Banned IP addresses keep getting thru

Good Morning

I had posted before on this but we now have more information as to what is going on:

We definitely got hacked by someone who knows what they are doing (beyond my capability to find how they got in, but I suspected some ways until we found out yesterday).
I might add that in the status page logs I do NOT see any login attempts, which is puzzling as well!
How in the world do they get in undetected?

Set up some inbound rules to block IP addresses, but going to a PC (netstat -a) I see the IP addresses on the local PC.
We also found that the intruder is able to get to local PCs via Remote Assistance. I was upset that this was still enabled on 2 PCs, so we naturally turned that off.
When we saw this we set up rules to block all IP addresses found under the firewall settings, but our intruder still gets in (could be chasing IP ghosts, but why, when we block the IP, can it still get access through the firewall?).
Also, is there a way to find inbound IP addresses? A log or status type of page?
Searching all over for some sort of log/status etc., but I am unable to find any way to see who is actually trying to "hit" the router.
Ongoing issue; we are now thinking of picking up a Fortinet 30E or 40F as we are not able to block intruders etc.
Firewall was enabled for intruder protection and an attacker got right through (logs are not showing enough valid IP information).
Set up blocking of publicly known bad IP address subnets etc. and they still continue to get through.
Not onsite, as we shut almost everything down until we resolve this (a small, unimportant network until we find out how the intruder got in).
We suspect a zero-day attack, as they are quite sophisticated, setting up and taking advantage of Windows, Edge, Office etc. to roam and pick info off PCs.
I also see high usage on the router (red, 80-90%) but there is zero traffic.
Changed the router password etc.
Possible back door access on the router?
Nothing makes sense, as we take steps and the intruder continues to find ways to get in.

… in the status page logs I do NOT see any login attempts, which is puzzling as well! How in the world do they get in undetected?

I would work under the assumption that they did not get in.

Set up some inbound rules to block IP addresses, but going to a PC (netstat -a) I see the IP addresses on the local PC.

Inbound blocking rules are only needed if you are doing port forwarding. Are you?

What do you mean, that you saw the blocked IP addresses on the local PC?


We also found that the intruder is able to get to local PCs via Remote Assistance. I was upset that this was still enabled on 2 PCs, so we naturally turned that off.
When we saw this we set up rules to block all IP addresses found under the firewall settings, but our intruder still gets in (could be chasing IP ghosts, but why, when we block the IP, can it still get access through the firewall?).

Remote control uses either an "inny" or an "outty" system. Inbound blocking has nothing to do with outty-style remote control systems; for those, you need an outbound firewall rule.


Also, is there a way to find inbound IP addresses? A log or status type of page?

Yes. When doing port forwarding, you can also create an inbound firewall rule that logs every time the port is used to forward something.

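To make the inbound-versus-outbound distinction in the reply above concrete, here is an added example (it is not from the thread and not Peplink's or Nir Sofer's tooling) that parses `netstat -ano` output from a Windows PC, classifies every socket as listening, inbound or outbound, and checks the peer against a router-style block list. The sample netstat lines, the 203.0.113.0/24 "banned" range and the ephemeral-port heuristic are constructed assumptions; the point it shows is that a connection the PC itself dialled out to a banned address is never touched by an inbound rule on the router.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output from a Windows host (not taken
# from the thread); addresses come from documentation/private ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.20:49712     203.0.113.45:443       ESTABLISHED     5678
  TCP    192.168.1.20:49801     198.51.100.7:8080      ESTABLISHED     9012
  TCP    192.168.1.20:49822     192.168.1.1:53         TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    3456
"""

# Hypothetical "banned" ranges, standing in for the router's inbound block rules.
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]

# Windows' default dynamic (ephemeral) port range starts here.
EPHEMERAL_START = 49152


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str
    pid: int


def split_addr(addr: str) -> tuple[str, int]:
    """'192.168.1.20:49712' -> ('192.168.1.20', 49712); '*:*' -> ('*', 0)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else 0)


def parse_netstat(text: str) -> list[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # title, header or blank lines
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:                             # UDP rows have no State column
            proto, local, foreign, pid = parts
            state = "UNCONN"
        lh, lp = split_addr(local)
        fh, fp = split_addr(foreign)
        conns.append(Conn(proto, lh, lp, fh, fp, state, int(pid)))
    return conns


def direction(c: Conn) -> str:
    """Heuristic: the side using an ephemeral port is the one that dialled."""
    if c.state in ("LISTENING", "UNCONN"):
        return "listening"
    if c.local_port >= EPHEMERAL_START and c.foreign_port < EPHEMERAL_START:
        return "outbound"   # this PC initiated it; an inbound router rule never sees it
    return "inbound"


def is_blocked(ip: str, blocked) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:        # the '*' placeholder in UDP rows is not a peer
        return False
    return any(addr in net for net in blocked)


def triage(text: str, blocked=BLOCKED) -> list[dict]:
    rows = []
    for c in parse_netstat(text):
        d = direction(c)
        peer_blocked = d != "listening" and is_blocked(c.foreign_ip, blocked)
        if d == "listening":
            note = f"reachable from the WAN only if the router forwards {c.proto}/{c.local_port}"
        elif peer_blocked:
            note = "peer is in the block list but this PC dialled out; needs an OUTBOUND rule"
        else:
            note = "no block-list match"
        rows.append({"pid": c.pid, "proto": c.proto, "direction": d,
                     "peer": c.foreign_ip, "peer_port": c.foreign_port,
                     "blocked_peer": peer_blocked, "note": note})
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_NETSTAT):
        print(f"PID {r['pid']:>5} {r['proto']} {r['direction']:<9} "
              f"{r['peer']}:{r['peer_port']}  {r['note']}")
```

Run it against real output with `netstat -ano > netstat.txt` and feed the file contents to `triage()`; the PID column then maps each socket to a process you can look up in Task Manager or TCPView. The ephemeral-port heuristic is only that: a service listening on a high port, or a client that binds a low source port, will be misclassified, so treat the direction as a first cut, not proof.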

Hi Michael1234!

Happy Holidays and thanks for the reply!

The more troubleshooting I do, the more it seems to be true, as I set up a ton of security rules on one PC with Norton/Windows Defender and router inbound/outbound rules. I am also running Wireshark to see the client hello and the payload downloads etc.

Via the router I blocked a ton of IP addresses (FIOS front line and Pep Balance media behind, for extra protection on my internal network). Can't get rid of FIOS as it has my TV etc.

Getting into the PC is an issue, as I can only detect them when I reboot, as it tells me someone is connected. I'll set up some port forwarding rules today as you suggested! I also held off on my 4th rebuild as I concentrated on the UEFI boot clean etc., but not sure if that helped, as originally it seemed to; hence today checking all IP addresses, and I find some have been false positives, and most of the IP addresses? Frickin' Office/Microsoft widgets etc. on the internet as abusive IP addresses! Now starting to see patterns developing as I had time to sit down and review!

I reset the UEFI, and am waiting to hear from HP/Microsoft as I opened tickets.
After quite a while I may be getting close to blocking, but still trying to get to a root cause.
TCPView, Procmon, Task Manager and Wireshark together give me a better picture of traffic.

Regards

Rich

My FIOS experience, though with an old router of theirs, is that their router opens a port for each set-top box. You can allow and log that in your Peplink router and then review the logs. Eventually, only allow inbound connections on those ports for a limited number of source IP addresses. This will keep most bad guys out.

I would also run nmap against the Windows PC in question to see what ports it has open. Do this from another computer on the same subnet.

Hi Michael1234

That router is a very different beast, in that it has been a source of issues when attempting to block items, as you must take some time to learn the router and question everything…! Using Wireshark I have seen a dramatic reduction in outbound traffic, so I am not sure if I got them or they are lying dormant. Usually late at night is when they rear their ugly heads, but so far no bad-guy IPs showing from about 3-4 AM this morning until now, 12:19 PM. Just downloaded Nmap and will check this out later! One thing I see is cloudnet on the trace outbound IP, but I see no .exe or other relevant info. However, it is recognized as trouble and I saw an IP address sending out info. On my list to take care of. Small steps, but I feel that for the first time in a few months I am making serious progress, though not completely convinced yet.

On a Windows machine, Zenmap is a GUI interface for nmap. Also on Windows, I use some free programs from Nir Sofer at nirsoft.net when I want to trace network activity. TcpLogView is a trace of outbound TCP requests:
TcpLogView - Creates TCP connections log
He also has two different DNS logging programs.


Mornin' Michael1234

I'll take a look! New tools and methods are always of interest to me, to make short work of some of this! Using TCPView and Procmon along with Wireshark I was able to narrow down a lot of areas missed. Getting too old for this, as my simple DOS days and small attack resolutions are gone! I have a 3CX phone system here and I am wondering if that had something to do with the attacks as well, being on the internet. Lesson learned… As for this episode: I think I have it under control, as I worked mostly on the UEFI boot, cleaning memory and checking everything that I never had a clue about. Still worried about that cloudnet stuff, as I will continue looking into it, but from when I started to now it's like a new PC, blocking so much stuff! My network trace, for the first time since probably September, seems back to normal now as well. Thanks again for the help, as you gave me some great tips!

Regards

Rich

Hi Richard. Not sure if you are still fighting this or have it resolved, but let me add one suggestion: separate your networks!
We run almost 2,000 Pepwaves (MAX BR1, BR1 Mini, B20X and new Minis), all in pizza restaurants.

Issues we have to deal with include:

  • Absolute need for a secure subnet for the point of sale system, usually using a "standard" subnet such as 192.168.3.0/24. Usually also has a small number of regular PC/laptop devices in the office.
  • Need for a unique small subnet for IP phones (we are a hosted PBX provider).
  • Common need to have a sh*t-ton of totally non-securable network devices, such as Sonos speakers, every kind of web TV you can imagine, and various other "internet of things" devices. All of which open OUTBOUND connections.
  • Common need for Wi-Fi, both for point of sale (secure) devices and public/staff Wi-Fi.

So we create three or four networks. Some just VLAN'd, some on separate physical ports (which is why we like the B20X).

  • One for the POS system (with Wi-Fi, decent password, non-published SSID), allowed to use WAN and cellular. Sometimes with no DHCP, just static IPs, or locked down to only specific MACs getting IPs, so if they plug some other device into the wrong switch it does not even get an IP.
  • One for IP phones (a /28, unique to every store), allowed to use WAN and cellular, but mainly routed over SpeedFusion to our four data centers.
  • One for every kind of crap insecure device, enforced to WAN only.
  • One for public/staff Wi-Fi, enforced to WAN only (with Wi-Fi, usually with a very insecure password like "pizzanet").

Firewall rules prevent inter-subnet traffic: from the public Wi-Fi subnet and the "insecure" subnet you can only go out the WAN. You cannot hit the POS or phone subnets.

Why do we do this? Why not just use firewall and policy rules? Because of these crap devices that connect outbound and have huge, weeping, pus-filled holes in their security! No matter what you do today, you cannot be sure that tomorrow the Ring doorbell, or the Sonos speaker, or the cheapest-they-could-find web TV is not going to be hacked via its outbound connection to some random cloud server.
And if you just block their outbound access… then they do not work!
And of course, we are NOT the IP company for the store, and have no physical control of the network. They just plug crap in.

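As an added illustration of the segmentation policy described in the post above (example code written for this page, not the poster's or Peplink's configuration), the following models the zone plan as a default-deny matrix and evaluates constructed sample flows against it. Only the POS prefix 192.168.3.0/24 comes from the post; the phones, IoT and guest prefixes, and the sample flows, are assumptions. The one detail worth taking away is how "WAN" is defined: a destination counts as WAN only if it is outside every planned zone and outside private address space, so an IoT device probing an unplanned 192.168.x.x address is still denied rather than silently treated as internet-bound.

```python
import ipaddress

# Zone plan modelled on the post; only the POS prefix is from the original,
# the others are assumptions for this example.
ZONES = {
    "pos":    ipaddress.ip_network("192.168.3.0/24"),
    "phones": ipaddress.ip_network("10.20.30.0/28"),
    "iot":    ipaddress.ip_network("192.168.50.0/24"),
    "guest":  ipaddress.ip_network("192.168.60.0/24"),
}

# Private address space (RFC 1918). Anything here that is not a planned zone
# is "local-unknown", never "wan", so a misplugged device cannot be reached
# via a "WAN only" allow rule.
LOCAL_SPACE = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Allowed (source zone, destination zone) pairs. Everything not listed is
# denied, which is what "enforced to WAN only" and "no inter-subnet traffic"
# amount to. "wan" = outside every zone and outside private space.
ALLOW = {
    ("pos", "wan"),
    ("phones", "wan"),
    ("iot", "wan"),
    ("guest", "wan"),
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in LOCAL_SPACE):
        return "local-unknown"
    return "wan"


def decide(src_ip: str, dst_ip: str) -> tuple[str, str]:
    """Return ('allow'|'deny', 'srczone->dstzone') for one flow."""
    pair = (zone_of(src_ip), zone_of(dst_ip))
    verdict = "allow" if pair in ALLOW else "deny"
    return verdict, f"{pair[0]}->{pair[1]}"


def evaluate(flows) -> list[tuple[str, str, str, str]]:
    """Evaluate a list of (src, dst) flows; returns (src, dst, verdict, path)."""
    return [(s, d, *decide(s, d)) for s, d in flows]


# Constructed sample flows (not from the post). 203.0.113.0/24 is a
# documentation range standing in for an arbitrary cloud server.
SAMPLE_FLOWS = [
    ("192.168.60.10", "203.0.113.5"),    # guest phone to the internet
    ("192.168.50.7",  "203.0.113.9"),    # Sonos/TV to its cloud service
    ("192.168.50.7",  "192.168.3.10"),   # compromised IoT box probing POS
    ("192.168.60.10", "10.20.30.3"),     # guest Wi-Fi probing an IP phone
    ("192.168.3.10",  "10.20.30.3"),     # POS to phones: no rule, so denied
    ("192.168.50.7",  "192.168.1.5"),    # IoT to an unplanned private address
]

if __name__ == "__main__":
    for src, dst, verdict, path in evaluate(SAMPLE_FLOWS):
        print(f"{src:>14} -> {dst:<14} {verdict:<5} ({path})")
```

Translating this to a router means one "allow to WAN" rule per zone followed by a default deny, with the WAN match written so it excludes every local prefix; an allow rule whose destination is simply "any" would let the IoT zone reach the POS subnet, which is the hole the post warns about.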