Help Me Please


Rich

Ok guys, when you guys asked me to draw a network diagram I only skipped that step out of complete frustration and troubleshooting those past two nights. Here is how I have my network set up, because it has to be this way as per Verizon's design. This router is the first device in the network. It is the Access Point, Router, Gateway and Wireless Access Point. That is the Actiontec model MI424-WR-Rev.E. I then, after all those problems, directly connected my laptop to the Verizon AP. The connection is a direct Ethernet connection, no switches or firewall in the way. In fact tomorrow I am downloading Spiceworks just to see, before I shut down wireless, if anything else is on the network. I am really curious if there is some freaking leeching. I really thank you guys for all the advice. I think the crucial and best advice is to shut off the wireless and lock it down; I guess MAC address authentication is the best I can do. I do have the wireless security set to WPA2 and that surprises me even more because that is the best security I can get. I like your idea of the NUKE CD and basically this falls back on Verizon. I will definitely follow your advice but, three direct Ethernet-connected laptops to Verizon's AP router and it's still slow, it has to be them.

Do you have admin access on the Fios router? Log on and take a look at the network settings. Make sure they don't have some weird MTU set, or QoS settings interfering. Also, depending on the model, many of the old Fios Actiontec routers had a backdoor admin port. Newer ones are locked down now, but the old ones had pre-set, standard passwords, and if someone got in over wireless, they could definitely be leeching off your modem. Most of the Fios router/modem combos are 10/100/1000 too, so you shouldn't be seeing slow speeds unless you've got faulty cables, or the router itself is misconfigured in some manner, or has been hacked, like DNS hijacking. This is going back a few years too, so hopefully you don't have one of these that got whacked - http://www.ozzu.com/hardware/verizon-fios-actiontec-router-vulnerabilities-t100925.html

Is the WPA2 password on their modem/router set by Verizon, or yourself? If they set the password, log on or reset the device and change it to your own password. And I agree on the double router, having two NATs can be an issue with speeds, but I would take advantage of having the ability of two separate subnets instead of bridging them, just for the sake of separating two wireless LANs; but if it's not needed, disable wireless on the second or first device, preferably on the first device in line, and also disable WIPS on both wireless devices, as well as UPnP.

Edited by digip

Yes, I do have admin access and Verizon is refusing to help with any of my security concerns. Mine, thank God, is not an old Actiontec but, it just got a firmware change mysteriously. Here is its current revision E model running F firmware. Here are some of the recent settings I captured. The best part, guys, is that the Nintendo Wii, PlayStation 3 and my Roku box are set up as Wi-Fi hotspots. How do I know? I have an Indian friend who came over and he told me that this is how, no matter how many times you clean your laptops or computers, the virus will just come back, because they will always get out and connect to someone else's router. Then I was told by the Verizon rep he can do nothing for me but change my password. When I have the WPA2 protocol in place. Then I turned off UPnP. I am still amazed at what is going on in here. Here are some captured settings on how a Revision E router just turned into a Revision F. I all of a sudden have WIRELESS N NOT G! WTF!

Firmware Version: 20.19.8

Model Name: MI424WR-GEN2

Hardware Version: F

Serial Number: CSJF0291202590

Physical Connection Type: Coax

Broadband Connection Type: DHCP

Broadband Connection Status: Connected

Broadband IP Address: 173.77.161.176

Subnet Mask: 255.255.255.0

Broadband Mac Address: 00:26:62:70:14:C7

Default Gateway: 173.77.161.1

DNS Server: 68.237.161.12

71.250.0.12

Name Network (Home/Office) Ethernet Broadband Connection (Ethernet) Coax Broadband Connection (Coax) Wireless Access Point WAN PPPoE WAN PPPoE 2

Status Connected Connected Disabled Connected Connected Connected Disabled Disabled

Network Network (Home/Office) Network (Home/Office) Broadband Connection Network (Home/Office) Broadband Connection Network (Home/Office) Broadband Connection Broadband Connection

Underlying Device Ethernet

Wireless Access Point

Coax

Coax Stats Broadband Connection (Ethernet) Broadband Connection (Coax)

Connection Type Bridge Hardware Ethernet Switch Ethernet Coax Coax Wireless 802.11n Access Point PPPoE PPPoE

MAC Address 00:26:62:70:14:c3 00:26:62:70:14:c4 00:26:62:70:14:c6 00:26:62:70:14:c5 00:26:62:70:14:c7 00:26:62:70:14:c8

IP Address 192.168.1.1 173.77.161.176

Subnet Mask 255.255.255.0 255.255.255.0

Default Gateway 173.77.161.1

DNS Server 68.237.161.12

71.250.0.12

IP Address Distribution DHCP Server Disabled Disabled Disabled Disabled Disabled

Service Name

User Name verizonfios verizonfios

Received Packets 1753 1474 93 798 186

Sent Packets 1638 2645 609 833 249

Received Bytes 348951 295699 47356 210918 39654

Sent Bytes 1139895 1287337 134352 626824 70356

Receive Errors 0 0 0 0 0

Receive Drops 0 0 0 0 0

Time Span 0:06:25 0:06:25 0:06:25 0:06:25 0:02:25

Channel 1150 MHz 1000 MHz


This software asks permissions to install The F-Secure BlackLight??

Which means after installing Win7 did you join the computer to a domain or workgroup??

If yes your system might get a new policy that prevents you from installing the application!

And apart from that, are you able to install any other software?

Is your ""admin"" name the network computer user account name? I doubt it.

Log in as User Name "ADMINISTRATOR", password must be blank, press Enter ... and then install and do a full scan..! Kill the rootkit,..

Dishuum ..!!!! Dishuum..!!!!

How did I miss your reply I am sorry. I tried this and it did not work. I appreciate it anyway.


  • 2 weeks later...

Thanks guys. Yeah, it's their connection not the router. I have to thank them for a router overnight. Except their service still sucks. That supervisor Ken, his ass never called me back. You guys were better tech support than Verizon. Live Free Or Die From A Shitty Ass ISP!

I have officially even contacted via e-mail a Mr. Mikko Hyppönen who has his e-mail address online. He runs F-Secure and I have tried all his products. I got Intego's VirusBarrier and it was with that I saw something truly interesting. Intego's VirusBarrier and firewall shows you which ports and apps are open, for noobs like me, in an easy GUI. I caught Mail opening on its own, Firefox opening on its own. They all would run in the background, open up port 443, and when I would block that port with the program another program would open trying again. Mr. Hyppönen said there is no concrete help he can give me from there. He suggests that I take it to a local computer shop and try for their help. I am please asking if any of you guys know of a reputable place online that can do this because locally I know of no one that can handle something like this. Thank you once again in advance.


If you think a machine has been compromised, don't waste time trying to get someone to fix it. You would be better off wiping it and reinstalling fresh. More than likely, that's all a local shop would do, and they would charge you for it when you could do it yourself. What you should do though, is MITM the traffic and see where the data is truly going. Look up the IP addresses of the places you think Firefox and your email are connecting to.

You could even just run Wireshark locally on the machine you think is infected. Just run it while no other programs are open and let it run for a while. If it is something nefarious happening, and you have no other internet programs running, you should start to see some traffic. I imagine most of it will just be ARP and SMB stuff, but if you see anything going to the outside internet, log all of it and upload somewhere so that we can take a look at the pcap file to see if it truly is malicious, or just normal traffic.


Thanks here is a plain text capture I saw some encrypted requests. I tried to get this so much cleaner. I am sorry this is like this. I wish I knew how to make this so much easier to read. Thanks so very much Guys once again. http://dl.dropbox.com/u/78931026/Plain%20Text%20Capture


114MB pcap..lol. Good stuff. However, not sure how you created it, but I can't open it in Wireshark or NetworkMiner.

From the looks of it, almost everything in there is you on Google or Microsoft (update probably). I can only get so far down in the file though and it craps out on me. 114MB is a bit large for a text doc, but if it was in a normal pcap format, Wireshark shouldn't have any issue opening it. Did you by chance use tcpdump to create this? Seems like it's truncating the data, and just showing a small portion of it.

edit:

I see 1712 entries for "169.254.1.165" and 1350 for the broadcast "169.254.1.255" which makes it seem like you have DHCP issues, or you are disconnecting and reconnecting to get on/off the router (like starting or stopping the NIC). 169.254.x.x is an APIPA address, which means it's internal only and can't reach the internet. Your machine will usually assign itself an address in this range when it can't reach a DHCP server to get a valid lease.

By the way, when I mentioned this before, I meant let it run without visiting sites or doing anything, so any traffic generated by something malicious on the system would be easier to see. Right now I'm filtering you visiting MSDN blogs, Google and live.com, etc.

I didn't see anything malicious looking in it. Roku seems to be doing SSDP stuff though, and generally it's best to disable this on the router, as one can gain info from it via the internet with specially crafted packets. In general, disable UPnP and SSDP.

Edited by digip

Thanks so much DigiP. I really appreciate this. I am going to see what else completely no apps shows up.


Finally I found the latest version of Rootkit Hunter and it picked up remote logging enabled. I locked down the Actiontec router as best as that model allows. UPnP was turned off and then I disabled remote login for diagnostics or pings. Then Rootkit Hunter picked up this. There are no viruses detectable via Intego or this either. This also warns of hidden files but, how do I get to them and get rid of them? Do any of you guys know what type of virus this is that it is able to go through both the Mac's firewall and Intego when I set it to no internet traffic at all? I am going to proceed as planned with the Wireshark captures. UPnP is turned off and the other wireless traffic should be no apps running. Thanks so much for helping me Digip especially. This is turning into Sherlock Holmes vs Moriarty on the MITM attacks or something. This is like something out of a movie. Here is the link to the Mac screen selection. https://www.dropbox.com/sh/ji7hm4ijktw9hmm/WNCn3_KtrU/RemLoggingAllowed.tiff

Here are some more Caps. I hope this shows some way to get rid of these issues. http://dl.dropbox.com/u/78931026/QWE


I'm not seeing anything malicious in there.

17.151.16.12 is time.apple.com, and is your Mac doing a time of day check via NTP (Network Time Protocol) and syncing its clock. Nothing malicious there.

17.172.232.96 is also apple, and probably checking for system updates, or an apple app checking for updates, such as quicktime, etc.

No.     Time        Source                Destination           Protocol Length Info
    118 297.741943  192.168.1.1           192.168.1.6           DNS      104    Standard query response A 128.121.22.133 A 38.127.167.7

107 Matches for 128.121.22.133 == United States Englewood Ntt America Inc

77 Matches for 38.127.167.7 == PSInet

Looks like your machine was trying to reach something and did a DNS lookup on those two addresses. Not sure why if you said you weren't running any apps (some things will just run in the background to update like above), but both those IPs go back to https://lastpass.com/

199.16.83.72 is VeriSign, most likely the certificate that went with your lookup for LastPass website. Some entry made a request to the lastpass site directly over https, so that is more or less where that came from probably, but could also be from apple software updates.

66.11.227.35 is actually Hak5, so you were online at some point during the capture it would seem.

23.67.250.98 is Akamai, most likely an advertisement, or software update. They do lots of high level storage and statistics for different companies, everyone from advertisers to firewall and software companies, like ZoneAlarm, etc.

74.125.226.232 more google stuff.

I haven't fished through the entire file, but it's looking more and more like you don't have anything malicious in there. Looks like normal traffic from your workstations. If you seem to have network issues a lot, try setting a static, or DHCP reserved, address for your Roku box, and see if that helps alleviate anything. Also, set your DHCP lease time to a higher interval on the router if possible. I don't own the equipment you are using, so I don't know all of the available options, but I would say if all else fails, reset the device to default settings, and then begin to lock it down, disabling remote administration, disabling UPnP and SSDP, and then tweaking your DHCP settings. Might even be misconfiguration on the desktop systems themselves, but whatever firewall software you are using that says it's seeing attempts to go outbound, more than likely they are normal things, like Apple NTP and both Apple and Windows software update checks.

If really paranoid, hard code OpenDNS into the routers and on each OS, ensure you aren't getting DNS hijacked and monitor this a bit more, dig into the captures and learn what's really going on. The Roku might be eating up your bandwidth or causing issues with the network. Ensure each IP you see in the logs, like when you see an ARP, is related to one of your home network devices' MAC addresses, and if any MAC address seems unknown to any of your devices, hunt that one down, or block it on the router. You can also whitelist only your known devices via MAC address filtering if your router has this option. Helps keep wifi leeches off the router (so long as they aren't cloning your other wifi devices' MAC addresses, which can be spoofed).

For speed tests, unplug or disable your Roku for a while and from each machine go to http://www.speakeasy.net/speedtest/ and click on the locations closest to you. Do this a few times on each machine. Then, plug in the Roku, watch some movies or TV, and try running the tests again, see what happens to the bandwidth. If they all seem relatively the same while the Roku is in use, then I'd say it's not an issue. Also run these tests with wifi disabled and enabled, and using different connection scenarios, see if the wifi side is slower or the rest of the network is slower when wifi is enabled. You could be getting DoS'ed by someone trying to do a Reaver attack for the WPS pin.

Edited by digip
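The review digip walked through above (let the capture run with nothing open, look for traffic that actually leaves the LAN, notice the flood of 169.254.x.x frames, and match every MAC seen in ARP against the devices you own) can be done as a repeatable offline check instead of scrolling a pcap by hand. The following is an added example and not code from the thread or from any poster; it reads a classic libpcap file using only the Python standard library. The sample capture, the laptop and stranger MACs, and the allowlist are constructed for the example; the router MAC 00:26:62:70:14:c3 and the two public addresses 17.151.16.12 and 66.11.227.35 are the ones quoted earlier in the thread.

```python
"""Offline libpcap triage, standard library only (added example, not from the
thread). Counts frames touching APIPA 169.254.0.0/16, lists public IPv4
destinations for manual whois/rDNS, and flags ARP senders whose MAC is not in
an allowlist of known home devices. Sample capture and allowlist are
constructed; only the router MAC 00:26:62:70:14:c3 comes from the thread."""
import ipaddress
import struct
from collections import Counter

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return ipaddress.IPv4Address(s).packed

def is_external(ip):
    """True for a routable public IPv4 address (the ones worth a whois)."""
    a = ipaddress.IPv4Address(ip)
    return not (a.is_private or a.is_link_local or a.is_loopback
                or a.is_multicast or a.is_reserved)

def iter_frames(pcap):
    """Yield raw Ethernet frames from classic libpcap bytes (pcapng unsupported)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        end = "<"                                   # little-endian file
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        end = ">"                                   # big-endian file
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def triage(pcap, known_macs):
    apipa, external, arp_hosts = 0, Counter(), {}
    for frame in iter_frames(pcap):
        if len(frame) < 14:
            continue
        ethertype, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
        if ethertype == 0x8100 and len(payload) >= 4:   # strip 802.1Q tag
            ethertype, payload = struct.unpack("!H", payload[2:4])[0], payload[4:]
        if ethertype == 0x0800 and len(payload) >= 20:  # IPv4 header
            src = ipaddress.IPv4Address(payload[12:16])
            dst = ipaddress.IPv4Address(payload[16:20])
            if src.is_link_local or dst.is_link_local:
                apipa += 1
            if is_external(dst):
                external[str(dst)] += 1
        elif ethertype == 0x0806 and len(payload) >= 28:  # ARP: sender MAC/IP
            arp_hosts[mac_str(payload[8:14])] = str(ipaddress.IPv4Address(payload[14:18]))
    unknown = {m: ip for m, ip in arp_hosts.items() if m not in known_macs}
    return {"apipa_frames": apipa, "external": dict(external), "unknown_macs": unknown}

# --- constructed sample capture (builders write just enough header to parse) ---
def eth(dst, src, ethertype, payload):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto=17):   # checksum left zero; triage never validates it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ip_bytes(src), ip_bytes(dst))

def arp(op, smac, sip, tmac, tip):
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(smac)
            + ip_bytes(sip) + mac_bytes(tmac) + ip_bytes(tip))

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

ROUTER = "00:26:62:70:14:c3"      # from the thread's router status page
LAPTOP = "00:11:22:33:44:55"      # constructed
STRANGER = "02:00:00:aa:bb:cc"    # constructed: deliberately not in the allowlist
BCAST = "ff:ff:ff:ff:ff:ff"
KNOWN_MACS = {ROUTER, LAPTOP}

SAMPLE_PCAP = build_pcap([
    eth(ROUTER, LAPTOP, 0x0800, ipv4("192.168.1.6", "17.151.16.12")),       # NTP-style
    eth(ROUTER, LAPTOP, 0x0800, ipv4("192.168.1.6", "192.168.1.1")),        # LAN only
    eth(BCAST, LAPTOP, 0x0800, ipv4("169.254.1.165", "169.254.1.255")),     # APIPA
    eth(BCAST, LAPTOP, 0x0800, ipv4("169.254.1.165", "169.254.1.255")),     # APIPA
    eth(LAPTOP, ROUTER, 0x0806, arp(2, ROUTER, "192.168.1.1", LAPTOP, "192.168.1.6")),
    eth(BCAST, STRANGER, 0x0806, arp(1, STRANGER, "192.168.1.77", BCAST, "192.168.1.1")),
    eth(ROUTER, LAPTOP, 0x0800, ipv4("192.168.1.6", "66.11.227.35", proto=6)),
    eth("01:00:5e:00:00:fb", LAPTOP, 0x0800, ipv4("192.168.1.6", "224.0.0.251")),  # mDNS
])

if __name__ == "__main__":
    print(triage(SAMPLE_PCAP, KNOWN_MACS))
    # real file: triage(open("capture.pcap", "rb").read(), KNOWN_MACS)
```

On the sample this reports two APIPA frames, two public destinations (one hit each) and one ARP sender that is not on the allowlist. For a real capture, save from Wireshark in the older pcap format rather than pcapng, keep the allowlist to the MACs printed on your own devices, and treat each public destination as a lead for a whois or reverse-DNS lookup the way the post above does, not as a verdict: an unknown MAC is a reason to look, and a known MAC is no proof of anything, since MACs can be spoofed.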

I am also having a friend come in and take a look at my Neighbor's captures as well. I had him run Wireshark as well. He was able to run his uninterrupted though. The file is an insane 980 something megs almost a gig. That is being as obsessed as I am with this he was my best option. He knows a lot about computers too. He is nowhere near you though DigiP. I am just glad that he was willing to help me. He did it because it was that one day the Roku connected to his wireless network. He wants to know what's going on too now. He's a cop too so hopefully if he asks around he can find someone in law enforcement to check his stuff out. My main concern was I did want him to think it was me at all. He has photos of his kids and things so he's kind of upset. He really wants to know for sure. Thanks again DigiP.


Oh, I have washed my hands of this as of now. I have given him both my laptop and Mac Mini to see about the rootkit hidden malicious files, the remote login and detected system changes, etc. I will just let him take it from here. I can honestly live without those two computers anyway. When I get them back, and if I get them back, this will finally get a resolution to all of this; if not, carry on.

