I'm pretty sure my network has been hacked. Need suggestions

Bird222

[H]ard|Gawd
Joined
Dec 1, 2000
Messages
1,287
I won't go into detail of how I know but at this point I'm pretty sure. First question, I've got a separate partition that I have files on, if I delete the windows partition and reinstall windows and scan the 'data' partition should I be safe? Or do I need to reformat everything? Second question, I've been using gotomypc for work. Do I need to notify IT? Third question, do I need to worry about my android phone having something installed on it? TIA for any help.
 
I won't go into detail of how I know but at this point I'm pretty sure. First question, I've got a separate partition that I have files on, if I delete the windows partition and reinstall windows and scan the 'data' partition should I be safe? Or do I need to reformat everything? Second question, I've been using gotomypc for work. Do I need to notify IT? Third question, do I need to worry about my android phone having something installed on it? TIA for any help.


Well don't go into detail but tell us why you're pretty sure?
 
Without knowing what happened it's hard to advise, but with the lack of information question EVERYTHING, complete format, notify IT and wipe the Android Phone (even though this isn't 100%).
 
if you suspect you’ve been compromised in any way that affects your company, then yes you should absolutely notify them.
 
Ok. I'll try to make this as concise as I can.
Network setup: Asus RT-AC68U running FreshTomato 2020.2 (main router) and Asus RT-N66U running FreshTomato (older version don't remember) setup as a Wireless Ethernet Bridge. Network printer


I have a desktop computer (not the main computer I use) that's connected to the N66U by ethernet. I installed a VM on this computer to exclusively use to work from home with Gotomypc. The first thing I noticed (in retrospect) was the Windows firewall popped up blocking some connection when I started VMware. I had already allowed it when I had installed it some time ago, but I didn't really think anything of it so I just hit allow and got the VM going. For some reason, I couldn't print. I discovered that the VM was on a different subnet than my normal subnet which is why it couldn't talk to the printer. Ok installed Wireshark on VM and renewed the IP. Wireshark showed that it was getting an IP from 'Netgear R6210 0f:97:99' (entire MAC is bc:a5:11:0f:97:99) at 192.168.1.1 (again not my subnet). I look at the 'device list' on the main router and I do see a connection that I can't identify (C0:38:96:**:**:**). So I plug my laptop (my main computer) directly into the main router and go to 192.168.1.1 in the browser. The login box that pops says Netgear. WTF! I took that router out of service and replaced it with another 68U and updated both firmwares with FreshTomato 2020.3 (latest)

So I go to a friend's house and get him to make me a Kaspersky boot flash drive. I scan both computers nothing was found. Then I tried to scan the VM but I couldn't get it to boot off the drive. So I downloaded the iso again myself any tried to get Rufus to write it again but it would fail to write. WTF. It did say something about needing to download two files for it to create the boot disk but that seem to go ok but when it started to write that iso it would fail. However, I did try to burn a different iso and it finished no problem. So now I'm wondering if something is on my system that is looking for the Kaspersky iso and blocking it. But like I said earlier, I already did a scan on this computer (in fairness I didn't update the boot disk because I was scared to connect to the network) and nothing was found. Also discovered late last night that my Tivo small box couldn't communicate with the main box. You guessed it, main box is on a different (wrong) subnet from the mini so it must have gotten an IP from the Netgear router too. I was really hoping there some crazy beta firmware corruption that caused this but it's really looking like I have been compromised. So there's the story.

EDIT. That unidentified C0:38:96 mac is back. Device list says it's on the wired network. The lease has been up for an hour. Maybe that is the Tivo box. I have have wireless turned off but I'm not sure if it was before the lease though.
 
Last edited:
Device list says it's on the wired network.
that means its physically connected. its probably your tivo. look on the label and see if the macs match. look for anything else you may have connected too, like a blueray or console.
 
I think I have finally solved the mystery. I'm pretty sure that C0:38:96 is not my Tivo. I had converted my network to totally wired AND I had disconnected the WAN cable. But guess what? I was able to access the internet on one of my computers. WTF!! Ok on to the explanation, the Tivo box somehow is wired to my network (via ethernet cable) and connected to somebody else's network through the coax cable. When one of my computers asks for an IP address its a crap shoot as to which router responds first. Sometimes it would be that other person's network. This also explains the mysterious MAC address. It just happened to get an address from my network. Hopefully the cable company will come out today and fix this. It looks like nothing malicious was done, but I still got to decide if I want to wipe stuff since my computers were exposed to an unknown network.
 
I think I have finally solved the mystery. I'm pretty sure that C0:38:96 is not my Tivo. I had converted my network to totally wired AND I had disconnected the WAN cable. But guess what? I was able to access the internet on one of my computers. WTF!! Ok on to the explanation, the Tivo box somehow is wired to my network (via ethernet cable) and connected to somebody else's network through the coax cable. When one of my computers asks for an IP address its a crap shoot as to which router responds first. Sometimes it would be that other person's network. This also explains the mysterious MAC address. It just happened to get an address from my network. Hopefully the cable company will come out today and fix this. It looks like nothing malicious was done, but I still got to decide if I want to wipe stuff since my computers were exposed to an unknown network.
Heh, you should not connect your devices to the cable without a NAT or a firewall. You're getting spammed by a thousand worms as we speak most likely. I remember when I got my first cable modem after moving to a new apartment and I built a new computer. I started installing Windows with the ethernet plugged in and I had 3 infections before the installation was finished... When I later plugged in wireshark I saw that the cable network was trying to infect the computer on average 100 times a second. Huge amount of infected windows boxes.
 
Heh, you should not connect your devices to the cable without a NAT or a firewall. You're getting spammed by a thousand worms as we speak most likely. I remember when I got my first cable modem after moving to a new apartment and I built a new computer. I started installing Windows with the ethernet plugged in and I had 3 infections before the installation was finished... When I later plugged in wireshark I saw that the cable network was trying to infect the computer on average 100 times a second. Huge amount of infected windows boxes.

You just can’t help yourself, can you?

He didn’t say anything about connecting to cable without a firewall. His TiVo box is connected to cable for programming, and that is somehow possibly bridging the his network to someone else’s. How that’s happening is a mystery to me unless the boxes have built in MoCa bridges.
 
You just can’t help yourself, can you?

He didn’t say anything about connecting to cable without a firewall. His TiVo box is connected to cable for programming, and that is somehow possibly bridging the his network to someone else’s. How that’s happening is a mystery to me unless the boxes have built in MoCa bridges.
I have seen Moca setup in the Tivo box. What exactly is that? If they can't somehow get this box behind my router I'm going to have to cancel service. I can't have this thing have an unfettered internet connection and be connected to my network.
 
I have seen Moca setup in the Tivo box. What exactly is that? If they can't somehow get this box behind my router I'm going to have to cancel service. I can't have this thing have an unfettered internet connection and be connected to my network.
It’s networking over coax. See if you can disable MoCa it n the TiVo settings. Ideally there should be a filter that blocks communications between your cable network and your neighbors.
 
Pretty bizzare that MoCA would be working across multiple tenants. Are you in a single family home or an apartment?

If this is your own dedicated internet connection, I truly cannot explain how MoCA would be talking back over the WAN and bridging your LAN's. Honestly, i'm thinking something else is at play but we can only do so much from here.
 
Pretty bizzare that MoCA would be working across multiple tenants. Are you in a single family home or an apartment?

If this is your own dedicated internet connection, I truly cannot explain how MoCA would be talking back over the WAN and bridging your LAN's. Honestly, i'm thinking something else is at play but we can only do so much from here.

Most MoCa setups use a MoCa bridge to feed internet access through your home’s CATV coax to downstream boxes so you don’t have to run Ethernet cables to them. So someone having a MoCa bridge somewhere else in a CATV network that isn’t properly isolating customers with PoE fitlers could create a connection to your network if you’re also using MoCa bridges.
 
It’s networking over coax. See if you can disable MoCa it n the TiVo settings. Ideally there should be a filter that blocks communications between your cable network and your neighbors.
I haven't looked recently but there is a Moca setup and an ethernet setup available.
 
Pretty bizzare that MoCA would be working across multiple tenants. Are you in a single family home or an apartment?

If this is your own dedicated internet connection, I truly cannot explain how MoCA would be talking back over the WAN and bridging your LAN's. Honestly, i'm thinking something else is at play but we can only do so much from here.
It's connecting both of our LANs together. Sometimes my device gets an IP from their router and thus access to the internet. Sometimes they get an IP from my router. I'm in an apartment.
 
BTW I checked the public IP address when I was connected to the other network. It is one digit different from mine.
 
Most MoCa setups use a MoCa bridge to feed internet access through your home’s CATV coax to downstream boxes so you don’t have to run Ethernet cables to them. So someone having a MoCa bridge somewhere else in a CATV network that isn’t properly isolating customers with PoE fitlers could create a connection to your network if you’re also using MoCa bridges.

Yeah, i'm quite experienced with MoCA as it was used heavily on early FiOS installs for all the cable boxes to talk to the router.

OP, how do you get internet? Do you have your own modem? I see your in an apartment so this explains a little bit but absolutely not all of it.
 
You just can’t help yourself, can you?

He didn’t say anything about connecting to cable without a firewall. His TiVo box is connected to cable for programming, and that is somehow possibly bridging the his network to someone else’s. How that’s happening is a mystery to me unless the boxes have built in MoCa bridges.
You just can't help yourself, can you?

His TiVo cannot be NATed or Firewalled if it connects to some other router in the same cable network. So at least one of his devices is connecting unprotected and if his other devices see the TiVo, probability is that they're all directly connected.
 
Yeah, i'm quite experienced with MoCA as it was used heavily on early FiOS installs for all the cable boxes to talk to the router.

OP, how do you get internet? Do you have your own modem? I see your in an apartment so this explains a little bit but absolutely not all of it.
There is just a rj45 jack in the wall. I plug my WAN cable from my router into it.
 

So is your TiVo box connected over wired ethernet to your personal LAN?

Essentially i'm trying to find the bridge. If your TiVo is getting an ethernet signal over MoCA from your neighbor, sure it might assign itself an LAN IP from their network. I'm just trying to understand how its then bridging into your LAN, physically.
 
So is your TiVo box connected over wired ethernet to your personal LAN?

Essentially i'm trying to find the bridge. If your TiVo is getting an ethernet signal over MoCA from your neighbor, sure it might assign itself an LAN IP from their network. I'm just trying to understand how its then bridging into your LAN, physically.
Yes. Ethernet to my LAN and the coax connection in the wall must link to the neighbor's network somewhere.
 
Yes. Ethernet to my LAN and the coax connection in the wall must link to the neighbor's network somewhere.

Ok, that would explain it then. Might as well disable the MoCA interface in the TiVo settings, problem solved.
 
Back
Top