LAN access from remote - Have I been hacked?

So I just noticed this mess and wonder how long it's been going on?  Have I been severely compromised? I wonder what information they could have gotten. I am freaking out a bit. I don't even see where I have that port open or where I can close it. HELP!

 

I turned off the UPnP and it seems to have stopped the incoming traffic for now. Geez. Is there a way to block all foreign IP addresses?

 

From log:

[LAN access from remote] from 179.216.163.136:62738 to 192.168.1.2:56349, Friday, Dec 22,2017 12:43:46
[LAN access from remote] from 189.195.127.22:31007 to 192.168.1.2:56349, Friday, Dec 22,2017 12:43:19
[LAN access from remote] from 181.66.79.66:24564 to 192.168.1.2:56349, Friday, Dec 22,2017 12:41:50
[LAN access from remote] from 181.115.141.67:23779 to 192.168.1.2:56349, Friday, Dec 22,2017 12:36:07
[LAN access from remote] from 177.43.83.66:20634 to 192.168.1.2:56349, Friday, Dec 22,2017 12:34:22
[LAN access from remote] from 173.81.48.142:52960 to 192.168.1.2:56349, Friday, Dec 22,2017 12:33:50
[LAN access from remote] from 177.3.67.136:13356 to 192.168.1.2:56349, Friday, Dec 22,2017 12:32:26
[UPnP set event: Public_UPNP_C5] from source 192.168.1.2, Friday, Dec 22,2017 12:28:32
[UPnP set event: Public_UPNP_C3] from source 192.168.1.2, Friday, Dec 22,2017 12:28:32
[LAN access from remote] from 181.49.92.3:36345 to 192.168.1.2:56349, Friday, Dec 22,2017 12:28:15
[LAN access from remote] from 187.10.158.18:23657 to 192.168.1.2:56349, Friday, Dec 22,2017 12:25:05
[LAN access from remote] from 189.34.150.211:7325 to 192.168.1.2:56349, Friday, Dec 22,2017 12:23:06
[LAN access from remote] from 181.115.140.13:28561 to 192.168.1.2:56349, Friday, Dec 22,2017 12:21:04
[LAN access from remote] from 177.17.109.16:36500 to 192.168.1.2:56349, Friday, Dec 22,2017 12:19:40
[LAN access from remote] from 177.72.14.19:47600 to 192.168.1.2:56349, Friday, Dec 22,2017 12:14:02
[LAN access from remote] from 187.103.218.200:41451 to 192.168.1.2:56349, Friday, Dec 22,2017 12:12:45
[LAN access from remote] from 177.18.144.128:22706 to 192.168.1.2:56349, Friday, Dec 22,2017 12:10:46
[LAN access from remote] from 179.104.45.5:10041 to 192.168.1.2:56349, Friday, Dec 22,2017 12:05:43
[LAN access from remote] from 181.28.134.7:5380 to 192.168.1.2:56349, Friday, Dec 22,2017 12:03:58
[LAN access from remote] from 187.70.105.210:57745 to 192.168.1.2:56349, Friday, Dec 22,2017 12:03:38
[LAN access from remote] from 189.169.85.214:27415 to 192.168.1.2:56349, Friday, Dec 22,2017 12:02:24
[LAN access from remote] from 179.232.73.137:38101 to 192.168.1.2:56349, Friday, Dec 22,2017 12:02:21
[LAN access from remote] from 181.188.175.18:49361 to 192.168.1.2:56349, Friday, Dec 22,2017 12:00:06
[LAN access from remote] from 81.34.253.147:56020 to 192.168.1.2:56349, Friday, Dec 22,2017 11:58:37

Model: R6700|Nighthawk AC1750 Smart WiFi Router
Message 1 of 19
IrvSp
Master

Re: LAN access from remote - Have I been hacked?

Might want to look at this thread, https://community.netgear.com/t5/Nighthawk-WiFi-Routers/quot-LAN-access-from-remote-quot-log-entries....

 

UPnP is the culprit. Suspect you have some cameras and they request that be enabled? It is used for remote access to the cameras. Possibly a website is set to connect to them so you can access all of them when not home?

 

I checked some of those remote IP Addresses, Brazil, Peru, S.A.?

 

I could be wrong too.

Message 2 of 19

Re: LAN access from remote - Have I been hacked?

I have one IP camera that I would gladly disable if it means securing my network. I did some IP searching too. Why would my accessing my camera remotely go through Brazil, SA, Asia? Is there any way I can verify that data has not been compromised? How might I tell what that port 56349 is used for? It's not listed as a port open in my router.

Message 3 of 19
IrvSp
Master

Re: LAN access from remote - Have I been hacked?

That port, 56349, is not a well-known port to use, see http://www.adminsub.net/tcp-udp-port-finder/56349 for instance. Probably opened with UPnP I'd assume.

 

What is at 192.168.1.2? That is the one communicating with those web addresses. If a PC, run some virus scans on it.

Message 4 of 19

Re: LAN access from remote - Have I been hacked?

Running now. It's my server.
Message 5 of 19

Re: LAN access from remote - Have I been hacked?

Ran a scan on all my devices. Nothing found. Did a Malware Bytes, Super Antispyware, and full Avira scans. I tried BitDefender but that didn't work out too well. Choked my computer to the point where I had to uninstall.

 

I looked up one of the recent incoming IPs and it says it's an Amazon Corporate IP address.  ????

https://whatismyipaddress.com/ip/54.229.218.178

 

I run no Amazon specific software. Have no Amazon specific devices. Occasionally shop their website on both my computer and phone. No idea why they'd be trying to connect to my computer.

Message 6 of 19
IrvSp
Master

Re: LAN access from remote - Have I been hacked?

No, that isn't really Amazon. It is Amazon AWS, its cloud web server business.

 

Could be anybody? Companies rent that 'space', like IBM, MS, and other companies have cloud services.

 

I'd open TASK MANAGER and see what is running. Google any names you do not know in the PROCESS LIST.

 

Also from a CMD prompt run as ADMINISTRATOR on that machine, run NETSTAT -abfo and look at the output. Specifically for the port.

 

I too use an AMAZON AWS server, for instance:

TCP 192.168.1.30:1764 ec2-34-211-238-217.us-west-2.compute.amazonaws.com:https ESTABLISHED 12468 [firefox.exe]

 

Possible to have a ROOTKIT too I guess? Get GMER (http://www.gmer.net/) and see what it shows...

 

Also use W10's Task Manager (if not on W10 use MSCONFIG) to look at all the STARTUP programs. Google any you don't know.

 

I suspect you have a program you gave permission to share usage details with?

 

On the router, under logging, what items have you checked?

 

Include in Log
Attempted access to allowed sites
Attempted access to blocked sites and services
Connections to the Web-based interface of this Router
Router operation (startup, get time etc)
Known DoS attacks and Port Scans
Port Forwarding / Port Triggering
Wireless access
Automatic Internet connection reset
Turn off wireless signal by schedule

 

Just curious?

Message 7 of 19

Re: LAN access from remote - Have I been hacked?

That port shows up in Netstat info as: (log attached)

[SearchUI.exe] TCP 192.168.1.2:56349 MyComputerName:0 LISTENING 9532

 

Also noticed these two said "can not obtain..."

Can not obtain ownership information TCP 192.168.1.2:49755 DS412:microsoft-ds ESTABLISHED 4
Can not obtain ownership information TCP 192.168.1.2:51105 ec2-52-214-33-245.eu-west-1.compute.amazonaws.com:https CLOSE_WAIT 9468

Process List on TM looks clean.

Startup looks fine.

 

GMER won't run long. I started it, left for 10 minutes and came back to find my PC rebooted. Just ran it again while sitting here. Ran for 3 minutes and then disappeared.

 

Log has all items checked.

:-(

 

Message 8 of 19
IrvSp
Master

Re: LAN access from remote - Have I been hacked?

SEARCHUI is part of Cortana... you use that? I do NOT.

 

See THIS WEB PAGE. If you did a Windows Search it might have come back that way?

 

An explanation of the different connection states is given below:

State: Description

CLOSED: Indicates that the server has received an ACK signal from the client and the connection is closed
CLOSE_WAIT: Indicates that the server has received the first FIN signal from the client and the connection is in the process of being closed
ESTABLISHED: Indicates that the server received the SYN signal from the client and the session is established
FIN_WAIT_1: Indicates that the connection is still active but not currently being used
FIN_WAIT_2: Indicates that the client just received acknowledgment of the first FIN signal from the server
LAST_ACK: Indicates that the server is in the process of sending its own FIN signal
LISTENING: Indicates that the server is ready to accept a connection
SYN_RECEIVED: Indicates that the server just received a SYN signal from the client
SYN_SEND: Indicates that this particular connection is open and active
TIME_WAIT: Indicates that the client recognizes the connection as still active but not currently being used

 

The CAN NOT OBTAIN for PID 4 is normal, that is the System. See https://social.technet.microsoft.com/Forums/windowsserver/en-US/1f7299da-bbb9-4b3f-8df7-2c09ed8bd44c... for instance.

 

Also, check this out, http://www.computerweekly.com/tip/How-to-use-a-netstat-command-in-Windows-to-watch-open-ports, and it will give you hints on how to watch that port, and when it actually shows activity you might be able to connect that with what is running. It also references SYSINTERNAL'S PROCESS MONITOR which could help you, but it is 'technical'.

Message 9 of 19
IrvSp
Master

Re: LAN access from remote - Have I been hacked?

I should add that the PID number, in your case 9532 indicates 'who' is doing it as well. When you open TASK MANAGER, go to the DETAILS tab, SORT on PID, and look for that number (run NETSTAT again as it might change) and it too will tell you who it is.

Message 10 of 19
IrvSp
Master

Re: LAN access from remote - Have I been hacked?

I just looked at your log. Searched for the PORT...

 

TCP    192.168.1.2:80         MyComputerName:0               LISTENING       9532 [Skype.exe]
TCP    192.168.1.2:139        MyComputerName:0               LISTENING       4 Can not obtain ownership information
TCP    192.168.1.2:443        MyComputerName:0               LISTENING       9532 [Skype.exe]

 

Seems it is Skype using that PID? See https://support.skype.com/en/faq/FA148/which-ports-need-to-be-open-to-use-skype-for-windows-desktop. Were you running Skype or did someone 'call' you which could explain the remote access?

Message 11 of 19

Re: LAN access from remote - Have I been hacked?

Thank you for all your help. I really do appreciate how much time you've spent assisting me.

 

I know I had disabled Cortana a long time ago but it seems the recent Win10 update might have activated it again. I just edited my registry only to find it still in Task Manager. I then found a method by renaming the Cortana directory so it can no longer function. Seems to be off now.  Just noticed that now I have no Windows Search/Program Search at all. The magnifying glass or Win + S does nothing.

 

I have only recently started using Skype on this PC.  Bad idea? Does it leave me open to potential issues?

 

Searched Task Manager - Details for that PID and it's not listed.

Doing some research here on what apps to run/scan for issues. Ran ADWcleaner and got this "PUP.Optional.Legacy, Plugin found: __MSG_newtab_chrome_extension_name__ -" --- Although it says removed after reboot, running another scan shows it's still there. Not sure what it is and have little in a Google search.

 

Ran NetStat again (son of a...)

[WDDriveService.exe] TCP 192.168.1.2:56349 Tiamat:0 LISTENING 976
I'm assuming that's the Western Digital crapware that was installed with my new external drive yet won't detect it.

Message 12 of 19
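The check IrvSp walks through in messages 6 to 12 (which process owns a local port in netstat -abfo output, and which outside hosts the PC actually has sessions with), as an added Python example that is not from this thread or from Netgear. The sample output is constructed to mirror the entries posted above; the chrome.exe owner for the CLOSE_WAIT line and the SSDPSRV/svchost.exe entry are assumptions, not values from the thread.

```python
def parse_netstat(text):
    """Parse Windows 'netstat -abfo' output into one record per socket.
    With -b, the owner follows each socket line: optional service names
    (a svchost.exe component, for instance) and then the executable in
    [brackets], or 'Can not obtain ownership information' when netstat
    lacks access (PID 4, the System process, is the usual case)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            records.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                            "state": parts[3] if parts[0] == "TCP" else "",  # UDP has no state column
                            "pid": int(parts[-1]), "exe": None, "components": []})
        elif records and line:
            if line.startswith("[") and line.endswith("]"):
                records[-1]["exe"] = line[1:-1]
            elif not line.startswith("Can not obtain"):
                records[-1]["components"].append(line)
    return records


def port_owners(text, port):
    """Sockets bound to a local port as (proto, state, pid, exe). PIDs change
    between runs, so always pair a fresh netstat capture with this lookup."""
    return [(r["proto"], r["state"], r["pid"], r["exe"])
            for r in parse_netstat(text) if r["local"].rsplit(":", 1)[1] == str(port)]


def foreign_peers(text):
    """Remote endpoints with a live TCP session (anything but LISTENING) and the
    owning exe; loopback peers are skipped. The 'who is my PC talking to' view."""
    return sorted({(r["foreign"], r["exe"] or f"pid {r['pid']}")
                   for r in parse_netstat(text)
                   if r["proto"] == "TCP" and r["state"] != "LISTENING"
                   and not r["foreign"].startswith(("127.", "[::1]"))})


# Constructed sample modelled on the entries posted in this thread
# (chrome.exe and SSDPSRV/svchost.exe owners are assumptions)
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.2:56349      MyComputerName:0       LISTENING       9532
 [SearchUI.exe]
  TCP    192.168.1.2:49755      DS412:microsoft-ds     ESTABLISHED     4
 Can not obtain ownership information
  TCP    192.168.1.2:51105      ec2-52-214-33-245.eu-west-1.compute.amazonaws.com:https  CLOSE_WAIT  9468
 [chrome.exe]
  TCP    192.168.1.2:443        MyComputerName:0       LISTENING       9532
 [Skype.exe]
  UDP    0.0.0.0:1900           *:*                                    2244
  SSDPSRV
 [svchost.exe]
"""

if __name__ == "__main__":
    print(port_owners(SAMPLE, 56349))
    print(foreign_peers(SAMPLE))
```

On a real machine, pipe the output of an elevated `netstat -abfo` into a file and pass its contents to these functions.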
IrvSp
Master

Re: LAN access from remote - Have I been hacked?

If you want to do a search, it appears it uses Cortana. Alternatively you could use SEARCH in a browser. The only time I'll use Cortana to search is for a program on my PC (but I can do that from START menu too, but Cortana will show web options if I don't have the program).

 

Google, https://www.google.com/search?q=PUP.Optional.Legacy%2C+Plugin+found%3A+__MSG_newtab_chrome_extension..., does have a few entries for this... One here, https://forums.malwarebytes.com/topic/208570-pupoptionallegacy-keeps-coming-back/ seems to imply it might be in a cache or cookies in Edge browser???

 

PUPs are basically 'Potentially Unwanted Programs', so it might not even be a problem. Usually those get classified as that because they have Adware components vs. a virus. Probably part of the NEW TAB extension in Chrome?

 

 

Message 13 of 19
IrvSp
Master

Re: LAN access from remote - Have I been hacked?


@SirSoulBrother wrote:

I have only recently started using Skype on this PC.  Bad idea? Does it leave me open to potential issues?

...

Ran NetStat again (son of a...)

[WDDriveService.exe] TCP 192.168.1.2:56349 Tiamat:0 LISTENING 976
I'm assuming that's the Western Digital crapware that was installed with my new external drive yet won't detect it.


No, it doesn't normally. Skype needs to allow outside access if someone should contact you. I guess you could get a problem if someone you don't know (I get women messaging me often and I just ignore and report them) wants you to d/l a program? Don't even respond to anyone you don't know, report them, and never click on a link unless you TRUST the person.

 

I've got a WD External drive too, but not that program? I did have them installed at one time, took them off, to me they were of little value.

Message 14 of 19

Re: LAN access from remote - Have I been hacked?

Attached is my router log from today. I use a Plex Server at port 32400. Occasionally I'll connect to Plex from outside my network but have not done that in over a week. I do not know who is accessing it or what those dropped packets are. This is freaking me out a bit.
Message 15 of 19

Re: LAN access from remote - Have I been hacked?

The 74...112 address is me.... the rest I don't know.

 

see attached

 

Message 16 of 19
IrvSp
Master

Re: LAN access from remote - Have I been hacked?

It seems you were under attack, see https://whatismyipaddress.com/ip/125.212.217.215 for instance.  Ports that it is using are not assigned?  You can use this to search for ports and what they are for, http://wintelguy.com/port-search/.

 

I do see that they ALL are coming into 192.168.1.2:32400. That IS your Plex Server...

 

=============

Search result for: 32400

From: [WP]

Port: 32400
Protocol: tcp/udp
Description: Used for Plex Media Server connections and media streams
Notes: [WP] Unofficial

=====================================

 

54.229.218.178 is still Amazon's AWS. But it too goes to the same 32400 port...

Don't know if this is normal or not, I don't have a Plex Server. However you might find this interesting, https://forums.plex.tv/discussion/76336/plex-security-how-to-avoid-opening-public-port. Might want to take this problem over to that forum as well?

I'd be more worried about this:

===============

[USB device attached] The USB storage device WD My Book 1140 (My Book) is attached to the router, Saturday, Dec 30,2017 07:59:52
[USB device detached] The USB storage device WD My Book 1140 (My Book) is removed from the router, Saturday, Dec 30,2017 07:59:46
[Time synchronized with NTP server] Saturday, Dec 30,2017 06:55:45
[Internet connected] IP address: 74.89.67.112, Saturday, Dec 30,2017 06:55:44

======

Why was the USB drive detaching? Usually this is done on a re-boot of the router and the only time I've seen this is with a power drop (my router is on a UPS but not the USB drive). Of course on a power drop here I've seen some devices stay on with very short drops or lower voltage drops and others stay on (microwave, stove, etc., clocks on them lose time).

 

Message 17 of 19

Re: LAN access from remote - Have I been hacked?

So a recent firmware update seems to have taken care of some of the messages that were concerning me. I no longer seem to get the [Self2WAN ICMP type b Detected!] messages. HOWEVER now I'm getting this in blocks....

 

[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:32:54
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:32:43
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:32:33
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:32:23
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:32:12
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:32:02
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:31:52
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:31:42
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:31:32
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:31:22
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:31:12
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:31:02
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:30:52
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:30:42
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:30:32
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:30:22
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:30:12
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:30:02
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:29:52
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:29:42
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:29:32
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:29:22
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:29:12
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:29:02
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:28:52
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:28:42
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:28:32
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:28:12
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:28:01
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:27:51
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:27:41
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:27:22
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:27:11
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:27:01
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:26:51
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:26:41
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:26:31
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:26:21
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:26:02

 

 

The thing is, I have nothing with that IP address. My IP table in my router is showing up to .15.  What is this?

Message 18 of 19
IrvSp
Master

Re: LAN access from remote - Have I been hacked?

Not hacked... you lost Internet signal from your ISP.

 

Log should have shown you an Internet disconnect before those and an internet connect with your WAN IP Address after those. Router Operation probably needed to be checked in the logging.

 

192.168.100.1 is the IP Address of your router, I know it is for Arris, Surfboard, and Ubee at least. 192.168.100.20 is where your router gets its WAN IP Address from. As you can see every 10 seconds it retries, until it gets the address.

 

If you open your browser to URL 192.168.100.1 you should be able to see the modem's web page. Might need the default UID and PW or admin and password to get in.

 

If an Arris, on the STATUS page (which is where it should open to) you'll see in the middle of the page UPTIME. Calculate back and it will match the time the router logged those entries. Click on the EVENT LOG and you should see the reboot and possibly what caused it. If it happens often, contact your ISP. It is certainly an unusual time, 10:30 at night. Many times, depending on your ISP and how often they update the modem you might see something like this very early in the morning.

 

I'm sure it was a signal drop though, an ISP problem. A reboot caused by some variable like signal to noise or a non-response from the ISP for TOD or DHCP request that can cause the reboot is usually 3 minutes or less.

Message 19 of 19
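An added Python example (not from this thread or from Netgear) that applies the two log readings made in this thread: the Dec 22 log in message 1, where one LAN port is reached by many distinct public addresses right after UPnP set events, and the Mar 29 log in message 17, which message 18 reads as the modem retrying every 10 seconds for its WAN address after the link dropped. The sample lines are copied from the thread; the thresholds (5 distinct sources, 15 second median retry gap) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Netgear router log line: "[event] body, Weekday, Mon DD,YYYY HH:MM:SS"
LINE_RE = re.compile(r"^\[(?P<event>[^\]]+)\]\s*(?P<body>.*?),\s*\w+,\s*"
                     r"(?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})$")
ACCESS_RE = re.compile(r"from (\S+):(\d+) to (\S+):(\d+)")
WAN_RE = re.compile(r"IP address: (\S+)")

def parse(lines):
    """Yield (event, body, datetime) for each well-formed log line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["event"], m["body"], datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")

def triage(lines, min_sources=5, retry_gap=15):
    """Flag (a) a LAN service reached by many distinct public sources, i.e. an exposed
    port, usually a UPnP or forwarded mapping, and (b) repeated 'Internet connected'
    events with a private address, the modem's DHCP retry after a WAN drop (an outage,
    not an intrusion). Thresholds are assumptions, not Netgear values."""
    sources = defaultdict(set)   # (lan_ip, port) -> distinct public source IPs
    upnp_events = 0
    private_wan = []             # timestamps of connects that got a non-global address
    for event, body, ts in parse(lines):
        if event == "LAN access from remote":
            m = ACCESS_RE.search(body)
            if m and ip_address(m[1]).is_global:
                sources[(m[3], int(m[4]))].add(m[1])
        elif event.startswith("UPnP set event"):
            upnp_events += 1
        elif event == "Internet connected":
            m = WAN_RE.search(body)
            if m and not ip_address(m[1]).is_global:
                private_wan.append(ts)
    exposed = {dest: len(ips) for dest, ips in sources.items() if len(ips) >= min_sources}
    private_wan.sort()           # the router lists newest entries first
    gaps = sorted((b - a).total_seconds() for a, b in zip(private_wan, private_wan[1:]))
    wan_retry = None
    if len(gaps) >= 2 and gaps[len(gaps) // 2] <= retry_gap:   # median gap
        wan_retry = {"count": len(private_wan), "median_gap": gaps[len(gaps) // 2]}
    return {"exposed": exposed, "upnp_events": upnp_events, "wan_retry": wan_retry}

# Sample: lines copied from the two logs posted in this thread
SAMPLE = """\
[LAN access from remote] from 179.216.163.136:62738 to 192.168.1.2:56349, Friday, Dec 22,2017 12:43:46
[LAN access from remote] from 189.195.127.22:31007 to 192.168.1.2:56349, Friday, Dec 22,2017 12:43:19
[LAN access from remote] from 181.66.79.66:24564 to 192.168.1.2:56349, Friday, Dec 22,2017 12:41:50
[LAN access from remote] from 181.115.141.67:23779 to 192.168.1.2:56349, Friday, Dec 22,2017 12:36:07
[LAN access from remote] from 177.43.83.66:20634 to 192.168.1.2:56349, Friday, Dec 22,2017 12:34:22
[UPnP set event: Public_UPNP_C5] from source 192.168.1.2, Friday, Dec 22,2017 12:28:32
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:32:54
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:32:43
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:32:33
[Internet connected] IP address: 192.168.100.20, Thursday, Mar 29,2018 22:32:23
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An "exposed" hit is the cue to check the router's UPnP portmap table and port forwarding page for the listed port; a "wan_retry" hit points at the modem's event log and the ISP, as message 18 describes.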