goes. It stinks I lost for now my Raspberry Pi card for my XBMC application.
I think the hack comes from my Raspberry Pi new Add-on repository entry.
Thank you, M
Here is a strange thing for you. I went to bed Tuesday and everything in my home network was working well.
Wednesday morning before going to work I want to reply an email. My internet is not accessible from my laptop. I see that my wireless connection is established, but my NIC card is not connected to the Netgear router. The Netgear router is not able to connect with the ISP modem, not obtaining the public IP address.
I came back that day and figure that my Raspberry Pi also does not have connectivity via NIC with the Netgear Router. After checking the Netgear router I see that all its network cards are not able to establish a connection. I called Cox to see if it was them and it wasn’t. I put a second laptop (work) in the network and got the same result no connectivity. I put that same laptop directly to the ISP modem and yes I get to go to the internet this way. So for sure it was not my ISP modem.
Basically all the NICs are affected for the Netgear router, Raspberry Pi and even my laptop.
To make matters worse I purchased a new home router and my laptop now only works with the wireless card to access the internet and it shuts down every ½ hour or so. It shuts down if I do certain things like down load from the web something or try to check this file that I see in the event viewer an “MSS.log”(C:\ProgramData\M
For all this to happen overnight leads me to believe that my systems were hacked somehow.
I will rebuild tonight my laptop and see how it goes. It stinks I lost for now my Raspberry Pi card for my XBMC application.
I think the hack comes from my Raspberry Pi new Add-on repository entry.
Thank you, M
ASKER
Mmmm no, is not so much every 30 minutes that my windows 7 laptop shuts down. It depends if I am doing something like messing with a file. I was okay streaming with the new home router via wireless netflix. I will confirm this when I get home tonight and begin a netflix stream without doing anything else. I check the laptop event viewer and no hardware issue is detected. Neither is over heating.
It is crazy how over night 3 different devices NICs stopped working.
Another thing is that I can't get the NIC from the laptop to work getting an IP address. Still it looks fine in the device manager.
The NICs from the old Netgear router, the Raspberri Pi and my laptop are not connecting. The Raspberry pi looks fine but does not look as an attached device in the new home router. Does not get an ip address if set to do via DHCP or if enter an static IP address.
It is crazy how over night 3 different devices NICs stopped working.
Another thing is that I can't get the NIC from the laptop to work getting an IP address. Still it looks fine in the device manager.
The NICs from the old Netgear router, the Raspberri Pi and my laptop are not connecting. The Raspberry pi looks fine but does not look as an attached device in the new home router. Does not get an ip address if set to do via DHCP or if enter an static IP address.
Sounds to me that suspects are Raspberri Pi and Netgear, let assume the home laptop is scanned with AV and FW log has nothing found suspicious at this moment...wondering any activity log in router to see anyone has reached it before since it is reachable via Wifi (hope you set WPA2 PSK with complex password)...
recently there is netgear vulnerable to exploit..
e.g. Consumer Broadband ISP Routers Exposed via New Backdoor Exploit for example Netgear’s DGN2000 and DG834B, appeared to be listening on an undocumented service via TCP port 32764 (note: not all models will listen via this port over the Internet / WAN but some do).
http://www.ispreview.co.uk/index.php/2014/01/consumer-broadband-isp-routers-exposed-via-new-backdoor-exploit.html
e.g. Netgear WNDR4700 router is susceptible to an authentication bypass attack.
http://securityevaluators.com/knowledge/case_studies/routers/netgear_wndr4700.php
e.g. Complete, Persistent Compromise of Netgear Wireless Routers
http://www.pcworld.idg.com.au/article/529872/vulnerabilities_some_netgear_router_nas_products_open_door_remote_attacks/
recently there is netgear vulnerable to exploit..
e.g. Consumer Broadband ISP Routers Exposed via New Backdoor Exploit for example Netgear’s DGN2000 and DG834B, appeared to be listening on an undocumented service via TCP port 32764 (note: not all models will listen via this port over the Internet / WAN but some do).
http://www.ispreview.co.uk/index.php/2014/01/consumer-broadband-isp-routers-exposed-via-new-backdoor-exploit.html
e.g. Netgear WNDR4700 router is susceptible to an authentication bypass attack.
http://securityevaluators.com/knowledge/case_studies/routers/netgear_wndr4700.php
e.g. Complete, Persistent Compromise of Netgear Wireless Routers
http://www.pcworld.idg.com.au/article/529872/vulnerabilities_some_netgear_router_nas_products_open_door_remote_attacks/
ASKER
Nice information on the Netgear router.
It has been like an hour no problems with the laptop yet. Facebook, youtube and wikipidia fine so far. The NIC car looks fine except will not acquire an IP address from the new router (Belkin). The laptop has AVG for anti-virus. Has not found a thing.
I 'll try to download something later to verify. I will rebuild my laptop anyway later.
It has been like an hour no problems with the laptop yet. Facebook, youtube and wikipidia fine so far. The NIC car looks fine except will not acquire an IP address from the new router (Belkin). The laptop has AVG for anti-virus. Has not found a thing.
I 'll try to download something later to verify. I will rebuild my laptop anyway later.
thanks for update. better to have firmware update and security patch up to date where possible though i know most tends to think of "dont fix it when it isnt broken"
ASKER
So far so good with the laptop. I updated my itunes no problem. Will push more later.
for Raspberry pi itself, I think it is still fine though it is not a simple “device” with limited capabilities; it is a fully capable computer. For many uses of the Raspberry Pi, security isn’t much of a concern – it will never be online or even exposed to external input that could be used as an infection vector. The trouble comes when it’s used in situations where it is online – particularly as a server – where it’s at potential risk. For example, some automated scanners are already trying to log in with the pi user. Just some thought...:)
http://www.raspberrypi.org/forums/viewtopic.php?t=42592&p=343005
for netgear, some latest one
https://isc.sans.edu/forums/diary/Hardcoded+Netgear+Prosafe+Switch+Password+/18357
Yet another hard coded password. This time it's Netgear's Prosafe Switch (GS105PE) running firmware version 1.2.0.5 and earlier [1]. The pre-configured username is "ntgruser" and the password is "debugpassword". If you have any Netgear equipment, it may be worthwhile checking for this username and password even if your device isn't listed as vulnerable.
http://www.raspberrypi.org/forums/viewtopic.php?t=42592&p=343005
for netgear, some latest one
https://isc.sans.edu/forums/diary/Hardcoded+Netgear+Prosafe+Switch+Password+/18357
Yet another hard coded password. This time it's Netgear's Prosafe Switch (GS105PE) running firmware version 1.2.0.5 and earlier [1]. The pre-configured username is "ntgruser" and the password is "debugpassword". If you have any Netgear equipment, it may be worthwhile checking for this username and password even if your device isn't listed as vulnerable.
ASKER
Update here.
I rebuild my windows 7 laptop.
And when I go to kick-ass torrents and try to download something. The laptop shutdown. Downloading the boxing match or Audio book collection. No luck, in case you wonder the download content.
Who is doing this I wonder.
Pirate Bay I think is fine not sure yet.
I rebuild my windows 7 laptop.
And when I go to kick-ass torrents and try to download something. The laptop shutdown. Downloading the boxing match or Audio book collection. No luck, in case you wonder the download content.
Who is doing this I wonder.
Pirate Bay I think is fine not sure yet.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you so much for your help and time on this. I am weird out as to how all these devices went down over night together.
My RaspBerry Pi does not have a working NIC.
Laptop has thermal shutdown issues (diagnostic result).
The Netgear Router has no working NICs.
What I do is stream from the web soccer games with the XBMC raspberry pi, etc. Download from web shows, etc... I will need to rethink this internet usage....
Thanks a bunch!!!
My RaspBerry Pi does not have a working NIC.
Laptop has thermal shutdown issues (diagnostic result).
The Netgear Router has no working NICs.
What I do is stream from the web soccer games with the XBMC raspberry pi, etc. Download from web shows, etc... I will need to rethink this internet usage....
Thanks a bunch!!!
luckily it is hardware going cranky but this is a good path to up security alertness as always - be inquisitive..but do be careful with those torrent activities and vulnerable devices. Always be safe than sorry
So you replaced your home router and things work, but you ave problems every 30 minutes.
Do you have multiple devices in your home that are working right now?
If so, when you are having the "30 minute" problem can one your home devices ping each other?