Help Me Please

[Rich]

Dear Hak 5 Community,

I thought I had a good grasp on internet security. I have Clam X AV which I run on all my machines. I have the following machines two windows 7 laptops. Running avast antivirus. Then two macs one a macbook 13 inch running Tiger and one Mac Mini running snow leopard. I have tried Sophos,kapersky and no infections found. I have been experiencing the worst symptoms and indications of a hacking attack. I have Verizon FIOS as my internet service provider and I was noticing severe loss and slow down in video quality of Verizon video on Demand services. Then just much slower upload and download speeds. It seemed to just clear itself up after I got a firewall on the Network you see though I was never able to successfully add the firewall to the network. I tried to add a Zyxel model USG50 I thought this firewall and intrusion detection detection unit was defective. It would not allow me to assign me IP addresses that were different than 192.168.1.1. Which is the Verizon Actiontec routers default. I assigned a static IP for the WAN that was applied ok and the problem comes to the Lan it will not let me change that IP address. My brother and I have tried a last resort hard reset multiple times. Then we took it back and got a USG 100 supposedly Enterprise class same exact problem. This time before attaching I want to a website called F-Secure and ran all their Virus scans. Still nothing there. The same effect. I am convinced that this is a rootkit on or something along those lines from all the Hak5 shows I have watched. I believe it's the router itself that's infected and infecting and controlling the other computers. It even turns on the webcam on my macbook once or twice. Where does one even begin with an infection like this. Please help me because this is just so insanely off the wall. I Thank All You Guys So Much In Advance :).

[bobbyb1980]

You can't get viruses from watching hak5.

Reinstall windows on all ur machines and try again if you really think theyre infected.

[Rich]

You can't get viruses from watching hak5.

Reinstall windows on all ur machines and try again if you really think theyre infected.

I never said I got the virus from Hak 5 . I have done 35 pass erase on both Macintosh Hard Drives. I have reinstalled their OS twice it seems as soon as they reconnect to the internet they immediately change behavior. The laptop is slower. The other indication is when running Applejack. Applejack is a single user command line interface utility for macs. When I would run it in the past the VRAM and all the Cache. Files would need to rebuilt. In addition all network settings would have to be reconfigured. This is not the case. All the networks are in the computers memory despite running Applejack and resetting the PRAM for you MAC users out there. This is brand new highly erratic behavior and I have had Macs for over 14 years. The same occurs on my G4 tower. In addition despite a perfectly clean install of windows the laptop within turning back on goes right back into it's unusual opening programs. Freezing and these are two brand new toshibas. This is impossible for all five machines to have the same problem. That is why I am please asking for help in recommendations for a network root kit for the Verizon FIOS modem. Please help me with a suggestion.

[Mr-Protocol]

35 pass overwrite is not needed, that just thrashes the drive.

Try the free tool from F-secure called "Blacklight" http://www.f-secure.com/en/web/labs_global/removal/blacklight

Also easyclean http://www.f-secure.com/en/web/labs_global/removal/easy-clean

Also, there seems to be a Mac related thing going around called "Flashback", removal tool: http://www.f-secure.com/weblog/archives/00002346.html

[Infiltrator]

Have you tried running AVAST in Boot-time scan mode? Also, try downloading malwarebyte and Search and Destroy. Another thing you could try is not only formatting your HDD but also wiping off the boot sector, some virus/rootkits will lodge itself in there, instead of the disks itself, so even if you format your hard drive, the infection will still re-occur.

Edited April 22, 2012 by Infiltrator

[Rich]

Thanks so much for your replies in the detail and all the great suggestions. I will try them all and report back on how effective they were. I really hope they fix something. In the questions further well the Verizon Actiontec router despite hard resets with the button in the back. The router becomes unresponsive at times. Even now that I have called Verizon. I have gotten up to the point of starting a tech support case with Verizon. I suspect that the infection is the router because no matter how many resets or how long with out power. The Routers logs stay intact all the way till April. It has never been like this before. When ever I used to reset those routers it would always be a clean reset. Thanks once again for all the suggestions. I am trying them today and I will report back :). You guys are the best.

[Rich]

35 pass overwrite is not needed, that just thrashes the drive.

Try the free tool from F-secure called "Blacklight" http://www.f-secure.com/en/web/labs_global/removal/blacklight

Also easyclean http://www.f-secure.com/en/web/labs_global/removal/easy-clean

Also, there seems to be a Mac related thing going around called "Flashback", removal tool: http://www.f-secure.com/weblog/archives/00002346.html

Thanks Mr.Protocol I have been able to get a negative on the Mac for the Flashback and the Easyclean comes up clean. The weirdest thing is the Blacklight comes up as permissions issue in Windows? It says this needs to be installed as Admin in Windows. I have installed windows clean and the only account I have on each laptop is an Admin account. Just curious if you know of a work around if there are permissions issues for an install on windows 7 premium accounts?

[Rich]

Have you tried running AVAST in Boot-time scan mode? Also, try downloading malwarebyte and Search and Destroy. Another thing you could try is not only formatting your HDD but also wiping off the boot sector, some virus/rootkits will lodge itself in there, instead of the disks itself, so even if you format your hard drive, the infection will still re-occur.

One of the machines has Avast on it. I am doing this now. Once again Thank You for all your advice. I will post my results of your advice. I hope this works out.

[Rich]

One of the machines has Avast on it. I am doing this now. Once again Thank You for all your advice. I will post my results of your advice. I hope this works out.

I tried everything and nothing came up. This is what I am talking about when I talk about unusual behavior. I am going to burn Blacklight to CD since as I mention in this Video the USB stick did not take. My brother has an A plus certification from a long time ago. He was just like do a clean install make sure your Anti-Virus is up to date and do a comprehensive scan. He told me to get CLAM X AV. I love my Brother but, I do not know. I do not know anymore. This problem is pretty recent. This is what I am talking about with the two firewalls/VPN devices. I am sorry the Video is so long and of such poor quality. Here is the link from YouTube http://youtu.be/M8F1VyZRcrQ Thank You All So Very Much in Advance. I really appreciate any feedback you can give me. :)

[digip]

I can't really follow the video, or see what is what, but can you draw for us a topology for the network. Show all conenctions from the ISP to your modem, to the router, firewall, etc, and the other of the connections.

Your WAN IP will be set by the ISP itself from the modem, or should be, so you shouldn't be setting the WAN address. In my mind, it should be setup as such:

modem > firewall > router(if even needed, say wireless for example) > lan workstations. The firewall should be before any other network device except the modem, otherwise, what good is it? From the looks of this, your Zyxel is also a router/gateway, by which, remove the router from the entire scenario??

So that would be modem > Zyxel > workstations unless you need wireless from the router, that would just be another client on the zyxel like the wired workstations.

It doesn't matter that the lan side of both the Zyxel and Router are 192.168.1.1, because their WAN side, will be different and NAT should be in use to take care of that for you, but if you had to, you could make the router a different subnet to segment off the two, or just bridge it which I wouldn't recommend. Especially if you only need the router for wireless, it would be smart to put those devices on a separate subnet.

This is how I would set things up, if the Zyxel Firewall is also a gateway/router itself:

Edited April 23, 2012 by digip

[redhook]

Sounds to me like the issue is on Verizon's end.

and I was noticing severe loss and slow down in video quality of Verizon video on Demand

That is a dead giveaway.

[Rich]

I just called and demanded to speak to a Verizon Supervisor OMFG they are like freaking Nazis. I can not see your Devices do you have one on your network now? Then it goes none of your devices are pingable is it a wireless problem? Then I told him the whole thing was both wired and wireless. I think it's time to leave Verizon. He told me that Verizon is the Superior Premium product. I told him what's the point of paying a premium price for a premium product that does not work!

[Radau]

I didn't see it above so I'll post it here, do the symptoms stay even after disconnection and reboot?

[Rich]

I didn't see it above so I'll post it here, do the symptoms stay even after disconnection and reboot?

Thanks for your reply and yes it does Radu. There is another interesting symptom that the Router sometimes maintains it's settings after it is reset with the reset button. It also is unresponsive when Verizon tried to reset it from their end this is after they have replaced the ONT. I asked for a SECOND replacement router. iF THE PROBLEM STILL IS THE SAME IT'S TIME TO LEAVE VERIZON.

[Radau]

This sure is an odd problem, I can't see how misconfiguration could effect the overall performance of the machine. Yet I also doubt the router itself could be infected, at least I've never heard of anything like that, though it could be an MBR virus. If you do run a Cable modem into a router or firewall/router, perhaps try one machine plugged directly into the modem, while eliminating the router from the equation, if it is a possibility. Another thing you could do is boot up a LiveCD of Ubuntu, Mint, Backtrack, or whatever you want, really. If the problem occurs during a linux live boot, I would stop worrying about it, make them get off their asses and come out to replace everything. Just be sure if you do hardline into the cable modem that you do not leave anything important on the system as you'll pretty much be flying blind as far as firewalls go. If the problem doesn't occur here follow the basic principle that many of us in the hardware world use for troubleshooting, and start adding back the pieces until the problem reoccurs, so that you can isolate it if it's able to be isolated. Hope this helps somewhat. ;)

Edited April 28, 2012 by Radau

[Suren white hat]

Have you tried running AVAST in Boot-time scan mode? Also, try downloading malwarebyte and Search and Destroy. Another thing you could try is not only formatting your HDD but also wiping off the boot sector, some virus/rootkits will lodge itself in there, instead of the disks itself, so even if you format your hard drive, the infection will still re-occur.

Righty said by gray hat, some virus keep on replicating even after u deleting and formating ur drive, recently i encounterd with this issue ..!!and try using the Sophos anti-root kit scanner, its one of the best stuff to remove root kits..guaranteed<a href="www.sophos.com/en-us/products/free.../sophos-anti-rootkit.aspx">Take it</a><br>Thanks,<br>Suren<br>

Edited April 28, 2012 by Suren white hat

[Suren white hat]

Thanks Mr.Protocol I have been able to get a negative on the Mac for the Flashback and the Easyclean comes up clean. The weirdest thing is the Blacklight comes up as permissions issue in Windows? It says this needs to be installed as Admin in Windows. I have installed windows clean and the only account I have on each laptop is an Admin account. Just curious if you know of a work around if there are permissions issues for an install on windows 7 premium accounts?

This software aasks permissions to install The F Secure Black light ??

Which means after installing the Win7 did u joined the computer to domain or workgroup ??

if yes ur system might get a new policy, that prevent u to install the apllication !

and apart from that will u able to install any other softwares ?

Is ur ""admin"" name is the network computer user account name ? i doubt

Log in as User Name "ADMINISTRATOR" password must be blank press Enter ...and then install and Do a Full scan ..! Kill the Rottkit ,..

Dishuum ..!!!! Dishuum..!!!!

[Suren white hat]

Thanks for your reply and yes it does Radu. There is another interesting symptom that the Router sometimes maintains it's settings after it is reset with the reset button. It also is unresponsive when Verizon tried to reset it from their end this is after they have replaced the ONT. I asked for a SECOND replacement router. iF THE PROBLEM STILL IS THE SAME IT'S TIME TO LEAVE VERIZON.

Yeah bro, Its time for Router replacement , Aftr reading whole i think its a issue related with ur router ?

Reset Button UNRESPONSIVE means ? Its not working at all or working at sometimes only ?

I think u better report bro , ok then ask for replacement if it still holds the warranty stuff....or invest smal bucks and purchase better one. i bet its not gonnna take more bucks for us..!!

[Suren white hat]

I can't really follow the video, or see what is what, but can you draw for us a topology for the network. Show all conenctions from the ISP to your modem, to the router, firewall, etc, and the other of the connections.

Your WAN IP will be set by the ISP itself from the modem, or should be, so you shouldn't be setting the WAN address. In my mind, it should be setup as such:

modem > firewall > router(if even needed, say wireless for example) > lan workstations. The firewall should be before any other network device except the modem, otherwise, what good is it? From the looks of this, your Zyxel is also a router/gateway, by which, remove the router from the entire scenario??

So that would be modem > Zyxel > workstations unless you need wireless from the router, that would just be another client on the zyxel like the wired workstations.

It doesn't matter that the lan side of both the Zyxel and Router are 192.168.1.1, because their WAN side, will be different and NAT should be in use to take care of that for you, but if you had to, you could make the router a different subnet to segment off the two, or just bridge it which I wouldn't recommend. Especially if you only need the router for wireless, it would be smart to put those devices on a separate subnet.

This is how I would set things up, if the Zyxel Firewall is also a gateway/router itself:

Great Job bro..a Big kudos..Appreciate ur effort taken bbro ..!!

[Rich]

Thanks Guys. Yeah, it's their connection not the Router. I have to Thank Them for a Router OverNight. Except their service still sucks. That Supervisor Ken his ass never called me back. You guys were better Tech Support than Verizon. Live Free Or Die From A Shitty Ass ISP!

[Rich]

Here's another weird thing. Have you heard of a virus like this. It seems to change content on the web on the fly. Turn wen cams and blue tooth on and off. The final on and off is my Neighbor told me that his router had me connected to him on two laptops now. It was really interesting because in the network profiles of the laptop. I had saved only one network and that is mine and my Neighbor has his passworded. I am going to talk to him more today but, still this is really weird guys. Just looking for any shots in the Dark.

[digip]

Here's another weird thing. Have you heard of a virus like this. It seems to change content on the web on the fly. Turn wen cams and blue tooth on and off. The final on and off is my Neighbor told me that his router had me connected to him on two laptops now. It was really interesting because in the network profiles of the laptop. I had saved only one network and that is mine and my Neighbor has his passworded. I am going to talk to him more today but, still this is really weird guys. Just looking for any shots in the Dark.

Sounds more like you have someone in the neighborhood, who is hacking into your networks, possibly changing DNS or doing redirects like MITM stuff. Verizon modems are often wireless AP's as well, is yours? If so, reset it and logon to it to change the admin interface password(as you should on all hardware they send to you). It should still connect back to them based on its MAC address being in their white listed pool of hardware addresses. You can also setup static entries in ARP for your router and workstations, so no one can MITM your connections, as well as run arpwatch to see if anyone tries tampering with your gateway. If they try to MITM your connection, arpwatch will alert you that your gateway MAC address has changed. Under linux I think it might be arpwatch-ng, but either way you should be able to apt-get install arpwatch. Not sure on MAC and Windows versions, but you could build it from source I guess. I know Adrian (IronGeek) had made a tool for windows that did kind of the same thing but I forget the name of his tool.

[Rich]

Sounds more like you have someone in the neighborhood, who is hacking into your networks, possibly changing DNS or doing redirects like MITM stuff. Verizon modems are often wireless AP's as well, is yours? If so, reset it and logon to it to change the admin interface password(as you should on all hardware they send to you). It should still connect back to them based on its MAC address being in their white listed pool of hardware addresses. You can also setup static entries in ARP for your router and workstations, so no one can MITM your connections, as well as run arpwatch to see if anyone tries tampering with your gateway. If they try to MITM your connection, arpwatch will alert you that your gateway MAC address has changed. Under linux I think it might be arpwatch-ng, but either way you should be able to apt-get install arpwatch. Not sure on MAC and Windows versions, but you could build it from source I guess. I know Adrian (IronGeek) had made a tool for windows that did kind of the same thing but I forget the name of his tool.

Thanks. Yes, unfortunately the Verizon POS router is a complete Wireless Acess Point Router MOCA Modem POS if you know what I mean. That's for the heads up. I am convinced something else here is going on too. I though as per my brother's suggestion I finally found a Mac route kit remover. I can never get the Mac system processes to open properly. This is what OS X Rootkit Hunter comes up with it that it will not let me see those back ground processes. No matter what.

Performing malware checks

Checking running processes for suspicious files [ None found ]

Checking for hidden processes [ Skipped ]

Checking for login backdoors [ None found ]

Checking for suspicious directories [ None found ]

Checking for sniffer log files [ None found ]

Performing system configuration file checks

Checking for SSH configuration file [ Found ]

Checking if SSH root access is allowed [ OK ]

Checking if SSH protocol v1 is allowed [ Warning ]

The SSH configuration option 'Protocol' has not been set.

Checking for running syslog daemon [ Found ]

Checking for syslog configuration file [ Found ]

Checking if syslog remote logging is allowed [ Warning ]

Syslog configuration file allows remote logging: install.* @127.0.0.1:32376

Performing filesystem checks

Checking /dev for suspicious file types [ Warning ]

Suspicious file types found in /dev:

/dev/fd/6: data

/dev/fd/7: data

/dev/fd/8: Mach-O bundle i386

Checking for hidden files and directories [ Warning ]

Hidden file found: /usr/share/man/man5/.rhosts.5: troff or preprocessor input text

The IP address does not match up either. I am sure you guys are right. Now, fixing this freaking mess. Thanks a million again. Finally no wonder why I was having so much trouble. Thanks.

[digip]

Slightly off/on topic, but does anyone know of a live linux disc for scanning MAC systems? I know you can do it for windows, but for me, it would make sense to scan the disk while not running OSX, so you can work without anything blocking you and scan for malware. Either that, or backup your important info, and nuke the MAC system, start fresh just to be safe.

Here is another thing to look into though. If the Modem is wireless and you already have another router, do you need the Verizon wireless modem part on as well? Disable the wireless on the modem, see what happens with speeds. If they still go funky, something else might be amiss, but I think we are still somewhat in the dark on everything. This is why I asked for a topology of your network. How they are linked together, what each device does(wifi vs wired or both), and what setup is on each router, such as do you allow 802.11B in the mix, which if so, will automatically slow down any wireless if one of the devices is using B. Disable b and only use G or N if capable on other devices. Also, make sure no interference is causing network trouble, both with the wireless and the wired setups. Make sure to use proper Cat5e or Cat6 cables and not running over any electrical outlets or near noisy electrical devices, power chords, etc. There are so many things that can slow down a network, it might not be any of the hardware, but more in the setup, configuration, or even wiring or wifi interference. A cordless phone for example sitting near the router for example or more than one wireless device on the same channel as yours nearby. I'm not convinced its malware either, but you never know.

One thing you can try though, is add OpenDNS to your routers and hard code in your workstations, just one more layer to tie down that might help eliminate DNS hijacking/hacking just in case. Make sure all wireless is on at least WPA2, and if not needed, disable the wifi on the router(s) all together.

Edited April 29, 2012 by digip

[Rich]

Ok Guys when you guys asked me to draw a network diagram I only skipped that step out complete frustration and troubleshooting those past two nights. Here is how I have my network setup because it has to be this way as per Verizon's design. This router is the first device in the network. It is the Access Point,Router,Gateway and Wireless Access Point. That is the Actiontec model MI424-WR-Rev.E. I then after all those problems directly connected my laptop to Verizon AP. The connection is a direct Ethernet connection no switches or firewall in the way. In fact tomorrow I am downloading spice works just to see before I shut down wireless if anything ellse is on the Network. I am really curious if their is some freaking leeching. I really thank you guys for all the advice. I think the crucial and best advice is to shut off the wireless and lock it down I guess Mac address authentic is the best I can do. I do have the wiireless security set to WPA2 and that surprises me even more because that is the best security I can get. I like your idea of the NUKE cd and basically this falls back on Verizon. I will definitely follow your advice but, three direct ethernet connect laptops to Verizon's AP router and it's still slow it has to be them.