# unsecured network

## trikmik

I have a few questions regarding network security;

A few months ago, my Gentoo box was horribly pwned. Ever since, I have looked back on it, and I might now know what happened; however, I am not sure.

That is why I am looking for some feedback on this.

I suspect 3 possible attackers: 1. the church/cult group I left, 2. the healthcare facility where I am under therapy, 3. an unknown troll.

One day, I was playing an online game called Aion on my Gentoo system. All of a sudden someone took over control and moved my character in Aion while I was not touching my keyboard.

Straight after, I looked in ifconfig and noticed a different IP address.

I took the box offline, removed the hard disk, and booted the Gentoo live DVD, then I plugged in the network cable (the hard drive was still unplugged).

Then I started typing a message saying "I know you hacked me, could you at least show me how you did it?"

Wireshark was open already, and my mouse moved towards a red-colored "arp" string in Wireshark.

Then I did "arp -a" and noticed there were 2 ARP interfaces.

I did "arp -s" to make the correct interface/MAC static, and network connectivity stopped working.

Then I did "arp -s" to make the new/unknown interface/MAC static, and network connectivity worked again.

I rebooted into the Gentoo install on /dev/sda and noticed a strange boot-up logo I had never seen before; the logo disappeared within less than a second.

My /var/log files were all missing, so I did not bother to investigate; I knew something was wrong.

The next day I called my internet service provider, and they said they saw 2 IP addresses coming from my motherboard, and suggested flashing the BIOS.

I then destroyed the motherboard physically and bought a new motherboard.

Questions:

- If the network I am on is controlled remotely by an attacker, who can thus intercept all network traffic including login credentials to the system, what should I do besides avoiding that network?

Could I bypass this by only connecting the network cable after I have logged into X,

or could the login credentials still be intercepted even when I am not typing the password?

- About the ARP poisoning: when I check my ARP table now, I only see my own interface and MAC address, so clearly something went wrong there. Is setting static ARP enough to prevent ARP poisoning?

- About DNS poisoning, how could I prevent that: is setting DNS in /etc/resolv.conf and then making it read-only enough to prevent DNS poisoning?

- Could the attacker access any folders on my Gentoo install because we are on the same network?

- How can I make sure the attacker will not launch another bootkit into the UEFI?

I searched the internet on how to connect to an unsecured network, and all I can find are things like VPN, SSL, HTTPS; however, I am concerned about re-connecting to that same network with my new box.

- What can I do to prevent another exploit when I connect to a network that might be controlled by some malicious person?

----------

## eccerr0r

While this story is possible, I find it hard to believe, and the only way it truly can be possible is if suspect #1 was the culprit and had physical access to the machine at some point.  Or if there's a bug in the *@$(#%&ing Management Engine that Intel provides; hopefully you disabled it if you have a machine with this.

If you reinstalled, the idea is that you control what you have access to.  A fresh install has no network access except possibly via sshd, but you have to enable that as well.

Choose good passwords.  This will prevent remote access.

Do not contact other hosts unless they can prove who they are; this is what certificate systems were designed for, though you still ultimately have to trust someone if you want network access.  Check certificates carefully over more than one network.  This implies the use of SSL.

ARP poisoning is somewhat of a myth.  While it is possible, it is not done frequently.  Careful use of SSL should uncover ARP trickery, as the remote host can't lie about its identity even if it lies about its MAC (you must carefully check the presented certificate against what you expect it to be).

Who is your network provider?  I would be very wary of them if you don't trust them.  This is why I hate ISPs that do transparent proxy caching to save network bandwidth; this is something they must disclose up front.  SSL will prohibit proxy caching.

----------

## krinn

I more suspect reason #2: the reason itself, or an effect of the pills to heal it.

Everyone should stop thinking that someone hacking into and getting access to a computer has the ultimate goal of doing little shit with it (playing with someone's browser or moving an online character left or right); if someone wants your computer, it's for its data value or its power value (using your CPU, your bandwidth, space or identity for something). In many countries it's against the law.

It's known that online characters are sometimes pwned, but in-game, for the value of the character's money (but it's also known that some people use the same password for everything, and having an online game password pwned means having every other password owned too).

You even have an in-game ability for a character to be owned and controlled by two persons (that's for their game masters, in order to fix something).

But having two persons using the same account at the same time is not really something they would enjoy themselves (it would be cool if I could use an account with 10 characters, pay for the account myself and let my other friends play freely with the 9 other characters from that account, but for an unknown reason, game owners prefer that 10 persons do that by paying 10 account fees).

Having 2 ARP entries in your ARP list is something nearly 99% of users would have; many users have a box (that is, a router), and the router has an IP and a MAC address (note that a switch doesn't, but a router acting as a switch does; if you want the general rule: if the device can be configured through some web interface, it must have an IP address to be contacted, and so a MAC address to be contacted). It's an active interface on the network and has its own entry in ARP.

It's even worse with providers' boxes, as they generally have more than one IP and MAC, to handle more features than a router (TV mode...).

A network card + a router gives a minimum of 2 ARP entries.

It's also well known that just because you ask for help from an ISP or any provider, the person who gives you help is not necessarily helpful (not because she doesn't want to be, but because she is not competent at all); whatever she said about 2 IPs coming from your box is strange. Your box should only have 1 coming out of it because it has only 1 WAN interface (yeah, it could have more than one), but basically ISPs don't grant users a kick-ass device when they could provide a cheap one that does the job; even with more than 1 WAN interface, each IP is granted by the ISP and they should really ask more money for the feature, and the two IPs should still be within the range of IPs the ISP is using. Something your ISP would be really scared of if it happened illegally.

If that answer was about multiple IPs using the WAN interface, with masquerading, it's normal. What would be less normal is an ISP using packet filtering to inspect each packet going out of your box to see what those IPs or MACs are; that is private life and has no use for your ISP (even if the law forces them to keep logs of packets, it doesn't grant them any right to look at their content; that's for judges' and legal authorities' eyes). But I suppose that part really depends on your country's laws.

So having an ISP able to tell you that packets getting out of your box contain different IPs/MACs is, well, for me, scary; even if you are the one querying the information, they shouldn't be able to provide it to you.

But when it comes to privacy, I admit Europe looks like a strange safe haven compared to other so-called educated or advanced countries.

And that part should give you the real answer about the level of competence of the helping person: "suggested flashing the bios"; because that answer is as good as a car seller telling you "yes, we see you are out of fuel, you should clean your windows".

And your reaction of destroying your m/b also reinforces case #2 (the pills or the reason you are under therapy).

----------
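Editor's added example for the ARP discussion above (trikmik's static-ARP question, eccerr0r's remark on ARP trickery, and krinn's point that a NIC plus a router already gives two entries). It is not code from any post. It reads the text of `ip neigh show`, which on current Gentoo is the replacement for `arp -a`, and reports the one pattern that a static entry is meant to block: the gateway's address answered by a different, or a shared, MAC. The snapshots embedded below are constructed for the example; the gateway address and interface name are assumptions.

```python
"""Check a Linux neighbour table for the pattern ARP spoofing produces.

Added example for the thread's ARP discussion; not code from any post.
Input is `ip neigh show` output (replacement for `arp -a`); the sample
snapshots at the bottom are constructed.
"""
from collections import defaultdict


def parse_neigh(text):
    """Map ip -> (mac, state) for every `ip neigh` line that has a lladdr.

    Lines without `lladdr` (state FAILED / INCOMPLETE) carry no mapping and
    are skipped.  The state is the last token: REACHABLE, STALE, DELAY,
    PERMANENT, ...  PERMANENT is what a static entry looks like.
    """
    table = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if "lladdr" not in tokens:
            continue
        mac = tokens[tokens.index("lladdr") + 1].lower()
        table[tokens[0]] = (mac, tokens[-1].upper())
    return table


def gateway_is_static(text, gateway):
    """True if the gateway entry is PERMANENT, i.e. pinned with
    `ip neigh replace <gateway> lladdr <mac> dev <iface> nud permanent`."""
    entry = parse_neigh(text).get(gateway)
    return entry is not None and entry[1] == "PERMANENT"


def find_conflicts(snapshots, gateway):
    """Compare successive snapshots of the neighbour table.

    Two entries (the router plus another host) are normal.  What is not
    normal, and what this reports:
      * the gateway's MAC changing between snapshots;
      * one MAC answering for the gateway *and* another address at the
        same time, which is how a spoofing host looks from the victim.
    Returns a list of findings; an untouched LAN gives an empty list.
    """
    findings = []
    last_gw_mac = None
    for idx, snap in enumerate(snapshots):
        table = parse_neigh(snap)
        if gateway in table:
            mac = table[gateway][0]
            if last_gw_mac is not None and mac != last_gw_mac:
                findings.append(
                    f"snapshot {idx}: {gateway} moved from {last_gw_mac} to {mac}")
            last_gw_mac = mac
        ips_by_mac = defaultdict(set)
        for ip, (mac, _) in table.items():
            ips_by_mac[mac].add(ip)
        for mac, ips in ips_by_mac.items():
            if gateway in ips and len(ips) > 1:
                findings.append(
                    f"snapshot {idx}: {mac} claims {sorted(ips)}, including the gateway")
    return findings


# Constructed snapshots: a quiet LAN, the same LAN with host .20 answering
# ARP for the router, and the LAN after pinning the router's real MAC.
CLEAN = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
"""
SPOOFED = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
"""
PINNED = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 PERMANENT
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
"""

if __name__ == "__main__":
    import subprocess
    GATEWAY = "192.168.1.1"          # assumed; take it from `ip route show default`
    for line in find_conflicts([CLEAN, SPOOFED], GATEWAY):
        print("sample:", line)
    try:
        # Live use: run this a few seconds apart and feed both outputs to
        # find_conflicts(); a single reading only tells you about pinning.
        live = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                              text=True, check=True).stdout
        print("live gateway pinned:", gateway_is_static(live, GATEWAY))
    except (OSError, subprocess.CalledProcessError):
        pass
```

Caveat a practitioner would add: pinning the gateway MAC only fixes this host's own lookup. The router's lookup of you can still be poisoned, and pinning whichever entry makes the network "work again" (the second `arp -s` in the first post) pins the attacker's MAC if there is one. So the static entry is a local guard, and the certificate check eccerr0r describes is still what tells you whether the host you reached is the one you meant.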

## NeddySeagoon

trikmik,

I'm not even sure your box was hacked.

Games have a reputation for not being secure.

That you booted the LiveCD, which has completely different software from your own install, and the odd behaviour continued, reinforces the non-hack view of the world.

We have had a small number of cases reported here of neighbours using wireless keyboard and mouse sets that have the same security codes, so they interfered with one another. That's more likely than an attack, and it's common to both installs.

Your ISP front line support does not have a clue. They follow a script, then they are lost.

Probably after 'did you try rebooting?'

----------

## chiefbag

*NeddySeagoon wrote:*

> Your ISP front line support does not have a clue. They follow a script, then they are lost.
>
> Probably after 'did you try rebooting?'

:Laughing: :Laughing: :Laughing:

*Quote:*

> BOFH Excuse #65:
>
> system needs to be rebooted

----------

## trikmik

So I can safely reconnect to that same network, without the chance that the system administrator will "spy" on my PC?

----------

## NeddySeagoon

trikmik,

That's a different question.

Someone with physical access to your PC could have fitted a keylogger that phones home once it's on the network.

This has nothing to do with the network itself though.

If you set up a firewall that blocks both incoming and outgoing traffic, then allow only the things you need, any other outgoing connections will be blocked and logged.

You can also tunnel everything to a VPN provider so that your ISP cannot spy on you.

That only changes who you need to trust, since the VPN provider decrypts all your traffic and forwards it.

Then there is tor ...

----------
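Editor's added example for the firewall suggestion in NeddySeagoon's post above: a default-deny ruleset, both directions, with an explicit allow-list and logging of everything else. This is not code from the thread. It emits nftables text for `nft -f` (on Gentoo, typically saved as /etc/nftables.conf and loaded by the nftables service); the interface name and the port sets in the example are assumptions to be adjusted per host.

```python
"""Emit a default-deny nftables ruleset from an explicit allow-list.

Added example illustrating the "block everything, allow only what you
need, log the rest" advice; not code from the thread.  Output is meant
for `nft -f`.  Interface and ports are assumptions for the example.
"""


def _portset(ports):
    return "{ " + ", ".join(str(p) for p in sorted(ports)) + " }"


def build_ruleset(iface, out_tcp=(53, 443), out_udp=(53, 123), in_tcp=(),
                  log_prefix="nft-deny"):
    """Return an nftables ruleset as text.

    Both input and output chains default to drop.  Loopback and replies to
    connections this host opened are allowed; *new* connections are allowed
    only to/from the listed ports; anything else is logged (rate-limited,
    visible in dmesg / the journal) and then falls through to the drop
    policy.  That is the "blocked and logged" behaviour the post describes.
    """
    def log_rule(direction):
        return f'    limit rate 10/minute log prefix "{log_prefix}-{direction}: "'

    lines = [
        "flush ruleset",
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    meta l4proto { icmp, ipv6-icmp } accept",
    ]
    if in_tcp:   # services you deliberately expose, e.g. sshd on the LAN
        lines.append(f'    iifname "{iface}" tcp dport {_portset(in_tcp)} '
                     "ct state new accept")
    lines += [
        log_rule("in"),
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    meta l4proto { icmp, ipv6-icmp } accept",
        f'    oifname "{iface}" tcp dport {_portset(out_tcp)} ct state new accept',
        f'    oifname "{iface}" udp dport {_portset(out_udp)} ct state new accept',
        log_rule("out"),
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Assumed host: interface eth0, outbound DNS/HTTPS/NTP only, sshd
    # reachable on the LAN.  Review the text, then load it with
    # `nft -f ruleset.nft`; keep a console session open the first time.
    print(build_ruleset("eth0", in_tcp=(22,)), end="")
```

Anything a keylogger or unexpected process tries to send out shows up as a `nft-deny-out:` line in the kernel log rather than leaving silently, which is the check the post is after. If you tunnel to a VPN as the post goes on to mention, the outbound list shrinks to the tunnel's own port on the physical interface, with a separate allow for the tun/wg interface.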

## trikmik

I need to be totally honest: at some point I removed the hard disk and did write some Android malware, and played with Metasploit and a trojan called fat rat.

That was with a Kali Linux live DVD as root, but the hard disk was removed; however, it might somehow have infected the UEFI while I was browsing with Firefox as root.

Maybe that was not such a smart move, and I might have got infected myself.

However, I suffer from schizophrenia, which makes me very paranoid when it comes to internet security, and I don't trust my own home network anymore.

I thought about the government listening on my home network, and even maybe the health care facility, or even the cult/church; to be honest, I do not know.

Maybe I should take a step back and just accept that if, maybe if, my network has a man in the middle who sniffs my login credentials and uses those to log in and embed root/boot kits, I might just have to accept that against the government I cannot defend myself.

----------

## NeddySeagoon

trikmik,

It's very difficult to sniff login credentials.  Unless you use telnet, they should never leave the local machine.

Even there, they are not stored in clear text.

When you run passwd, the text you enter is stored as a hash value with a salt.

When you use the password, the process is repeated and the hash values are compared.

Finding hash collisions, given the hash, is difficult.  That is what is required to crack your password.

ssh can be made even more difficult by using keys rather than passwords.

----------
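Editor's added example of the mechanism NeddySeagoon describes above (random salt, one-way hash, verification by recomputing and comparing). It is not code from the thread. It uses PBKDF2-HMAC-SHA256 from the Python standard library rather than the crypt(3) `$6$` format that /etc/shadow actually stores, because the mechanism is the same and this runs anywhere; the `pbkdf2_sha256$iterations$salt$hash` record layout is this example's own convention, not a system format.

```python
"""Salted, iterated password hashing and verification.

Added example of what `passwd` does with what you type; not code from the
thread.  Standard-library PBKDF2 stands in for the crypt(3) format that
/etc/shadow really uses; the record layout below is this example's own.
"""
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000       # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return the record to store.  The password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count, then compare in
    constant time (hmac.compare_digest) so a wrong guess cannot be told
    apart by timing.  A malformed or foreign record verifies as False."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Two users with the same password get different records because the
    # salt differs, so a table precomputed for one is useless for the other,
    # and a sniffed record is not the password.
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print(a)
    print(b)
    print("same record?", a == b)                                            # False
    print("verify ok?", verify_password(a, "correct horse battery staple"))  # True
    print("verify bad?", verify_password(a, "Correct horse battery staple")) # False
```

The iteration count is what makes "finding a preimage given the hash" expensive: every guess costs the attacker the same 600,000 HMAC rounds it costs the login. That is also why the post's last line matters: an ssh key never sends anything that can be replayed or guessed offline, whereas a weak password remains guessable however well it is hashed.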

