Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    New user Compromised pc - APT & keylogger

    Scheduled Pinned Locked Moved Firewalling
    39 Posts 8 Posters 2.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator @smoses
      last edited by johnpoz

      @smoses I have no idea what you think you have going on.. I really don't buy any of this to be honest.

      What is you want pfsense to do? Block some ports, block the internet? Out of the box no ports are allowed in. If you don't want the pc to go somewhere (IP) or network or Ports.. Then create a rule that blocks those on the lan interface.

      I've been capturing network traffic and I know the majority of what needs to be blocked

      You said you sniffed and know what to block? Ok then block it.. Lets see these pcaps, show us something other than simple paranoia to be honest.

      5-10 minutes before it was hacked with a MITM accessing my webcam.

      Man in the middle accessing your webcam?? Sure Ok ;)

      From reading this thread - seems like someone watching too much mr robot if you ask me.

      If you tell us what you want to block, be more than happy to help you accomplish that. Love to see this pcap showing us what you want to block..

      So you run any antivirus on this machine? What is it infected with? That survives a clean OS install? Do you want some suggestions for anit-virus? Windows Defender doesn't show anything - what about malwarebytes? What software have you run to try and detect what is installed that is keylogging any send the info to them?

      Best practice you should isolate this PC to its own vlan, so it can not talk to any of your other devices. This can be done physically or with a vlan capable switch.

      this would be basic locked down network, where any device on this network couldn't do anything to any of your other networks.

      basicrules.jpg

      Then once you tell use what you want to stop the machine from talking to on the internet, we can show how to do that - the rules would go above the last rule that allows the internet.

      First thing I would do is set that last rule to log - so you can see where the PC is going.. As a start.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      S 2 Replies Last reply Reply Quote 2
      • johnpozJ johnpoz referenced this topic on
      • S
        smoses @johnpoz
        last edited by smoses

        @johnpoz HP.Laptop_NortonPopUp_Hacker_08.07.2020.jpg
        08.07.2020_MITM  Norton alert Microsoft Edge Webcam access.jpg

        Sorry for the late response. I received the Norton alert within 10-15 minutes and did arp -a and it IS at least one, two MITM's. Sorry it's late.

        1 Reply Last reply Reply Quote 0
        • S
          smoses @johnpoz
          last edited by

          @johnpoz OnePlus_NBC_Colorado.Hackers___stalking_FB.DATA.BREACH__09.2021.jpg
          10.24.2021_OnePlus_DuckDuckGo_Russian words searches.jpg

          POST /login.cgi HTTP/1.1
          Host: 192.168.0.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
          Accept-Language: en-US,en;q=0.5
          Accept-Encoding: gzip, deflate
          Content-Type: application/x-www-form-urlencoded
          Content-Length: 61
          Origin: http://192.168.0.1
          DNT: 1
          Connection: keep-alive
          Referer: http://192.168.0.1/
          Upgrade-Insecure-Requests: 1

          admin_username=admin&admin_password=&admin_password=WITH OUR PASSWORD HERE HTTP/1.1 200 Ok
          Server: micro_httpd
          Cache-Control: no-cache
          Date: Thu, 05 Nov 2020 06:41:16 GMT
          Content-Type: text/html; charset=ISO-8859-1
          Set-Cookie: SESSION=; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/; HttpOnly
          Connection: close

          <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
          <html xmlns="http://www.w3.org/1999/xhtml">
          <head>
          <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
          <meta http-equiv="X-Frame-Options" content="deny" />
          <title>CenturyLink Modem Configuration</title>
          <link href="../_css/basic.css" rel="stylesheet" type="text/css" />
          <SCRIPT LANGUAGE="JavaScript" SRC="../_js/jquery-1.6.4.min.js" TYPE="text/javascript"></SCRIPT>
          <SCRIPT LANGUAGE="JavaScript" SRC="../_js/jquery.popupWindow.js" TYPE="text/javascript"></SCRIPT>

          I also have GA showing in the phone and pc and I haven't been there. My healthcare accounts in an iphone duplicated from 4, then 3, and then changed to show my dads iphone.
          Our email address and router wan mac address is included in the form router credential hackers code. It's lengthy.
          Believe me now?

          S 1 Reply Last reply Reply Quote 0
          • S
            smoses @smoses
            last edited by smoses

            @smoses I DO have the keylogger and the ingenuine files screenshots that matches our network traffic. I DO have a IT degree and background. I'm not known to be wrong. Never had this before. Our devices have been on the network. Some of the network nasty-ness is specific to me with my name included.
            I've tried multiple or all antiviruses, it's been to a pc repair with scans and nothing found. Only in the network traffic indicated from a hostile network. They've had full control. I can update Firefox. That doesn't fix the router hackers, people who can see it and are stalking our house because of it. That's why I posted it several times. I was told a different forum so it went in another forum. Who cares that much about multiple posts really? that's not the problem.

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @smoses
              last edited by

              @smoses so mac address of what your router, that is a netgear mac address. 192.168.0.1 - most likely your netgear router. A 169.254 is a APIPA address.. I have zero clue to what that is suppose to show or you want that to show - but it sure and the hell is not a MITM..

              Your browser accessing your webcam? That is your proof - of what??

              OMG - the RU black hats have infected my machine..

              hacked.jpg

              If you have a degree in computer science then show us what is going on - not just more nonsense... Your on your phone and you get some RU lang hits in a search engine? You on a vpn? You your language set wrong?

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              R S 3 Replies Last reply Reply Quote 0
              • R
                rcoleman-netgate Netgate @johnpoz
                last edited by

                @johnpoz said in New user Compromised pc - APT & keylogger:

                @smoses so mac address of what your router, that is a netgear mac address. 192.168.0.1 - most likely your netgear router.

                also login.cgi is not a pfSense page.

                Ryan
                Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                Requesting firmware for your Netgate device? https://go.netgate.com
                Switching: Mikrotik, Netgear, Extreme
                Wireless: Aruba, Ubiquiti

                johnpozJ S 2 Replies Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @rcoleman-netgate
                  last edited by

                  @rcoleman-netgate said in New user Compromised pc - APT & keylogger:

                  also login.cgi is not a pfSense page.

                  Yeah brought that up in one of the other 3 posts with the same nonsense posted about this..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  R S 2 Replies Last reply Reply Quote 0
                  • R
                    rcoleman-netgate Netgate @johnpoz
                    last edited by

                    @smoses

                    At this point I want you to do something for me: Take a photo of your router and post it here.

                    In your packet capture I see a number of things that could be in the middle and at aplay.
                    Zyxel
                    ASUS

                    Your base IP range is 192.168.0.0
                    But your computer gets 192.168.1.0

                    You have Netgear (not Netgate) hardware appearing and addresses related to that manufacturer in your posts.

                    Also a drawing of what is plugged in and how -- it doesn't have to perfect lines but it would need to be legible.

                    It seems to me as though you have many different pieces cobbled together and it is possible one of those is your root issue.

                    Ryan
                    Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                    Requesting firmware for your Netgate device? https://go.netgate.com
                    Switching: Mikrotik, Netgear, Extreme
                    Wireless: Aruba, Ubiquiti

                    S 2 Replies Last reply Reply Quote 0
                    • S
                      smoses @rcoleman-netgate
                      last edited by smoses

                      @rcoleman-netgate The double mac address is a mitm of another machine, that I made a windows reimage download usb drive on a "supposedly" clean machine which turned out to be the most infected. The other machine - as soon as I connected it to a different wifi, I received the Norton alert and I did the arp -a, showing duplicate mac addresses. I was not using anything to access my webcam. I used Norton VPN. I tried another VPN, same thing. It didn't make a difference. My cursor was moving also. They ARE MITMS. Back in the original network, there's a ton of CA network traffic and I'm causing data breaches. I'm not stupid. I wouldn't be posting anything on here if it weren't for the stupid derogatory comments which is typical in the IT field. I normally avoid it. I wouldn't post if I "had the language set wrong". They are my SSN hackers using my healthcare. I'm THE data breaches and gov has verified I am supplying tv shows and movies. I went to the FBI and spoke to two cybercrime agents in person, who also told me specific information and it's been correct.
                      My phones have been on our network over and over again. The pictures I'm forced to take of stalking, turned my USB drives into "rubber duckies" and my GOV accounts have been hacked with the librarian telling me and she took a picture.
                      Some credit rather than being talked down like I'm stupid, would be appreciated. Gov verified my searches are included and illegal surveillance of our house. Stores where my prescriptions are filled have told me, doctors have told me, yet - you're telling me it's "nonsense". I make perfect sense. My birth records are included with my entire family and I'm a business ID. My specific hackers and my PII IS a business ID. I CAN post the specific pictures. It'd be great to be asked that before the OH YEAH - SHOW US DUMMY. PROVE IT. YOU seem STUPID. I've also been told to not use this company as they are likely related to my hackers. The Marvel ARM 1U. That's me. Aries & Gemini lake, etc.
                      My healthcare pointed out "demotses" and that specific network traffic.
                      I appreciate the help. The actual help. It IS an AMD that IS the problem. I've used 5-7-8 different brands / manufacturers. The AMD IS the most problematic / infected. My Pentium hasn't been as infected as the AMD. Dell, HP, Asus, etc. I can also post the impostors of me and all the different locations of them also. and companies. I saved my conversations with Microsoft also. The AMD started conversations with Microsoft on it's own. As in the instant message Hub conversations - started on it's own. I sat and watched it. My parents, grandparents are Marvel characters, aunts, uncles, etc. I'd rather not give out my family tree without a lawyer. Other companies knew one, aunt MAY. The Embers MJ's - when it was open - is 15 minutes from me.

                      1 Reply Last reply Reply Quote 0
                      • S
                        smoses @SteveITS
                        last edited by

                        @SteveITS - Thank you Steve. It's one of the names in our network traffic also. Perhaps not coincidentally.

                        1 Reply Last reply Reply Quote 0
                        • S
                          smoses @johnpoz
                          last edited by

                          @johnpoz The 192.168.0.1 was not a netgear router. I was at a coffee shop using wifi. As I said - a pc with a iso windows image that was done on the infected machine - that at that time was supposedly "safe".

                          1 Reply Last reply Reply Quote 0
                          • S
                            smoses @rcoleman-netgate
                            last edited by smoses

                            @rcoleman-netgate no, it's not a pfsense page. Its on the infected machine on the infected network. Non-genuine or malware files on the the BIOS infected AMD machine. Part of the APT. Healthcare has told me our keystrokes are visible with my purchases. As in the encoded form that is in our network traffic, or somewhere else. That mac address was not pfsense, I was using a different and public wifi.

                            1 Reply Last reply Reply Quote 0
                            • S
                              smoses @rcoleman-netgate
                              last edited by smoses

                              @rcoleman-netgate - I'm unable to find the upload image or attach image / file since my last posts. Was the icon disabled or moved or am I blind? Specific names are in our network traffic also.

                              1 Reply Last reply Reply Quote 0
                              • S
                                smoses @johnpoz
                                last edited by

                                @johnpoz LinkedIn CISSP professionals college professors teach duplicate mac's are MITM's. Go argue with them. I've verified it with them and other CISSP professionals including a RAT. Maybe the better question is what is proof to you johnpoz? Are you saying the CISSP's are wrong?

                                JKnottJ JonathanLeeJ 2 Replies Last reply Reply Quote 0
                                • S
                                  smoses @johnpoz
                                  last edited by

                                  @johnpoz There should be a thumbs down button and after enough of them, that person is flagged as unhelpful, sarcastic, demeaning or similar.

                                  johnpozJ 1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator @smoses
                                    last edited by johnpoz

                                    @smoses

                                    image.jpg

                                    Yup maybe the Russian's are hiding in your machine - I mean that has to be the only logical answer.. <rolleyes>

                                    BTW - omg, the Russians must be hacking me as well.. There is a duplicate mac on my network with a 169.254 address..

                                    arp.jpg

                                    Oh shit - there is another duplicate

                                    arp1.jpg

                                    Oh my god, must be the china hackers and the germans, maybe candada is in on it too..

                                    arp2.jpg

                                    Maybe I should contact some CISSP college professors to explain it too me...

                                    Or just maybe - its not RU hackers, and its how networking works when you have a device that likes to use APIPA (the link local 169.254 address space) as well as its normal IP.. No couldn't be that must be hackers doing MITM on my camera..

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    JonathanLeeJ 1 Reply Last reply Reply Quote 1
                                    • JKnottJ
                                      JKnott @smoses
                                      last edited by

                                      @smoses said in New user Compromised pc - APT & keylogger:

                                      LinkedIn CISSP professionals college professors teach duplicate mac's are MITM's. Go argue with them. I've verified it with them and other CISSP professionals including a RAT. Maybe the better question is what is proof to you johnpoz? Are you saying the CISSP's are wrong?

                                      ????

                                      That "MITM" must be on your LAN, if you see any MAC other than the nearest router. MAC addresses are valid on the local LAN only and discarded when a packet passes through a router and a new MAC from the next interface is used.

                                      PfSense running on Qotom mini PC
                                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                      UniFi AC-Lite access point

                                      I haven't lost my mind. It's around here...somewhere...

                                      1 Reply Last reply Reply Quote 0
                                      • JonathanLeeJ
                                        JonathanLee @johnpoz
                                        last edited by

                                        @johnpoz they have an Arp watch package now?? This could tie into the experimental layer 2 Ethernet filtering rules. Cool!!

                                        Make sure to upvote

                                        johnpozJ 1 Reply Last reply Reply Quote 0
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @JonathanLee
                                          last edited by

                                          @JonathanLee they have had arpwatch for quite sometime - not all that happy with it, it can cause a lot of noise with notifications.. have not been able to figure out a way to not have it put into the db 0.0.0.0..

                                          But I will run it now and then for testing/play..

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          JonathanLeeJ 1 Reply Last reply Reply Quote 1
                                          • JonathanLeeJ
                                            JonathanLee @johnpoz
                                            last edited by

                                            @johnpoz I wonder if that database can be used to help populate the experimental Ethernet filtering rules some way. That is a pain to enter by hand.

                                            Make sure to upvote

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.