Is this a wifi theft hack?

verndewd

Distinguished
Mar 27, 2009
40
1
18,595
PORT STATE SERVICE VERSION
23/tcp open telnet Broadcom BCM963268 ADSL router telnetd
80/tcp open tcpwrapped
443/tcp open tcpwrapped
5431/tcp open upnp Belkin/Linksys wireless router UPnP (UPnP 1.0; BRCM400 1.0)
8085/tcp open tcpwrapped
Service Info: OS: Linux 2.4; Devices: broadband router, router; CPE: cpe:/h:broadcom:bcm963268, cpe:/o:linux:linux_kernel:2.4

former state, literally minutes before. Case 2 I dont have any Linksys, ANYthing.

Not shown: 65529 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https
1990/tcp open stun-p1
5431/tcp open park-agent
8085/tcp open unknown

Your input is greatly appreciated, it looks to me like wireless signal theft. wireshark , router and zenmap files available as well.,, Maybe
 

verndewd

Distinguished
Mar 27, 2009
40
1
18,595
But wait there is more my router logs kept insisting there were intrusion attempts:::01/01/2019 02:42:34 AM Firewall Intrusion -> IN=ppp0.1 OUT= SRC=176.119.4.73 DST=65.129.63.97 PROTO=TCP SPT=44575 DPT=8344
01/01/2019 02:42:33 AM Firewall Intrusion -> IN=br0 OUT=ppp0.1 SRC=192.168.0.5 DST=47.254.79.165 PROTO=UDP SPT=29593 DPT=32100
01/01/2019 02:42:33 AM Firewall Intrusion -> IN=br0 OUT=ppp0.1 SRC=192.168.0.5 DST=47.93.34.139 PROTO=UDP SPT=29593 DPT=32100
01/01/2019 02:42:33 AM Firewall Intrusion -> IN=br0 OUT=ppp0.1 SRC=192.168.0.5 DST=47.91.222.210 PROTO=UDP SPT=29593 DPT=32100
01/01/2019 02:42:33 AM Firewall Intrusion -> IN=br0 OUT=ppp0.1 SRC=192.168.0.6 DST=108.177.98.188 PROTO=TCP SPT=48746 DPT=5228
01/01/2019 02:42:28 AM Firewall Intrusion -> IN=br0 OUT=ppp0.1 SRC=192.168.0.4 DST=205.171.3.25 PROTO=ICMP
01/01/2019 02:42:28 AM Firewall Intrusion -> IN=br0 OUT=ppp0.1 SRC=192.168.0.4 DST=205.171.3.25 PROTO=ICMP
01/01/2019 02:42:22 AM Firewall Intrusion -> IN=ppp0.1 OUT=

Not only that but i detected an android device with a cyanogen rom os which i later found was a hackers friend
 

verndewd

Distinguished
Mar 27, 2009
40
1
18,595

i found a certified security guy on another forum, let me see what he says.. and fyi its a century link router , i cant change diddly and neither can tech support
 

verndewd

Distinguished
Mar 27, 2009
40
1
18,595
I scanned the bloody hell out of everything. all I found was a linksys belkin port series on my technicolor router, i deduce that, its either a broadcom chip associated with those brands or this alleged hacker is invisible. I used zenmap extensively, But i did find an interesting randomized mac presence on my fingbox, since it does the same thing i really do doubt it would read itself but it could during an attack, But more than that I have no idea. I did get some fishy details from wire shark and through an android scanner i picked up hidden mac addresses and bridges.
 

verndewd

Distinguished
Mar 27, 2009
40
1
18,595
i found some really interesting info from linux admins on detecting a ddos etc and thats what it was they were using servers in turkey and poland i have one tcp dump log that enumerates everything. Long story short i contacted those server admins and downloaded murus, no more fans going crazy. also found a hidden user accountg and really tons more but yeah i fixed it
 

verndewd

Distinguished
Mar 27, 2009
40
1
18,595
the certified sec guy found nothing btw. Anyone suffering with extreme fan heat issues should run sudo tcpdump -n -p --S in terminal.
-n, reveals only ip addresses
-p takes it out of promiscuous mode which creates vulnerabilities
-S, Iirc forces absolute addresses not relative addresses
What you look for is an insane amount of calls to your machine. in my case it was thousands every couple minutes from the same IP. Using who is you can id the site and net range You can create a host deny file in terminal using sudo pico host.deny Just do the reading first and you can alter that file with sudo nano host. deny, But, you cant make it work without a host. allow file.
And then there is Murus:
Its 35 for the suite and it IS sweet. with its port blocking adaptive filter and brute force blocking settings , its by far the best firewall ive ever used, learning curve ? med high to high depending on your experience.Ii forget where i got it but there is also a bash script that can turn your machine into an IDS IPS, though bash is still beyond my grasp.
 
Last edited: