Netgate Discussion Forum
    Home Network Accessed

    General pfSense Questions · 11 Posts · 5 Posters · 1.1k Views
    TAC57 (last edited by TAC57)

      I believe someone got into my Windows 11 computer remotely, at least that is where I saw some activity. I'm looking for information on tracking down what happened, if they still have access, and what I should do from this point.

      My main concern is if they have installed remote access software and if they now have some type of permanent access to my network. On my LAN I have three Windows computers and a TrueNAS server running SCALE.

      Is there a specific pfSense (I'm running 25.07_RELEASE) log file I can look at or some setting I should activate? The only port I currently have open is 32400 (Plex server).

      Any help would be much appreciated.

      AndyRH @TAC57

        @TAC57 If someone managed to drop malware on your computer, it will now appear to pfSense as an outbound connection. You could have pfSense log all connections from this computer, but you will find that Windows is chatty and you are not likely to find anything useful.

        If you suspect the computer is compromised, the best option is a wipe and reload.

        Windows logs and a scan are the best route now. It would also be a really good idea to isolate the system.

        o||||o
        7100-1u

        stephenw10 (Netgate Administrator)

          What have you seen that makes you think there's a problem?

          Security breaches like that are almost always because something in the client connected out rather than unsolicited connections coming in.

          TAC57 @stephenw10

            @stephenw10 I was in my vehicle and got a note from Coinbase of a transaction. I was home within minutes. On getting to my computer there was some Windows update screen displayed. On moving the mouse, the pointer would move elsewhere like someone else was controlling it. Within seconds my desktop popped up and everything since has looked normal... except for the withdrawal from my Coinbase account. :-(

            stephenw10 (Netgate Administrator)

              Yup I would wipe and reload if faced with that.

              Is the Plex server isolated from the other LAN clients? Given that that's the only thing open to the internet at all it's worth considering that.

              TAC57 @stephenw10 (last edited by TAC57)

                @stephenw10 No my TrueNAS server is on 192.168.30.1 with all my other computers.

                Can I look at some of the pfSense logs when this happened and maybe find some hints?

                What exactly do you mean when you say wipe and reload?

                stephenw10 (Netgate Administrator)

                  I mean format that Windows machine and reinstall it.

                  It depends what logging you have enabled or what packages you have installed as to whether or not any logs exist. By default outbound connections from clients are not logged.

                  TAC57 @stephenw10

                    @stephenw10 Do you mean format only the C: drive and reinstall Windows? Most all of my data is on a D: drive.

                      TAC57 @stephenw10

                      @stephenw10 If it's any consolation I did run msert.exe and the Trellix Stinger antivirus programs and didn't get any hits.

                      I don't know what you think of ChatGPT but it suggested I run this in a PowerShell:

                      Get-NetTCPConnection |
                        ForEach-Object {
                          $conn = $_   # keep the connection object; inside catch, $_ is the error record, not the connection
                          $p = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
                          # Reverse DNS lookup; fall back to the raw address when there is no PTR record
                          $remoteHost = try { ([System.Net.Dns]::GetHostEntry($conn.RemoteAddress)).HostName } catch { $conn.RemoteAddress }
                          [pscustomobject]@{
                            PID     = $conn.OwningProcess
                            Process = $p.ProcessName
                            Local   = "$($conn.LocalAddress):$($conn.LocalPort)"
                            Remote  = "$($remoteHost):$($conn.RemotePort)"
                            State   = $conn.State
                            Path    = $p.Path
                          }
                        } | Sort-Object Process, Remote | Format-Table -Auto

                      When I pasted the output back into ChatGPT it reported back...

                      ✅ Overall assessment
                      All executables are running from legitimate system or Program Files directories.
                      All remote hosts are normal cloud/CDN providers (Amazon AWS, Google, Akamai, Microsoft).
                      No suspicious binaries in odd folders (like %TEMP%, Downloads, etc.).
                      No unexpected listeners — everything you showed is outbound traffic only.
                      ⚡Bottom Line
                      I don’t see any red flags here.
                      What you’re looking at is:
                      Your browser (Firefox) keeping multiple connections alive to websites and CDNs.
                      ChatGPT app using AWS.
                      Windows background services (Defender, svchost, OneDrive).
                      A couple of normal closing sockets (CloseWait).
                      Nothing malicious, nothing “phone home” from unknown executables.

                        scottjh1

                        As a side note Windows has a number of default shares. You can run "fsmgmt.msc" to see them. They can be deleted using "net share * /delete". Enclosed is a link with further information.

                        https://www.action1.com/blog/how-to-stop-file-sharing-windows-10/

                          VioletDragon @TAC57 (last edited by VioletDragon)

                          @TAC57 Plex themselves had a data breach a while ago; their Plex code had some bad malware in, an infostealer. Workstations and public-facing services should be in VLANs regardless.

                          Look at netstat but bear in mind that it will most likely be noisy. Monitor Wireshark and pfSense together to look at logs. I would recommend wiping the system completely and starting from scratch. Change all passwords, move public-facing services into their own VLAN with strict firewall rules, TrueNAS should be in a storage VLAN, workstations in their own VLAN. Having a flat network with public-facing services is the worst thing you can do.

                          Implement an IDS/IPS, something like Snort or Suricata, and pfBlockerNG with geolocation blocking, which are the things I would suggest implementing as well.

                          Check Have I Been Pwned also.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.