Welcome to the New Fire Discussions
Tell us and our members who you are, what you like and why you became a member of this site.
We welcome all new members and hope to see you around a lot!
TOPIC: I need some unhacking help, please!
#761
11 years 3 months ago
I need some unhacking help, please!
It seems that I've been hacked, and my email is not working properly, among other things.
In going through my network router's syslog file, I find a few repeating patterns from certain IP addresses.
Can anybody help me identify what is going on here, and how I should best address this?
I would be most grateful for the help, as I am trying to complete a large amount of work for the MFMP right now, but instead I'm discovering that my carefully-composed emails are not getting out (sometimes!) and some large percentage (but not all!) are not arriving!
I can see some of the incoming mail in upstream network provider queues, so I know they exist but are not arriving.
Here are a few of the entries from my router's syslog that may be of use:
[INFO] Thu Aug 01 16:13:01 2013 Blocked incoming TCP packet from 208.97.132.231:143 to 10.1.10.36:51206 as ACK received but there is no active connection
[INFO] Thu Aug 01 16:10:55 2013 Blocked incoming TCP packet from 74.125.28.193:443 to 10.1.10.36:56466 as PSH:ACK received but there is no active connection
[INFO] Thu Aug 01 16:28:01 2013 Blocked incoming TCP packet from 208.97.132.231:143 to 10.1.10.36:51206 as RST:ACK received but there is no active connection
[INFO] Thu Aug 01 16:28:00 2013 Blocked incoming TCP packet from 208.97.132.231:143 to 10.1.10.36:51206 as FIN:ACK received but there is no active connection
[INFO] Thu Aug 01 16:28:00 2013 Blocked incoming TCP packet from 208.97.132.231:143 to 10.1.10.36:51206 as PSH:ACK received but there is no active connection
That pattern of messages originated at various times from these IP addresses:
74.125.239.128
208.97.132.231
173.194.79.125
184.73.219.139
157.56.98.80
157.56.98.98
157.56.98.120
I also see blocked outgoing packets, with the following syslog entries:
[INFO] Thu Aug 01 16:05:41 2013 Blocked outgoing TCP packet from 192.168.0.188:49624 to 192.135.198.111:22 as PSH:ACK received but there is no active connection
[INFO] Thu Aug 01 16:04:51 2013 Blocked outgoing TCP packet from 192.168.0.188:51767 to 173.194.79.125:5222 as PSH:ACK received but there is no active connection
[INFO] Thu Aug 01 16:04:48 2013 Blocked outgoing TCP packet from 192.168.0.191:26005 to 157.56.98.120:443 as RST:ACK received but there is no active connection
[INFO] Thu Aug 01 16:22:58 2013 Blocked outgoing TCP packet from 192.168.0.194:56556 to 207.46.11.152:443 as RST:ACK received but there is no active connection
[INFO] Thu Aug 01 16:22:24 2013 UPnP renew entry 255.255.255.255 <-> 10.1.10.36:50601 <-> 192.168.0.188:50601 UDP timeout:-1 'Teredo'
The following IP addresses were being sent packets:
192.135.198.111
173.194.79.125
157.56.98.120
207.46.11.152
Can anybody help me figure out what is happening here, and how I should best address it?
Thanks in advance for any insight you can offer!
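An added example, not from the thread, that parses the two router syslog message formats quoted above ("Blocked incoming/outgoing TCP packet ... no active connection" and "UPnP renew entry ..."), groups the dropped segments by the remote endpoint and its TCP flag set, and lists the UPnP mappings the router keeps renewing. Drops on well-known service ports (IMAP 143, HTTPS 443) with ACK/FIN/RST flags are commonly late segments arriving after the router's NAT state for a finished connection has expired, so grouping by endpoint makes such explained traffic easy to separate from anything that is not; the sample lines are copied from the post and the regexes assume exactly those formats.

```python
import re
from collections import Counter, defaultdict

# Sample entries copied from the router syslog quoted in the post above.
LOG_LINES = [
    "[INFO] Thu Aug 01 16:13:01 2013 Blocked incoming TCP packet from 208.97.132.231:143 to 10.1.10.36:51206 as ACK received but there is no active connection",
    "[INFO] Thu Aug 01 16:28:01 2013 Blocked incoming TCP packet from 208.97.132.231:143 to 10.1.10.36:51206 as RST:ACK received but there is no active connection",
    "[INFO] Thu Aug 01 16:10:55 2013 Blocked incoming TCP packet from 74.125.28.193:443 to 10.1.10.36:56466 as PSH:ACK received but there is no active connection",
    "INFO] Thu Aug 01 16:05:41 2013 Blocked outgoing TCP packet from 192.168.0.188:49624 to 192.135.198.111:22 as PSH:ACK received but there is no active connection",
    "[INFO] Thu Aug 01 16:22:24 2013 UPnP renew entry 255.255.255.255 <-> 10.1.10.36:50601 <-> 192.168.0.188:50601 UDP timeout:-1 'Teredo'",
]

# Stateful-firewall drop: a TCP segment arrived for which the router holds no connection entry.
BLOCKED_RE = re.compile(
    r"Blocked (?P<direction>incoming|outgoing) TCP packet from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"as (?P<flags>[A-Z:]+) received but there is no active connection"
)
# UPnP port mapping the router renewed on behalf of a LAN host (timeout -1 = never expires).
UPNP_RE = re.compile(
    r"UPnP renew entry \S+ <-> [\d.]+:(?P<port>\d+) <-> (?P<lan>[\d.]+):\d+ "
    r"(?P<proto>\w+) timeout:(?P<timeout>-?\d+) '(?P<name>[^']*)'"
)
# Well-known service ports that appear in the thread.
SERVICE_PORTS = {22: "ssh", 143: "imap", 443: "https", 5222: "xmpp"}


def remote_summary(lines):
    """Map each remote (WAN-side) endpoint to a Counter of dropped TCP flag sets.
    For incoming drops the remote host is the source, for outgoing drops the destination.
    re.search also matches the lines whose leading '[' was lost when the post was pasted.
    """
    summary = defaultdict(Counter)
    for line in lines:
        m = BLOCKED_RE.search(line)
        if not m:
            continue
        ip, port = (m["src"], m["sport"]) if m["direction"] == "incoming" else (m["dst"], m["dport"])
        summary[(ip, int(port), SERVICE_PORTS.get(int(port), "unknown"))][m["flags"]] += 1
    return dict(summary)


def upnp_mappings(lines):
    """Return (lan_host, external_port, proto, timeout, name) for every UPnP renewal."""
    return [
        (m["lan"], int(m["port"]), m["proto"], int(m["timeout"]), m["name"])
        for m in map(UPNP_RE.search, lines) if m
    ]
```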
#762
11 years 3 months ago
I need some unhacking help, please!
Umino
What operating system are you using?
If you're using Windows XP or below I strongly suggest upgrading to a newer version of Windows or using Linux, as it's become too insecure for use with an internet connection.
#764
11 years 3 months ago
I need some unhacking help, please!
I am using Windows 7, with auto-updates turned on. I have a metric boatload of software installed, including java and flash, with as many disabled as I can manage at any given time.
I have observed packets outgoing from high port-numbers on my workstation, so I know my workstation itself is infected, among other things.
#765
11 years 3 months ago
I need some unhacking help, please!
You could install the free VirtualBox:
www.virtualbox.org
Put a clean Ubuntu on there and connect via a VPN to send/receive mails.
I think that the Pirate Bay is developing tools to ensure that we get our privacy back. I think that it is important if we are discussing working in a LOS way with private companies given the vested interests in this field.
#766
11 years 3 months ago
I need some unhacking help, please!
Put Ubuntu on there?? bleah. I hate administering Unix, and particularly on a graphics workstation. Ever since BSD3.2, it's been a long downhill slide, and every time one of those old neurons dissolves, my brain breathes a little bit easier.
In any case, it seems that port 50601 is being favored, in case this rings any bells:
[INFO] Thu Aug 01 16:56:48 2013 UPnP renew entry 255.255.255.255 <-> 10.1.10.36:50601 <-> 192.168.0.188:50601 UDP timeout:-1 'Teredo'
[INFO] Thu Aug 01 16:44:01 2013 Above message repeated 20 times
I'm about to turn off UPnP in that router and see what happens next.
#767
11 years 3 months ago
I need some unhacking help, please!
One of those IP addresses (208.97.132.231) is my ISP's mail server. Somebody is interfering with the protocol in-between that and my workstation, presumably from my workstation.
#769
11 years 3 months ago
I need some unhacking help, please!
whois information shows that a number of those IP addresses can be identified with connections known to be active on my LAN, but the reasons for the protocol violations are unclear. After some reconfiguring of my router to block whatever possible holes I could find (like the UPnP protocol being turned on, etc) the amount of malicious-appearing activity has dropped substantially, and email is working at the moment. I'm reasonably confident I'm still hacked, but I may have frustrated one communications hole at least. Hopefully it was the only one this tool uses, but I'd be surprised if it was...
Meanwhile, I guess I'll just have to keep a close eye on all of my syslogs... not much fun!