eliminatebotnets
Posted June 17, 2010 (edited)

I'll try to make this as short as possible, but I need to give some background so you can see how much crazy crap I have been through, and so my question makes more sense. I'll break it into 2 parts: The Story and The Conclusion.

The Story

My router was hacked into by what must have been a neighbor about 3 years ago. Granted, I stupidly broadcast a wireless signal with no encryption for the heck of it one day. I didn't care much about the stuff on my PC and figured that in the event I somehow got hacked, I could simply format and reinstall as a worst-case scenario. Well, big problem. Weird, scary stuff started showing up in the results of Google searches I did. For example, every search I did was just about an EXACT match for what I was looking for, not just the general keyword results you would expect. Almost like it already knew what I was searching for. Also, the searches were only bringing up a few results on really basic searches, which should bring up many thousands. Later that same day my computer would just randomly lock up and crash Explorer. One time it even locked up so much that my mouse pointer would not even move, to the point where my router's whole connection would be lost and my modem would reset. Then the final thing that really freaked me out was a text file I happened to notice on my hard drive, oddly named wizard.txt, that I did not make. It had random lines from my MySpace profile, some moves I made in a chess game from a couple of years ago, some old credit card info from years back, and finally my router password with a smiley next to it. I immediately reformatted my HD and reinstalled Windows. Well, things went from bad to worse. My antivirus was automatically turned off at random times for no reason. Some of the programs I tried to install would come up with bogus error messages. Etc. Believe it or not, even my BIOS settings were changed.

I could not believe what was going on, and no one would believe it if I told them. I even built another brand new PC, not thinking about the fact that the problem could be coming from the connection. (Yeah, I know, retarded.) The last thing I figured it could be was my connection, because I figured a hacker would have to know the ISP password to get to my network. (I knew very little about networking at the time.) Of course that one had the same problems.

The Conclusion

Over the years I've been forced to do a ton of research on this, and here in a nutshell is all the information I can come up with as to what happened: Probably using a program called Cain and Abel or similar, he saw my open network. Connected to it, poisoned my connection. Changed MY router, IP address and PC to point to the MAC addresses of HIS router, IP, and PC. Then created a bridge between me and my ISP, known as the Man-In-The-Middle attack. So he could intercept any of my traffic before it reached the REAL DNS servers, point it to his local computer and then send it back to me. That's only the beginning of it. I noticed under the network settings of ipconfig that it was configured for a secure socket tunnel adapter. As far as I can tell it's only used in Virtual Private Networks, using SSH (Secure Shell). Probably adding me to a BotNet. It seems that he has me as a client on his VPN and made his own customized version of Windows. There are a TON of PROCESSES running in Task Manager (50+) after a FRESH INSTALLATION of Windows. I used to see 20 at the very most after a fresh install before this. Mind you, I'm only running Windows Home Premium and not any business version. He seemingly has REMOTE control of my PC(s) at all times. To avoid making this unreadable I'll stop here, even though I could write pages more of all the BS I've encountered.

My main question: Is ARP poisoning irreversible, and what steps can be taken?

I've tried for years to get rid of it, but it seems to almost be buried in the hardware or something impossible. It makes no sense and I'm NOT making this up. This is serious.

Edited June 17, 2010 by eliminatebotnets
Infiltrator
Posted June 17, 2010

1. Have you tried changing your router IP address or buying a new router (public IP address, not your LAN IP address)?
2. Make sure you have a firewall installed on your computer.
3. You mentioned you have a wireless router; try turning on WPA security on it and make sure you have a very complex WPA key, making it hard to crack with rainbow tables.
4. Whenever you are not using the wireless, make sure it's turned off and properly secured.
5. I have also found a PDF document that explains what an ARP poisoning attack is and how to detect and prevent it. http://www.cs.sjsu.edu/faculty/stamp/stude...ilky_report.pdf

Try these suggestions and let me know how you go.

Regards,
Infiltrator
nykon
Posted June 17, 2010

Contact your ISP and get them to blacklist his IP. Then reset your router to its factory state and start fresh with settings, including networking settings on your computers.
eliminatebotnets (Author)
Posted June 17, 2010 (edited)

Is there a definite way to find out his IP? Also, my router itself is actually wired, with the option to broadcast wireless. I only see the option to block wireless, but not a blacklist section for wired IP requests. I've had the people test the connection and say it's fine on their end. (Well, duh, if it's a Man-In-The-Middle attack, the attacker is basically invisible.) So no one has been able to understand or help. I've done the basic suggestions and obvious stuff. If it was as easy as blocking an IP address I would have done it long ago. But I've heard there are ways to spoof your IP and even MAC addresses, so the ARP is confused and doesn't know the difference. Trust me, this is a really unusual attack. BTW, I have Wireshark, so I could send you a log if that would help any.

P.S. You notice how there are all kinds of articles on how to prevent DNS or ARP poisoning attacks, but not ONE that mentions what to do if you are a victim?

Edited June 17, 2010 by eliminatebotnets
Netshroud
Posted June 17, 2010

The thing is that ARP poisoning only takes effect whilst the MITM is actively poisoning, unless the attacker creates a static ARP entry on your machine.
Infiltrator
Posted June 17, 2010

Change your router and your IP address if you can.
eliminatebotnets (Author)
Posted June 17, 2010 (edited)

> Change your router and your IP address if you can.

I've tried using no router at all. He can still modify programs and pretty much anything else. My LAN light blinks intermittently for both the Ethernet and internet pretty much all the time. I know this happens occasionally for ARP to talk to the network. But this happens frequently, and you can tell major packets are being sent even when I have no programs open. I know it sounds like BS, but this a$$hole has been doing this for years and does not quit even when I ignore him for weeks. I can't tell you how maddening it is having a problem no one else seems to have. Though I also know that many people probably have this problem but do not notice it. Possibly I never would have, had I not noticed a file on my hard drive. There are millions of compromised computers that people don't notice because the criminals want it that way. I happen to have some kind of criminal software on mine, except this guy is purely using it to annoy me and spy on everything. I know for a FACT he is on my LAN and actually part of my network (or his VPN). That is the only way he could have constant access to my PC.

Edited June 17, 2010 by eliminatebotnets
Infiltrator
Posted June 17, 2010

> I've tried using no router at all. He can still modify programs and pretty much anything else. My LAN light blinks intermittently for both the Ethernet and internet pretty much all the time. I know this happens occasionally for ARP to talk to the network. But this happens frequently, and you can tell major packets are being sent even when I have no programs open. I know it sounds like BS, but this a$$hole has been doing this for years and does not quit even when I ignore him for weeks. I can't tell you how maddening it is having a problem no one else seems to have. Though I also know that many people probably have this problem but do not notice it. Possibly I never would have, had I not noticed a file on my hard drive. There are millions of compromised computers that people don't notice because the criminals want it that way. I happen to have some kind of criminal software on mine, except this guy is purely using it to annoy me and spy on everything. I know for a FACT he is on my LAN and actually part of my network (or his VPN). That is the only way he could have constant access to my PC.

So you have purchased a new modem and changed your public IP address and this fucker is still on your ass.
eliminatebotnets (Author)
Posted June 17, 2010 (edited)

> So you have purchased a new modem and changed your public IP address and this fucker is still on your ass.

I didn't purchase a new router or modem. He can still use just the plain modem for an access point. I've moved since. I've been through 2 different connections and the same crap. I had cable and now I have DSL. The problem is he must have infected my computer with a boot sector virus as well, so even getting a new connection did not get rid of it. I'm telling you it's absolutely terrifying, and I have a hard time trying to wrap my head around it. Most other people, including my family, only partly believe me. They just think it's a bad virus or something, but it's way too random to be a virus. It seems like some immature 16-year-old crossing the line on having fun with it. There is all kinds of even crazier #$%t I haven't mentioned yet, but I want people to think I have some credibility before I say any more. Although I doubt there is any. There is a hidden folder named "BOOT" on the root of my hard drive. It contains a bunch of obscure files, a bunch of them containing the file bootmgr.exe.mui. Most computers I've seen do not have this folder on them. Usually double-extension files are not used on legit files, so it's certainly fishy. It is still there after a fresh reinstall.

Edited June 17, 2010 by eliminatebotnets
Netshroud
Posted June 17, 2010

That's a legit file in Windows 6.x (Vista/7).
eliminatebotnets (Author)
Posted June 17, 2010 (edited)

> That's a legit file in Windows 6.x (Vista/7).

It may be a legit file, but it is in several folders throughout a hidden folder labeled "BOOT" on the root directory. Just about all the files on my system are legit files but are used with malicious intent. For example, there is a process called Spoolsv.exe, which I know is a legit process for printers. But this process often pops up at random, regardless of whether I'm using a printer or not, lots of times taking up 50% of the processor. I can close the process or even disable it, but then of course I couldn't use a printer. My printers don't work anyway, but that's another story. Under Services in Control Panel, the process Spoolsv.exe is set to log on under Local System, with a box next to it that says "Allow service to interact with desktop" checked by default. Windows even recommends that you do not check the box because it could allow a malicious user to see what you are doing. If I try to disable processes, many times it corrupts my Windows installation. That's by design, so I don't mess with that stuff. I know people aren't going to understand, but I won't give up trying to get rid of this fool.

Edited June 17, 2010 by eliminatebotnets
Mr-Protocol
Posted June 17, 2010

> Contact your ISP and get them to blacklist his IP. Then reset your router to its factory state and start fresh with settings, including networking settings on your computers.

If it is a neighbor, that is pointless, and they will not do it from just one report. If you can find out their IP, with enough evidence they will send a letter to the person and quarantine the modem. I've had this happen to me personally a few times :P. Power cycling the router would clear all the ARP cache, so problem solved until the malicious person ARP poisons you again.

> The thing is that ARP poisoning only takes effect whilst the MITM is actively poisoning; unless the attacker creates a static ARP entry on your machine.

AGREED. If you are being ARP poisoned, the link must ALWAYS be there in order to allow you to see things on the internet. Think of it as a physical connection between you, the MITM hax0r, and the world. You can use a simple command line to clear the ARP cache. The problem, at least from my perspective, is that you kept downloading some malicious file (backdoor R.A.T.) that you THOUGHT was legit.
eliminatebotnets (Author)
Posted June 17, 2010

> Power cycling the router would clear all the ARP cache, so problem solved until the malicious person ARP poisons you again.

So you're saying there is a way to clear the cache, but then since he knows the MAC, he could poison it again? I have noticed that I CANNOT reset the router to its factory firmware version. I remember when I used to hold down the reset button in the back for 30 seconds or so, it would flash red and take a while to reconnect and turn green. Well, it never does that anymore. No matter how long I hold reset, the LED just stays green and the firmware version stays the same for the router. Apparently when you're poisoned it won't let you reset the ARP of the device.

> AGREED. If you are being ARP poisoned, the link must ALWAYS be there in order to allow you to see things on the internet. Think of it as a physical connection between you, the MITM hax0r, and the world. You can use a simple command line to clear the ARP cache.

I'd be interested to know this command and see if it actually worked. I appreciate your help a lot so far. Any ideas help a lot in at least understanding what is happening, even if there is not a true answer.
eliminatebotnets (Author)
Posted June 17, 2010 (edited)

Here is some of my network info to help with the problem: Are tunnel adapters normally used on home connections? I don't use VPN or use any special connections.

And here are my running processes: Is it really normal to see this many service hosts running with minimal software installed and a real basic network? Notice how one svchost.exe is taking up about 100 MB of RAM.

I will post more pictures later on the other stuff I find odd as well.

Edited June 17, 2010 by eliminatebotnets
Mr-Protocol
Posted June 17, 2010 (edited)

> So you're saying there is a way to clear the cache, but then since he knows the MAC, he could poison it again? I have noticed that I CANNOT reset the router to its factory firmware version. I remember when I used to hold down the reset button in the back for 30 seconds or so, it would flash red and take a while to reconnect and turn green. Well, it never does that anymore. No matter how long I hold reset, the LED just stays green and the firmware version stays the same for the router. Apparently when you're poisoned it won't let you reset the ARP of the device.
>
> I'd be interested to know this command and see if it actually worked. I appreciate your help a lot so far. Any ideas help a lot in at least understanding what is happening, even if there is not a true answer.

You are confused on what the reset button does. It does not flash the firmware. It will keep the same firmware version and just clear all settings that were changed, for example port forwards, security, and so on. If your network is still insecure wirelessly, you can be subject to ARP poisoning again by someone close by.

Start > Run > CMD, type: ARP /?
That will get you the ARP help.

As for the processes, I'm sure it's normal. You look as if you are running Win7/Vista, so yeah. As to the virtual tunnel adapters, I know Win7 makes a virtual wireless adapter to add as a sharing access point kind of thing. Google your issue for multiple tunnel adapters. I have and seen a few results, but you can read and find out what others did to fix/find out what is going on.

Edited June 17, 2010 by Mr-Protocol
Netshroud
Posted June 17, 2010

What's with the 205.171.x.x DNS server? And yes, the tunnel adapters are normal.
eliminatebotnets (Author)
Posted June 18, 2010 (edited)

> What's with the 205.171.x.x DNS server? And yes, the tunnel adapters are normal.

Well, my bad on the tunnel adapters then. Everywhere I read, it mentioned them being used in VPNs, and I never remember them being used in XP. I guess the protocols have changed a lot since. As for the DNS, I never specified it. For some reason it was already entered for me. I'll have to find out my ISP's DNS servers. As for the ARP command line, I'm embarrassed that I never knew it existed. Here's my info on that. Tell me if this is normal or whether static or dynamic matters. I have no clue on those IPs, other than my router IP. I knew almost nothing about networking before I was attacked, and now I know quite a bit more. There is still some paranoia about certain things, so sometimes I make assumptions.

Edited June 18, 2010 by eliminatebotnets
Netshroud
Posted June 18, 2010

That looks right. Here's mine for comparison:

    Interface: 10.10.0.3 --- 0xd9
      Internet Address      Physical Address      Type
      10.10.0.1             00-1b-2f-XX-XX-XX     dynamic
      10.10.0.2             00-16-76-XX-XX-XX     dynamic
      10.10.0.6             34-15-9e-XX-XX-XX     dynamic
      10.255.255.255        ff-ff-ff-ff-ff-ff     static
      224.0.0.22            01-00-5e-00-00-16     static
      224.0.0.251           01-00-5e-00-00-fb     static
      224.0.0.252           01-00-5e-00-00-fc     static
      239.255.2.2           01-00-5e-7f-02-02     static
      239.255.255.250       01-00-5e-7f-ff-fa     static
      255.255.255.255       ff-ff-ff-ff-ff-ff     static
eliminatebotnets (Author)
Posted June 18, 2010 (edited)

> That looks right. Here's mine for comparison:
>
>     Interface: 10.10.0.3 --- 0xd9
>       Internet Address      Physical Address      Type
>       10.10.0.1             00-1b-2f-XX-XX-XX     dynamic
>       10.10.0.2             00-16-76-XX-XX-XX     dynamic
>       10.10.0.6             34-15-9e-XX-XX-XX     dynamic
>       10.255.255.255        ff-ff-ff-ff-ff-ff     static
>       224.0.0.22            01-00-5e-00-00-16     static
>       224.0.0.251           01-00-5e-00-00-fb     static
>       224.0.0.252           01-00-5e-00-00-fc     static
>       239.255.2.2           01-00-5e-7f-02-02     static
>       239.255.255.250       01-00-5e-7f-ff-fa     static
>       255.255.255.255       ff-ff-ff-ff-ff-ff     static

Is there any way to tell what device goes with the MAC and IP, or is that just given automatically through your ISP?

Edited June 18, 2010 by eliminatebotnets
Netshroud
Posted June 18, 2010

None of that comes through the ISP.
eliminatebotnets (Author)
Posted June 18, 2010

> None of that comes through the ISP.

Then how do you tell what devices represent those addresses? I know the 255.255.255.255 is your subnet, but what about the other ones? Sorry, I'm a newb when it comes to this.
Netshroud
Posted June 18, 2010

10.10.0.1 is the router; 10.10.0.2 and 10.10.0.6 are computers on the local network. The rest are apparently multicast addresses for things like BITS.
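The thread's practical advice comes down to reading your own `arp -a` output: Netshroud's point that a MITM needs to keep poisoning unless it plants a static entry, Mr-Protocol's note that clearing the cache only helps until the next poisoning round, and the question above of which row is which device. The script below is an added example, not code from anyone in this thread. It parses Windows `arp -a` text in the layout Netshroud posted, separates the multicast/broadcast rows every Windows host carries from real hosts, and flags the two things a victim would want to look for: one physical address answering for more than one IP (with the gateway among them being the classic poisoned-cache picture) and a static entry for an ordinary host that the user never configured. The table it runs on is constructed, with made-up MAC addresses, and the anomalies in it are planted on purpose.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows `arp -a`; the MAC addresses are
# made up. Two things are planted on purpose: the gateway 10.10.0.1 and the
# host 10.10.0.6 share a physical address (what a poisoned cache looks like
# from the victim's side), and 10.10.0.9 has a static unicast entry that a
# Windows box would not create on its own.
SAMPLE_ARP_OUTPUT = """
Interface: 10.10.0.3 --- 0xd9
  Internet Address      Physical Address      Type
  10.10.0.1             00-1b-2f-aa-bb-cc     dynamic
  10.10.0.2             00-16-76-11-22-33     dynamic
  10.10.0.6             00-1b-2f-aa-bb-cc     dynamic
  10.10.0.9             00-50-56-de-ad-01     static
  10.255.255.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"
    r"(dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return (ip, mac, type) tuples for every table row in `arp -a` text."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            ip, mac, kind = match.groups()
            entries.append((ip, mac.lower(), kind.lower()))
    return entries


def is_group_address(ip, mac):
    """True for the multicast (224-239.x.x.x -> 01-00-5e-...) and broadcast
    (ff-ff-ff-ff-ff-ff) rows every Windows host carries as static entries.
    These are not hosts, so they are skipped when looking for duplicates."""
    first_octet = int(ip.split(".")[0])
    if 224 <= first_octet <= 239 and mac.startswith("01-00-5e-"):
        return True
    return mac == "ff-ff-ff-ff-ff-ff"


def find_suspicious(entries, gateway_ip):
    """Look for the two signs discussed in the thread: one MAC answering for
    several IPs (the gateway among them is the classic MITM picture) and a
    static entry for a unicast host that the user never configured."""
    findings = {"duplicate_mac": [], "gateway_shared": False, "static_unicast": []}
    ips_by_mac = defaultdict(list)
    for ip, mac, kind in entries:
        if is_group_address(ip, mac):
            continue
        ips_by_mac[mac].append(ip)
        if kind == "static":
            findings["static_unicast"].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings["duplicate_mac"].append((mac, sorted(ips)))
            if gateway_ip in ips:
                findings["gateway_shared"] = True
    return findings


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for ip, mac, kind in table:
        label = "group" if is_group_address(ip, mac) else kind
        print(f"{ip:<16} {mac}  {label}")
    print(find_suspicious(table, gateway_ip="10.10.0.1"))
```

To run it against a real machine, paste the output of `arp -a` in place of the constructed sample and pass the gateway address shown by `ipconfig`. A hit is a prompt to check, not proof: a router that serves several addresses from one interface legitimately shows one MAC for several IPs, so compare the gateway row against the MAC printed on the router's label or admin page before drawing conclusions. The script only looks at a snapshot; because poisoning has to be repeated to stay in effect, the useful habit is to clear the cache (`arp -d *` from an administrator prompt) and re-check a minute later, or to watch for Wireshark's duplicate-address warnings (`arp.duplicate-address-detected`) while the link is up. On Vista/7 the entries marked static are managed through `netsh interface ipv4` (the `add neighbors` / `delete neighbors` subcommands) rather than `arp -s`.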
eliminatebotnets (Author)
Posted June 20, 2010 (edited)

Are data packets getting sent while you are on your LAN, not connected to any computers or the internet, considered normal then? Don't see how you can explain this one. Should have mentioned this one right away, as it makes no logical sense. It's communicating wirelessly somehow, even though I have remote connections off and no wireless connection running. I'm talking about being connected DIRECTLY to the router, zero internet access, sitting idle.

Edited June 20, 2010 by eliminatebotnets
VaKo
Posted June 20, 2010

Unless the Pentagon is hacking your router (I take it you've not noticed an EA-6B Prowler parked across the street recently?), if the wireless is off and you're not connected to the internet, you're on an isolated network that cannot be hacked without some form of physical access. I'm going to call paranoid on this one. If you have moved, several times, switched between cable and DSL (which will require changes in hardware) and built a new computer, then this hacker would have to be on par with Jesus to keep fucking with you. What I do see is someone who doesn't fully understand how his system works and, after being hacked once, has attributed a litany of random, minor computer issues that have afflicted him over the years to a malevolent super hacker hell bent on inconveniencing him from afar.

As for your network traffic, that will also be normal: a combination of Vista searching the local network for other systems, Windows trying to figure out why there is no internet, DNS requests, applications requesting files or data from remote servers, IPv6 shenanigans. But for shits and giggles, crank up Wireshark on that interface and see what is happening.

However, if you do feel that somehow this is real, you can try the following:
- Re-flash the router firmware, then change your router's MAC address.
- Use DBAN on all your hard drives to wipe them.
- Reinstall Windows from a store-bought copy, not some dodgy hacked copy that fell off the back of BitTorrent.
- Ensure *all* updates are applied, and that you have a working, legitimate AV client installed.
eliminatebotnets (Author)
Posted June 21, 2010 (edited)

All I know is that I've gone through 3 printers. 2 were brand new and stopped working at all a week after using them, and the latest won't let me install the software. I've had countless programs on countless devices that have stopped working out of the blue, usually shortly after the first installation. Errors popping up or programs being shut down in the middle of their execution. Reinstalls and reformats that make no difference. It even affected a really old PDA that had a prehistoric version of Pocket PC and did not mention wireless capabilities anywhere in the manual. My phone constantly drops calls in the middle of a conversation while I'm in a strong cell zone, just standing. Either I'm using the most faulty combination of software/hardware ever made, or something is seriously #$*&ed up. And it isn't me. I'm infected with some criminal program that will not go away and it won't leave me alone. I could be ignorant and pretend it's all in my head and none of it has ever happened. Already tried that, and every time I'm trying to run an app and it stops working I'm reminded of it. Just about everyone never believes anything until it happens to them. Ignorance is bliss. There are many supposedly "Expert" computer users that have never even heard of a BotNet or a Rootkit. They think hackers are made up by the media. Yet those same people will tell me I'm not informed. Has this made me paranoid, you say? Hell yes. Would you be if all this supposedly impossible stuff happened? Hell yes. Has this paranoia caused me to see things that weren't there and make up things that didn't happen? Hell NO. But that's the great part about the internet. You can say stuff you believe or know is true and not have to feel embarrassed about it, allowing you to say things you wouldn't dare say face to face with someone else for risk of looking like a fool.

Then again, people are less likely to believe what you say on the internet. So it's kind of a double-edged sword, you could say. Don't worry, this lunatic won't post again. Really appreciate the thoughts. Good day.

Edited June 21, 2010 by eliminatebotnets