
Follow up on rootkit infection question


14 replies to this topic

#1 van_alles

van_alles

  • Members
  • 23 posts

Posted 28 April 2016 - 08:23 AM

Hi All,

 

I'm afraid I have a rootkit on a laptop. See discussion here. As the virus and rootkit guys can't find anything, they suspect a network problem. Hence this post.

 

The initial problem was and still is: a repeating 'login faild from <IP>' in my router log. The <IP> changes with that of the laptop. We already performed tasks with FRST, RogueKiller, MiniToolBox, TDSSKiller and aswMBR.exe. Furthermore, I did a full file (attributes) comparison between offline and online file lists. All details can be found in the post mentioned above.

 

So currently I'm stuck.

 

Anybody any ideas?

 

Kind regards,

Nacho




 


#2 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,135 posts
  • Gender:Male
  • Location:Ohio

Posted 28 April 2016 - 01:58 PM

What is the make and model of the router?


Chad Mockensturm 
Network Engineer
Certified CompTia Network +, A +

#3 van_alles

van_alles
  • Topic Starter

  • Members
  • 23 posts

Posted 29 April 2016 - 05:53 AM

Hi Chad,

 

It is a Huawei HG8245.

 

Kind regards,

Nacho



#4 Wand3r3r

Wand3r3r

  • Members
  • 2,027 posts

Posted 29 April 2016 - 10:12 AM

Surprised no one noticed this in your logs:

(PeerBlock, LLC) C:\Program Files\PeerBlock\peerblock.exe

 

PeerBlock blocks IP addresses. Remove this software.



#5 van_alles

van_alles
  • Topic Starter

  • Members
  • 23 posts

Posted 29 April 2016 - 10:19 AM

Hey Wand3r3r,

 

I installed PeerBlock after seeing the failed logins on the router, just to take out the possibility that someone installs more bleep on the laptop (yes, this is about probability and not about certainty, I know). Furthermore: PeerBlock does not block anything without giving notice, and it didn't block anything noteworthy. Even better: I disabled it during the scans I did. Do you still think I should remove it?

 

Kind regards,

Nacho



#6 van_alles

van_alles
  • Topic Starter

  • Members
  • 23 posts

Posted 01 May 2016 - 05:30 AM

All,

 

Dunno if it is a coincidence, but yesterday I could not access my router anymore !@#$%^&*().

 

Nacho



#7 sflatechguy

sflatechguy

  • BC Advisor
  • 2,257 posts
  • Gender:Male

Posted 01 May 2016 - 11:59 AM

How are you connecting to the router? Are you broadcasting the SSID of your WiFi connection?



#8 Sneakycyber

Sneakycyber

    Network Engineer


  • BC Advisor
  • 6,135 posts
  • Gender:Male
  • Location:Ohio

Posted 01 May 2016 - 01:56 PM

Have you tried contacting your ISP to see if there are firmware updates for your device? I have seen a few articles mentioning an exploit for a specific version of the firmware. What happens if you keep the laptop turned off or disconnected from the network? Does the router continue to show failed login attempts?


Chad Mockensturm 
Network Engineer
Certified CompTia Network +, A +

#9 sflatechguy

sflatechguy

  • BC Advisor
  • 2,257 posts
  • Gender:Male

Posted 01 May 2016 - 02:01 PM

Good point. That's kinda where I was leaning. It may not be the PC that's rooted. It may be the router. That, or someone has hacked your WiFi password and is using it to log in to your router.



#10 van_alles

van_alles
  • Topic Starter

  • Members
  • 23 posts

Posted 02 May 2016 - 05:23 AM

@sflatechguy: yep.

 

@Sneakycyber: thanx. I'm on to it.



#11 van_alles

van_alles
  • Topic Starter

  • Members
  • 23 posts

Posted 06 May 2016 - 01:05 PM

OK, the router is reset. It is a newer model than pointed out before and should not have the vulnerability indicated. I still get the failed logins, but now from the inside and the outside. Excerpt of today's log:

 

2016-05-03 08:57:29 [Error] (,**********) from ip:188.241.96.3 login faild!
2016-05-03 08:57:37 [Error] (,**********) from ip:188.241.96.3 login faild!
2016-05-03 18:46:07 [Error] (,**********) from ip:192.168.100.8 login faild!
2016-05-03 18:46:07 [Error] (,**********) from ip:192.168.100.8 login faild!
2016-05-03 18:46:07 [Error] (,**********) from ip:192.168.100.8 login faild!
2016-05-05 08:37:15 [Error] (,**********) from ip:192.168.100.8 login faild!
2016-05-05 08:37:15 [Error] (,**********) from ip:192.168.100.8 login faild!
2016-05-05 08:37:15 [Error] (,**********) from ip:192.168.100.8 login faild!
2016-05-05 23:55:32 [Error] (,**********) from ip:194.28.112.50 login faild!
2016-05-05 23:55:33 [Error] (,**********) from ip:194.28.112.50 login faild!
2016-05-05 23:55:34 [Error] (,**********) from ip:194.28.112.50 login faild!

 

.8 is the laptop I suspected.

 

Any thoughts?

Nacho

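The router log excerpt above has a fixed line format, so it can be tallied per source instead of read by eye. The following is an added example, not code from the thread: it parses that format in Python, separates RFC 1918 LAN sources from Internet sources, and reports how many failures share a single timestamp, which is what sets the .8 entries apart from the remote ones. The sample lines are constructed in the same format as the excerpt.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample, same format as the router log excerpt quoted above.
SAMPLE_LOG = """\
2016-05-03 08:57:29 [Error] (,**********) from ip:188.241.96.3 login faild!
2016-05-03 08:57:37 [Error] (,**********) from ip:188.241.96.3 login faild!
2016-05-03 18:46:07 [Error] (,**********) from ip:192.168.100.8 login faild!
2016-05-03 18:46:07 [Error] (,**********) from ip:192.168.100.8 login faild!
2016-05-03 18:46:07 [Error] (,**********) from ip:192.168.100.8 login faild!
2016-05-05 23:55:32 [Error] (,**********) from ip:194.28.112.50 login faild!
2016-05-05 23:55:33 [Error] (,**********) from ip:194.28.112.50 login faild!
2016-05-05 23:55:34 [Error] (,**********) from ip:194.28.112.50 login faild!
"""

# One log line: timestamp, masked user field, source IP, the router's own "faild".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[Error\] "
    r"\(,\*+\) from ip:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) login faild!$"
)


def parse_failed_logins(text):
    """Yield (timestamp, ip_address) for each 'login faild' line; ignore the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], ipaddress.ip_address(m["ip"])


def summarize(text):
    """Group failures by source and split LAN (RFC 1918) from Internet sources.

    'same_second_max' is the largest number of failures sharing one timestamp:
    a mistyped password gives 1, an automated retry loop gives several, which
    is the pattern the .8 entries in the excerpt show.
    """
    per_ip = defaultdict(Counter)
    for ts, ip in parse_failed_logins(text):
        per_ip[ip][ts] += 1
    report = {"lan": {}, "internet": {}}
    for ip, stamps in per_ip.items():
        side = "lan" if ip.is_private else "internet"
        report[side][str(ip)] = {
            "count": sum(stamps.values()),
            "same_second_max": max(stamps.values()),
            "first": min(stamps),
            "last": max(stamps),
        }
    return report
```

Run `summarize(open("router.log").read())` on the full log to see which LAN hosts, if any, besides .8 produce same-second repeats.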


#12 van_alles

van_alles
  • Topic Starter

  • Members
  • 23 posts

Posted 06 May 2016 - 01:08 PM

@Sneakycyber's post of 1-5: if the laptop is not connected, there are no failed logins. If I change the IP address, the failed logins come from the new IP address.



#13 van_alles

van_alles
  • Topic Starter

  • Members
  • 23 posts

Posted 09 May 2016 - 10:41 AM

To decide if the router or a laptop is compromised, I installed a machine with Linux & Wireshark. Now I can see what is going on on the network. However, I don't see HTTP traffic to the router itself. I can't find any hints on how to capture this traffic.

 

Anybody?



#14 sflatechguy

sflatechguy

  • BC Advisor
  • 2,257 posts
  • Gender:Male

Posted 09 May 2016 - 11:11 AM

You'll need to put the NIC on your machine in promiscuous mode. Depending on the version of Linux you are using, you may need to edit the configuration file for your Ethernet NIC.



#15 van_alles

van_alles
  • Topic Starter

  • Members
  • 23 posts

Posted 09 May 2016 - 02:07 PM

I know. I tried both Ethernet (sudo ifconfig eth0 promisc) and WiFi (sudo iw phy phy0 interface add mon0 type monitor). Nothing ...





