
Rich


Posts posted by Rich

  1. Oh, I have washed my hands of this as of now. I have given him both my laptop and Mac Mini to see about the rootkit hidden malicious files, the remote login and detected system changes, etc. I will just let him take it from here. I can honestly live without those two computers anyway. When I get them back, and if I get them back, this will finally get a resolution to all of this; if not, carry on.

  2. I am also having a friend come in and take a look at my neighbor's captures as well. I had him run Wireshark as well. He was able to run his uninterrupted, though. The file is an insane 980-something megs, almost a gig. That is, being as obsessed as I am with this, he was my best option. He knows a lot about computers too. He is nowhere near you though, DigiP. I am just glad that he was willing to help me. He did it because of that one day the Roku connected to his wireless network. He wants to know what's going on too now. He's a cop too, so hopefully if he asks around he can find someone in law enforcement to check his stuff out. My main concern was I didn't want him to think it was me at all. He has photos of his kids and things, so he's kind of upset. He really wants to know for sure. Thanks again, DigiP.

  3. Finally, I found the latest version of Rootkit Hunter and it picked up remote logging enabled. I locked down the Actiontec router as best as that model allows. UPnP was turned off, and then I disabled remote login for diagnostics or pings. Then Rootkit Hunter picked up this. There are no viruses detectable via Intego or this either. This also warns of hidden files, but how do I get to them and get rid of them? Do any of you guys know what type of virus this is, that it is able to go through both the Mac's firewall and Intego when I set it to no internet traffic at all? I am going to proceed as planned with the Wireshark captures. UPnP is turned off, and the other wireless traffic should be no apps running. Thanks so much for helping me, DigiP especially. This is turning into Sherlock Holmes vs. Moriarty on the MITM attacks or something. This is like something out of a movie. Here is the link to the Mac screen selection. https://www.dropbox.com/sh/ji7hm4ijktw9hmm/WNCn3_KtrU/RemLoggingAllowed.tiff

    Here are some more caps. I hope this shows some way to get rid of these issues. http://dl.dropbox.com/u/78931026/QWE

  4. Thanks so much, DigiP. I really appreciate this. I am going to see what else shows up with completely no apps.

  5. 114MB pcap... lol. Good stuff. However, not sure how you created it, but I can't open it in Wireshark or NetworkMiner.

    From the looks of it, almost everything in there is you on Google or Microsoft (update probably). I can only get so far down in the file though and it craps out on me. 114MB is a bit large for a text doc, but if it was in a normal pcap format, Wireshark shouldn't have any issue opening it. Did you by chance use tcpdump to create this? Seems like it's truncating the data, and just showing a small portion of it.

    edit:

    I see 1712 entries for "169.254.1.165" and 1350 for the broadcast "169.254.1.255", which makes it seem like you have DHCP issues, or you are disconnecting and reconnecting to get on/off the router (like starting or stopping the NIC). 169.254.x.x is an APIPA address, which means it's internal only and can't reach the internet. Your machine will usually assign itself an address in this range when it can't reach a DHCP server to get a valid lease.

    By the way, when I mentioned this before, I meant let it run without visiting sites or doing anything, so any traffic generated by something malicious on the system would be easier to see. Right now I'm filtering you visiting MSDN blogs, Google and live.com, etc.

    I didn't see anything malicious looking in it. Roku seems to be doing SSDP stuff though, and generally it's best to disable this on the router, as you can gain info from them via the internet with specially crafted packets. In general, disable UPnP and SSDP.

    Thanks so much, DigiP. I really appreciate this. I am going to see what else shows up with completely no apps.

  6. If you think a machine has been compromised, don't waste time trying to get someone to fix it. You would be better off wiping it and reinstalling fresh. More than likely, that's all a local shop would do, and they would charge you for it when you could do it yourself. What you should do though is MITM the traffic and see where the data is truly going. Look up the IP addresses of the places you think Firefox and your email are connecting to.

    You could even just run Wireshark locally on the machine you think is infected. Just run it while no other programs are open and let it run for a while. If there is something nefarious happening, and you have no other internet programs running, you should start to see some traffic. I imagine most of it will just be ARP and SMB stuff, but if you see anything going to the outside internet, log all of it and upload it somewhere so that we can take a look at the pcap file to see if it truly is malicious, or just normal traffic.

    Thanks. Here is a plain-text capture; I saw some encrypted requests. I tried to get this so much cleaner. I am sorry this is like this. I wish I knew how to make this so much easier to read. Thanks so very much, guys, once again. http://dl.dropbox.com/u/78931026/Plain%20Text%20Capture
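    DigiP's two suggestions above (post 5: look at who the 169.254.x.x and SSDP traffic belongs to; post 6: capture with nothing running and see what still talks to the outside) can be turned into a first-pass script. The Python below is an added example written for this page, not anything from the thread: using only the standard library it parses a classic pcap, counts packets per source, and flags link-local (APIPA) sources, SSDP discovery sent to 239.255.255.250:1900, and packets addressed to public internet hosts. The capture it reads is built inline from made-up MACs and IPs, and it refuses anything that is not a real pcap, which is the first thing to check when a capture file will not open.

```python
"""Idle-capture triage: parse a classic pcap, count who is talking, and flag link-local
(169.254.x.x) sources, SSDP discovery, and packets leaving for the public internet.
Added example; the capture it parses is constructed below, not the poster's file."""
import ipaddress
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_TCP, PROTO_UDP = 6, 17
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet/IPv4 frame with a minimal UDP or TCP (SYN) header.
    Checksums stay zero: this builds sample input, not traffic to put on a wire."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    elif proto == PROTO_TCP:      # data offset 5 (20-byte header), SYN flag
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    else:
        raise ValueError("only UDP and TCP are built here")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + l4


def build_pcap(frames):
    """Little-endian classic pcap: 24-byte global header, then 16-byte record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap_bytes):
    """Yield raw frames; reject anything that is not a classic Ethernet pcap."""
    if len(pcap_bytes) < 24:
        raise ValueError("too short to be a pcap")
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:     # the same magic written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng or a text export?)")
    linktype, = struct.unpack(end + "I", pcap_bytes[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet frames, got linktype %d" % linktype)
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        yield frame
        off += incl_len


def parse_ipv4(frame):
    """(src, dst, proto, sport, dport, payload) for an IPv4 frame, else None (ARP etc.)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ipaddress.IPv4Address(frame[26:30])
    dst = ipaddress.IPv4Address(frame[30:34])
    l4 = frame[14 + ihl:]
    sport = dport = None
    payload = b""
    if proto == PROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[8:]
    elif proto == PROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]
    return src, dst, proto, sport, dport, payload


def triage(pcap_bytes):
    """Per-source packet counts plus the findings worth explaining in an idle capture."""
    talkers, findings = Counter(), Counter()
    for frame in iter_frames(pcap_bytes):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, proto, sport, dport, payload = parsed
        talkers[str(src)] += 1
        if src.is_link_local:                        # 169.254.0.0/16: self-assigned, no DHCP lease
            findings[("apipa-source", str(src))] += 1
        if proto == PROTO_UDP and dport == SSDP_PORT and str(dst) == SSDP_GROUP:
            verb = payload.split(b" ", 1)[0].decode("ascii", "replace")
            findings[("ssdp", str(src), verb)] += 1
        if dst.is_global and not dst.is_multicast:   # leaves the LAN: resolve it and explain it
            findings[("external", str(src), "%s:%s" % (dst, dport))] += 1
    return talkers, findings


def sample_capture():
    """Constructed idle capture: an APIPA host broadcasting NetBIOS name queries, a Roku-like
    box doing SSDP, a laptop doing DNS to the router and one TLS connection out. All made up."""
    apipa = ("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "169.254.1.165", "169.254.1.255")
    nbns = b"\x00\x01\x01\x10\x00\x01" + b"\x00" * 6 + b"\x20" + b"A" * 32 + b"\x00\x00\x20\x00\x01"
    msearch = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
               b"MAN: \"ssdp:discover\"\r\nMX: 3\r\nST: ssdp:all\r\n\r\n")
    frames = [
        build_frame(*apipa, PROTO_UDP, 137, 137, nbns),
        build_frame(*apipa, PROTO_UDP, 137, 137, nbns),
        build_frame("b8:3e:59:aa:bb:cc", "01:00:5e:7f:ff:fa", "192.168.1.50", SSDP_GROUP,
                    PROTO_UDP, 50000, SSDP_PORT, msearch),
        build_frame("00:11:22:33:44:66", "aa:bb:cc:dd:ee:01", "192.168.1.10", "192.168.1.1",
                    PROTO_UDP, 51000, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),
        build_frame("00:11:22:33:44:66", "aa:bb:cc:dd:ee:01", "192.168.1.10", "8.8.8.8",
                    PROTO_TCP, 52000, 443),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    talkers, findings = triage(sample_capture())
    for ip, n in talkers.most_common():
        print("%-16s %d packets" % (ip, n))
    for key, n in sorted(findings.items()):
        print(n, *key)
```

    Point it at a real file with `triage(open("idle.pcap", "rb").read())`. A healthy idle capture has no "apipa-source" entries; every "external" entry should resolve to something you can name (update servers, a mail provider), and SSDP from a media box is expected on the LAN but is the reason to keep UPnP/SSDP off on the router's WAN side.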

  7. Thanks, guys. Yeah, it's their connection, not the router. I have to thank them for a router overnight. Except their service still sucks. That supervisor Ken, his ass never called me back. You guys were better tech support than Verizon. Live Free Or Die From A Shitty Ass ISP!

    I have officially even contacted via e-mail a Mr. Miko Hypponen, who has his e-mail address online. He runs F-Secure and I have tried all his products. I got Intego's VirusBarrier and it was with that I saw something truly interesting. Intego's VirusBarrier and firewall shows you which ports and apps are open, for noobs like me, in an easy GUI. I caught Mail opening on its own, Firefox opening on its own. They all would run in the background, open up port 443, and when I would block that port with a program, another program would open trying again. Mr. Hypponen said there is no concrete help he can give me from there. He suggests that I take it to a local computer shop and try for their help. I am asking, please, if any of you guys know of a reputable place online that can do this, because locally I know of no one that can handle something like this. Thank you once again in advance.

  8. WELCOME TO HACKING: SOCIAL NETWORKING

    Thank you all for viewing this article, for this is very important for ANY hacker/penetration tester looking to exploit social networking.

    Let's start out with where many hackers/penetration testers get stuck when it comes to hacking these networks.

    1. There is no perimeter!
    2. There are thousands of servers!
    3. Phishing is outdated, and will soon be gotten rid of by social networks!

    This is VERY common with hackers/penetration testers, because hacking is usually about phishing, hash cracking, and TCP/HTTP trafficking.

    But with social networks it is a whole different kind of system; in reality social networking is nothing more than an online application.

    So, think back to your days of learning HTML, Java, C, C++, PHP. As you know, you can tell the machine/compiler to do ANYTHING you wanted as long as you knew how to do it, correct?

    Well, social networking works the exact same way! But you need to understand HOW to use a database.

    I'm going to use a simple example, Google/YouTube, the easiest ones to exploit. What I want you to do is log in to your account on YouTube.

    Look at the top where it says matchid. That is the ID of the profile and the session (as you SHOULD know), so what does this mean? ALL SOCIAL NETWORKING IS CODE INJECTABLE!

    Yes, that is true! In EVERY social network there is a session AND profile ID that is viewable to the public. Your job as a penetration tester/hacker is to know how to get the session/profile ID so you can code inject it into the website.

    So, it's time to start thinking like a computer scientist. I'm going to use my YouTube example to show you how it works, so your profile has a ?feature=guide at the end of http://www.youtube.com/user/whateveryournameis. And it doesn't show ?feature=guide on other profiles, so that must mean ?feature=guide is the gateway to the session ID and the profile ID.

    There you will find his/her session and profile ID, and you can use things like Greasemonkey to exploit the ID. Alright, now that you have an understanding of how to do it, I want you to review these steps in order to apply them to other places than YouTube. Here's a list of things I want you to try.

    • Log in to your account and look at the source of your profile.
    • Compare your source to the victim's source.
    • Find out what is different until you have found the IDs.
    • Find a way to replace the victim's ID by finding the admin ID for the profile and editing the source code in things like Notepad, Microsoft Word, etc.
    • Once you've found the admin ID and replaced the victim's ID with your admin ID, keep all other HTML as the victim's profile.
    • Load the code and HTML into a code injector.

    Thank you for reading! Post something that YOU'VE discovered for other social networks. I've found many, including Facebook, YouTube, Google, Yahoo, etc. But as you know, I'm not a script kiddie trainer.

    I found it also helps if you control the ISP. LOL. Then you beat the second device authentication by controlling the other device. All of which is illegal.

  9. This software asks permission to install the F-Secure BlackLight??

    Which means, after installing Win7, did you join the computer to a domain or workgroup??

    If yes, your system might have gotten a new policy that prevents you from installing the application!

    And apart from that, are you able to install any other software?

    Is your "admin" name the network computer user account name? I doubt it.

    Log in as user name "ADMINISTRATOR", password must be blank, press Enter... and then install and do a full scan! Kill the rootkit...

    Dishuum..!!!! Dishuum..!!!!

    How did I miss your reply? I am sorry. I tried this and it did not work. I appreciate it anyway.

  10. My name is Rich and I am happiest when I am around technology. Unfortunately I cannot get the best tech anymore due to budget constraints, but I really appreciate all the help you guys have given me on the Hak5 forums. I look forward to things changing soon. I would love to attend a hacker conference, just to meet and greet people. I would really like that. I was wondering, is there anything coming up soon this summer in the NY area? I appreciate you guys helping anyway, even if there is nothing coming up soon.

  11. Do you have admin access on the FiOS router? Log on and take a look at the network settings. Make sure they don't have some weird MTU set, or QoS settings interfering. Also, depending on the model, many of the old FiOS Actiontec routers had a backdoor admin port. Newer ones are locked down now, but the old ones had pre-set, standard passwords, and if someone got in over wireless, they could definitely be leeching off your modem. Most of the FiOS router/modem combos are 10/100/1000 too, so you shouldn't be seeing slow speeds unless you've got faulty cables, or the router itself is misconfigured in some manner, or has been hacked, like DNS hijacking. This is going back a few years too, so hopefully you don't have one of these that got whacked - http://www.ozzu.com/hardware/verizon-fios-actiontec-router-vulnerabilities-t100925.html

    Is the WPA2 password on their modem/router set by Verizon, or yourself? If they set the password, log on or reset the device and change it to your own password. And I agree on the double router; having two NATs can be an issue with speeds, but I would take advantage of having the ability of two separate subnets instead of bridging them, just for the sake of separating two wireless LANs. But if it's not needed, disable wireless on the second or first device, preferably on the first device in line, and also disable WIPS on both wireless devices, as well as UPnP.

    Yes, I do have admin access, and Verizon is refusing to help with any of my security concerns. Mine, thank God, is not an old Actiontec, but it just got a firmware change mysteriously. Here is its current revision: E model running F firmware. Here are some of the recent settings I captured. The best part, guys, is that the Nintendo Wii, PlayStation 3 and my Roku box are set up as Wi-Fi hotspots. How do I know? I have an Indian friend who came over and he told me that this is how, no matter how many times you clean your laptops or computers, the virus just will come back, because they will always get out and connect to someone else's router. Then I was told by the Verizon rep that he can do nothing for me but change my password, when I have the WPA2 protocol in place. Then I turned off UPnP. I am still amazed at what is going on here. Here are some captured settings on how a Revision E router just turned into a Revision F. I all of a sudden have WIRELESS N, NOT G! WTF!

    Firmware Version: 20.19.8

    Model Name: MI424WR-GEN2

    Hardware Version: F

    Serial Number: CSJF0291202590

    Physical Connection Type: Coax

    Broadband Connection Type: DHCP

    Broadband Connection Status: Connected

    Broadband IP Address: 173.77.161.176

    Subnet Mask: 255.255.255.0

    Broadband Mac Address: 00:26:62:70:14:C7

    Default Gateway: 173.77.161.1

    DNS Server: 68.237.161.12, 71.250.0.12

    Name Network (Home/Office) Ethernet Broadband Connection (Ethernet) Coax Broadband Connection (Coax) Wireless Access Point WAN PPPoE WAN PPPoE 2

    Status Connected Connected Disabled Connected Connected Connected Disabled Disabled

    Network Network (Home/Office) Network (Home/Office) Broadband Connection Network (Home/Office) Broadband Connection Network (Home/Office) Broadband Connection Broadband Connection

    Underlying Device Ethernet

    Wireless Access Point

    Coax

    Coax Stats Broadband Connection (Ethernet) Broadband Connection (Coax)

    Connection Type Bridge Hardware Ethernet Switch Ethernet Coax Coax Wireless 802.11n Access Point PPPoE PPPoE

    MAC Address 00:26:62:70:14:c3 00:26:62:70:14:c4 00:26:62:70:14:c6 00:26:62:70:14:c5 00:26:62:70:14:c7 00:26:62:70:14:c8

    IP Address 192.168.1.1 173.77.161.176

    Subnet Mask 255.255.255.0 255.255.255.0

    Default Gateway 173.77.161.1

    DNS Server 68.237.161.12, 71.250.0.12

    IP Address Distribution DHCP Server Disabled Disabled Disabled Disabled Disabled

    Service Name

    User Name verizonfios verizonfios

    Received Packets 1753 1474 93 798 186

    Sent Packets 1638 2645 609 833 249

    Received Bytes 348951 295699 47356 210918 39654

    Sent Bytes 1139895 1287337 134352 626824 70356

    Receive Errors 0 0 0 0 0

    Receive Drops 0 0 0 0 0

    Time Span 0:06:25 0:06:25 0:06:25 0:06:25 0:02:25

    Channel 1150 MHz 1000 MHz

  12. OK, guys, when you asked me to draw a network diagram I only skipped that step out of complete frustration and troubleshooting those past two nights. Here is how I have my network set up, because it has to be this way as per Verizon's design. This router is the first device in the network. It is the access point, router, gateway and wireless access point. That is the Actiontec model MI424-WR Rev. E. I then, after all those problems, directly connected my laptop to the Verizon AP. The connection is a direct Ethernet connection, no switches or firewall in the way. In fact, tomorrow I am downloading Spiceworks just to see, before I shut down wireless, if anything else is on the network. I am really curious if there is some freaking leeching. I really thank you guys for all the advice. I think the crucial and best advice is to shut off the wireless and lock it down; I guess MAC address authentication is the best I can do. I do have the wireless security set to WPA2, and that surprises me even more, because that is the best security I can get. I like your idea of the NUKE CD, and basically this falls back on Verizon. I will definitely follow your advice, but with three laptops directly Ethernet-connected to Verizon's AP router and it's still slow, it has to be them.

  13. Sounds more like you have someone in the neighborhood who is hacking into your networks, possibly changing DNS or doing redirects like MITM stuff. Verizon modems are often wireless APs as well; is yours? If so, reset it and log on to it to change the admin interface password (as you should on all hardware they send to you). It should still connect back to them based on its MAC address being in their whitelisted pool of hardware addresses. You can also set up static entries in ARP for your router and workstations, so no one can MITM your connections, as well as run arpwatch to see if anyone tries tampering with your gateway. If they try to MITM your connection, arpwatch will alert you that your gateway MAC address has changed. Under Linux I think it might be arpwatch-ng, but either way you should be able to apt-get install arpwatch. Not sure on Mac and Windows versions, but you could build it from source I guess. I know Adrian (IronGeek) had made a tool for Windows that did kind of the same thing, but I forget the name of his tool.

    Thanks. Yes, unfortunately the Verizon POS router is a complete wireless access point router MoCA modem POS, if you know what I mean. Thanks for the heads up. I am convinced something else here is going on too. I thought, as per my brother's suggestion, I finally found a Mac rootkit remover. I can never get the Mac system processes to open properly. This is what OS X Rootkit Hunter comes up with: it will not let me see those background processes, no matter what.

    Performing malware checks

    Checking running processes for suspicious files [ None found ]

    Checking for hidden processes [ Skipped ]

    Checking for login backdoors [ None found ]

    Checking for suspicious directories [ None found ]

    Checking for sniffer log files [ None found ]

    Performing system configuration file checks

    Checking for SSH configuration file [ Found ]

    Checking if SSH root access is allowed [ OK ]

    Checking if SSH protocol v1 is allowed [ Warning ]

    The SSH configuration option 'Protocol' has not been set.

    Checking for running syslog daemon [ Found ]

    Checking for syslog configuration file [ Found ]

    Checking if syslog remote logging is allowed [ Warning ]

    Syslog configuration file allows remote logging: install.* @127.0.0.1:32376

    Performing filesystem checks

    Checking /dev for suspicious file types [ Warning ]

    Suspicious file types found in /dev:

    /dev/fd/6: data

    /dev/fd/7: data

    /dev/fd/8: Mach-O bundle i386

    Checking for hidden files and directories [ Warning ]

    Hidden file found: /usr/share/man/man5/.rhosts.5: troff or preprocessor input text

    The IP address does not match up either. I am sure you guys are right. Now, fixing this freaking mess. Thanks a million again. Finally, no wonder why I was having so much trouble. Thanks.
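    DigiP's suggestion of static ARP entries plus arpwatch (post 13) and the "is anything else on the network" question (post 12) can both be checked passively from ARP traffic alone. The Python below is an added example written for this page, not arpwatch or IronGeek's tool: it parses ARP frames, keeps the IP-to-MAC table with the gateway entry pinned the way a static `arp -s` entry would be, lists every station that has spoken, and alerts when a reply tries to move the gateway's IP to a different MAC, which is what an ARP-spoofing MITM on the LAN looks like from the victim's side. The frames are constructed inline; the gateway MAC is borrowed from the router status posted above purely as an illustration, and every other address is made up.

```python
"""Gateway guard in the spirit of arpwatch: parse ARP frames, keep an IP-to-MAC table with
the gateway pinned (as a static `arp -s` entry would be), and alert when a reply tries to
move the gateway's IP to another MAC. It also lists every station that has spoken.
Added example; the frames fed to it are constructed below, not a live capture."""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def _mac_text(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Ethernet/ARP frame for sample input. eth_src defaults to sender_mac; pass a different
    value to model a frame whose Ethernet source and ARP sender hardware address disagree."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = _mac_bytes(eth_dst) + _mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet, IPv4, 6-byte MAC, 4-byte IP
    arp += _mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += _mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """ARP fields of an Ethernet/IPv4 ARP frame, or None for any other frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": _mac_text(frame[6:12]),
        "sender_mac": _mac_text(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": _mac_text(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


class ArpWatch:
    """IP -> MAC table fed from ARP traffic. Pinned entries (the gateway) are never
    overwritten; a sender claiming a pinned IP with a different MAC raises an alert."""

    def __init__(self, pinned=None):
        self.table = dict(pinned or {})
        self.pinned = set(self.table)
        self.alerts = []

    def feed(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:                     # crafted frame: L2 source != ARP sender
            self.alerts.append(("eth-src-mismatch", ip, arp["eth_src"], mac))
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            self.alerts.append(("new-station", ip, mac))
        elif known != mac and ip in self.pinned:
            self.alerts.append(("pinned-mac-changed", ip, known, mac))   # the MITM signature
        elif known != mac:
            self.alerts.append(("flip-flop", ip, known, mac))
            self.table[ip] = mac

    def hosts(self):
        return sorted(self.table.items())


def replay_sample():
    """Constructed LAN: a station ARPs for the gateway and the real gateway answers, a second
    station appears, then a third MAC sends an unsolicited reply claiming the gateway's IP."""
    gw_ip, gw_mac = "192.168.1.1", "00:26:62:70:14:c3"
    laptop, roku, rogue = "00:11:22:33:44:66", "b8:3e:59:aa:bb:cc", "de:ad:be:ef:00:01"
    watch = ArpWatch(pinned={gw_ip: gw_mac})
    for frame in (
        build_arp(ARP_REQUEST, laptop, "192.168.1.10", "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, laptop, "192.168.1.10"),
        build_arp(ARP_REQUEST, roku, "192.168.1.50", "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, rogue, gw_ip, laptop, "192.168.1.10"),
    ):
        watch.feed(frame)
    return watch


if __name__ == "__main__":
    w = replay_sample()
    for ip, mac in w.hosts():
        print("%-15s %s%s" % (ip, mac, "  (pinned)" if ip in w.pinned else ""))
    for alert in w.alerts:
        print("ALERT", *alert)
```

    On a real host you would feed `feed()` from a raw socket or from frames pulled out of a pcap, and pin the gateway with the MAC you read off the router's own status page, not one learned from the network. A "pinned-mac-changed" alert is the event to act on; "new-station" entries are your inventory of what is actually on the LAN.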

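    Rootkit Hunter's "syslog remote logging is allowed" warning (posts 3 and 13 above) fires on any action that begins with "@"; the line it quoted, install.* @127.0.0.1:32376, points at 127.0.0.1, and a loopback destination never leaves the machine. The Python below is an added example, not part of rkhunter: it parses syslog.conf rules, handles the BSD/macOS "@host[:port]" (UDP) form and rsyslog's "@@host" (TCP) form, and separates loopback and local-file destinations from real off-box forwarding. The configuration it audits is constructed; only the install.* line is taken from the output above.

```python
"""syslog.conf audit: report only the log destinations that actually leave this host.
Added example; SAMPLE_CONF is constructed, apart from the install.* line quoted in the thread."""
import ipaddress


def classify_action(action):
    """Return (kind, target, port) where kind is local, loopback, udp-remote or tcp-remote."""
    a = action.strip()
    if a.startswith("@@"):                 # rsyslog: forward over TCP
        kind, target = "tcp-remote", a[2:]
    elif a.startswith("@"):                # BSD syslogd / rsyslog: forward over UDP
        kind, target = "udp-remote", a[1:]
    else:
        return ("local", a, None)          # file, pipe, tty, user list or "*"
    host, port = target, "514"
    if host.startswith("["):               # [v6addr]:port
        host, _, rest = host[1:].partition("]")
        if rest.startswith(":"):
            port = rest[1:]
    elif host.count(":") == 1:             # host:port or v4addr:port
        host, _, port = host.partition(":")
    try:
        if ipaddress.ip_address(host).is_loopback:
            kind = "loopback"
    except ValueError:                     # a hostname, not an address
        if host.lower() == "localhost":
            kind = "loopback"
    return (kind, host, port)


def audit(conf_text):
    """(lineno, selector, classification) for every rule line; comments and blanks skipped."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)        # selector and action are separated by whitespace
        if len(parts) != 2:
            continue
        selector, action = parts
        rules.append((lineno, selector, classify_action(action)))
    return rules


def remote_destinations(conf_text):
    """Only the rules that forward logs off this host; these are the ones to explain."""
    return [r for r in audit(conf_text) if r[2][0].endswith("-remote")]


SAMPLE_CONF = """\
# constructed syslog.conf for the example, not the poster's file
*.notice;authpriv,remoteauth,ftp,install.none\t/var/log/system.log
kern.*\t\t\t\t\t/var/log/kernel.log
install.*\t\t\t\t@127.0.0.1:32376
auth.*\t\t\t\t\t@@logs.example.net:6514
*.warning\t\t\t\t@192.0.2.10
mail.*\t\t\t\t\t-/var/log/mail.log
*.emerg\t\t\t\t\t*
"""

if __name__ == "__main__":
    for lineno, selector, (kind, target, port) in audit(SAMPLE_CONF):
        print("line %d: %-45s %-11s %s%s" % (lineno, selector, kind, target,
                                               ":" + port if port else ""))
    print("off-box destinations:", [r[2][1] for r in remote_destinations(SAMPLE_CONF)])
```

    Run it against the real file with `remote_destinations(open("/etc/syslog.conf").read())`. Two of the sample rules forward off the box (a TCP collector and a UDP one) and those are the lines worth explaining; the install.* rule classifies as loopback and is not remote logging in the sense the warning implies.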
  14. Here's another weird thing. Have you heard of a virus like this? It seems to change content on the web on the fly, turn webcams and Bluetooth on and off. The final on and off is my neighbor told me that his router had me connected to him on two laptops now. It was really interesting, because in the network profiles of the laptop I had saved only one network, and that is mine, and my neighbor has his passworded. I am going to talk to him more today, but still, this is really weird, guys. Just looking for any shots in the dark.


  16. I didn't see it above, so I'll post it here: do the symptoms stay even after disconnection and reboot?

    Thanks for your reply, and yes it does, Radu. There is another interesting symptom: the router sometimes maintains its settings after it is reset with the reset button. It also is unresponsive when Verizon tried to reset it from their end; this is after they have replaced the ONT. I asked for a SECOND replacement router. If the problem is still the same, it's time to leave Verizon.
  17. I just called and demanded to speak to a Verizon supervisor. OMFG, they are like freaking Nazis. "I cannot see your devices; do you have one on your network now?" Then it goes, "None of your devices are pingable; is it a wireless problem?" Then I told him the whole thing was both wired and wireless. I think it's time to leave Verizon. He told me that Verizon is the superior premium product. I told him, what's the point of paying a premium price for a premium product that does not work!

  18. One of the machines has Avast on it. I am doing this now. Once again, thank you for all your advice. I will post my results of your advice. I hope this works out.

    I tried everything and nothing came up. This is what I am talking about when I talk about unusual behavior. I am going to burn BlackLight to CD since, as I mention in this video, the USB stick did not take. My brother has an A+ certification from a long time ago. He was just like, do a clean install, make sure your anti-virus is up to date and do a comprehensive scan. He told me to get ClamXav. I love my brother, but I do not know. I do not know anymore. This problem is pretty recent. This is what I am talking about with the two firewalls/VPN devices. I am sorry the video is so long and of such poor quality. Here is the link from YouTube: http://youtu.be/M8F1VyZRcrQ Thank you all so very much in advance. I really appreciate any feedback you can give me. :)

  19. Have you tried running Avast in boot-time scan mode? Also, try downloading Malwarebytes and Search & Destroy. Another thing you could try is not only formatting your HDD but also wiping the boot sector; some viruses/rootkits will lodge themselves in there instead of on the disk itself, so even if you format your hard drive, the infection will still re-occur.
  20. A 35-pass overwrite is not needed; that just thrashes the drive.

    Try the free tool from F-secure called "Blacklight" http://www.f-secure.com/en/web/labs_global/removal/blacklight

    Also easyclean http://www.f-secure.com/en/web/labs_global/removal/easy-clean

    Also, there seems to be a Mac related thing going around called "Flashback", removal tool: http://www.f-secure.com/weblog/archives/00002346.html

    Thanks, Mr. Protocol. I have been able to get a negative on the Mac for Flashback, and Easyclean comes up clean. The weirdest thing is that BlackLight comes up with a permissions issue in Windows? It says this needs to be installed as admin in Windows. I have installed Windows clean and the only account I have on each laptop is an admin account. Just curious if you know of a workaround if there are permissions issues for an install on Windows 7 Premium accounts?

  21. Thanks so much for your detailed replies and all the great suggestions. I will try them all and report back on how effective they were. I really hope they fix something. On the further questions: the Verizon Actiontec router, despite hard resets with the button in the back, becomes unresponsive at times. Even now I have called Verizon. I have gotten up to the point of starting a tech support case with Verizon. I suspect that the infection is the router, because no matter how many resets or how long without power, the router's logs stay intact all the way till April. It has never been like this before. Whenever I used to reset those routers it would always be a clean reset. Thanks once again for all the suggestions. I am trying them today and I will report back :). You guys are the best.

  22. You can't get viruses from watching Hak5.

    Reinstall Windows on all your machines and try again if you really think they're infected.

    I never said I got the virus from Hak5. I have done a 35-pass erase on both Macintosh hard drives. I have reinstalled their OS twice; it seems as soon as they reconnect to the internet they immediately change behavior. The laptop is slower. The other indication is when running AppleJack. AppleJack is a single-user command-line utility for Macs. When I would run it in the past, the VRAM and all the cache files would need to be rebuilt. In addition, all network settings would have to be reconfigured. This is not the case. All the networks are in the computer's memory despite running AppleJack and resetting the PRAM, for you Mac users out there. This is brand new, highly erratic behavior, and I have had Macs for over 14 years. The same occurs on my G4 tower. In addition, despite a perfectly clean install of Windows, the laptop, within turning back on, goes right back into its unusual opening of programs and freezing, and these are two brand new Toshibas. It is impossible for all five machines to have the same problem. That is why I am asking, please, for help with recommendations for a network rootkit for the Verizon FiOS modem. Please help me with a suggestion.
