# I think my network got hacked



## zergpc208 (Jan 15, 2006)

My wireless router was set up to be secure; it is WPA. Well, it was secure for a long time; I checked the setting and it showed it was secure. But now, checking the setting, it shows it is not secure!!

Also the network name got changed too!! Did I get hacked or did it go back to the factory setting?

Like who changed this?


----------



## etaf (Oct 2, 2003)

Post a Xirrus screenshot.
What's the make and model of the router?

*------------------------------------------------------------------------*
*{run Xirrus Wi-Fi Inspector} Download and install*
If you cannot access the internet with this PC, then you will need to copy the program across to the faulty PC.

http://www.xirrus.com/library/wifitools.php
Direct link to the program is here: http://www.xirrus.com/library/wifi_download_redirect.php
Then run and install the program.
If you get an error: you need .NET Framework installed for the WiFi Inspector to function.

Run the program.

Post a screenshot of the program running. If there are a lot of networks showing, can you click on "networks" (top left-hand area) so we can see all the network information, and also post which network "Adapter Name" (1st column) is yours on the list

To post a screen shot of the active window, hold the Alt key and press the PrtScn key. Open the Windows PAINT application and Paste the screen shot. You can then use PAINT to trim to suit, and save it as a JPG format file. 
To upload it to the forum, open the full reply window and use the Manage Attachments button to upload it here.
*------------------------------------------------------------------------*


----------



## zergpc208 (Jan 15, 2006)

Also, what is strange is that in Network and Sharing Center it seems to be stuck in a mode of going from public to private network and back and forth, over and over, and will not stay at public or private network.

It is also stuck saying "identifying network", then shows multiple networks for less than a second (not enough to read, it is too fast), then back to identifying network. It is stuck doing this over and over.


----------



## etaf (Oct 2, 2003)

Are there any other PCs working OK?

Sounds like a fault on the PC. When did this happen?


----------



## zergpc208 (Jan 15, 2006)

I don't think WPA can be hacked like WEP. I have been having problems with going on the internet and had to shut down the modem and router, then turn them back on, to fix it (so I can go on the internet), so it may have gone back to the factory setting or the wireless router is going bad.

But now it is not secure, people may be using my router or probing it.

It should not be showing multiple networks with the same name. I'm the only one in the area with that name, so it should not be showing multiple networks with the same name. Also it is stuck saying identifying network, then shows multiple networks for less than a second with the same name, then back to identifying network, doing this over and over.

And it is stuck going from public to private network, then back, over and over.

Could this be that my computer is set to automatically connect to any non-preferred network? So when I turn the computer on it will automatically connect to any network, even if I turn the router off.

It seems to be stuck in a loop here.

I think the ISP had problems and that is why I could not go on the internet. But when you right-click on the icon in the system tray and click on "connect to a network" there are 6 networks on the street and 2 networks that are not secure, with me being one of them.


----------



## etaf (Oct 2, 2003)

By default, Linksys routers use the following SSID:


> Wireless devices have a default wireless network name or Service Set Identifier (SSID) set by the factory. This is the name of your wireless network, and can be up to 32 characters in length. Linksys wireless products use *linksys* as the default wireless network name.


The manual does not say if they set a default wireless security.

I would log into the router and change the SSID, reset the WPA (use WPA2 if the adapters on your home network will support WPA2),
and also change the default username and password on the router login.

Post a Xirrus screenshot and let's see what channels are being used, so we can minimise interference.


----------



## zergpc208 (Jan 15, 2006)

In Network and Sharing Center I tried to change it from public to private but it goes back by itself.

I will have to get back to you on the other info.

My router's firmware got changed to sveasoft. How did this happen?

Did I go to a bad web site that changed my firmware?

http://www.sveasoft.com/


----------



## etaf (Oct 2, 2003)

> My router's firmware got changed to sveasoft. How did this happen?


No idea.
Who has access to the router?
And why would someone put firmware on the PC that needs to be purchased!!!!

not making any sense to me


----------



## zergpc208 (Jan 15, 2006)

I must have gone to a bad web site or a hacker did that to bypass the security. My Kaspersky did not pick anything up.

As for sveasoft, they must have got it from an illegal site or are using that to hack. Or I must have gone to a bad web site that had malware.

There are lots of wireless networks in my area.

Also the router may have done it by itself.



> Your router has a firmware chip on it similar to your computer's BIOS. It is called firmware because it is a combination of software and hardware and can be updated regularly to improve functionality or fix problems with security or other issues. It is very important to make sure you keep up to date with these upgrades, especially if there is a problem that could affect the security of your LAN. Upgrading is usually done in a couple of ways. The router's manufacturer will either ask you to visit their website and download the firmware onto your computer or the router will go out on the Internet itself and get the upgrade. Some routers will even have an option to automatically check and upgrade its firmware on a scheduled basis.


http://www.pctechbytes.com/networking/how-to-update-your-routers-firmware


----------



## TerryNet (Mar 23, 2005)

WPA is secure with a strong passphrase. A passphrase that can be guessed or that uses dictionary words can be broken w/o much effort.

Maybe your network has been compromised or maybe the router has gone haywire. Why not reset it to factory default settings and see if you can login and configure it? If you can't login because of the new firmware you may as well buy a new router unless this one is under warranty.

By the way, any site that claims "It is called firmware because it is a combination of software and hardware" should be viewed with more than the usual caution. Firmware is software with the addresses "firmed up" the way your OS's loader does for software when it loads it into RAM. Nobody has yet been able to download hardware over the internet.


----------



## dvk01 (Dec 14, 2002)

If you are trying to connect to the internet with Vista or Windows 7, it has to be a public network.
As soon as Windows detects a connection it will automatically set it to public.
Your trying to set it to private is the problem.

A private connection means within your private network, not connecting to the internet at all.


----------



## TerryNet (Mar 23, 2005)

> a private connection means within your private network not connecting to the internet at all


Not quite.  A Private (or Home or Work) network can, and usually does, include a LAN with internet access through a router or server. As you can see from the attachment I am posting from a Windows 7 whose network is Home and has internet access.


----------



## zergpc208 (Jan 15, 2006)

TerryNet said:


> WPA is secure with a strong passphrase. A passphrase that can be guessed or that uses dictionary words can be broken w/o much effort.
> 
> Maybe your network has been compromised or maybe the router has gone haywire. Why not reset it to factory default settings and see if you can login and configure it? If you can't login because of the new firmware you may as well buy a new router unless this one is under warranty.
> 
> By the way, any site that claims "It is called firmware because it is a combination of software and hardware" should be viewed with more than the usual caution. Firmware is software with the addresses "firmed up" the way your OS's loader does for software when it loads it into RAM. Nobody has yet been able to download hardware over the internet.


Is it possible I went to a bad web site and it installed that firmware? Or did a hacker install that firmware to get around the security?

I was reading somewhere that some routers can be set to automatically install new firmware. But sveasoft is not Linksys firmware.

Why did Kaspersky not tell me about new firmware being installed?


----------



## TerryNet (Mar 23, 2005)

> Is it possible I went to a bad web site and it installed that firmware? Or did a hacker install that firmware to get around the security?


All I can say is that I've never heard of that being done; I'm having trouble imagining why anybody would do that (to be able to do that they already got "around the security"); but under the right conditions I think that it is possible.



> I was reading somewhere that some routers can be set to automatically install new firmware.


If you come across that again please give us a link. It seems like a stupid feature to me. A firmware update is a "brain transplant." Not something I would want done automatically w/o my knowing about it, approving it, and approving when it was done.



> Why did Kaspersky not tell me about new firmware being installed?


Why would you expect it to? If it is something running on the router it was probably shut down before the update. If it is something running on your computer it may not have known about the update because another computer was used or maybe you have some special high end router that can be updated over the internet w/o the intervention of a LAN computer.


----------



## zergpc208 (Jan 15, 2006)

> All I can say is that I've never heard of that being done; I'm having trouble imagining why anybody would do that (to be able to do that they already got "around the security"); but under the right conditions I think that it is possible.


So you are saying they would have to open a browser window, put in the IP address of the router and the user name and password to get into the router's settings before they can install the firmware. That does not make sense; why not just change the setting to lock me out of it? I can still go on the internet.

The setting was secure, it is WPA, and I think it had MAC filtering for my network card only. I don't know how they would even connect, then open a browser window and put in the IP address of the router and the user name and password. *You have to connect first* before you can even open a browser window to put in the IP address of the router and the user name and password.

The only thing I can see is I went to a bad web site and it ran the install.

At first I thought it got reset to the factory setting, but sveasoft is not Linksys firmware.

Talisman
Firmware Version: Talisman/Basic V1.2.9a
Routers name SVEASOFT
password admin
user name admin
Linksys WRT54G/GS/GL, BCM5352E Ethernet
13:02:25 up 2:56, load average: 0.13, 0.06, 0.01
Automatic Configuration - DHCP

Connection Type: Automatic Configuration - DHCP 
IP Address: 173.32.124.16 
Subnet Mask: 255.255.254.0 
Default Gateway: 173.32.124.1 
DNS 1: 64.71.255.198

Mode: AP 
Network: Mixed 
SSID: sveasoft 
DHCP Server: Enabled 
Channel: 6 
Wide Channel: None 
Channel Width: 20 MHz Standard 
TX Power: 50 mW (17.0 dBm) 
Rate: 54 mbps 
Encryption: Disabled

After checking the router's settings it does look like new firmware got installed.

And I do not see a setting where I can get into WEP or WPA.


----------
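The status text in the post above, checked against a recorded known-good baseline; this is an added example, not part of any post in the thread and not code from Linksys or Sveasoft. The baseline values are placeholders, and the field names are simply the labels that appear in the posted text.

```python
import re

# Excerpt of the status text posted in the thread above.
STATUS_TEXT = """\
Firmware Version: Talisman/Basic V1.2.9a
Routers name SVEASOFT
password admin
user name admin
Linksys WRT54G/GS/GL, BCM5352E Ethernet
Mode: AP
SSID: sveasoft
DHCP Server: Enabled
Channel: 6
Encryption: Disabled
"""

# Constructed baseline: what the owner would have written down after the
# initial setup. All three values are placeholders, not taken from the thread.
BASELINE = {
    "firmware version": "STOCK-FIRMWARE-VERSION-PLACEHOLDER",
    "ssid": "example-home-ssid",
    "encryption": "WPA Personal",
}

FACTORY_LOGINS = {("admin", "admin")}  # the user name / password pair in the post
# Lines in the posted text that carry a label but no colon.
UNLABELLED = re.compile(r"(?i)^(user name|password|routers name)\s+(\S.*)$")


def parse_status(text):
    """Turn 'Label: value' and 'label value' lines into a lowercase-keyed dict."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" in line:
            key, value = line.split(":", 1)
        else:
            match = UNLABELLED.match(line)
            if not match:
                continue  # free-text line such as the hardware banner
            key, value = match.groups()
        fields[key.strip().lower()] = value.strip()
    return fields


def audit(fields, baseline):
    """Return (kind, field, detail) findings: drift from baseline plus fixed checks."""
    findings = []
    for key, expected in baseline.items():
        seen = fields.get(key, "<missing>")
        if seen.lower() != expected.lower():
            findings.append(("drift", key, f"expected {expected!r}, router reports {seen!r}"))
    if fields.get("encryption", "").lower() in ("", "disabled", "none"):
        findings.append(("open-wireless", "encryption", "no wireless encryption in effect"))
    login = (fields.get("user name", ""), fields.get("password", ""))
    if login in FACTORY_LOGINS:
        findings.append(("default-login", "user name", "admin interface uses a factory login"))
    return findings


if __name__ == "__main__":
    for kind, field, detail in audit(parse_status(STATUS_TEXT), BASELINE):
        print(f"[{kind}] {field}: {detail}")
```
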



## zergpc208 (Jan 15, 2006)

Here are some screen shots.


----------



## zergpc208 (Jan 15, 2006)

Some more pictures.


----------



## TerryNet (Mar 23, 2005)

The 3rd screen shot attached to post # 17 shows the Security Mode is Disabled. Are there not other options there, at least including WEP, and hopefully WPA?


----------



## zergpc208 (Jan 15, 2006)

TerryNet said:


> The 3rd screen shot attached to post # 17 shows the Security Mode is Disabled. Are there not other options there, at least including WEP, and hopefully WPA?


Yes: WPA Personal, WPA Enterprise, WPA2 Personal, WPA2 Enterprise, RADIUS, WEP.

What is this Port forward?


----------



## lunarlander (Sep 22, 2007)

I would NOT trust the firmware that some hacker has put onto your router. Either you put the original firmware back on, or you discard the router. The firmware that the hacker installed is probably hacked to suit his needs. So I wouldn't even bother setting it on WPA2. Just consider what if the router is set to forward all connections to his server. And you wouldn't even see a setting for that on screen, because underneath it all, it is HIS code.


----------



## zergpc208 (Jan 15, 2006)

lunarlander said:


> I would NOT trust the firmware that some hacker has put onto your router. Either you put the original firmware back on, or you discard the router. The firmware that the hacker installed is probably hacked to suit his needs. So I wouldn't even bother setting it on WPA2. Just consider what if the router is set to forward all connections to his server. And you wouldn't even see a setting for that on screen, because underneath it all, it is HIS code.


Looking at the firmware, does it look okay or questionable? Should I set it to secure or take it to a computer store to put the old firmware back? Or just get a new router?

Also in the router's log:

*incoming log*

Source IP ------------------------ Destination Port Number 
10.241.124.1 ----------------------- bootpc

*Outgoing log*

Nothing yet.

What does this mean?

Note: I tried to reset the router in the router settings by clicking on Factory Defaults and, well, no change.


----------



## lunarlander (Sep 22, 2007)

I would think it is not possible to say if it is good or bad just looking at the screen. Cause you don't know what is underneath. I would get the original firmware back on it.


----------



## TerryNet (Mar 23, 2005)

I agree with lunarlander, and wish I had advised that in my first post. If you can't install the latest Linksys firmware and it is not under warranty cut your losses and get a new router.


----------



## zergpc208 (Jan 15, 2006)

Okay so I should put the latest Linksys firmware?? If so how would I go about doing that?

Also what is this?

In the router's log:

*incoming log*

Source IP ------------------------ Destination Port Number 
10.241.124.1 ----------------------- bootpc

*Outgoing log*

nothing here yet..

And
http://attachments.techguy.org/attachments/184589d1293230939/11a.jpg

Do you think I'm still being hacked?


----------



## TerryNet (Mar 23, 2005)

> Okay so I should put the latest Linksys firmware?? If so how would I go about doing that?


Assuming there is an "update firmware" operation (probably in the System or Administration or Tools section) you download the Linksys firmware to a computer and then click on "update firmware."


----------



## zergpc208 (Jan 15, 2006)

> Assuming there is an "update firmware" operation (probably in the System or Administration or Tools section)


Where in control panel?


----------



## antimoth (Aug 8, 2009)

etaf said:


> No idea
> who has access to the router ?
> and why would someone put firmware on the PC that needs to be purchased !!!!
> 
> not making any sense to me


I just googled SVEASOFT and surmise it is a legit company, but their source code got stolen, so hacked versions of their firmware are floating around, and who knows what's in it. How did it get there? Maybe a backdoor has already been hacked into the OP's original PC, and whoever did it took the extra step of hacking the router too. After all, who ever goes to the router admin page after setup?



zergpc208 said:


> Do you still think I'm being hacked


No question in my mind. Trust nothing til you get it all cleaned up or reloaded.

Here's a legit Linksys update page. You get the firmware from the Linksys support site.


----------



## calvin-c (May 17, 2006)

This is probably just my paranoia, but if the firmware is hacked then wouldn't any Update option it offered be suspect? I'd replace the router, myself.


----------



## zergpc208 (Jan 15, 2006)

Well, with my little knowledge of networking I would say hacking is unlikely for two reasons. One, WPA and MAC filtering would not allow a connection to the router, let alone uploading new firmware. And number 2, from the hacker's point of view, why put in new firmware? Why not change the router's settings and change the user name and password so that I cannot get into the router settings? And why change the network name?

More likely the router was set to automatically update the firmware or I went to a bad web site that had malware. So if the hacker put in new firmware that means, well, 3 security breaches!! One, WPA; two, MAC filtering; and three, the router's login user name and password to get into the router's settings.

But from my little knowledge of networking, port forwarding to an IP address of 192.168.1.0 looks like the router's IP address.

http://attachments.techguy.org/attachments/184589d1293230939/11a.jpg

And

incoming log

Source IP ------------------------ Destination Port Number 
10.241.124.1 ----------------------- bootpc

Looks like hacking to me.

I don't know what the problem is here; the malware team here and anyone with medium to advanced networking knowledge would have no problem telling me more or less what is going on here.

I think the only solution is to put the proper firmware back or get a new router.

This http://attachments.techguy.org/attachments/184589d1293230939/11a.jpg

And

incoming log

Source IP ------------------------ Destination Port Number 
10.241.124.1 ----------------------- bootpc

Does not sit well with me.


----------
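What the incoming-log entry and the addresses quoted in the posts above decode to, as an added example that is not part of any post in the thread. `bootpc` is the registered service name for UDP port 68, the port a DHCP client listens on; the /24 LAN range is an assumption, since the thread does not state the LAN mask.

```python
import ipaddress

# Registered BOOTP/DHCP service names as a router log prints them.
SERVICES = {
    "bootps": ("udp", 67, "DHCP server port"),
    "bootpc": ("udp", 68, "DHCP client port"),
}

# Values quoted in the thread.
LOG_LINE = "10.241.124.1 ----------------------- bootpc"
WAN_IP, WAN_MASK, WAN_GATEWAY = "173.32.124.16", "255.255.254.0", "173.32.124.1"
FORWARD_TARGET = "192.168.1.0"
# Assumption: the LAN is 192.168.1.0/24; the thread does not state the LAN mask.
LAN_NET = "192.168.1.0/24"


def describe_address(addr, lan=LAN_NET):
    """Classify an address relative to the LAN and to private address space."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(lan)
    if ip in net:
        if ip == net.network_address:
            return "LAN network address (not a host)"
        if ip == net.broadcast_address:
            return "LAN broadcast address"
        return "LAN host"
    if ip.is_private:
        return "private (RFC 1918), outside the LAN"
    return "public"


def explain_log_line(line):
    """Decode one 'source ---- service' entry from the incoming log."""
    source, _, service = line.split()
    proto, port, role = SERVICES.get(service, ("unknown", None, "unlisted service"))
    return {"source": source, "source_kind": describe_address(source),
            "proto": proto, "port": port, "role": role}


def gateway_on_wan_link(ip=WAN_IP, mask=WAN_MASK, gateway=WAN_GATEWAY):
    """True when the default gateway lies inside the WAN interface's subnet."""
    link = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return ipaddress.ip_address(gateway) in link


if __name__ == "__main__":
    print(explain_log_line(LOG_LINE))
    print(FORWARD_TARGET, "->", describe_address(FORWARD_TARGET))
    print(WAN_IP, "->", describe_address(WAN_IP))
    print("gateway on WAN link:", gateway_on_wan_link())
```

A packet addressed to UDP 68 arriving on a WAN interface that the status page shows as "Automatic Configuration - DHCP" is what lease traffic from an upstream DHCP server looks like, so this entry alone does not distinguish a compromised router from a healthy one.
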



## Snagglegaster (Sep 12, 2006)

zergpc208, it is definitely possible to have a router infected with malware. You might want to read some of the articles from this search page, particularly the Security Fix story and this thread on the Wilders Security forum. These also explain why it's desirable for crooks to infect or hack router firmware, so I'm not going to recap all the info in this post.

Antimoth, if you've googled sveasoft, I'd say that rather than drawing a conclusion that they are a legitimate company, you should have serious concerns about the product. If you haven't already done it, take a look at their homepage. Hey! No inflated or misleading claims here! Well, except maybe for that claim to increase power by 1000%, and perhaps everything else on the page. Finally, if you do a Whois search on sveasoft.com, you'll find that the domain is registered through Domains By Proxy, which is a service used to hide domain ownership. For an individual, this might reflect some legitimate privacy concerns, but for a business, it just reeks of fraud and deception. Also, sveasoft doesn't provide any contact information on their site other than an email contact form. Hint: most legitimate businesses have a phone number, P.O. Box, and street address.

So, zergpc208, your router is almost certainly compromised by malware, and if you are unable to install current firmware for it, you should toss it. You should also assume that all of your passwords, etc. are compromised and change them immediately. And it goes without saying that you should scan your computer thoroughly. Never, ever, assume that your AV software is likely to be more than around 50-75% effective at blocking infections. That leaves a huge window of exposure that you can only close by frequent scans with multiple antimalware products, and massive paranoia online.


----------



## antimoth (Aug 8, 2009)

Snagglegaster said:


> Antimoth, if you've googled sveasoft, I'd say that rather than drawing a conclusion that they are a legitimate company, you should have serious concerns about the product. If you haven't already done it, take a look at their homepage.


When I googled sveasoft and found a homepage existed, I was afraid to go there. You know, unknown website, drive by download, etc. I drew my conclusion looking at a blog. LOL, probably just as risky.

Yes, I agree the OP's system is wholly compromised. If he had a dictionary based WPA password, and lived in an apartment with nasty neighbors down the hall, they say those passwords can be cracked in a week or two of automated hacking. But that's less likely than having a backdoor trojan running on one of his PC's. You need to have PC access on the network to reload a router. I'd be reloading all the PC's and reloading or replacing the router.


----------



## Snagglegaster (Sep 12, 2006)

antimoth said:


> When I googled sveasoft and found a homepage existed, I was afraid to go there. You know, unknown website, drive by download, etc. I drew my conclusion looking at a blog. LOL, probably just as risky.
> 
> Yes, I agree the OP's system is wholly compromised. If he had a dictionary based WPA password, and lived in an apartment with nasty neighbors down the hall, they say those passwords can be cracked in a week or two of automated hacking. But that's less likely than having a backdoor trojan running on one of his PC's. You need to have PC access on the network to reload a router. I'd be reloading all the PC's and reloading or replacing the router.


I'd pretty much agree with you, there. It's certainly better than being the next lead article in a blog about cybertheft.


----------



## Irukku (Dec 27, 2010)

_*Change your WPA password. If possible, switch to WPA2 security.*_


----------



## zergpc208 (Jan 15, 2006)

> Yes, I agree the OP's system is wholly compromised. If he had a dictionary based WPA password, and lived in an apartment with nasty neighbors down the hall, they say those passwords can be cracked in a week or two of automated hacking. But that's less likely than having a backdoor trojan running on one of his PC's. You need to have PC access on the network to reload a router. I'd be reloading all the PC's and reloading or replacing the router.


Well, Kaspersky did not pick anything up and the computer does not seem to be running slow. Also Kaspersky is updated so there should be no problem here.

I really think I should get a new router rather than try to put the proper firmware back, as it is not 100% sure; there may be bad code hiding in there somewhere. One of 3 things may have happened: I went to a bad web site, someone hacked the router, or it updated to the latest firmware.

I read somewhere that Linksys routers do use sveasoft.


----------



## lunarlander (Sep 22, 2007)

Hi zergpc208,

Go try and download the eicar test virus to see if Kaspersky is active. 
http://www.eicar.org/anti_virus_test_file.htm

Do it on all your PCs.


----------



## Snagglegaster (Sep 12, 2006)

zergpc208 said:


> .
> 
> Well, Kaspersky did not pick anything up and the computer does not seem to be running slow. Also Kaspersky is updated so there should be no problem here.
> 
> ...


*No* router uses sveasoft firmware when it ships from the factory. So, while the major concern is still that your router may have been compromised, which means banking information, etc. may not be secure, the fact that you aren't sure where you acquired Talisman makes it likely that other malware is present on your computer. Kaspersky is very effective, but you still need to run some programs that are more focused on detecting generic malware. Malwarebytes Antimalware, Spybot Search & Destroy are still my tools of choice, but I will also recommend SuperAntiSpyware. Yes, I've dissed it many times on this forum, but my most recent experiences with the program have been very positive. And no, I don't like the taste of crow.

Anyway, whenever you have a reason to suspect that your computer has been seriously compromised, you should adopt a "worst case scenario" attitude. That means you should make every reasonable effort to ensure your system is currently uninfected, while still assuming that *All* your online passwords need to be reset, and any credit card transactions, etc. should be double checked.


----------



## zergpc208 (Jan 15, 2006)

Just an update: due to security, and not to take a chance here, I got a new router.

To change the router firmware, from what I understand:

1. Hack the WPA
2. Spoof the MAC filtering
3. Hack the user name and password to log in to the router
4. Then update the firmware.

That is the only way I can see the hacker could have done it (in order), or I went to a bad web site.

Due to security, and not to take a chance, I got a new router.


----------



## pspuria81 (Oct 28, 2010)

Reflash the firmware with OEM Linksys FW or go to DD-WRT and get free FW and install it, set up all the security settings and back up the settings in a file somewhere on your computer so it doesn't happen again. As for someone else installing firmware, your computer will not know what your router is doing, nor will it know if another computer is connected to it; that requires monitoring with a network sniffer.

cheers!!!


----------

