Netgate Discussion Forum

Router Credential hackers Keylogger

Firewalling
    smoses
    last edited by Jul 11, 2023, 3:28 PM

    I have black-hat router credential hackers with a keylogger that IS capturing our passwords, with a form and malware attached with dates and times. To fully get rid of this hacker, do I just block that IP address and use an IDS? Or what else do I need to block? It's an advanced persistent threat with malicious files/folders on the PC constantly seeking to make connections. Websites and specifics are appreciated.

      SteveITS Galactic Empire @smoses
      last edited by Jul 11, 2023, 4:18 PM

      @smoses You can block the infected PC from connecting to the Internet with pfSense but can't block that PC from connecting to other PCs on your network. You could just disconnect it. I would not assume that's the only infected PC though if it's truly an APT attacker.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

        johnpoz LAYER 8 Global Moderator @smoses
        last edited by johnpoz Jul 11, 2023, 6:47 PM Jul 11, 2023, 6:45 PM

        @smoses How is this different from the thread you already started asking exactly the same thing?

        https://forum.netgate.com/topic/180617/new-user-compromised-pc-apt-keylogger?_=1689100761289

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          rcoleman-netgate Netgate @johnpoz
          last edited by Jul 11, 2023, 7:46 PM

          @johnpoz Combo of that and should be in the IDS/IPS channel.

            smoses @johnpoz
            last edited by Aug 5, 2023, 6:03 PM

            @johnpoz If you don't receive the correct answer, asking again in another environment sometimes helps. Not giving up, being ignored, and left with unanswered questions. I won't argue if that's what you're looking for. I was asking as in exact specifics.

              smoses @SteveITS
              last edited by Aug 5, 2023, 6:08 PM

              This post is deleted!
                SteveITS Galactic Empire @smoses
                last edited by Aug 5, 2023, 7:49 PM

                @smoses I'm not sure what you're looking for in this forum. You could set rules on LAN to only allow outbound connections to desired IPs. It would take a lot of management. Many big sites change IPs. It sounds more like you need a specialist to investigate the PC(s). And/or image or remove the hard drive and reinstall from scratch. It is possible to infect a BIOS or drive firmware.


                  RobbieTT @smoses
                  last edited by Aug 5, 2023, 9:55 PM

                  @smoses said in Router Credential hackers Keylogger:

                  @SteveITS I thought I posted this already, but I've reset it numerous times and nothing changes. There's malware and non-genuine Windows files and folders installed, and posts are generated on our network as they are our network credential hackers with IoT devices now. I believe they are my SSN and phone hackers, which are black-hat camera-accessing hackers. I printed a few pictures at a library and my library account was hacked; the librarian pointed it out to me, and the pictures printed in halves and fulls with literal stacks of malware/gibberish. Large stacks of paper of gibberish/malware, and my pictures and network traffic on USB drives turned them into "rubber duckies".

                  Can you proofread your posts before sending, please? Some of your sentences are impossible to understand. Did you really mean to type "SSN and phone hackers which are black hat camera accessing hackers"? Oh, and... the rubber duckies??

                  Apologies if you have just had a stroke, aneurysm, TBI, or simply have a gun held to your head by someone with a black hat and a rubber fetish.

                  ☕️

                    michmoor LAYER 8 Rebel Alliance @smoses
                    last edited by Aug 5, 2023, 10:07 PM

                    @smoses Sounds like you have infected/compromised PC(s) on the LAN. A firewall can't help much with that. Take those devices off the network and start investigating.

                    Firewall: NetGate,Palo Alto-VM,Juniper SRX
                    Routing: Juniper, Arista, Cisco
                    Switching: Juniper, Arista, Cisco
                    Wireless: Unifi, Aruba IAP
                    JNCIP,CCNP Enterprise

                      johnpoz LAYER 8 Global Moderator @RobbieTT
                      last edited by Aug 5, 2023, 11:03 PM

                      @RobbieTT said in Router Credential hackers Keylogger:

                      and the rubber duckies??

                      I think I mentioned this on one of his other multiple threads saying he has been "hacked": he has been watching too much Mr. Robot. There was an episode using a Rubber Ducky.

                      pfSense can't do anything about users plugging in compromised USB sticks ;)


                        smoses @johnpoz
                        last edited by smoses Aug 7, 2023, 12:12 AM Aug 6, 2023, 11:54 PM

                        @johnpoz I haven't had any of those brain or stroke conditions. I DO happen to take my physical safety and identity seriously. My hacked phones with the front and back cameras accessed (it makes perfect sense, and I haven't been in GA or other states, and it's a MITM at minimum): when I've had to use them and take pictures of stalking, those pictures and network traffic on the infected PC turn my USB drives into rubber duckies, as they're the only things I have on them. I know the PC is infected and the BIOS/registry is included. I've "wiped" and reinstalled Microsoft on it at minimum 5 times in various different ways. Non-genuine Windows files are now on it. I'd love to remove the PC and "be done with it"; however, I was hoping maybe one of you has had to deal with something similar. I CAN do the compromised-PC articles, but the actual instructions aren't listed, and I CAN do the IDS/IPS, but I hoped someone may have some pointers and an article or video or two that helped them.
                        The stalking that's occurring is to let me know that that form IS still there and that what we do and watch IS included. A keylogger is included. I wanted verification, as I've been scammed out of a lot of money by a bad forensics company. I have an IT degree and background. All my networking PC-compromise books are out of sight. I've given my recommendation to the owner, who's being a stubborn mule. It's massive, and the cops are involved and stalked me themselves. Stuff has been in my yard and on the roads to our house, with very recent spray-painted graffiti. The constant "well, IF it is this, then..." or criticizing whatever at the moment isn't helpful. I haven't been fond of forums previously, and when my healthcare is telling me, and federal crimes since passwords are included, and verifying for me (for the stubborn mule), I just want to fix it. Video, article, specifics. I've been to the FBI because of the stalking and ridiculousness, and what they told me is correct. The local government has verified it also. Meanwhile, inappropriate comments have been made here in response. I have noticed the SRC similarities that ARE in our form. This is flat-out unhelpful. Guys enjoying blowing their own heads big and not helping people that have actual crimes happening.

                          smoses @RobbieTT
                          last edited by smoses Aug 7, 2023, 12:02 AM Aug 6, 2023, 11:59 PM

                          @RobbieTT Your post is gross and has sexual content in it. I don't appreciate it. I wish there was a thumbs-down icon. It makes sense. When you get a cell phone activated, it uses your SSN. They're instantly hacked. There is no mistake. I make perfect sense. The pictures, because I've had to use them, are infected and turn my formatted brand-new USBs into rubber duckies. I was asking about the router hackers, which are also black hat. Google it. The "rubber fetish" is your own sick pleasure and unnecessary. I'm being stalked while you're sexually gratifying your own perverted sense. I'm serious, and I have pictures of it. If I had money to burn, I'd happily pay, but pfSense recommends their forums. I thought I would give it a try.
                          To those who answered without pervert comments, THANK YOU.

                            michmoor LAYER 8 Rebel Alliance
                            last edited by Aug 7, 2023, 12:03 AM

                            @smoses The best advice anyone here can give, and the one I gave above, is to take your infected devices off the network. Unplug them. Reformat the hard drive if you must.
                            Firewalls aren't magic boxes that can solve all cyber security problems. They absolutely help, but at the end of the day the best defense is you. You know you have problematic devices on the network. You need to take them offline until you can solve the problem.


                              rcoleman-netgate Netgate @smoses
                              last edited by Aug 7, 2023, 12:05 AM

                              This post is deleted!
                                smoses @michmoor
                                last edited by Aug 7, 2023, 12:07 AM

                                @michmoor I was reviewing the compromised-PC article and videos on how to "lock down" the compromised PC. I'd junk it personally. You buy a firewall to make sure your traffic is clean. I need to create rules and/or use an IDS. That's what I was asking about.

                                  michmoor LAYER 8 Rebel Alliance @smoses
                                  last edited by Aug 7, 2023, 12:10 AM

                                  @smoses said in Router Credential hackers Keylogger:

                                  You buy a firewall to make sure you're traffic is clean

                                  No. As I said, a firewall isn't a magic box. Thinking that it is, is part of the problem here.
                                  Again, you have compromised host(s). You don't want to fix it. You want to put an IPS solution around it, which doesn't make a lot of sense.
                                  If you don't want to at least fix the problem, but only address the fact that your host is infected, then I'm not sure what more anyone here in the forums can do. I wish you the best of luck, but my advice, to state it again: take the computer off the network. Run virus/malware scans. The best solution is to reformat.


                                    rcoleman-netgate Netgate @michmoor
                                    last edited by Aug 7, 2023, 12:12 AM

                                    @michmoor Agreed. The solution is isolate the infected host and treat.

                                    Don't burn the entire city to the ground because one resident has a case of measles.

                                      smoses @rcoleman-netgate
                                      last edited by Aug 7, 2023, 12:14 AM

                                      @rcoleman-netgate Yep. that follows you also I believe. The comment doesn't state that. It states "rubber fetish". Gun to your head.

                                        rcoleman-netgate Netgate @smoses
                                        last edited by Aug 7, 2023, 12:14 AM

                                        @smoses said in Router Credential hackers Keylogger:

                                        Your post is gross and has sexual content in it

                                        A Rubber Ducky is a hacking tool.

                                        As for their other comment... while it might be a little bit extreme/excessive it is not intended in the manner you are interpreting it.

                                        I suggest you ignore any user whose answers you do not like and simply not engage with them.

                                          smoses @rcoleman-netgate
                                          last edited by Aug 7, 2023, 12:17 AM

                                          @rcoleman-netgate I acknowledged that and posted looking for specifics. Video, articles, etc. I don't need help diagnosing it, just fixing it. If it can. Blocking everything except normal traffic. Egress filtering, whatever.

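The "egress filtering" smoses asks for in the last post, and the LAN-rules approach SteveITS described earlier (only allow outbound connections to desired IPs), look like the following. This is an added illustration, not a ruleset from the thread, from Netgate or from pfSense's own rule generator. It is written in pf syntax, which is what pfSense compiles its GUI rules into, so that rule ordering is visible; on pfSense you would build the same thing as Firewall > Rules > LAN entries with an alias for the allow-list. The interface name igb1, the LAN subnet 192.168.1.0/24, the infected host 192.168.1.50 and the allow-list destinations are all assumed for the example.

```pf
# Added example (not from the thread): egress filtering on the pfSense LAN
# interface, hand-written in pf syntax. Interface, subnet, infected-host
# address and allow-list destinations are assumptions for illustration.

lan_if   = "igb1"
lan_net  = "192.168.1.0/24"
gateway  = "192.168.1.1"       # pfSense LAN address, also the LAN DNS resolver
infected = "192.168.1.50"      # the compromised PC

# Destinations the rest of the LAN may still reach (assumed addresses).
# In the pfSense GUI this is an "alias"; in pf it is a table.
table <egress_ok> { 1.1.1.1, 9.9.9.9 }

# Weak setting: pfSense's default LAN rule, which passes everything out.
# Comment it out or delete it in the GUI, otherwise nothing below matters.
# pass in quick on $lan_if from $lan_net to any keep state

# 1. The compromised host first. "quick" ends rule evaluation on match, so
#    none of the allow rules below apply to it. "log" makes its connection
#    attempts visible in the firewall log.
block in log quick on $lan_if from $infected to any

# 2. Everyone else on the LAN: DNS only to pfSense, HTTPS only to the allow-list.
pass in quick on $lan_if proto { tcp udp } from $lan_net to $gateway port 53 keep state
pass in quick on $lan_if proto tcp from $lan_net to <egress_ok> port 443 keep state

# 3. Default deny, logged, so unexpected outbound attempts show up in the log.
block in log quick on $lan_if from $lan_net to any

# Caveat (SteveITS's point): these rules only see packets that arrive on
# igb1 from the LAN. Traffic between two hosts on the same LAN segment is
# switched directly and never reaches pfSense, so nothing here stops the
# infected PC from talking to its neighbours. Unplug it for that.
```

Two checks worth doing. Parse the file without loading it with `pfctl -nf rules.conf` (`-n` means check only), and after the rules are in place kill the infected host's existing state entries with `pfctl -k 192.168.1.50`, because pf's state table keeps already-established connections alive even after a new block rule is loaded (in the GUI: Diagnostics > States, filter on the address, then kill). Blocked attempts then appear under Status > System Logs > Firewall. Note that pfSense prepends its own anti-lockout rule to the LAN ruleset, so the web GUI stays reachable from the LAN regardless of the rules above.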
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.