
I just wrote out a lengthy, detailed story about what is going on, and then when I went to post, I had apparently been logged out and it said I didn't have permission. So I'm going to try to summarize. I greatly appreciate any light someone can shine on this.

 

I am getting bursts (about 20-30) of pings from an outside address ( 3.0.1.128 ) with a destination of 28.164.4.176.  The source appears to belong to General Electric in Fairfield, CT. The destination appears to belong to the Dept. of Defense Network Information Center in Columbus, OH.  It looks like for some reason my and my fiancé's iPhones (6, up to date on software, no jailbreak) are randomly being assigned that 3.0.1.128 address, and that is when the pings come, and we occasionally lose connection. I have a Netgear 3000-100NAS modem/router.  I have exchanged the gateway, to get a new MAC address, to force my ISP to issue a new public IP. The problem continued after this.  The phone that gets the IP seems completely random. I am also being port scanned by Comcast's DNS.  These pings are occasionally knocking us offline, and then it reconnects.  The phone that picks up the address is seemingly random, but never both at the same time.  Then after a few minutes they pick up a local address from the DHCP.

 

On our network we have 2 laptops, an Xbox One, a Roku, and then our two smartphones.  I basically just left out all of the storytelling and dealing with customer service, etc.  If there is any more information I can provide, I will be glad to. I really hope someone can help.

https://www.neowin.net/forum/topic/1308112-i-think-im-being-hacked/

Dude, really...  Your phones are getting a 3.x address?  How exactly do you know this?

 

Comcast DNS is port scanning you?  You mean you're asking it for DNS??  Post up this info. Are you sure you're not pinging something?  I'd really like to see what you think you're seeing.


So this is from the attached device list during the pings, then after a few minutes, it goes back to local LAN IP.

 

3.0.1.128   [mac address here]   Hannahs-iPhone

 

This is from the logs during the pings, only it shows up about 30-40 times
[DoS attack: Teardrop or derivative] from 3.0.1.128, port 0  Thu Sep 08 11:51:20 2016 153.36.120.230:0   3.0.1.128:0

 

Then these are the port scans:

 

[DoS attack: TCP- or UDP-based Port Scan] from 75.75.75.75, port 53   Thu Sep 08 11:50:48 2016   73.x.x.x:58404   75.75.75.75:53

 

The port scans are hitting the public IP, and run through about 10-15 different ports and then stops.  

OK, let's give the guy some credit. There is an NSA program that allows you to be ANY IP address in the world ANYWHERE. Its codename is something Badger. I am sure you can look up the name if you wanted. Don't ask me how they achieve this technically, mind you, but anyway. So in conclusion the NSA are after you...

I really don't think this has anything to do with the NSA or DoD, I highly doubt that the whois information is correct on the IPs. It's just the information I could find when looking up the IPs. My real question is why are our phones being given this external IP, then proceeding to ping the ###### out of my gateway and causing me to lose connectivity. Second, is it entirely normal for your ISP to port scan your gateway? More important than why is how to stop it.

All right these are the router logs:

 

[DoS attack: Ping Of Death] from 3.0.1.128, port 0  1  Thu Sep 08 15:54:18 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Illegal Fragments] from 3.0.1.128, port 0  1  Thu Sep 08 15:52:35 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Ping Of Death] from 3.0.1.128, port 0  2  Thu Sep 08 15:52:35 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Illegal Fragments] from 3.0.1.128, port 0  1  Thu Sep 08 15:52:30 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Teardrop or derivative] from 3.0.1.128, port 0  1  Thu Sep 08 15:52:30 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Ping Of Death] from 3.0.1.128, port 0  3  Thu Sep 08 15:52:30 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Illegal Fragments] from 3.0.1.128, port 0  1  Thu Sep 08 15:52:19 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Ping Of Death] from 3.0.1.128, port 0  3  Thu Sep 08 15:52:18 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Teardrop or derivative] from 3.0.1.128, port 0  1  Thu Sep 08 15:52:18 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Ping Of Death] from 3.0.1.128, port 0  3  Thu Sep 08 15:52:16 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Teardrop or derivative] from 3.0.1.128, port 0  1  Thu Sep 08 15:52:16 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Ping Of Death] from 3.0.1.128, port 0  3  Thu Sep 08 15:52:02 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Illegal Fragments] from 3.0.1.128, port 0  1  Thu Sep 08 15:51:57 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Teardrop or derivative] from 3.0.1.128, port 0  1  Thu Sep 08 15:51:55 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Illegal Fragments] from 3.0.1.128, port 0  1  Thu Sep 08 15:51:55 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Teardrop or derivative] from 3.0.1.128, port 0  3  Thu Sep 08 15:51:53 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Ping Of Death] from 3.0.1.128, port 0  4  Thu Sep 08 15:51:53 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Teardrop or derivative] from 3.0.1.128, port 0  4  Thu Sep 08 15:49:54 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Illegal Fragments] from 3.0.1.128, port 0  1  Thu Sep 08 15:49:53 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Teardrop or derivative] from 3.0.1.128, port 0  2  Thu Sep 08 15:49:52 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Illegal Fragments] from 3.0.1.128, port 0  1  Thu Sep 08 15:49:52 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Ping Of Death] from 3.0.1.128, port 0  1  Thu Sep 08 15:49:51 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Teardrop or derivative] from 3.0.1.128, port 0  3  Thu Sep 08 15:48:53 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Ping Of Death] from 3.0.1.128, port 0  2  Thu Sep 08 15:47:25 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Teardrop or derivative] from 3.0.1.128, port 0  1  Thu Sep 08 15:47:23 2016  153.36.120.230:0  3.0.1.128:0
[DoS attack: Ping Of Death] from 3.0.1.128, port 0  1  Thu Sep 08 15:43:48 2016  153.36.120.230:0  3.0.1.128:0

 

That's a snippet of them. This is snippet of the DNS port scan:

[DoS attack: TCP- or UDP-based Port Scan] from 75.75.75.75, port 53  1  Thu Sep 08 15:25:57 2016  73.x.x.x:59093  75.75.75.75:53
[DoS attack: TCP- or UDP-based Port Scan] from 75.75.75.75, port 53  1  Thu Sep 08 15:18:52 2016  73.x.x.x:55637  75.75.75.75:53
[DoS attack: TCP- or UDP-based Port Scan] from 75.75.75.75, port 53  1  Thu Sep 08 15:11:15 2016  73.x.x.x:64430  75.75.75.75:53

I attached a snap of the network config on my iPhone. And whenever the 3.0 IP appears on my router and in my attached devices list, the IP does not show on my phone in the network config. 

IMG_0075.PNG

Yes, you have been hacked but it's not personal. I just need some banking/credit card info and I will be on my way. BTW the porn on your laptops is pretty boring.

22 minutes ago, TraumaJunkie said:

All right these are the router logs:

 

That's a snippet of them. This is snippet of the DNS port scan:

I attached a snap of the network config on my iPhone. And whenever the 3.0 IP appears on my router and in my attached devices list, the IP does not show on my phone in the network config. 

IMG_0075.PNG

If it doesn't show in the network config then it's not using it. Being honest, it just sounds like an ISP misconfiguration. When the line on one ISP here fails you get a 192.168.x.x IP instead of an external IP, with a short lease; maybe that's what's happening, but there's a mess-up in a config somewhere and you're being given a 3.x.x.x address instead?

You are seeing internet traffic/junk.  I don't really think there is anything to see here.

 

75.75.75.75, comcast dns servers.

 

73.x.x.x is probably your outside/public IP if I were to guess

 

and 3.x.x.x is spoofing your iPhone MAC... why or how is really irrelevant... try turning off UPnP and see if that continues. Like I said, probably nothing to see here... just normal every day/second internet chatter.

1 hour ago, sc302 said:

You are seeing internet traffic/junk.  I don't really think there is anything to see here.

 

75.75.75.75, comcast dns servers.

 

73.x.x.x is probably your outside/public IP if I were to guess

 

and 3.x.x.x is spoofing your iPhone MAC... why or how is really irrelevant... try turning off UPnP and see if that continues. Like I said, probably nothing to see here... just normal every day/second internet chatter.

I have upnp off and it hasn't stopped anything.

 

I think the term to describe what you are seeing is "Internet background radiation". Remember hearing that if you put an unpatched Windows XP SP1 machine front-facing the internet it will be compromised within minutes? This is why. It's also why putting even a single computer behind a dumb router is a good idea.

1 hour ago, TraumaJunkie said:

I have upnp off and it hasn't stopped anything.

 

Never stated it would stop it. Just stop the possible spoofing.

 

what war wagon said is correct. Background internet noise.   If I turned on logging on the outside interface there would be a lot of "attacks" registered. 

Try hosting an FTP server for a day and then look at the logs. You will see multiple attempted hacks from all sorts of random locations and people round the world. It is, as others have said, just general Internet litter, old viruses etc. that are just trying their luck.

Hello,

 

Try the following:

 

  1. Download latest firmware for router.
  2. Disconnect router from modem.
  3. Flash router with firmware and reset it so that it loads default settings.
  4. While leaving the router disconnected from the modem (e.g., no Internet connectivity on your LAN), monitor the network for a day or so to see if any more strange lookups occur.
  5. Reconnect router to modem, and continue to periodically inspect traffic.

Let's see what that tells you.

 

Regards,

 

Aryeh Goretsky

 

73.x.x.x:59093 75.75.75.75:53

 

Would have been nice to have the other octets, but 73/8 is owned by Comcast, your ISP I assume. So that is just you doing, or trying to do, a DNS query.  Your stupid "firewall" in your router is logging it as something it's not. Why did you hide that IP??  Because it's yours.. So you did a query, and then they tried to answer on the source port you asked for DNS on, and your stupid router's firewall blocked it??  Or just logged it to try and justify its worth... Look user, there is traffic, I am going to call it an attack so you think you got your money's worth.

 

NetRange:       73.0.0.0 - 73.255.255.255
CIDR:           73.0.0.0/8

Organization:   Comcast Cable Communications, LLC (CCCS)

 

Where are you seeing your phone's MAC in these logs?

 

153.36.120.230:03.0.1.128:0

 

Is that supposed to be another IP? 153.36.120.230 ?

 

inetnum:        153.36.0.0 - 153.37.255.255
netname:        UNICOM-JS
descr:          China Unicom Jiangsu province network
descr:          China Unicom

 

I really can not make much out of that log.. Is it 153.36 trying to talk to 3.0.1.128??  Or 3.0.1.128 trying to talk to 153.36??  So you're seeing that on your router's WAN??  Where are you seeing your phone's MAC address that makes you think your phone is using 3.0.1.128?  Is that the IP your phone gets when it's just using cell data?  What phone do you have?  What provider? 3.x.x.x is owned by GE.. Do you have a GE phone or provider for cell?

 

As stated there is loads and loads and loads of noise on the internet... Here are the hits to my firewall from the other day; I submit the logs to DShield.

 


For 2016-09-07 you submitted 1435 packets from 450 sources hitting 1 targets.

Port Summary
============

Port  |  Packets  |  Sources  |  Targets  |      Service       |  Name
------+-----------+-----------+-----------+--------------------+-------------
   23 |       769 |       274 |         1 |             telnet |
   22 |        78 |        23 |         1 |                ssh | SSH Remote Login Protocol
 3389 |        38 |        20 |         1 |   ms-term-services | MS Terminal Services
   80 |        93 |        15 |         1 |                www | World Wide Web HTTP
  443 |        84 |         9 |         1 |              https | HTTP protocol over TLS SSL
 2323 |        16 |         9 |         1 |            3d-nfsd | 3d-nfsd
 8080 |        20 |         9 |         1 |           http-alt | HTTP Alternate (see port 80)
 3306 |         7 |         5 |         1 |              mysql | MySQL
 4028 |        21 |         4 |         1 |                    |
 8081 |         6 |         4 |         1 |           blackice | BlackICE ICEcap
 4899 |        11 |         4 |         1 |             radmin | Remote Administrator default port
 1433 |         7 |         4 |         1 |           ms-sql-s | Microsoft-SQL-Server
 3128 |         6 |         4 |         1 |         squid-http | Proxy Server
 3390 |         5 |         4 |         1 |                dsc | Distributed Service Coordinator
 5900 |         6 |         3 |         1 |                vnc | Virtual Network Computer
 6379 |         5 |         3 |         1 |                    |
 7777 |         6 |         3 |         1 |                cbt | cbt
  993 |         5 |         3 |         1 |              imaps | imap4 protocol over TLS SSL
 8123 |         4 |         3 |         1 |                    |
   21 |         8 |         3 |         1 |                ftp | File Transfer [Control]

 

And I don't log the actual noise like UDP, or packets that are just out of state.. I just log SYN packets to ports directed at my IP.  Those are all the ports the noise is trying to hit my IP on.. See, they really like to check if telnet or ssh is open and then they try and login.  Look at the 3rd hit, which is why you shouldn't freaking open up remote desktop to the internet..

 

If you're curious what the noise is.. Let's do a sniff and look at it directly.  But to be honest your firewall saying "DoS attack" is just more noise trying to justify you buying it and that it's actually doing something.. Which it freaking isn't, to be honest.. Unless the traffic was an answer to your query, or a SYN packet to a port you had forwarded, your router is just going to drop it since you're behind a NAT.. It most likely doesn't even answer ping from the internet unless you turn that on.  So what is the point of logging the noise and calling it some attack? To scare you, that you need them as a firewall..  DoS attack my freaking ass; if so, a pretty freaking lame one or you wouldn't be on the internet.. So it's some sort of noise, doubt it's from your phone.  What phone do you have?  You should be able to get what its IP from your provider is..

 

cellip.PNG

 

 

NetRange:       100.64.0.0 - 100.127.255.255
CIDR:           100.64.0.0/10
NetName:        SHARED-ADDRESS-SPACE-RFCTBD-IANA-RESERVED
Comment:        This block is used as Shared Address Space. Traffic from these addresses does not come from IANA. IANA has simply reserved these numbers in its database and does not
 use or operate them. We are not the source of activity you may see on logs or in e-mail records. Please refer to http://www.iana.org/abuse/

 

Turn off your wifi and go to a whats my IP page on the web.

 

cellipinternet.PNG

 

What do you know... That is my phone company ;)

 

NetRange:       208.54.0.0 - 208.54.159.255
CIDR:           208.54.128.0/19, 208.54.0.0/17
Organization:   T-Mobile USA, Inc. (TMOBI)

 

Here I did a sniff of a DNS query to Comcast DNS.. See how the source port of my query is 33881, and then when I got an answer the traffic dest is 33881; that is because it was an answer to my query..  So you seeing traffic to your WAN IP on all kinds of different ports, from port 53 of a DNS server, is most likely answers to something you asked for.. Just like above, where I asked for www.neowin.net

 

sniffdns.jpg

 

Notice the src MAC of the traffic to my WAN..  That would be the MAC of the L2 device connected to my WAN..

 

So that is

00:01:5C CADANT INC.

 

Which was bought by ARRIS many years ago, and guess what they make: cable modems ;)  Guess what is connected to the WAN of my router? That is right, a cable modem ;) See that dest MAC? Yeah, this is the MAC of my router's interface; yes, it runs as a virtual machine on ESXi so I can make its MAC whatever I want.. I went with 00:00:01 to make it easy to identify which interface is which on the router..

 

Where exactly and in what context are you seeing the MAC of your phone?  You would see that on your LAN, sure, if you're using wifi, but it wouldn't be coming from the internet, no way.  So you have something sending pings to 3.0.1.128??  And your router is logging a ping of death on your LAN???

 

 

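The post above makes two checkable claims about the router log: that a "port scan" from a resolver's port 53 landing on a high local port is the answer to a query the LAN itself sent, and that the "from" address of the fragment/ping-of-death entries needs to be read together with the two endpoint columns before anyone concludes who is talking to whom. The script below is an added example, not code from anyone in this thread or from Netgear: it parses the log lines posted earlier (including the export form where the router ran the port, count, date and endpoint columns together, e.g. `port 01Thu ... 2016153.36.120.230:03.0.1.128:0`), labels resolver-to-ephemeral-port entries as DNS replies, and classifies each endpoint as public, non-public (RFC 1918 / RFC 6598 carrier-NAT space) or masked. The resolver set (75.75.75.75, 75.75.76.76), the single-digit count column and the leading-zero rule used to split `port 01` are assumptions stated in the comments.

```python
"""Triage a consumer router's "[DoS attack: ...]" log export.

Added example, not code from the thread's participants or the router vendor.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumption: the gateway uses the Comcast resolvers named in the thread.
KNOWN_RESOLVERS = {"75.75.75.75", "75.75.76.76"}

# Entry types produced by the router's fragment / oversized-ICMP heuristics.
FRAGMENT_KINDS = {"Ping Of Death", "Teardrop or derivative", "Illegal Fragments"}

# Blocks never routed on the public internet, listed explicitly because
# ipaddress.is_private() has treated 100.64.0.0/10 differently across versions.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                  # RFC 6598 shared space (carrier NAT)
    "169.254.0.0/16", "127.0.0.0/8",
)]

DATE_RE = re.compile(r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3} \d\d \d\d:\d\d:\d\d \d{4}")
HEAD_RE = re.compile(r"^\[DoS attack: (?P<kind>[^\]]+)\] from (?P<ip>[\d.x]+), port (?P<pc>[\d ]+?)\s*$")
# The two endpoints may be glued together ("...230:03.0.1.128:0"): a lazy source port
# plus a destination that must begin with a digit recovers ":0" + "3.0.1.128:0".
TAIL_RE = re.compile(r"^\s*(?P<src>\d[\d.x]*):(?P<sport>\d+?)\s*(?P<dst>\d[\d.x]*):(?P<dport>\d+)\s*$")


@dataclass
class Entry:
    kind: str
    reported_ip: str      # the address the router names after "from"
    reported_port: int
    count: Optional[int]  # repeat counter column; absent in some exports
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int


def _split_port_count(pc: str) -> tuple[int, Optional[int]]:
    fields = pc.split()
    if len(fields) == 2:
        return int(fields[0]), int(fields[1])
    raw = fields[0]
    # Assumption: "port 01" in the glued export is port 0 followed by count 1. A real
    # port number never carries a leading zero, so this split is unambiguous.
    if len(raw) > 1 and raw[0] == "0":
        return 0, int(raw[1:])
    return int(raw), None


def parse_line(line: str) -> Optional[Entry]:
    d = DATE_RE.search(line)
    if not d:
        return None
    head, tail = HEAD_RE.match(line[:d.start()]), TAIL_RE.match(line[d.end():])
    if not head or not tail:
        return None
    port, count = _split_port_count(head["pc"])
    return Entry(head["kind"], head["ip"], port, count, d.group(0),
                 tail["src"], int(tail["sport"]), tail["dst"], int(tail["dport"]))


def parse_log(lines) -> list[Entry]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def address_scope(ip: str) -> str:
    if "x" in ip:                       # address redacted by the poster
        return "masked"
    addr = ipaddress.ip_address(ip)
    return "non-public" if any(addr in net for net in NON_PUBLIC) else "public"


def classify(e: Entry) -> str:
    # The router names the remote side after "from"; the other column is the LAN side.
    peer_port = e.sport if e.dst == e.reported_ip else e.dport
    if e.reported_ip in KNOWN_RESOLVERS and e.reported_port == 53 and peer_port > 1023:
        return "dns-reply"           # resolver:53 -> our ephemeral port = answer to our query
    if e.kind in FRAGMENT_KINDS:
        return "fragment-heuristic"  # oversized/overlapping fragments; inspect both endpoints
    return "unclassified"


def summarize(lines) -> dict[str, int]:
    return dict(Counter(classify(e) for e in parse_log(lines)))


# Constructed sample: five lines taken from the router logs posted in the thread,
# two of them in the run-together form the export produced.
SAMPLE_LOG = [
    "[DoS attack: Teardrop or derivative] from 3.0.1.128, port 0  Thu Sep 08 11:51:20 2016 153.36.120.230:0   3.0.1.128:0",
    "[DoS attack: TCP- or UDP-based Port Scan] from 75.75.75.75, port 53   Thu Sep 08 11:50:48 2016   73.x.x.x:58404   75.75.75.75:53",
    "[DoS attack: Ping Of Death] from 3.0.1.128, port 01Thu Sep 08 15:54:18 2016153.36.120.230:03.0.1.128:0",
    "[DoS attack: Illegal Fragments] from 3.0.1.128, port 01Thu Sep 08 15:52:35 2016153.36.120.230:03.0.1.128:0",
    "[DoS attack: TCP- or UDP-based Port Scan] from 75.75.75.75, port 53 1Thu Sep 08 15:25:57 2016 73.x.x.x:59093 75.75.75.75:53",
]

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.timestamp}  {classify(e):18}  {e.src}:{e.sport} -> {e.dst}:{e.dport}"
              f"  [{address_scope(e.src)} -> {address_scope(e.dst)}]")
    print(summarize(SAMPLE_LOG))
```

Run against the five sample lines it reports two DNS replies and three fragment-heuristic entries, and prints the scope of each endpoint so that a 3.x or 153.36.x address is shown as public while a 100.64.x carrier-NAT address (the kind BudMan's phone showed) is shown as non-public. Glued endpoint columns are only unambiguous when the first port is short, as in the thread's `:0` entries; for a line like `x:5975.75.75.75:53` the parser would need the original column widths.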

BudMan, I really appreciate your detailed response. I can definitely get down with the idea that the DNS traffic is entirely normal and just answers to requests I'm making. But to answer your questions, and determine if this is an issue or simply my gateway trumping up a bunch of garbage:

The 3.0.1.128 address does not match my public IP when using cellular data.

Also, 3.0.1.128 is the source of the pings.

I attached where I see my phone with the IP of 3.0.1.128

 

attached.jpg

Hmm, 13 hours huh ...

 

Well then. Guess that counts me as necroposting.. oof.

 

Maybe I'll jump in after all.

 

Are you using a PC on this network? Obviously what I'm about to have you check won't be usable on an iPhone or an Xbox. That device on 0.17, is that a network switch?
