
Possible hacker intrusion



#1 progan01

Posted 13 July 2016 - 03:08 PM

I've got an unusual problem.

 

From time to time over the last three days, my internet connection is dropped. Not suddenly, as I first thought, but gradually. The Windows 10 Network Troubleshooter would tell me various things, from 'your modem is experiencing connectivity issues' to 'a cable is disconnected' to 'Your DNS server seems to be unavailable.'

 

My ISP, Comcast, has been unhelpful. They're sending a technician to check my cabling. But it's obvious the problem is coming in over the wire.

 

I used to unplug my modem and my router/firewall and sometimes reboot the entire system to get connectivity back, with mixed results. Eventually, through trial and error, I found that I could reboot the modem from its interface, and this would solve the problem.

 

Within the last day, however, I found that my router/firewall can show the DNS servers disappearing from my configuration. The window that shows the IPv4 address for my DNS servers would simply show zeroes. Sometimes refreshing the configuration helped. Other times, not. Sometimes I could not log in because my local domain was not available. This problem also sometimes resolved by refreshing the window, and sometimes not. It happened again as I was composing this message, in fact.

 

And then today, I couldn't get to the router/firewall at all. Instead I received this message from Firefox 47.0.1:

 

XML Parsing Error: unexpected parser state Location: jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/browser/omni.ja!/chrome/browser/content/browser/aboutNetError.xhtml Line Number 436, Column 58:
        <div id="ed_netInterrupt">&netInterrupt.longDesc;</div>
---------------------------------------------------------^

 

I closed and relaunched Firefox and got back into both router and modem without a sign of trouble. But every fifteen minutes or so elements on a page won't load, and I have to go to the router interface, refresh the configuration, and test it. Sometimes this clears up the problem; sometimes not, and I have to retry connection to the router until it lets me in.

 

I am not sure what's happening. My equipment and software, including network adapter, all appear to be functional. MBAM and Adw Cleaner show no malware, and avast! shows no virus. It looks for all the world to me as if whatever is causing my browser -- and router, and firewall, and modem -- to fail is coming from outside.

 

One thing more. I use the Google tool Namebench to find me the fastest DNS servers in my vicinity. Yesterday I ran it, and it found the DNS server at 68.87.77.130 to be an astonishing 124.7% faster than my then-current primary DNS connection. Namebench reported this server's name as Comcast Michigan Opt-Out US. I have had problems before with DNS service not being available, and have used Namebench to find me better DNS servers, but this discovery gives me pause. I've never seen this address or this name before. Could Comcast be the origin of my problems? Are they sending privileged traffic to my modem, router and browser that is causing them to fail?

 

I'm not internet guru enough to solve this one. But solve it I must; I'm being interrupted constantly which disrupts my work -- and if my ISP is responsible, I need to know how to present this problem to them or to regulators to address. Anybody know more than I do about what's going on? I need every input you can provide. This is driving me nuts.


Edited by Queen-Evie, 13 July 2016 - 03:39 PM.
moved from Web Browsing/Email and Other Internet Applications to Networking



#2 DeimosChaos (BC Advisor)

Posted 13 July 2016 - 03:23 PM

Your description sounds kind of like a failing modem, or a failing router (maybe both). Try disconnecting your router from the modem and hooking your PC up to the modem directly. Run it that way for a bit and see if you get the same problems. If you run via wireless most of the time, then plug straight into the router (while it is plugged into the modem) and run it that way. Could be that the wireless is going on the modem. If the IP config settings seem to be glitching in the modem I am kind of leaning towards a bad modem honestly. If it is ISP rented have them send you an updated unit.


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#3 progan01 (Topic Starter)

Posted 13 July 2016 - 03:37 PM

Thanks, DeimosChaos (cool name!), I think I'll buzz the manufacturer and see how their warranty works. It's a purchased modem -- I don't like paying for a new modem every year for the same piece of hardware -- but it's only two years old. I may need to invest in an industrial modem here, if such is made.



#4 Trikein

Posted 13 July 2016 - 03:59 PM

When you can't reach the router, can you reach the 192.168.100.1 of the modem? Also, what model modem and router do you have? Overall, nothing you described sounds like any kind of hacker. 



#5 progan01 (Topic Starter)

Posted 13 July 2016 - 11:34 PM

No, actually, Trikein, both would go out, and both would come back at the same time. I've been experimenting further, and replaced my modem. That cleared up the problem.... for about an hour. I've since had two more failures, also at least an hour apart, so it looks as if my router/firewall is failing. I think it may be possible that both were on their way out, and each may have contributed to the failure of the other. At this point, I have some time to monitor the firewall's behavior, because I need to do a little more research on what my local network requires. Apparently the load is greater than I thought.



#6 Trikein

Posted 14 July 2016 - 12:15 AM

Did you want help troubleshooting the router? If so, could you post any logs of any strange firewall behavior? Also, what model modem and router do you have? 



#7 progan01 (Topic Starter)

Posted 14 July 2016 - 09:33 PM

Actually, Trikein, I would appreciate help troubleshooting the router. I don't have logs available right now; I've taken it out of circuit for the nonce. It's a Netgear FVS318G. Unfortunately it does not have a diagnostics wizard; it can do diagnostics of connections but not its own workings.

 

I can tell you, however, that the network configuration screen, when I start to lose connectivity, shows the DNS server addresses, primary and secondary, as all zeroes. This condition persists until either the router itself becomes unavailable (no response to browser queries of its interface) or service is restored, as mysteriously as it terminated. A quick search of any tools to help diagnose the unit was fruitless. In about twelve hours, however, my long-term test of connectivity will conclude and I can slap that sucker back on there and see what logs it has to offer. Will that do?



#8 Trikein

Posted 14 July 2016 - 10:04 PM

Hard to say exactly what the all 0's for DNS means. It could be the router is trying to renew the IP and DHCP is not providing a DNS. Or it could be the router releases the DNS IPs if it detects it can't reach them. Either way, the logs should be helpful. As per 6-26 of the manual:

1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen displays.

2. Click the View Log option arrow in the upper right-hand section of the screen. The Logs screen displays.

 

Look for any DHCP failures or dropped packets. Also, would you consider trying out a third-party DNS (i.e. Google DNS) to see if that helps? You can set it up as a static DNS just on that one machine so you don't have to change your network.
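Since the router's own logs turned out to be volatile, a client-side probe is the other way to capture the "DNS all zeroes" events with timestamps. The PowerShell script below is an added example, not something from this thread or from Netgear; it assumes Windows 8 or later (for the DnsClient cmdlets), uses www.example.com as an assumed test name, and logs once a minute whether each DHCP-assigned resolver and Google's 8.8.8.8 still answer.

```powershell
# Added example, not from the thread: log DNS resolver health once a minute.
# Assumes Windows 8+/10 (DnsClient module); test name and log path are assumptions.
$Hostname    = 'www.example.com'
$LogFile     = Join-Path $env:USERPROFILE 'dns-probe.log'
$IntervalSec = 60
$ThirdParty  = '8.8.8.8'    # Google DNS, the third-party resolver suggested above

# IPv4 resolvers the router handed out via DHCP (empty when the lease lost its DNS option).
function Get-ConfiguredResolvers {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Sort-Object -Unique
}

# Query one resolver directly, bypassing the local cache, and report OK or the failure text.
function Test-Resolver {
    param([string]$Server)
    try {
        $null = Resolve-DnsName -Name $Hostname -Server $Server -Type A -DnsOnly -ErrorAction Stop
        'OK'
    } catch {
        "FAIL ($($_.Exception.Message))"
    }
}

while ($true) {
    $stamp     = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $resolvers = @(Get-ConfiguredResolvers)
    if ($resolvers.Count -eq 0) {
        # This is the client-side view of the router showing 0.0.0.0 for its DNS servers.
        Add-Content $LogFile "$stamp DHCP-assigned DNS list is EMPTY"
    }
    foreach ($srv in ($resolvers + $ThirdParty)) {
        Add-Content $LogFile "$stamp $srv $(Test-Resolver $srv)"
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Reading the log: if the DHCP list goes empty or only the router-assigned resolvers fail while 8.8.8.8 still answers, the fault is on the router/DHCP side; if every resolver fails in the same minute, the upstream link itself is down.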



#9 progan01 (Topic Starter)

Posted 20 July 2016 - 08:07 PM

Haven't been able to get to my logs as yet. I have a new problem -- what appears to be a new virtual machine installed on my computer since I took the FVS318G offline. I can't find any trace of it except the recurring registry keys:

 

HKCR\VirtualBoxAsw.SessionAsw

HKCR\VirtualBoxAsw.SessionAsw.1

HKCR\VirtualBoxAsw.VirtualBoxAsw

HKCR\VirtualBoxAsw.VirtualBoxAsw.1

HKCR\VirtualBoxAsw.VirtualBoxClientAsw

HKCR\VirtualBoxAsw.VirtualBoxClientAsw.1

 

 

Eliminating the keys doesn't eliminate the problem; they come back instantly after removal, source unknown.

I can't find if this is a Windows 10 process or if it indeed is coming from outside. I can't find any space allocated to it on my disks and all scans have been negative. Why am I seeing this with my hardware firewall out of the picture? What's going on? I may put the old router in just to see if the thing recurs. I'm not a big shop, and pretty much all my anticybercrime efforts are in prevention. If I've got an intrusion it's a very big deal here and needs to be eliminated soonest. So that's my new top priority. I'll get to the logs as soon as I may.

 

However, I can tell you that I've steadily been using a number of third-party DNS servers, with no observed change in behavior. Though my Namebench results keep coming back with more and more evidence of DNS tampering, spoofing and address hijacking. Somebody's already in DNS monkeying with it, and I suspect the party(ies) are malevolent but not necessarily corporate. This activity may not be related to my loss of connection. But I will continue to monitor.



#10 progan01 (Topic Starter)

Posted 01 August 2016 - 01:33 PM

Well, phooey.

 

Putting the old FVS318G back in service revealed that powering-off erases all logs. There was nothing to send.

 

However, leaving it on, in a new location, revealed something new when it finally repeated its 'DNS 0' trick more than two hours later: The old physical location for the router was in the path of an exhaust fan from my PC. For something over two years the temperature of the unit was being marginally increased. Too, dust collected on its insides, thanks to the fan. I suspect that the result was a subtle damage that manifests when the unit overheats. Which it did despite being out of the exhaust path. I decided the best and fastest solution was to get a new router/firewall and put it in a new physical location away from the exhaust fan and other extraneous heat. So far, so good.

 

Still can't find who put a VirtualBox app on my machine, where it is, or what it's doing. I suspect it may be buried with another application's files, but I still can't find the partition associated nor any traffic not accounted for. I don't know if this is a part of legitimate software or what, so it remains a security concern. Anybody have any insight? Sing out -- I could use the help. Trikein, is this in your wheelhouse?
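The registry keys listed in #9 are COM ProgIDs, and a ProgID always points at a CLSID whose registration names the DLL or EXE that serves it, which is the quickest way to find out what software owns them. The PowerShell below is an added example, not code from this thread; it assumes only the three ProgIDs quoted above and follows each one to its server binary and that binary's Authenticode signer.

```powershell
# Added example, not from the thread: follow the VirtualBoxAsw ProgIDs in HKCR to the
# COM server that registers them, then check that binary's Authenticode signature.
# Assumes the ProgIDs listed in the thread; nothing else is known about them here.
$progIds = 'VirtualBoxAsw.VirtualBoxAsw',
           'VirtualBoxAsw.VirtualBoxClientAsw',
           'VirtualBoxAsw.SessionAsw'

# Extract a bare file path from a server string such as  "C:\path\x.exe" /switch
function Get-ServerPath {
    param([string]$Server)
    $m = [regex]::Match($Server, '^"?(?<p>[^"]+?\.(exe|dll))', 'IgnoreCase')
    if ($m.Success) { $m.Groups['p'].Value } else { $Server }
}

foreach ($progId in $progIds) {
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$progId\CLSID"
    if (-not (Test-Path $clsidKey)) { "$progId : ProgID not present"; continue }
    $clsid = (Get-ItemProperty $clsidKey).'(default)'

    # A COM class is served either by an in-process DLL or an out-of-process EXE.
    $server = $null
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\$sub"
        if (Test-Path $key) { $server = (Get-ItemProperty $key).'(default)'; break }
    }
    if (-not $server) { "$progId : CLSID $clsid has no registered server"; continue }

    $path = Get-ServerPath $server
    if (Test-Path $path) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
        "$progId -> $clsid -> $path`n    signature: $($sig.Status), signer: $signer"
    } else {
        "$progId -> $clsid -> $server`n    file not found on disk (stale registration)"
    }
}
```

A valid signature from a vendor you installed explains the keys; an unsigned or missing server binary is the case worth escalating.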



#11 Justinstl

Posted 22 May 2017 - 10:37 AM

Hi, I have the same problem with those same VirtualBox files showing in my registry.... These files are the files that are keeping my internet from loading webpages. When I do a registry scan with CCleaner it finds those same files; when I delete them, then my internet works normally until they come back. Did you find a solution for this problem???

Attached file: vbox.JPG (17.42KB)


#12 Justinstl

Posted 22 May 2017 - 10:48 AM

I'm thinking these VirtualBox files are part of Avast antivirus.... I don't know.

Either way they are keeping me from loading the internet



#13 Guest_Aaron_Warrior_* (Guest)

Posted 24 May 2017 - 09:42 PM

I just skimmed the thread.

 

If the problem, 100% of the time, only happens when you are connected wireless, consider that you have a wireless connection on a channel/frequency that is in conflict with a neighbor. Years ago I spent several days chasing an intermittent wireless connection and at the end of a very long process I realized that my client's next-door neighbor had a wireless router/modem that was operating at the very same channel/frequency as my client, so they were "fighting". Changing the channel of the wireless router solved the problem.



#14 smax013 (BC Advisor)

Posted 24 May 2017 - 09:45 PM

Justinstl wrote:
Hi, I have the same problem with those same VirtualBox files showing in my registry.... These files are the files that are keeping my internet from loading webpages. When I do a registry scan with CCleaner it finds those same files; when I delete them, then my internet works normally until they come back. Did you find a solution for this problem???


You really should create your own thread for your issue. While it might seem like you have the same problem, that may not be the case. Many problems that seem similar or the same end up not being similar or the same.

#15 progan01 (Topic Starter)

Posted 24 May 2017 - 10:09 PM

Actually, Aaron, I found I did not have this problem with avast!'s use of VirtualBox to store infection and intrusion data after I migrated to Windows 10. I suspect it's no longer tagged as a PUP or something else. Sounds like you are on Windows 7 as I once was. If you can't migrate to 10, the problem is ignorable -- the alerts will keep coming up but they're meaningless. Incidentally, you'd better disable SMB v.1.0 from Control Panel if you want to keep WannaCry from sneaking in on your wire.

 

Da capo to my original problem: Earlier this year I lost all connectivity; my network adapter went west and I now have to use a card to reach the net. Since replacement I've not had any problems. I don't know to what degree my prior problems were caused by the failing network adapter that was not caught by my hardware tools. This remains an inexact science, and it pays to keep looking and prodding; the cause may not be obvious first time around.
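The SMBv1 advice in the post above can be checked and applied without the Control Panel dialog. The script below is an added example, not from this thread; it assumes Windows 8.1/10 (for the Dism and SmbShare cmdlets) and an elevated PowerShell session, and it reports whether SMBv1 is already off before changing anything.

```powershell
# Added example, not from the thread: check and disable SMBv1 from an elevated PowerShell,
# the same change the "Turn Windows features on or off" dialog makes. Windows 8.1/10 cmdlets.
function Test-Smb1Disabled {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    # Both the optional feature and the server-side protocol switch must be off.
    ($feature.State -ne 'Enabled') -and (-not $server.EnableSMB1Protocol)
}

if (Test-Smb1Disabled) {
    'SMBv1 is already disabled.'
} else {
    # Turn off the server-side protocol first, then remove the feature entirely.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    'SMBv1 disabled; a reboot completes the feature removal.'
}
```

Run Test-Smb1Disabled again after the reboot to confirm both switches report off.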





