I think I'm being hacked...



3.x.x.x isn't on your network. It isn't part of your network. So what if it is using your iPhone MAC address. MAC addresses can be spoofed and can be put on any LAN or WLAN NIC on any computer or router or other device. I wouldn't be concerned at all about that tbh.   Give me something more tangible than an IP that isn't part of your network in any way or a MAC that can and will be spoofed communicating with another internet IP.

 

Not even sure why your router is coming up with an address it doesn't or shouldn't know about anyway communicating with Comcast IPs.  That concerns me more than the other bs. 


38 minutes ago, TraumaJunkie said:

I'm not sure what your idea is, but I do have cat5 cable available, I can hook in to the gateway if needed.

You'll need a PC or a Laptop too. Not sure if you have one handy .. there are a few things I would ask you to try on your end. Concerning the PC or Laptop, I'd like it running a Linux Distro off a USB Drive. Windows, for these purposes, isn't going to last long if @sc302's assertions are correct.

 

If you've got both, boot the hardware up with the USB Drive Distro. What I'd ask you to do next is:

 

- Open a Terminal and type:

ping [3.x.x.x] (Substitute the .x for the real IP Address numbers you're seeing, and don't put in the brackets. It should look like "whois 3.12.13.14" or something like that.)

This will test if it's an actual IP Address. Chances are good that it's legit, but noise; so we'll determine which next. If it times out or nothing valid is shown, then it's not legit.

 

- Next, type:

whois [3.x.x.x] (without the brackets, making sure you substitute the x for the right numbers in the IP Address you're seeing)

This will tell us who it belongs to. Check the output after it's done its thing. If you aren't getting a valid response, or it times out, then it isn't legit and can be ignored. If you do get a valid response, note the name that it registers. Write it down, even.

 

Now you can close the Terminal.

 

So by now, we're to the point that we need to determine whether your Router is getting hammered or not. There's a way to find out -- open the Distro's Web Browser (typically Firefox) and navigate to:

 

http://map.norsecorp.com/#/

 

Zoom in, as close as you can, on your location. Watch it for a few. If you don't get "the missiles" then you can reasonably expect to be fine. One more check. Open a new tab, close Norse's tab, then go here:

https://cybermap.kaspersky.com/

 

Enjoy the show and be glad you aren't any of these people. Scroll around, look at the pretties. :yes: 

 


Why are you hiding the MAC??  But you leave your global IPv6??

 

Your router should not be seeing that for sure.. Your phone should not have a 3.x address if on your wifi..  And in that ping log to be honest it shows talking to a China IP from the way I read it..  Can you post up the log again showing that traffic, this time with a pic.. Your post ran the source and dest together.

 

What makes no sense is that your router would do anything with a 3 address, why would it forward traffic on?  Is it? Why would it even see it?  But you're saying when you look on the phone it shows a 192.168 address?  What phone do you have??  iOS or Android?  Use the Hurricane Electric app for phones, it will show you the IPs on the phone, like I posted from mine..

 

Why are you hiding the MAC?  At least show the first 3 like I showed on mine, etc. 

 

Grab this and post up the IPs it shows for your phone.. Does it list the 3.x address?  What interface does it say it's on?

http://networktools.he.net/

 

What router do you have, can you actually sniff on it?


11 hours ago, Unobscured Vision said:

You'll need a PC or a Laptop too. Not sure if you have one handy .. there are a few things I would ask you to try on your end. Concerning the PC or Laptop, I'd like it running a Linux Distro off a USB Drive. Windows, for these purposes, isn't going to last long if @sc302's assertions are correct.

 

If you've got both, boot the hardware up with the USB Drive Distro. What I'd ask you to do next is:

 

- Open a Terminal and type:


ping [3.x.x.x] (Substitute the .x for the real IP Address numbers you're seeing, and don't put in the brackets. It should look like "whois 3.12.13.14" or something like that.)

 

 

All that confirms is whether you can communicate with it using ICMP echo.  It does nothing to confirm if it is a real IP if it doesn't answer.  Many routers have ICMP turned off so I wouldn't be overly concerned with it answering or not. 

 

Utilizing a website called http://www.dnsstuff.com/ could help determine who actually owns the 3.x.x.x address and if it links to anything.

 

Putting a sniffer on the network would be beneficial provided that the router supports port mirroring. If not, running a sniffer like Wireshark will be absolutely useless. 

 

Best way to find out if your router is getting hammered or not would be to enable logging on the interfaces; unfortunately SOHO routers do not support this as they are for home users who really don't care or wouldn't know what they are looking at if they did care. 

 

All his pos router is doing is saying hey look at me, I am doing something to help protect you.  It isn't really providing any useful information that I can see.  If anything, it is producing garbage that makes no sense.


Also, here is a little trick for you. In a cmd prompt:

 

ping -a 8.8.8.8

 

you will find that it resolves the ip to a name, if there is a reverse zone record for it.
 

Pinging google-public-dns-a.google.com [8.8.8.8] with 32 bytes of data:

 

 

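The "ping -a" trick above works because the resolver asks for a PTR record under the reversed in-addr.arpa name. The following is an added example, not something posted in the thread: it builds that query name (for IPv4 and, going beyond the post, IPv6), parses the Windows ping header line shown above, and wraps an optional live lookup. The 192.0.2.10 line and the `lookup_ptr` helper are my own additions; only the google-public-dns-a line is from the thread.

```python
# Added example: the reverse-DNS machinery behind "ping -a".
import ipaddress
import re
import socket
from typing import List, Optional, Tuple


def reverse_name(ip: str) -> str:
    """Return the PTR query name the resolver builds for ip.

    IPv4 octets are reversed under in-addr.arpa (8.8.8.8 -> 8.8.8.8.in-addr.arpa);
    IPv6 nibbles are reversed under ip6.arpa.
    """
    return ipaddress.ip_address(ip).reverse_pointer


# Windows "ping -a" header. When a PTR record exists the hostname is printed
# followed by the address in brackets; with no record only the address appears.
PING_HEADER = re.compile(
    r"^Pinging (?:(?P<host>\S+) )?\[?(?P<ip>[0-9a-fA-F:.]+)\]? with \d+ bytes of data:"
)


def parse_ping_header(line: str) -> Optional[Tuple[Optional[str], str]]:
    """Return (hostname or None, ip) for a ping header line, or None if it is not one."""
    m = PING_HEADER.match(line.strip())
    if not m:
        return None
    return m.group("host"), m.group("ip")


def lookup_ptr(ip: str, timeout: float = 3.0) -> Optional[str]:
    """Live PTR lookup through the OS resolver; None when there is no record or no network.
    Assumed helper, not used by the offline checks below."""
    socket.setdefaulttimeout(timeout)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def ptr_report(lines: List[str]) -> List[dict]:
    """For each ping header line, record the address, the name ping printed (if any)
    and the PTR query name that produced it."""
    report = []
    for line in lines:
        parsed = parse_ping_header(line)
        if parsed is None:
            continue
        host, ip = parsed
        report.append({"ip": ip, "host": host, "ptr_query": reverse_name(ip)})
    return report


# Constructed sample: first line is the output quoted in the thread, the second is a
# made-up documentation address (RFC 5737) that has no PTR record.
SAMPLE = [
    "Pinging google-public-dns-a.google.com [8.8.8.8] with 32 bytes of data:",
    "Pinging 192.0.2.10 with 32 bytes of data:",
]

if __name__ == "__main__":
    for entry in ptr_report(SAMPLE):
        print(entry)
```

A missing hostname only means nobody published a PTR record for that address; as sc302 notes about ICMP, absence of an answer is not evidence that the address is fake.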

I attached a snapshot of the type of logs I'm seeing.  Both of our phones are iPhone 6, latest software update, never been jailbroken.  I got the HE.NET app on my phone, and while my Netgear gateway showed the 3.0.1.128 address on the attached devices list, the HE.NET app still showed my local LAN IP for the phone.  The router/modem model is a Netgear 3000-100NAS.  I made a Linux boot USB to try out Unobscured's idea, but then I saw the replies and I'm not sure if that's going to provide any more info? I'm still willing to give it a shot.

 

Edit: So I went ahead and tried out Unobscured's recommendation, just to see. The ping returned unreachable, the whois returned no associated address, and according to the links he provided, I am not seeing any missiles directed at or near my location. 

logs91016.jpg

Edited by TraumaJunkie

Well, you have two choices. Believe what I have said and stop looking into it, or get a better device that you can actually troubleshoot with and that provides you real information. What you have there won't do squat for you if you really want to know what is going on. 


NetRange:       68.152.0.0 - 68.159.255.255
CIDR:           68.152.0.0/13
NetName:        BELLSNET-BLK14
NetHandle:      NET-68-152-0-0-1
Parent:         NET68 (NET-68-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS6389
Organization:   BellSouth.net Inc. (BELL)

 

inetnum:        149.251.0.0 - 149.251.255.255
netname:        EDF-NET03
descr:          Electricite de France

 

Well, why your iPhone would try talking to these IPs is nuts..  From a 3. address??

 

Hard reset it easy.

https://support.apple.com/en-us/ht201274

 

Your router should not be passing this info on, that is for sure.. Since it should not NAT that 3 address.  Since it's not its 192.168 network.

 

But then again your router is so stupid its saying that answers to your dns are port scans...  WTF??

 

What I would do if this is an iPhone is take it to an Apple store with your logs and proof that it's your phone using that 3.x address and say WTF!!


19 minutes ago, BudMan said:

NetRange:       68.152.0.0 - 68.159.255.255
CIDR:           68.152.0.0/13
NetName:        BELLSNET-BLK14
NetHandle:      NET-68-152-0-0-1
Parent:         NET68 (NET-68-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS6389
Organization:   BellSouth.net Inc. (BELL)

 

inetnum:        149.251.0.0 - 149.251.255.255
netname:        EDF-NET03
descr:          Electricite de France

 

Well, why your iPhone would try talking to these IPs is nuts..  From a 3. address??

 

Hard reset it easy.

https://support.apple.com/en-us/ht201274

 

Your router should not be passing this info on, that is for sure.. Since it should not NAT that 3 address.  Since it's not its 192.168 network.

 

But then again your router is so stupid its saying that answers to your dns are port scans...  WTF??

 

What I would do if this is an iPhone is take it to an Apple store with your logs and proof that it's your phone using that 3.x address and say WTF!!

I think it is the router, not the phone.  And you know the geniuses at the Apple Store aren't real geniuses. Hell, those guys wouldn't hire one of Apple's senior engineers after he retired...real smart, pure genius. 

 

http://iphone.appleinsider.com/articles/16/09/05/genius-bar-doesnt-hire-retired-apple-engineer-fires-up-age-discrimination-debate

 


Sure it could be the router.. Not convinced his iPhone is actually that IP..

 

The logs on that router don't even say what interface it saw the traffic it's reporting on.  Sure it's not just random noise from the internet side??   Prob some broadcast noise or p2p traffic that the router is saying is ping, etc.

 

Install the app I linked to and report the IPs on your phone, does it show that 3 address?  In the log of your router where it showed that MAC - how did you figure out that was the MAC of your iPhone??


So I've attached a few things. The first is a snapshot of some "SYN flood" activity that it detected yesterday. Useful? I don't know. I also attached two snaps of the HE.NET interface information that my phone gave, while the router showed it having the 3.x.x.x address. The last is how I identified that the MAC address shown on my router's attached devices list matched my phone's. It's from the iPhone general settings/about. 

 

Just my two cents, thus far, and I still remain lost, trust me.. I agree it's most likely a router problem considering that either of our iPhones can seemingly pick up this random address, and there never seems to be any distinction between which phone.  :blink:

 

Also, I'm definitely willing to look at a new gateway, I'm pretty sure I'm still within my time to return this one to the store. I've seen some decent prices on Amazon for higher quality equipment.. If that is the solution, any recommendations on hardware?

synflood.jpg

IMG_0079.PNG

IMG_0080.PNG

IMG_0078.PNG


So let me get this right you sent 1 packet to a website and your router is calling it a syn flood?

 

Where are you seeing this 3 address?  Your phone does not show this..  So you're saying your router showing the FULL MAC of that 3.x address matches up to your wifi MAC there?

 

That syn flood attack is google.com...

;; QUESTION SECTION:
;34.0.217.172.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
34.0.217.172.in-addr.arpa. 86400 IN     PTR     lga15s43-in-f34.1e100.net.
34.0.217.172.in-addr.arpa. 86400 IN     PTR     lga15s43-in-f2.1e100.net.

 

Those last 2 are some crap site

https://www.w55c.net/

 

tracking something, and one of those other ones is scanscout which is another crappy company.  But these are typical websites you might see..  Sure freaking isn't a SYN flood...   Sure looks to me like your device at 192.168.0.11 tried to go to some websites.. port 80 which is http and 443 which is https..

 

What exact device do you have??  Its "firewall", if we are going to call it that, seems to be just grabbing random packets that your devices send in using the internet.  Ie freaking google and calling it a SYN flood.. From 1 packet??  100 in a ms ok, 1000 in a second ok maybe..   But 1 packet does not a SYN flood make..   What that packet was was a SYN,ACK to your SYN would be my bet..   What is the exact make and model of your modem/gateway??  What firmware is it running, I want to look up the manual on its so-called "firewall"

 

Some of those IPs are crap browsing stuff that tracks..  But yeah your typical user will go to such nonsense all the time depending on what websites they have up and are viewing.. Without seeing all your web traffic there would be no way to tell if that is just normal where you went.. Or some crap on your phone/device going to crazy places doing stuff because it's infected..

 

 

 

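BudMan's point is that a SYN flood is a rate, not a single packet, and that a SYN,ACK coming back is the normal reply to the device's own SYN. As an added example (not from the thread and not how the C3000 logs anything), here is the kind of rate check a real detector applies: it counts bare SYNs per destination inside a sliding one-second window and only alerts past a threshold. The log line format, the 198.51.100.x burst and the thresholds are all constructed for the example.

```python
# Added example: sliding-window SYN-rate detection over constructed per-packet log lines.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed log format (not the gateway's real format): one line per packet.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)


def parse(line: str) -> Optional[dict]:
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["ts"] = datetime.strptime(pkt["ts"], "%Y-%m-%d %H:%M:%S.%f")
    pkt["flags"] = set(pkt["flags"].split(","))
    return pkt


def is_bare_syn(pkt: dict) -> bool:
    """A connection attempt is SYN without ACK; SYN,ACK is the server's reply."""
    return "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]


def detect_syn_floods(lines: List[str], threshold: int = 100,
                      window_s: float = 1.0) -> List[Tuple[str, int, datetime]]:
    """Alert once per destination when >= threshold bare SYNs land within window_s seconds.

    Keyed on destination because flood sources are usually spoofed; a reply
    packet (SYN,ACK) never counts, which is why a lone handshake cannot alert.
    """
    windows = defaultdict(deque)
    alerts, alerted = [], set()
    for line in lines:
        pkt = parse(line)
        if pkt is None or not is_bare_syn(pkt):
            continue
        q = windows[pkt["dst"]]
        q.append(pkt["ts"])
        # Evict timestamps that fell out of the window.
        while (pkt["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and pkt["dst"] not in alerted:
            alerts.append((pkt["dst"], len(q), pkt["ts"]))
            alerted.add(pkt["dst"])
    return alerts


# Constructed: the single handshake the router flagged, SYN out and SYN,ACK back.
SAMPLE_HANDSHAKE = [
    "2016-09-10 12:00:00.990 SRC=192.168.0.11 DST=172.217.0.34 PROTO=TCP SPT=51234 DPT=443 FLAGS=SYN",
    "2016-09-10 12:00:01.000 SRC=172.217.0.34 DST=192.168.0.11 PROTO=TCP SPT=443 DPT=51234 FLAGS=SYN,ACK",
]


def constructed_burst(n: int = 150) -> List[str]:
    """n bare SYNs from rotating documentation-range sources inside half a second."""
    return [
        f"2016-09-10 12:00:05.{i * 3000:06d} SRC=198.51.100.{i % 250 + 1} "
        f"DST=192.168.0.11 PROTO=TCP SPT={1024 + i} DPT=80 FLAGS=SYN"
        for i in range(n)
    ]


if __name__ == "__main__":
    print("handshake:", detect_syn_floods(SAMPLE_HANDSHAKE))
    print("burst:", detect_syn_floods(constructed_burst()))
```

The two-packet handshake produces no alert; the constructed 150-SYN burst does. A logger that labels the first of those two packets an attack is not applying any rate at all.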

Can we just go with the router sucks and move on?  It is just flagging stuff for the sake of flagging stuff, to make it look like it is doing something.  So users can go look, it is protecting me because all of this nonsense in the logs.  Logs that make no sense pulling ips out of thin air and marking attacks that aren't happening. 

 

Either relate it to Internet noise or relate it to crappy logging in the router. One way or the other, it really doesn't matter all that much. Replace the router or get a real firewall that you can do some logging with on the interfaces. Or just live with it and understand that you can never rely on the logs, they aren't any better than the LEDs on the front of the box blinking telling you that something is plugged in and passing traffic. 


2 hours ago, sc302 said:

The netgear nighthawk line of routers are good. They are in the high end though. 

I'll throw in a vote for the NightHawk range, there's always better ones, (but then there are always going to be better ones than someone's personal recommendation)


To be honest, if you are concerned to the point you're looking at such logs, as suggested I would get something that allows you true insight into what is going on.  Not just some scare tactic log, as sc302 and I stated earlier: see user, I am doing stuff... You're too stupid to know what it is so I will throw the word attack in there and let you think I am protecting you ;)

 

Something that for starters lets you do a simple sniff of the actual traffic.. If it's going to log attacks that it is supposed to block, vs just blocking non-stateful traffic like an IPS, then it should log the actual packet and provide you with details of the CVE that this traffic is matching.  Say something like Snort or Suricata

 

To be honest I would just turn that "firewall" off and just let it NAT your traffic... If anything it's prob stopping legit traffic like answers to your DNS ;)

 

As to it showing your phone as some 3.x address..  You're 100% that full MAC was your phone??  Are you still seeing this traffic?  Did you hard reset your iPhone?  Did you take it to the Apple store and talk to them about what it's doing?


The Apple Store HAHAHAHA!! Yeah that's a good idea... Show their techs this thread. Thanks BudMan for the first laugh of the day hehe :laugh:

 

Edit: I do lurk on threads like this but it's always the same people with the same good advice and the OP really does get bogged down or confused and usually stops replying.... I'll show you what a REAL SYN Flood looks like ha!


He is an Apple user, he should take his Apple product to the Apple store and tell them it's doing ping of death attacks against an IP in China from a 3.0.1.128 address ;)  See, here are my logs!!

 

It just makes no sense that your phone would use such an address, even if it was compromised in some way.  You can not just make up addresses behind a NAT and expect that NAT router to let you out..  While sure you could flood traffic from any source you want via whatever address you want on the public internet, if the device has to NAT it, it's not going to if the source is not from its own local network.  So what sort of attack vector would that be for the code writers?  When 90% + of the wifi networks out there you're going to be behind a NAT, etc.

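To make BudMan's NAT argument concrete, here is an added toy model of a home gateway doing port-address translation (this is my own example, not the C3000's behaviour or anyone's posted code). Outbound packets are translated only when their source sits inside the LAN prefix; a packet claiming a 3.0.1.128 source is dropped before any mapping exists, and inbound packets are accepted only when they match a mapping created by an earlier outbound packet, which is exactly why a SYN,ACK from a web server is expected traffic. The 203.0.113.7 WAN address and the 40000 starting port are assumptions.

```python
# Added example: a minimal stateful NAT that refuses to translate non-LAN sources.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


class SimpleNat:
    """Toy PAT box. Only LAN-sourced packets get a mapping; everything else is dropped and logged."""

    def __init__(self, lan_cidr: str, wan_ip: str, first_port: int = 40000):
        self.lan = ipaddress.ip_network(lan_cidr)
        self.wan_ip = wan_ip
        self.next_port = first_port
        # (src, sport, dst, dport, proto) -> translated WAN port
        self.out_table: Dict[Tuple[str, int, str, int, str], int] = {}
        # (wan port, remote ip, remote port, proto) -> (original src, original sport)
        self.in_table: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}
        self.dropped: List[Tuple[Packet, str]] = []

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> WAN. Returns the translated packet, or None if the source is not ours."""
        if ipaddress.ip_address(pkt.src) not in self.lan:
            self.dropped.append((pkt, "source not in LAN prefix"))
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN. Only packets matching an existing outbound session are let in."""
        mapping = self.in_table.get((pkt.dport, pkt.src, pkt.sport, pkt.proto))
        if mapping is None:
            self.dropped.append((pkt, "no matching outbound session"))
            return None
        orig_src, orig_sport = mapping
        return Packet(pkt.src, pkt.sport, orig_src, orig_sport, pkt.proto)


def demo() -> dict:
    """Walk the three cases from the thread: a real LAN client, its reply, and a bogus 3.x source."""
    nat = SimpleNat("192.168.0.0/24", "203.0.113.7")  # assumed LAN prefix and WAN address
    syn_out = nat.outbound(Packet("192.168.0.11", 51234, "172.217.0.34", 443))
    syn_ack_in = nat.inbound(Packet("172.217.0.34", 443, "203.0.113.7", syn_out.sport))
    bogus = nat.outbound(Packet("3.0.1.128", 1, "149.251.0.5", 80))  # constructed, not from the logs
    stray = nat.inbound(Packet("198.51.100.9", 5555, "203.0.113.7", 40123))
    return {"syn_out": syn_out, "syn_ack_in": syn_ack_in, "bogus": bogus,
            "stray": stray, "dropped": nat.dropped}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Real gateways also age mappings out and handle ICMP and UDP, but the source check at the top of `outbound` is the whole point: a forged 3.x source never gets a translation, so it cannot reach the internet through a correctly behaving NAT.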

It's a Netgear C3000-100NAS firmware v2.02.08, and I'm positive the 3.0 address matched the MAC of my phone.  

 

I really don't know guys, I can definitely understand that this sounds like total bunk. Just a bad case of ###### router.  I mean, neither phone acts like it's infected whatsoever.  I mean quite frankly, I'm more than happy to chalk this up to nonsense and just leave it alone until I can get a better gateway, even just for security purposes in general.  I just can't help but think about ignoring this as internet noise and then finding my identity stolen or some such nonsense.  I know that's being sensational, and I hope that's all it is.  I have some background in networking, certainly not enough to have any idea what (if anything at all) is going on here, but enough to know it doesn't make a damn bit of sense. Like I said though, not enough to know if it's just a bunch of crap or something legitimate. But I am definitely hearing you: give it up, ignore it, or get some better equipment that I can investigate with.  As it is, there's nothing more I can look into, and I'd only continue to drive myself crazy thinking my network is compromised.  :dontgetit: Thanks again everyone for your help. I'm still open to any suggestions that can be tried with my current equipment, even just to answer any lingering questions.  The nearest Apple store is about an hour away, if I find myself that way, I might stop in just to see the dumbfounded look on their faces.  I haven't hard reset our phones yet, because I have a hard time believing that both phones are infected with something that only randomly activates on one or the other phone and never at the same time. So it makes me not want to go through the process of setting the phones up again, only to see it had nothing to do with the phones. But if it really eats away at me enough, I may just try it. If I do, I will certainly let you guys know. 

 

I don't know. Keep digging or give up.

 

 


You admit that you don't know enough to determine the difference between useful information and useless. 

 

I will put it into terms you may understand. 

 

A pink polka-dotted flying elephant is being logged on your router in the guise of a device using 3.x.x.x. If you can't understand that reference: this cannot happen even in the worst-case "I have been hacked and the NSA has deleted my identity off the face of the earth" scenario.   This is determined to be garbage. Any logs relating to this IP or device should be ignored and will be considered garbage in this thread. 

 

The question becomes, why is your router logging garbage?  Bad firmware code?  That is a call to your router manufacturer, not Apple. 


If you're 100% sure your phone is sending traffic from an IP 3.0.1.128 then yes I would look into that since it makes no sense at all.  Maybe it's your router not understanding an IPv6 address and showing it as that?  I really don't know.

 

But a 3rd party app on your phone that shows you all kinds of addresses for every interface on the thing does not show that 3.x address.  So without some actual sniff of the traffic to see, not sure what to tell you about the ping of death logs.  So you're saying you have 2 phones??  And if you turn on phone 1 it now shows the MAC address of your 2nd phone vs your 1st phone as this 3.1.0.128 address?

 

Do you have a smart switch that you can do a port span on?

 

Is this the device you have??

https://www.amazon.com/Netgear-Wi-Fi-DOCSIS-Router-C3000/dp/B00IF0JAIU

 

Yeah, you're not going to be able to put 3rd party firmware on that.. Now if you had a smart switch and AP..  We could get to the bottom of this once and for all.  You're talking less than $100 of equipment for sure..  You would turn off wifi on your C3000, then connect like this

 

testfor3xaddress.jpg

 

You would span the port going to your C3000 from your smart switch to a port your PC running Wireshark is connected to.  Now you would see ALL traffic going to your C3000 gateway.  So you would be able to see this stuff that it's calling pings of death.  You would be able to open it up in Wireshark and see exactly what is going on and from what MAC address.

 

A $40 smart switch and a $20 wifi router will work to do this testing.  You just need something that allows you to span a port and something to give your phones wifi where you can sniff in the middle.  Do you have a switch or just this C3000 thing?  Do you have an old wifi router you could use?  Any wifi router can be used as just an AP.  You connect it to your network via 1 of its LAN ports, you disable its DHCP server, give it an IP on your network so you can access its GUI and set up your wifi as you want, and there you go, AP..  And now you will be able to sniff any and all traffic going to the internet or trying to, etc.

 

A PC with 2 NICs and an old wifi router would work too.. So you could get a ###### wifi router for $20 and a NIC for $10 and we can test this out.

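Once the span port is in place, the question BudMan wants answered is a simple one: which source MAC ever emits a frame with a source IP outside 192.168.0.0/24, and does any one IP get claimed by more than one MAC (sc302's spoofing point from the top of the thread). The following is an added example, not code from the thread: it runs that attribution over a constructed list of frames standing in for what Wireshark would show, and builds the display filter you would paste in to look at the suspect frames. The MACs (de:ad:be:ef:xx:xx) and the LAN prefix are made up for the example.

```python
# Added example: attribute source IPs to source MACs from a (constructed) capture.
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed LAN prefix, matching the 192.168.0.x hosts in the thread

# Constructed frames (src_mac, src_ip, dst_ip). The third MAC is the hypothetical case the
# router's log claims: a LAN device sourcing packets from 3.0.1.128.
FRAMES: List[Tuple[str, str, str]] = [
    ("de:ad:be:ef:00:01", "192.168.0.11", "172.217.0.34"),
    ("de:ad:be:ef:00:01", "192.168.0.11", "8.8.8.8"),
    ("de:ad:be:ef:00:02", "192.168.0.12", "172.217.0.34"),
    ("de:ad:be:ef:00:03", "192.168.0.13", "8.8.8.8"),
    ("de:ad:be:ef:00:03", "3.0.1.128", "149.251.0.5"),
]

Finding = Tuple[str, str, List[str]]


def attribute(frames: List[Tuple[str, str, str]],
              lan: ipaddress.IPv4Network = LAN) -> List[Finding]:
    """Return findings of two kinds:
    ('foreign-source', mac, [ips])         a MAC that sourced addresses outside the LAN prefix
    ('ip-claimed-by-multiple-macs', ip, [macs])  an IP seen from more than one MAC (spoofing or DHCP churn)
    """
    by_mac: Dict[str, Set[str]] = defaultdict(set)
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for mac, src_ip, _dst in frames:
        by_mac[mac].add(src_ip)
        by_ip[src_ip].add(mac)

    findings: List[Finding] = []
    for mac in sorted(by_mac):
        foreign = sorted(ip for ip in by_mac[mac] if ipaddress.ip_address(ip) not in lan)
        if foreign:
            findings.append(("foreign-source", mac, foreign))
    for ip in sorted(by_ip):
        if len(by_ip[ip]) > 1:
            findings.append(("ip-claimed-by-multiple-macs", ip, sorted(by_ip[ip])))
    return findings


def wireshark_filter(mac: str, ip: str) -> str:
    """Display filter to isolate the suspect frames once a finding points at a MAC/IP pair."""
    return f"eth.src == {mac} || ip.src == {ip}"


if __name__ == "__main__":
    for kind, key, detail in attribute(FRAMES):
        print(kind, key, detail)
        if kind == "foreign-source":
            print("  filter:", wireshark_filter(key, detail[0]))
```

If the capture shows no frame at all with a 3.x source from the phone's MAC, the router's attached-device list is simply wrong, which is where sc302's "garbage logging" conclusion lands; if it does, the MAC and the frame bytes are the evidence to take to the manufacturer.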
