TechSpot

Myriad of issues... am I being attacked?

By Simon_nyc
Aug 20, 2012
  1. My laptop was infected with viruses, which I can only assume were created for my machine. I frequented, and still do, a chat full of sociopaths who are trolls with computer skills. I ran every malware, antivirus, rootkit and MBR scanner detection software out there. None of them detect any viruses.

    Meanwhile my laptop is experiencing every imaginable problem out there, like: blue screen of death; external HDD with family photos lost its first sector, rendering the whole HDD useless unless formatted; fingerprint scanner for authentication going haywire; speakers crackling; at one time the CD bay would open and close on its own (I figured out how they did this trick); a brand new USB stick I used to run Ubuntu from burned out after 1 hour; laptop battery reading that it can't hold a charge; keyboard keys would stick; laggy mouse control; our Roku began overheating and stopped connecting to the network; two LCD TVs connected to computers with HDMI cables for online video content viewing began overheating, and I can go on and on.

    The trolls bragged in the open forum that they can see my network and how many machines I have connected. Oh yes, my routers were attacked with DDoS and UDP/TCP floods; two Linksys routers burned out. I'm on the third one in three years. I change my IP address periodically. I installed PeerBlock and this helps like no firewall ever did. VPN hides my system details. I can see by the trolls' reaction that they can't attack me as they used to before and are very upset, but my machine is still haywire. At one time I had 3 or 4 laptops connected to the home network, and all 4 would misbehave. Further, we have 2 iPads and 1 iPod, and these 3 machines stopped remembering network passwords, all three at the same time.

    I reset all 3 to factory defaults, including resetting the network, but it did not help. In the past 3 years, my family's 2 BlackBerries, at one time connected to the network, began overheating even when disconnected from the network, and then would lock up and burn the SIM cards to a crisp.

    Hmm, what else... now we're on Android phones (not rooted), and the phones started overheating also. I reset the phones to factory defaults and the battery problems went away. If anyone has an idea what can be done, please don't be shy.

    Off topic: the people who did this are all computer scientists in eastern Europe with no jobs, eager to spite anyone from the USA just because; envy is a wicked character flaw. Advice such as "throw everything out, get new gear and stay away from chat rooms" will be ignored, with all due respect of course :)
     
  2. jobeard (TS Ambassador)

    Hmm; truly bad news. Here's my approach.

    While you can, download tools like MSRT, Spybot S&D and SpywareBlaster and install each of them.
    Disconnect from the internet (i.e. pull the cable from the system or the router).

    Clean up the system by running the above tools.

    BTW: What version of Windows are you running and which firewall?
    What antivirus program are you using?

    STOP running day-to-day on the ADMIN account;
    create a new account and give it ADMIN privs
    change your existing account to LUA/UAC (thus you keep your files).

    Reconnect to your router, access its address and log in:
    change the admin password
    download and update the router firmware
    (need to reset the admin pwd again).

     
  3. Simon_nyc (TS Rookie, Topic Starter)

    Hi J.O. Beard,

    Thank you so much for replying. I'm running Windows 7 64-bit Premium.

    I have been using a restricted (super restricted) standard account. I have turned off many services (off hand I don't remember all of them) that were suggested when hardening Windows 7, like UDP, P2P etc. The router has Tomato firmware with a hardened script to thwart DDoS and UDP/TCP floods, and the firewall is set at maximum security.

    Here is the script on my router, in addition to the firewall provided by Tomato:

    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -f -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Enforce the blacklists that the rules below fill with "-m recent --set":
    # without these checks the lists are populated but never consulted, so the
    # 60 s / 180 s bans described in the comments never actually take effect
    iptables -A INPUT -m recent --name blacklist_60 --rcheck --seconds 60 -j DROP
    iptables -A INPUT -m recent --name blacklist_180 --rcheck --seconds 180 -j DROP

    # 3702 TCP/UDP: Web Services Dynamic Discovery (WS-Discovery), used by various components of Windows

    iptables -A INPUT -p tcp --dport 3702 -j DROP
    iptables -A INPUT -p udp --dport 3702 -j DROP

    #Prevent null scan with iptables :
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP



    # Log attacks
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 3/m --limit-burst 5 -j LOG --log-prefix "Firewall> XMAS scan "

    iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m --limit-burst 5 -j LOG --log-prefix "Firewall> XMAS-PSH scan "

    iptables -A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 3/m --limit-burst 5 -j LOG --log-prefix "Firewall> XMAS-ALL scan "

    # Drop and blacklist for 60 seconds IP of attacker

    iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m recent --name blacklist_60 --set -m comment --comment "Drop/Blacklist Xmas/PSH scan" -j DROP # Xmas-PSH scan

    iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -m recent --name blacklist_60 --set -m comment --comment "Drop/Blacklist Xmas scan" -j DROP # Against nmap -sX (Xmas tree scan)

    iptables -A INPUT -p tcp --tcp-flags ALL ALL -m recent --name blacklist_60 --set -m comment --comment "Drop/Blacklist Xmas/All scan" -j DROP # Xmas All scan



    #FIN-scan

    #Log attack

    iptables -A INPUT -p tcp --tcp-flags ALL FIN -m limit --limit 3/m --limit-burst 5 -j LOG --log-prefix "Firewall> FIN scan "

    # Drop and blacklist for 60 seconds IP of attacker

    iptables -A INPUT -p tcp --tcp-flags ALL FIN -m recent --name blacklist_60 --set -m comment --comment "Drop/Blacklist FIN scan" -j DROP


    #ACK-scan

    iptables -A INPUT -p tcp ! --syn -m state --state NEW -m comment --comment "Drop TCP connection not starting by SYN" -j DROP


    # TCP-connect scan

    # log probable sS and full connect tcp scan

    iptables -A INPUT -p tcp -m multiport --dports 23,79 --tcp-flags ALL SYN -m limit --limit 3/m --limit-burst 5 -j LOG --log-prefix "Firewall>SYN scan trap:"

    # blacklist for three minutes

    iptables -A INPUT -p tcp -m multiport --dports 23,79 --tcp-flags ALL SYN -m recent --name blacklist_180 --set -j DROP



    #UDP-scan

    iptables -A INPUT -p udp -m limit --limit 6/h --limit-burst 1 -m length --length 0:28 -j LOG --log-prefix "Firewall>0 length udp "

    iptables -A INPUT -p udp -m length --length 0:28 -m comment --comment "Drop UDP packet with no content" -j DROP



    # ICMP-flood

    # Create chain dedicated to ICMP flood

    iptables -N thyl-icmp-flood

    # Jump to that chain when ICMP detected

    iptables -A INPUT -p icmp -j thyl-icmp-flood

    # Get out of chain if packet rate for the same IP is below 4 per second with a burst of 8 per second

    iptables -A thyl-icmp-flood -m limit --limit 4/s --limit-burst 8 -m comment --comment "Limit ICMP rate" -j RETURN

    # Log as flood when rate is higher

    iptables -A thyl-icmp-flood -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "Firewall>Probable icmp flood "

    # Blacklist IP for 3 minutes

    iptables -A thyl-icmp-flood -m recent --name blacklist_180 --set -m comment --comment "Blacklist source IP" -j DROP



    # UDP-flood
    # Create chain for UDP flood
    #

    iptables -N thyl-udp-flood

    #
    # Jump to chain if UDP
    #

    iptables -A INPUT -p udp -j thyl-udp-flood

    #
    # Limit UDP rate to 10/sec with burst at 20 (sometimes it is not enough, if you know a better average rate, let me know!)
    #

    iptables -A thyl-udp-flood -m limit --limit 10/s --limit-burst 20 -m comment --comment "Limit UDP rate" -j RETURN

    #
    # Log
    #

    iptables -A thyl-udp-flood -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "Firewall>Probable udp flood "

    #
    # 3 minutes ban for flooders
    #

    iptables -A thyl-udp-flood -m recent --name blacklist_180 --set -m comment --comment "Blacklist source IP" -j DROP

    #SYN-flood
    # Create syn-flood chain

    iptables -N thyl-syn-flood

    # Jump into syn-flood chain when a syn packet is detected

    iptables -A INPUT -p tcp --syn -j thyl-syn-flood

    # Limit packet rate to 2 per second with a 6 per second burst

    iptables -A thyl-syn-flood -m limit --limit 2/s --limit-burst 6 -m comment --comment "Limit TCP SYN rate" -j RETURN

    # Log flooders

    iptables -A thyl-syn-flood -m limit --limit 6/h --limit-burst 1 -j LOG --log-prefix "Firewall>Probable syn flood "

    # Ban flooders for 3 minutes

    iptables -A thyl-syn-flood -m recent --name blacklist_180 --set -m comment --comment "Blacklist source IP" -j DROP
    Meanwhile I'm going to run the antimalware programs you suggested.
    I am running ZoneAlarm and Malwarebytes, and regularly clean my machine with CCleaner and Temp cleaner (TFC).
    Once again, thank you for getting involved and trying to help.
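The LOG rules in the script above write lines to the router's kernel log with the prefixes shown ("Firewall> XMAS scan ", "Firewall>Probable syn flood " and so on). As an added example that is not from this thread or from Tomato, this Python script parses such lines and tallies which source tripped which rule, so the log can be reviewed rather than read by eye; the log lines are constructed samples in the iptables LOG format using documentation address ranges, and the field names (SRC, DST, PROTO, DPT) are the ones iptables itself emits.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the router's iptables LOG rules
# emit (documentation address ranges, not real hosts). The last line is unrelated.
SAMPLE_LOG = """\
Aug 20 10:11:12 router kernel: Firewall> XMAS scan IN=vlan2 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=54 ID=0 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Aug 20 10:11:13 router kernel: Firewall> XMAS scan IN=vlan2 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=54 ID=0 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Aug 20 10:12:01 router kernel: Firewall>SYN scan trap:IN=vlan2 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=44 TTL=52 ID=1 PROTO=TCP SPT=5555 DPT=23 WINDOW=2048 RES=0x00 SYN URGP=0
Aug 20 10:13:40 router kernel: Firewall>Probable syn flood IN=vlan2 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=44 TTL=52 ID=2 PROTO=TCP SPT=5556 DPT=80 WINDOW=2048 RES=0x00 SYN URGP=0
Aug 20 10:14:02 router kernel: Firewall>0 length udp IN=vlan2 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=28 TTL=60 ID=3 PROTO=UDP SPT=53 DPT=1024 LEN=8
Aug 20 10:14:05 router cron[123]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Everything between "kernel: " and the first "IN=" is the rule's --log-prefix text.
LOG_RE = re.compile(r"kernel: (?P<prefix>Firewall>.*?)IN=(?P<rest>.*)$")

def parse_line(line):
    """Return a dict for one firewall LOG line, or None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = "IN=" + m.group("rest")
    # KEY=VALUE tokens; an empty value such as "OUT=" is kept as "".
    fields = dict(re.findall(r"(\w+)=(\S*)", rest))
    # Bare TCP flag words follow the fields; \b stops "URGP=0" from matching URG.
    flags = [f for f in ("SYN", "ACK", "FIN", "RST", "PSH", "URG") if re.search(rf"\b{f}\b", rest)]
    return {"prefix": m.group("prefix").strip(), "src": fields.get("SRC", ""),
            "dst": fields.get("DST", ""), "proto": fields.get("PROTO", ""),
            "dport": fields.get("DPT", ""), "flags": flags}

def summarize(log_text):
    """Count events per (log prefix, source IP); non-firewall lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["prefix"], rec["src"])] += 1
    return counts

def noisy_sources(log_text, threshold=2):
    """Sources that tripped any rule at least `threshold` times (candidates for review)."""
    per_src = Counter()
    for (_prefix, src), n in summarize(log_text).items():
        per_src[src] += n
    return sorted(src for src, n in per_src.items() if n >= threshold)

if __name__ == "__main__":
    for (prefix, src), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src:<15}  {prefix}")
```

On a Tomato router the real input is the output of the syslog viewer or `/var/log/messages`; the rate limits on the LOG rules mean the counts are samples, not exact packet totals.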
     
  4. jobeard (TS Ambassador)

    MY! Your iptables is just great, but be careful with multiple firewalls (aka ZoneAlarm + Windows).
    The iptables is controlling the STATE of the connections and you can use ZoneAlarm OR Windows
    to control port-based access.

    With the layered security approach you have taken, my opinion is:

    • The network security is just fine
    • but the application / NTFS security is always a risk

    Thus, any application which is Run As Admin will be risky and still allow a security breach,
    any application that can elevate its privileges will too.

    Remember, when you click on a link in your browser, it's as if you are saying
    "do it to me" (more accurately, SEND it to me), and you have no idea what that payload contains.

    For this reason, I like A/V products that implement WebLink scanning (e.g. Avast) and periodically I see
    and get a big grin when it trips off and reports "Access Denied, Harmful Content".
     
  5. Simon_nyc (TS Rookie, Topic Starter)

    Hi J.O. Beard,

    I ran security sweeps that you suggested.
    Microsoft Malicious Software Removal Tool found 0 threats

    Spybot Search and Destroy would not install in either regular or safe mode (F8 at start).
    I might have blocked some services preventing installation, or malware is preventing installation.
    In any case, the error states "could not be installed".

    I like Avast also; however, I am using ZoneAlarm now. Previously I was using Comodo firewall and antivirus because it shows which services are running and how many TCP/UDP connections there are, including IP addresses, in its simplest form. At any given time CA would show UDP connections from my local IP to my gateway connecting one port after another in ascending order using higher-numbered ports, off hand 45556, 45557, etc.

    I tried getting into a network analyzer like Wireshark to analyze packets and see what is connected to my machine/network; however, Wireshark made me feel like I have the IQ of a first grader.

    I do have my router hardened, including http:// unchecked and only https:// access allowed. Further, I read online that Linksys routers have a flaw, such as a backdoor, which hackers use to manipulate the router itself. Granted, this article doesn't talk about my router (I have a Linksys WRT54G-TM (T-Mobile) with maximum memory for this grade of router), but the flaw is systemic to all older Linksys/Cisco products.
    http://www.coresecurity.com/content/vulnerability-report-for-linksys-devices
    reads:
        Title: Remotely exploitable Buffer overflows and
        Authentication bypassing bugs on Linksys BEFW11S4
        Wireless router and other devices.
        Remotely Exploitable: Yes


    I am seriously thinking of holding off on a major reinstall of the OS for now, and doing an upgrade to Windows 8 in a month and a half. I really like the idea of Windows 8 "reset and refresh".

    One last thought: would this approach help my machine(s)?
    http://www.techspot.com/community/t...on-and-now-it-restarts-after-1-minute.184216/
     
  6. jobeard (TS Ambassador)

    Definitely disable remote admin AND set the MTU to 1492 to disable packet fragmenting.

    Can't determine precisely what you are asking / recommending on this one...
     
  7. Simon_nyc (TS Rookie, Topic Starter)

    Hi again,

    I was away for the weekend.

    Thank you for the suggestion.


    I followed your advice. Setting MTU 1472 yielded no packet loss.
    MTU on my laptop was set at 1500 and produced "100% loss" during the ping test.
    For a how-to on MTU testing and setting I used this site: http://www.richard-slater.co.uk/archives/2009/10/23/change-your-mtu-under-vista-or-windows-7/

    Off topic: would you know how to force Adobe Flash Player through a proxy or VPN, or do you know of any online tools to check whether Flash Player is bypassing my VPN and proxy settings, thus revealing my real IP, location, browser info and computer info? My research leads me to believe that Flash Player is by design bypassing user-enacted network settings and is using the default network connection. I am trying to conceal my real IP, browser and computer information when using Flash Player in a peer group environment, by utilizing a proxy or VPN.
     
  8. jobeard (TS Ambassador)

    EXCELLENT!! If you read through it all, you now understand :)

    I believe the default network connection for the browser is the current connection.
    For the sequence

    1. establish VPN
    2. run browser within that vpn

    then every connection created by the browser will also ride the vpn connection and not access
    your non-vpn network.

    you should be able to at least show the effect of the vpn by
    1. running http://www.whatismyip.com/ before creating the vpn
    2. then create the VPN & launch your browser
    3. and rerun http://www.whatismyip.com/
    IMO, the trick is getting the browser started within the VPN and not your normal ISP connection.
     
  9. Simon_nyc (TS Rookie, Topic Starter)

    Good morning,

    Thank you once again for assistance.

    My laptop started locking up. I uninstalled Google Chrome and the problem went away. I cleaned the registry and other nuisances left behind with CCleaner.

    I attempted to reinstall Google Chrome and an error message appears that my firewall blocked the Google Chrome installation because it was attempting to connect to an IP belonging to Verizon Wireless. Screenshot is attached.
     
