Joined: 14 May 2013
Posted: Fri May 17, 2013 5:18    Post subject: Strange network misdirections... was I hacked?
Here is my home network setup:
Router#1 at subnet#1
4 wired LANs: WindowsPC1, WindowsPC2, VOIP Box, DDWRT router (into its WAN port)
Wifi - Windows/Linux laptop
DDWRT Router (subnet#2 with DHCP on) Wifi to/from Macbook upstairs

I spoke with an experienced hacker "friend" about security questions a month ago, and accidentally revealed that I had called him from my VOIP line (it is an actual phone #), and he asked what kind of Box I had. I am not sure if what happened a week later is related...

--VOIP Box and DDWRT were not able to get online. Other computers were surfing fine.
My ISP claimed network upgrades had caused some area routers to flake out, and they replaced mine. However, 2 days later, the SAME problem happened on the new router... the VOIP connection stopped working. I called my ISP, who remoted in to check Router#1, and during the phone call, the VOIP connection problem suddenly resolved. My ISP either accidentally fixed the connection, scared away a hacker, or knocked off a hack VPN.
--Instead of the usual foreign IPs, many U.S. consumer IPs had tried to enter Router#1... Botnet?
--My Macbook's MAC address was on Router#1's device list. I have NEVER input that Wifi key nor tried connecting. (This hasn't occurred again since replacing Router#1.)
--WindowsPC1 asked me to set network as "Home or Public," as if it was on a new network
I changed passwords offline for the DDWRT and Macbook. Strangest thing: the VOIP Box was on my DDWRT router's LAN list as a connected device (DHCP client)!! Not sure if it was active or old. After rebooting the DDWRT, I haven't seen this again (although granted, anyone can simply push a trashcan button). There have since been Screensharing log errors on my Macbook (sharing should be off!). I have not reflashed DDWRT yet, as I'd like to investigate the murder scene first... how did “cats and dogs mate,” not even just once, but twice?!
--Are the U.S. consumer IPs on firewall evidence of a Botnet?
--For the 2 abnormal misdirections, did 2 routers have to fail (too much of a coincidence), i.e., is this suggestive of a hack?
--Why/how did my Macbook on subnet#2 show up on Router#1's device list?
--How did the VOIP Box on subnet#1 connect upstream via LAN to WAN of the DDWRT router, which is subnet#2?
--I'm not using a VPN, but it appears that VPN passthrough settings are enabled on DDWRT by default... Is there an exploitable vulnerability, with a default password?
--Is it possible to hash (checksum) my installed DDWRT binaries, to see if a "backdoor" has been installed?
--How do I get to them; can we SSH/root to them?
--If there was a VPN, would that even show up as a bad hashcheck on the base binaries, or is a VPN simply a configuration?
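The last three questions in the post ask whether the installed DD-WRT binaries can be checksummed to spot a backdoor. The script below is an added example of how a practitioner would do that; it is not from the original post or from the DD-WRT project. It builds a SHA-256 manifest of every regular file under a root directory and diffs it against a baseline manifest. It assumes that `sha256sum` and `awk` are available (busybox on DD-WRT ships both; substitute `md5sum` if a given build lacks `sha256sum`), that file paths contain no spaces, and that the baseline comes from a trusted copy of the same firmware version (a freshly flashed unit, or the firmware image unpacked on a PC), not from the box under suspicion. The `demo` fixture at the end is constructed so the script can be exercised without a router.

```shell
#!/bin/sh
# Added example, not from the original post or the DD-WRT project.
# Build a SHA-256 manifest of every regular file under a root directory and
# diff it against a trusted baseline manifest of the same firmware version.
# Assumptions: sha256sum and awk are available (busybox on DD-WRT ships both;
# swap in md5sum if your build lacks sha256sum), file paths contain no spaces,
# and the baseline came from a trusted copy (fresh flash or the firmware image
# unpacked on a PC), not from the box under suspicion.

# make_manifest ROOT OUTFILE
# Paths are recorded relative to ROOT so a manifest taken on the router
# (ROOT=/) lines up with one taken from an unpacked image on a PC.
# -xdev keeps find on ROOT's filesystem (skips /proc, /sys, /dev, /tmp mounts);
# -type f skips symlinks and device nodes; sort gives a stable order.
make_manifest() {
    root="$1"; out="$2"
    ( cd "$root" && find . -xdev -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# compare_manifests BASELINE CURRENT
# Prints one line per difference: CHANGED (hash differs), NEW (only in
# CURRENT) or MISSING (only in BASELINE). Silent when the trees match.
compare_manifests() {
    awk '
        NR == FNR { base[$2] = $1; next }        # first file: path -> hash
        {
            if (!($2 in base))        print "NEW " $2
            else if (base[$2] != $1)  print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$2"
}

# demo: constructed fixture standing in for two rootfs copies, so the script
# can be exercised without a router. "good" is the trusted tree, "box" the
# suspect one with a modified httpd, an extra binary and a missing telnetd.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/good/bin" "$t/box/bin"
    printf 'busybox v1\n'       > "$t/good/bin/busybox"
    printf 'httpd v1\n'         > "$t/good/bin/httpd"
    printf 'telnetd v1\n'       > "$t/good/bin/telnetd"
    printf 'busybox v1\n'       > "$t/box/bin/busybox"
    printf 'httpd v1 + extra\n' > "$t/box/bin/httpd"
    printf 'not in image\n'     > "$t/box/bin/dropbear_extra"
    make_manifest "$t/good" "$t/baseline.sha256"
    make_manifest "$t/box"  "$t/current.sha256"
    compare_manifests "$t/baseline.sha256" "$t/current.sha256" | LC_ALL=C sort
    rm -rf "$t"
}
```

On the router itself, once SSH is enabled in the DD-WRT web UI, the call is `make_manifest / /tmp/current.sha256`; copy that file off and run `compare_manifests` on the PC against the baseline. Two caveats matter here. First, the hashes come from the router's own `sha256sum`, which lives in the same busybox binary an intruder could have replaced, so the result is only as trustworthy as the tool that produced it; where possible hash the firmware image on a PC instead. Second, this only covers files: DD-WRT keeps its configuration (startup scripts, VPN and forwarding settings) in nvram, so a change made purely by configuration shows no difference in the binaries and has to be reviewed separately, for example by diffing `nvram show` output against a known-good capture.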