
Possible Man In The Middle Network Attack in Windows 7 SP1?



#1 fritzupped

fritzupped


Posted 16 January 2014 - 09:36 PM

Trouble I think. Windows 7 Ultimate Service Pack 1 (x64) with all recommended and critical updates applied. I regularly run Malwarebytes Pro and Bitdefender 2014 is on 24x7.
 
Please notice the "badguy.ipaddress.in.dot.notation". IP is on another continent in a country famous for bad guy hackers, great beer and starting world wars. The IP address does not reverse to a name. The "route print" command does NOT show this added route.
 
The 169.254.0.0 address is explained here. I have a static IP address though a DHCP server is running on my router/firewall. (DD-WRT v24-sp2).
 
Is my outgoing traffic being redirected to the bad guy's IP address and I have a "man in the middle"? How can I remove the added route? I DO NOT have a known good system checkpoint. Is this an attack and should I do a scratch re-install? I am also running NetBalancer.
 
Relevant portion of MiniToolBox.exe's Result.txt follows:
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled sourceroutingbehavior=drop
add route prefix=169.254.0.0/16 interface="iftype0_0" nexthop=badguy.ipaddress.in.dot.notation  metric=1 publish=Yes
add route prefix=169.254.0.0/16 interface="iftype0_0" nexthop=192.168.???.??? metric=1 publish=Yes
add route prefix=0.0.0.0/0 interface="Local Area Connection 2" nexthop=192.168.1.1 publish=Yes
set interface interface="Local Area Connection 2" forwarding=disabled advertise=disabled metric=4 siteprefixlength=0 nud=disabled routerdiscovery=disabled managedaddress=disabled otherstateful=disabled weakhostsend=disabled weakhostreceive=disabled ignoredefaultroutes=disabled advertisedrouterlifetime=0 advertisedefaultroute=disabled currenthoplimit=0 forcearpndwolpattern=disabled enabledirectedmacwolpattern=disabled
add address name="Local Area Connection* 6-QoS Packet Scheduler-0000" address=192.168.108.1 mask=255.255.255.0
add address name="Local Area Connection* 9-QoS Packet Scheduler-0000" address=192.168.23.1 mask=255.255.255.0
add address name="Local Area Connection 2" address=192.168.1.68 mask=255.255.255.0
 
 
popd
# End of IPv4 configuration
 
Thanks for any help.
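As an added example (not from the poster, from BleepingComputer or from MiniToolBox), the following Python script parses a netsh-style IPv4 dump like the one quoted above and classifies each "add route" line by where its next hop sits relative to the addresses configured on the machine's own interfaces. The dump inside the script is a constructed sample modelled on the post: 203.0.113.5 (an RFC 5737 documentation address) stands in for the unknown foreign next hop, and 192.168.50.1 stands in for the masked 192.168.???.??? hop.

```python
import ipaddress
import re

# Constructed sample in the format of "netsh interface ipv4 dump" (as quoted by
# MiniToolBox). Not the poster's real output: 203.0.113.5 is a documentation
# address used as a placeholder for the foreign next hop in the thread.
SAMPLE_DUMP = """\
pushd interface ipv4
reset
set global icmpredirects=enabled sourceroutingbehavior=drop
add route prefix=169.254.0.0/16 interface="iftype0_0" nexthop=203.0.113.5 metric=1 publish=Yes
add route prefix=169.254.0.0/16 interface="iftype0_0" nexthop=192.168.50.1 metric=1 publish=Yes
add route prefix=0.0.0.0/0 interface="Local Area Connection 2" nexthop=192.168.1.1 publish=Yes
add address name="Local Area Connection* 6-QoS Packet Scheduler-0000" address=192.168.108.1 mask=255.255.255.0
add address name="Local Area Connection 2" address=192.168.1.68 mask=255.255.255.0
popd
"""

# key=value pairs; values may be quoted strings containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Address space a next hop on a home/office LAN is expected to fall in
# (RFC 1918 private ranges, link-local, loopback).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]


def parse_dump(text):
    """Return (routes, subnets): static routes as dicts, interface subnets as networks."""
    routes, subnets = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("add route "):
            routes.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
        elif line.startswith("add address "):
            kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
            # "address/mask" with strict=False yields the subnet the adapter sits on.
            subnets.append(ipaddress.ip_network(f"{kv['address']}/{kv['mask']}", strict=False))
    return routes, subnets


def classify_next_hop(nexthop, subnets):
    """Verdict for one next hop given the locally configured subnets."""
    try:
        nh = ipaddress.ip_address(nexthop)
    except ValueError:
        return "unparsed"                  # hostname or masked value, needs manual review
    if any(nh in s for s in subnets):
        return "on-link"                   # reachable directly: normal for a LAN gateway
    if any(nh in r for r in LOCAL_RANGES):
        return "off-subnet-private"        # private hop with no adapter on that subnet:
                                           # typical of a stale VPN / virtual adapter route
    return "non-private"                   # next hop outside private space: investigate


def assess_routes(text):
    """Return (prefix, nexthop, interface, verdict) for each static route in the dump."""
    routes, subnets = parse_dump(text)
    return [
        (r.get("prefix", "?"), r.get("nexthop", "?"), r.get("interface", "?"),
         classify_next_hop(r.get("nexthop", ""), subnets))
        for r in routes
    ]


if __name__ == "__main__":
    for prefix, nexthop, iface, verdict in assess_routes(SAMPLE_DUMP):
        print(f"{verdict:20} {prefix:18} via {nexthop:16} on {iface}")
```

The interface column is the first thing to check for any route that is not "on-link": a route bound to a VPN or virtual adapter that is not currently up can still be present in the netsh dump while being absent from the active table shown by route print, which matches how this thread was resolved. A "non-private" next hop for a link-local prefix (169.254.0.0/16) is worth chasing down the same way before assuming an attack.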
 
 



#2 fritzupped

fritzupped

Posted 16 January 2014 - 09:52 PM

Not a Man In the Middle Attack but an old VPN that was set up. Please ignore.





