Strong Firewall (Been hacked for 5 year)

DD-WRT Forum Index -> Advanced Networking (This topic is locked: you cannot edit posts or make replies.)
art0ne
DD-WRT Novice


Joined: 19 Jun 2021
Posts: 5

PostPosted: Sat Jun 19, 2021 20:09    Post subject: Strong Firewall (Been hacked for 5 year)
Hello fellow travelers. In my pursuit for help I will try to make as few tech-savvy people as possible pull their hair out. I have been hacked by the same guy, for 5 years.

This is through multiple different routers. At first I had your standard comes-with-ISP router and an iMac. It got hacked, to the point where he could control my mouse etc.
I later changed to the pretty cheap Ubuntu-only wired router (you know which one, I think). Could not properly set it up as I am not an expert. I later tried to bring in the hard things, Netgate. I ran Suricata, Snort and several other things. Yet somehow he got through; he also has hacked my different phones. I am now running DD-WRT, which so far has worked best, although he's still here. My iMac is in the shop so I'm running my laptop. The way I usually see it is by having like 5 of my computers in netstat, and he uses EC2 (Amazon) servers to connect to me.
Basically I wish that some of you could find it in your hearts to help me; perhaps some sort of money exchange could happen too.
I want the meanest firewall setup that can be conjured up through the dark arts. My firewall as it sits right now is

iptables -I FORWARD -m state --state NEW -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -i $IFACE -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network.
iptables -A INPUT -i $IFACE -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network.
iptables -A INPUT -i $IFACE -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network.
iptables -A INPUT -i $IFACE -s $CLASS_C -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
iptables -A INPUT -i $IFACE -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses.
iptables -A INPUT -i $IFACE -s $CLASS_E_RESERVED_NET -j DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP
# Refuse broadcast address packets.
iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP
iptables -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i $IFACE -p udp -j DROP
iptables -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
iptables -A OUTPUT -o $IFACE -p udp -j DROP
# Any icmp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i $IFACE -p icmp -j DROP
iptables -A OUTPUT -o $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
iptables -A OUTPUT -o $IFACE -p icmp -j DROP
# Any tcp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP
# Anything else not already allowed is logged and then dropped.
# It will be dropped by the default policy anyway ........ but let's be paranoid.
iptables -A INPUT -i $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT -i $IFACE -j DROP
iptables -A OUTPUT -o $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
iptables -A OUTPUT -o $IFACE -j DROP
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
iptables -t mangle -I PREROUTING -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -I INPUT -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d `nvram get wan_ipaddr` -j DROP
iptables -I FORWARD -f -j DROP
iptables -I FORWARD -p tcp --dport 25 -j DROP
iptables -I FORWARD -p udp --dport 25 -j DROP
iptables -I FORWARD -p tcp -o `get_wanface` --dport 25 -j REJECT
iptables -I FORWARD -p tcp --dport 137 -j DROP
iptables -I FORWARD -p udp --dport 137 -j DROP
iptables -I FORWARD -p udp --dport 138 -j DROP
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p udp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p udp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 31337 -j DROP
iptables -I FORWARD -p udp --dport 31337 -j DROP
iptables -I FORWARD -p tcp --tcp-flags ALL ALL -j DROP
iptables -I FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 8640 -j DROP

## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP

## FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.
iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i $IFACE -f -j DROP
iptables -I INPUT -p udp --dport 68 -j ACCEPT
# Default policies (the original used an undefined uppercase IPTABLES here; corrected to the real command)
iptables -P INPUT DROP
iptables -P FORWARD DROP

SPOOF_IPS="Martian addresses go here"

#Force SYN packets check
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP

#Force Fragments packets check
iptables -I INPUT -f -j DROP

#XMAS packets
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP

#Drop all NULL packets
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP

#Drop bogon and martian addresses (vlan2 is the WAN interface on this Broadcom router)
for ip in $SPOOF_IPS
do
iptables -I INPUT -i vlan2 -s $ip -j DROP
iptables -I FORWARD -i vlan2 -s $ip -j DROP
done

# Default Deny (logdrop is DD-WRT's built-in log-then-drop chain)
iptables -I INPUT -i vlan2 -m state --state NEW -j logdrop
iptables -I FORWARD -i vlan2 -m state --state NEW -j logdrop
#stop portscan
iptables -A INPUT -m recent --name portscan --rcheck --seconds 8640 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 8640 -j DROP
#Synpacket limit
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#idk
iptables -I FORWARD -p tcp --dport 25 -j DROP
iptables -I FORWARD -p udp --dport 25 -j DROP
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p udp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p udp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 31337 -j DROP
iptables -I FORWARD -p udp --dport 31337 -j DROP


I don't know what half of it does but it seems to keep me and dad pretty safe (I also use OpenVPN).

The macOS on dad's side is barely usable though; I will try to reinstall it tonight, although I just did so the other day. On it the new Little Snitch works magic. So does Murus firewall and other ones you can find.
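An added example, not from this thread or the DD-WRT project: a small Python replay of iptables commands that shows the order rules actually end up in (since -I puts a rule at the head of the chain while -A appends to the end) and flags rules that are duplicated or can never match. The RULESET excerpt is constructed from a handful of the rules posted above; $IFACE is kept as a literal token.

```python
# Constructed excerpt modelled on the posted script; $IFACE stays a literal token.
RULESET = """
iptables -I FORWARD -m state --state NEW -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I FORWARD -p tcp --dport 25 -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -I FORWARD -p tcp --dport 25 -j DROP
iptables -P INPUT DROP
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def parse_rule(line):
    """Split one iptables command into table/op/chain/match/target; None if not a rule."""
    tok = line.split()
    if not tok or tok[0] != "iptables":
        return None
    r = {"table": "filter", "op": None, "chain": None, "pos": None, "match": [], "target": None}
    i = 1
    while i < len(tok):
        t = tok[i]
        if t == "-t":
            r["table"] = tok[i + 1]
            i += 2
        elif t in ("-A", "-I", "-N", "-P"):
            r["op"], r["chain"] = t, tok[i + 1]
            i += 2
            if t == "-I" and i < len(tok) and tok[i].isdigit():
                r["pos"] = int(tok[i])  # explicit insert position
                i += 1
            if t == "-P":
                r["target"] = tok[i]  # chain policy
                i += 1
        elif t == "-j":
            r["target"] = tok[i + 1]
            break  # remaining tokens are target options (log prefix etc.)
        else:
            r["match"].append(t)
            i += 1
    r["match"] = tuple(r["match"])
    return r


def build_chains(script):
    """Replay the script: -I inserts at the head (or given position), -A appends.
    Returns (chains, policies); chains maps (table, chain) -> [(line, match, target)]."""
    chains, policies = {}, {}
    for n, line in enumerate(script.strip().splitlines(), 1):
        r = parse_rule(line.strip())
        if r is None or r["op"] is None:
            continue
        key = (r["table"], r["chain"])
        rules = chains.setdefault(key, [])  # -N just creates an empty chain
        if r["op"] == "-P":
            policies[key] = r["target"]
        elif r["op"] == "-A":
            rules.append((n, r["match"], r["target"]))
        elif r["op"] == "-I":
            rules.insert((r["pos"] or 1) - 1, (n, r["match"], r["target"]))
    return chains, policies


def find_shadowed(chains):
    """Rules that can never fire because an earlier rule in the final order has the
    identical match and a terminating target. Exact-match only: a wider earlier match
    (a /8 before a single host) is not detected. Returns [(key, dead_line, by_line)]."""
    findings = []
    for key, rules in chains.items():
        first = {}
        for n, match, target in rules:
            if match in first:
                findings.append((key, n, first[match]))
            elif target in TERMINATING:
                first[match] = n
    return findings


def render(chains):
    """Final evaluation order, one string per rule."""
    return [f"{t}/{c} [line {n}] {' '.join(m)} -> {tgt}"
            for (t, c), rules in chains.items() for n, m, tgt in rules]
```

Running render() on the excerpt shows the appended SYN rate-limit ACCEPT sitting behind the inserted drop-all-NEW rule in FORWARD, and find_shadowed() lists the three duplicated drops that never see a packet.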
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14217
Location: Texas, USA

PostPosted: Sat Jun 19, 2021 20:27
Is this a DD-WRT question?
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1414

PostPosted: Sat Jun 19, 2021 20:33
Your first problem is to ensure that there are no malicious programs on your LAN, which means wipe every OS and reinstall from scratch. Also ensure none of those are doing extra wifi or wps opening. This can also be you have malware already in backups and every time you restore from backup, you reinstall. Update and apply all security Patches!

Also disconnect every device that you do not know exactly what it is (or is not proved to be clean), this would prevent a physical device already on the inside.

Assuming the person has no physical access, then we can start looking at the firewall/router... but most of the time just using NAT is all you need as long as you do not poke your own holes or install malware on your devices.

Most likely it is something that has been or is installed internally already and is making an external connection.

I am not even going to look at your firewall because I can already tell, with all those lines, you have made it more complicated than it needs to be.

And KP is correct... so this is all the advice I am going to give on this matter.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

PostPosted: Sun Jun 20, 2021 5:40
What router model/firmware number...??
And those were the things you should've started with...!!!

Then, as the others said, you must know you are not compromised from inside, as well you must know what you are doing...running Snort and netfilter iptables rules...then you must be aware what's going on...forgive me, but it seems you just know their names, but not their full functionality...

Any useful logs??

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12882
Location: Netherlands

PostPosted: Sun Jun 20, 2021 6:04
To add: good password hygiene, password length at least 12 random characters and no reuse.

No remote administration enabled; use OpenVPN if you need to connect.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
art0ne
DD-WRT Novice


Joined: 19 Jun 2021
Posts: 5

PostPosted: Sun Jun 20, 2021 8:41
Excuse me. Every device has been wiped clean, with USBs made on other people's computers, and during these five years even replaced! I am also running ESET Premium Security. My DD-WRT is on a Netgear R7000.
Firmware: DD-WRT v3.0-r44715 std (11/03/20)

Devices on this net are one iMac and one MSI laptop.

I have also changed ISP 4 times during this time.
Also, passwords are made with generators.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

PostPosted: Sun Jun 20, 2021 12:04
art0ne wrote:
Excuse me. Every device has been wiped clean, with USBs made on other people's computers, and during these five years even replaced! I am also running ESET Premium Security. My DD-WRT is on a Netgear R7000.
Firmware: DD-WRT v3.0-r44715 std (11/03/20)

Devices on this net are one iMac and one MSI laptop.

I have also changed ISP 4 times during this time.
Also, passwords are made with generators.


So far so good...now give us more details. You said Snort, Suricata, logs...any IPs that you suspect...as you stated: 'we changed our ISP 4 times and still the same attacker'. Something is rotting here...are you a subject of high interest...?
From where do you know it's the same attacker? Evidence, logs...
Then even with clean and secured devices, there is always a chance to screw it up...like bad hygiene, a non-hardened OS, or clicking on bad links, compromised web sites, etc....

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12882
Location: Netherlands

PostPosted: Sun Jun 20, 2021 16:07
Being hacked from outside with all the safety measures is not something easy; a top hacker would not waste his zero-day attacks on an "ordinary" civilian.

IF (and that is a big if) you are really hacked, I would first consider an inside job or someone getting hold of your wifi password. Check if you really are using WPA2/AES and not WEP, and even WPA2 is hackable.

So if you are really hacked I would look around at your neighbours; a fairly easy attack vector is wifi (WPA2 has its security holes).
At least change wifi passwords often.

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14217
Location: Texas, USA

PostPosted: Sun Jun 20, 2021 18:10
Disable UPnP. And don't install questionable software or browser extensions. Learn how to lock down your client devices. Get rid of ESET; you are just wasting time, resources, and money.

#ifyourethatparanoidquitusingwirelessnetworking

art0ne
DD-WRT Novice


Joined: 19 Jun 2021
Posts: 5

PostPosted: Mon Jun 21, 2021 8:48
I know who it is. It is semi-personal. It does happen, and yes, he has certain things he rents to connect to me. I will insert my banlist. Some of them may be off and clean. But pretty much all of them have been reported.

Oh, and he hacked the router and posted "personal" things of me. Trust me fellows, it's not in my head. I'm not gonna dox him though; I find it immoral.


It looks like a$$ but you can pick out the IPs.
art0ne
DD-WRT Novice


Joined: 19 Jun 2021
Posts: 5

PostPosted: Mon Jun 21, 2021 8:51
kernel-panic69 wrote:
Disable UPnP. And don't install questionable software or browser extensions. Learn how to lock down your client devices. Get rid of ESET; you are just wasting time, resources, and money.

#ifyourethatparanoidquitusingwirelessnetworking


UPnP is disabled, sir. I got no questionable extensions either.

ESET does wonders actually; when I didn't have it on, he installed script-kiddie malware that completely made my computer unusable. And money is not a big problem.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14217
Location: Texas, USA

PostPosted: Mon Jun 21, 2021 16:46
You're even blocking shieldsup. I'm gonna let someone else decide whether or not to lock or wipe this thread out completely.


https://www.cvedetails.com/vulnerability-list/vendor_id-8861/Eset.html

https://www.cvedetails.com/vulnerability-list/vendor_id-8861/product_id-15659/Eset-Smart-Security.html

https://www.google.com/search?q=eset+premium+security+vulnerabilities

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

PostPosted: Mon Jun 21, 2021 19:05
Clearly, you self-compromised your network and you need to educate yourself about compromised networks, bad apps, etc....as well, this thread is nothing related to DD-WRT...

I would've redirected you to https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=48331

but, if KP69 or others decide, wipe or lock..
no more comments...

art0ne
DD-WRT Novice


Joined: 19 Jun 2021
Posts: 5

PostPosted: Mon Jun 21, 2021 19:41
I do appreciate your verdict that it is me constantly opening up vulnerabilities. In this case it would be different hackers? I know his methods and it's the same one. So I find your idea to be without base. I don't know why you would want this locked. Would it not be a fun journey for all of us to figure out what is going on? Online I Skype, watch Netflix and browse newspapers. I don't even torrent anymore. I don't see how I could do this; is it possible that it is an extremely skilled hacker that has targeted me? I think so.

In any case, what is the strongest firewall setup you've seen?
And pick apart mine please.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14217
Location: Texas, USA

PostPosted: Mon Jun 21, 2021 21:54
Nothing to pick apart or discuss. Unless you have proof positive of a network intrusion (which we have yet to see), all I can see is that you're blocking a bunch of Amazon, fellow gamer / p2p or p0rn related hosts over perceived threats that have been publicly disclosed, and you're probably using a vulnerable solution to protect your client machines. If you want to prove a hack, set up an IDS solution that is reputable and post the logs. Since you wish to be completely uncooperative, this thread is locked for now until you wish to provide proof positive of a breach.

