
Something very strange just happened. Long story short, I went onto my computer and it told me that access was blocked to this PC. So I tried to go to 192.168.1.1, but it didn't work on my blocked PC. So I get on my tablet, go to 192.168.1.1 and go to attached devices, and to my surprise I see 21 random devices from random IP addresses that are not mine. So the next thing I thought of was to block all of the random devices. But right before I'm about to block these random devices, my tablet gets blocked from the network. So I unplug the Ethernet cable that connects my router to my modem, just in case I was getting hacked, so that they couldn't connect to my network. Then I hop on my last tablet that's not blocked, go to 192.168.1.1 and set access control to automatically block any new devices, unblock my other tablet and PC and then connect my Ethernet cable back to my router. So now I'm wondering what the heck just happened, so I go to my router logs and I get this:

[LAN access from remote] from 88.180.30.194:60240 to 192.168.1.9:63457, Saturday, November 28, 2015 10:45:21
[admin login] from source 192.168.1.9, Saturday, November 28, 2015 10:45:21
[LAN access from remote] from 88.180.30.194:54493 to 192.168.1.9:63457, Saturday, November 28, 2015 10:45:21
[LAN access from remote] from 105.101.68.216:51919 to 192.168.1.9:63457, Saturday, November 28, 2015 10:45:20
[LAN access from remote] from 88.180.30.194:54490 to 192.168.1.9:63457, Saturday, November 28, 2015 10:45:19
[LAN access from remote] from 105.101.68.216:48389 to 192.168.1.9:63457, Saturday, November 28, 2015 10:45:18
[LAN access from remote] from 41.79.46.35:11736 to 192.168.1.9:63457, Saturday, November 28, 2015 10:42:49
[DoS Attack: SYN/ACK Scan] from source: 46.101.249.112, port 80, Saturday, November 28, 2015 10:40:51
[LAN access from remote] from 90.204.246.68:26596 to 192.168.1.9:63457, Saturday, November 28, 2015 10:40:15
[Time synchronized with NTP server] Saturday, November 28, 2015 10:36:51
[LAN access from remote] from 87.88.222.142:55756 to 192.168.1.9:63457, Saturday, November 28, 2015 10:36:38
[LAN access from remote] from 87.88.222.142:35939 to 192.168.1.9:63457, Saturday, November 28, 2015 10:36:38
[LAN access from remote] from 111.221.77.154:40024 to 192.168.1.9:63457, Saturday, November 28, 2015 10:31:06
[admin login] from source 192.168.1.9, Saturday, November 28, 2015 10:23:53
[DoS Attack: Land Attack] from source: 255.255.255.255, port 67, Saturday, November 28, 2015 10:23:44
[Access Control] Device ANDROID-EFB7EA92D8391DF6 with MAC address 00:09:4C:3B: the network, Saturday, November 28, 2015 10:23:25
[LAN access from remote] from 78.14.179.231:61108 to 192.168.1.9:63457, Saturday, November 28, 2015 10:21:19
[LAN access from remote] from 78.14.179.231:62967 to 192.168.1.9:63457, Saturday, November 28, 2015 10:21:19
[UPnP set event: add_nat_rule] from source 192.168.1.9, Saturday, November 28, 2015 10:21:15
[Internet connected] IP address: (my IP address , Saturday, November 28, 2015 10:21:05
[Internet disconnected] Saturday, November 28, 2015 10:20:25
[DHCP IP: 192.168.1.6] to MAC address 14:99:e2:1c:a0:19, Saturday, November 28, 2015 10:20:22
[DHCP IP: 192.168.1.6] to MAC address 14:99:e2:1c:a0:19, Saturday, November 28, 2015 10:20:21
[Access Control] Device SETHS-APPLE-TV with MAC address 14:99:E2:1C:A0:19 is a the network, Saturday, November 28, 2015 10:20:20
[Access Control] Device ANDROID-EFB7EA92D8391DF6 with MAC address 00:09:4C:3B: the network, Saturday, November 28, 2015 10:20:19
[DHCP IP: 192.168.1.2] to MAC address 14:2d:27:bb:7d:93, Saturday, November 28, 2015 10:20:06
[Access Control] Device MAIN-PC with MAC address F8:0F:41:CD:AC:0B is allowed  the network, Saturday, November 28, 2015 10:20:01
[DHCP IP: 192.168.1.5] to MAC address 38:0f:4a:4f:60:90, Saturday, November 28, 2015 10:19:24
[Access Control] Device COMPUTER with MAC address 38:0F:4A:4F:60:90 is allowed the network, Saturday, November 28, 2015 10:19:23
[DHCP IP: 192.168.1.5] to MAC address 38:0f:4a:4f:60:90, Saturday, November 28, 2015 10:19:23
[admin login] from source 192.168.1.7, Saturday, November 28, 2015 10:19:22
[Access Control] Device ANDROID-EFB7EA92D8391DF6 with MAC address 00:09:4C:3B: the network, Saturday, November 28, 2015 10:19:11
[Access Control] Device CHROMECAST with MAC address 6C:AD:F8:7B:46:4A is allow the network, Saturday, November 28, 2015 10:19:10
[DHCP IP: 192.168.1.8] to MAC address 70:73:cb:78:69:c6, Saturday, November 28, 2015 10:19:09
[Access Control] Device GABRIELLES-IPOD with MAC address 70:73:CB:78:69:C6 is  the network, Saturday, November 28, 2015 10:19:09
[DHCP IP: 192.168.1.4] to MAC address 00:09:4c:3b:40:54, Saturday, November 28, 2015 10:19:08
[DHCP IP: 192.168.1.3] to MAC address 6c:ad:f8:7b:46:4a, Saturday, November 28, 2015 10:19:08
[DHCP IP: 192.168.1.7] to MAC address 24:24:0e:52:8b:41, Saturday, November 28, 2015 10:19:02
[Access Control] Device GABRIELLE with MAC address 24:24:0E:52:8B:41 is allowe the network, Saturday, November 28, 2015 10:19:02
[DHCP IP: 192.168.1.2] to MAC address 14:2d:27:bb:7d:93, Saturday, November 28, 2015 10:18:53
[DHCP IP: 192.168.1.2] to MAC address 14:2d:27:bb:7d:93, Saturday, November 28, 2015 10:17:22
[Access Control] Device Unknown with MAC address 14:2D:27:BB:7D:93 is allowed  the network, Saturday, November 28, 2015 10:16:33
[Access Control] Device MAIN-PC with MAC address F8:0F:41:CD:AC:0B is blocked  the network, Saturday, November 28, 2015 10:16:10
[DHCP IP: 192.168.1.2] to MAC address 14:2d:27:bb:7d:93, Saturday, November 28, 2015 10:15:42
[DHCP IP: 192.168.1.9] to MAC address f8:0f:41:cd:ac:0b, Saturday, November 28, 2015 10:15:37
[Initialized, firmware version: V1.0.0.58] Saturday, November 28, 2015 10:15:29

Here's one of the unknown IP addresses I found in the log: https://db-ip.com/88.180.30.194 and an unknown MAC address 00:09:4C:3B:40:54, which I linked to this website: http://coweaver.tradekorea.com/

If anyone could tell me what happened that would be awesome :)


1 Answer


Yes, most likely it was hacked.

The tell-tale sign is the range of ports used: all OSes use low ports (< about 10,000) to listen for incoming connections, and high ports (the remaining ones, but especially those above 30,000) for outgoing connections. Instead, your log displays connections between pairs of high ports, which means no conventional access to your pc was used: no telnet, no ssh, no http, and so on. The use of pairs of high ports is instead typical of a classic hacker tool duo, netcat and meterpreter.

In particular, it is abundantly clear the hacker left a backdoor on pc 192.168.1.9 listening on port 63457, but he also did some port forwarding to allow connections to this port on this pc to go through your router. So the hacker violated both this pc and your router. There is further proof of this in these two lines:

[LAN access from remote] from 88.180.30.194:60240 to 192.168.1.9:63457, Saturday, November 28, 2015 10:45:21
[admin login] from source 192.168.1.9, Saturday, November 28, 2015 10:45:21

Look at the time stamps: within a second, the hacker logs into pc 192.168.1.9, and then from that gains admin access to your router.

Mitigation steps

  1. You are in a tight spot, because you have a powerful enemy lurking right outside your door. You should remain disconnected until you have taken sufficient measures to erect against him a powerful barrier. The risk here is that, since he knows he has been discovered, he will proceed to hack all of your machines, including the line printer (yes, it can be done), and you will never get rid of him. All this while you surely have a fifth column in your LAN, pc 192.168.1.9. We will take it one step at a time.

  2. Buy another router, of a different brand, possibly one with an easily configurable firewall. I use the Buffalo routers with pre-installed DD-WRT, a powerful OS.

  3. Disconnect the pc identified by 192.168.1.9, and keep it turned off.

  4. Replace the old router but do not connect the new one to the Internet yet.

  5. Configure it from within your LAN with any other pc.

  6. In particular, (these instructions for a DD-WRT router will give you an idea of what to do even in the non-DD-WRT router), go to the Services tab, and disable telnet access and VNC repeater, and enable syslogd.

  7. Go to the Administration tab, and disable all buttons under Remote Access. Still in the Administration tab, change the password to something formidable, something like I_want_T0_k33p_all_Hacck3rs_0ut! (the spelling error is deliberate). Those who are technically savvy should enable passwordless login (in Services-> Services, Secure Shell), then, under Administration-> Management, Web Access, they should disable http and enable https only, so as to prevent passing clear-text passwords; the details on how to connect to a DD-WRT router via https can be found here; it requires the ssh connection we just enabled.

  8. Now go to Administration -> Commands, and type the following into the Commands area:

      # shut out one of the offending source addresses in both directions
      iptables -A INPUT -s 88.180.30.194 -j DROP
      iptables -A OUTPUT -d 88.180.30.194 -j DROP
      # allow replies to connections you started yourself
      iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      # drop everything else arriving on the WAN side (appended after the
      # ESTABLISHED rule, so it does not break your own connections)
      iptables -A INPUT -i $WAN_IFACE -j DROP
    

    Here $WAN_IFACE is the name of the NIC connected to your ISP; in my system it would be vlan2, but you had better check on your system. The first two rules shut out completely one of the IP addresses from which came the illegal connections to your pc 192.168.1.9. You may wish to add other similar rules to shut out also 105.101.68.216 and so on. The third rule allows input which is a continuation of connections started by you, i.e. presumably legal connections. The fourth rule shuts out everything else.

    Hit Save firewall, and you are done.

  9. Now leave the router on but disconnected from the Internet for about a day, and see whether any pc other than 192.168.1.9 tries to contact strange IP addresses. Legitimate companies, like Microsoft or Apple, Akamai or Sony, do not count, but consumer accounts in Algeria, Burundi, France, Germany, Singapore, UK (the apparent sources of the connections in the log above) do. If there are such attempts, take the originating pc offline, turn it off, and subject it to the treatment of Step 11.

  10. Now you may connect the new router to the Internet.

  11. Now take your (turned off!) pc 192.168.1.9 and bring it elsewhere, i.e. not at your home. Turn it on, and either run all anti-virus tests available to mankind, or, better still, re-install the operating system.

  12. Check the system log of your brand new router daily, for some time, to make sure there are no more connections of the above sort: there is always the possibility that the hacker infiltrated other systems in your home. As soon as you see traces of this, repeat the steps above for the hacked pc, and when the infected pc is off-line, change the router password.

  13. You may toss the old router, or, better still, decide that it is a fun project installing DD-WRT on it. You may find out here whether that is possible. If it is, then it is some fun, and you would also get a shining new, safe, powerful router, from the pile of garbage it is instead today.

  14. At some point in the future, you ought to learn to configure the firewall, iptables, properly, and how to setup passwordless ssh connection to the router, which would allow you to disable password login completely (see here for a brief description of how to do it). But these things can wait.

You should be happy: your hacker, despite having penetrated your router, was absent-minded enough to leave the system log in place, which ultimately led to his detection. You might not be so lucky next time.

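The triage the answer performs by eye (Internet hosts repeatedly reaching one LAN host on a high port, a UPnP port-mapping request from that host, and a router admin login from it within seconds of a remote access) can be scripted, and the same data can drive the step-8 firewall rules. The following is an added example, not code from the question or the answer: the regexes assume the NETGEAR-style line layout shown in the question, the sample log is a constructed subset of the lines posted above, the 5-second correlation window and the 49152 "ephemeral port" threshold are the author's assumptions, and the `vlan2` interface name is only a placeholder as in the answer. The generated rules differ from the posted ones in two respects explained in the code comments (every rule carries `-j DROP`, and the catch-all is appended after the conntrack ACCEPT; the FORWARD rules are an addition).

```python
"""Triage a consumer-router log for the pattern discussed in the answer and
emit firewall rules for the sources it finds.  Added example; the line
formats are assumed from the NETGEAR-style log quoted in the question."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample: a subset of the lines posted in the question, newest first.
SAMPLE_LOG = """\
[LAN access from remote] from 88.180.30.194:60240 to 192.168.1.9:63457, Saturday, November 28, 2015 10:45:21
[admin login] from source 192.168.1.9, Saturday, November 28, 2015 10:45:21
[LAN access from remote] from 105.101.68.216:51919 to 192.168.1.9:63457, Saturday, November 28, 2015 10:45:20
[DoS Attack: SYN/ACK Scan] from source: 46.101.249.112, port 80, Saturday, November 28, 2015 10:40:51
[Time synchronized with NTP server] Saturday, November 28, 2015 10:36:51
[LAN access from remote] from 78.14.179.231:61108 to 192.168.1.9:63457, Saturday, November 28, 2015 10:21:19
[UPnP set event: add_nat_rule] from source 192.168.1.9, Saturday, November 28, 2015 10:21:15
[admin login] from source 192.168.1.7, Saturday, November 28, 2015 10:19:22
"""

TS_FMT = "%A, %B %d, %Y %H:%M:%S"
REMOTE_RE = re.compile(r"\[LAN access from remote\] from (\S+):(\d+) to (\S+):(\d+), (.+)")
ADMIN_RE = re.compile(r"\[admin login\] from source (\S+), (.+)")
UPNP_RE = re.compile(r"\[UPnP set event: (\w+)\] from source (\S+), (.+)")
EPHEMERAL_FLOOR = 49152  # IANA dynamic range; a service listening here is unusual (assumption)


def parse_log(text):
    """Parse the three event types we care about; other lines are ignored."""
    events = []
    for line in text.splitlines():
        if m := REMOTE_RE.match(line):
            events.append({"kind": "remote", "src": m[1], "sport": int(m[2]),
                           "dst": m[3], "dport": int(m[4]),
                           "ts": datetime.strptime(m[5], TS_FMT)})
        elif m := ADMIN_RE.match(line):
            events.append({"kind": "admin", "src": m[1],
                           "ts": datetime.strptime(m[2], TS_FMT)})
        elif m := UPNP_RE.match(line):
            events.append({"kind": "upnp", "action": m[1], "src": m[2],
                           "ts": datetime.strptime(m[3], TS_FMT)})
    events.sort(key=lambda e: e["ts"])  # the router prints newest first
    return events


def find_backdoor_targets(events):
    """Map (LAN host, high port) -> sorted public source IPs that reached it."""
    hits = defaultdict(set)
    for e in events:
        if (e["kind"] == "remote" and e["dport"] >= EPHEMERAL_FLOOR
                and not ip_address(e["src"]).is_private):
            hits[(e["dst"], e["dport"])].add(e["src"])
    return {k: sorted(v) for k, v in hits.items()}


def correlate_admin_logins(events, window=timedelta(seconds=5)):
    """Router admin logins from a LAN host within `window` after a remote
    access to that same host.  Returns (admin source, login time, remote sources)."""
    findings = []
    for a in (e for e in events if e["kind"] == "admin"):
        suspects = {r["src"] for r in events
                    if r["kind"] == "remote" and r["dst"] == a["src"]
                    and timedelta(0) <= a["ts"] - r["ts"] <= window}
        if suspects:
            findings.append((a["src"], a["ts"], sorted(suspects)))
    return findings


def upnp_nat_rule_sources(events):
    """LAN hosts that asked the router to open a port through UPnP."""
    return sorted({e["src"] for e in events
                   if e["kind"] == "upnp" and e["action"] == "add_nat_rule"})


def iptables_block_rules(targets, wan_iface="vlan2"):
    """DD-WRT iptables commands in the spirit of the answer's step 8.
    Differences from the posted rules: every rule ends in `-j DROP`, and the
    WAN catch-all is appended (-A) after the conntrack ACCEPT instead of
    inserted (-I) above it, so replies to your own connections still pass.
    The FORWARD rules are an addition: traffic port-forwarded to a LAN host
    traverses FORWARD, not INPUT, so INPUT alone would not block 63457."""
    sources = sorted({s for srcs in targets.values() for s in srcs}, key=ip_address)
    rules = []
    for s in sources:
        rules += [f"iptables -A INPUT -s {s} -j DROP",
                  f"iptables -A OUTPUT -d {s} -j DROP",
                  f"iptables -A FORWARD -s {s} -j DROP"]
    rules.append("iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    rules.append(f"iptables -A INPUT -i {wan_iface} -j DROP")
    return rules


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    targets = find_backdoor_targets(ev)
    for (host, port), srcs in targets.items():
        print(f"{host}:{port} reached from {len(srcs)} public IPs: {', '.join(srcs)}")
    for host, ts, srcs in correlate_admin_logins(ev):
        print(f"admin login from {host} at {ts} within 5s of remote access from {', '.join(srcs)}")
    print("UPnP add_nat_rule requested by:", ", ".join(upnp_nat_rule_sources(ev)))
    print("\n".join(iptables_block_rules(targets)))
```

Run against the full log from the question, the script lists every public address that touched 192.168.1.9:63457, flags the 10:45:21 admin login as following remote accesses within the window, and names 192.168.1.9 as the host that requested the UPnP mapping; paste the printed rules into Administration -> Commands after replacing `vlan2` with your actual WAN interface.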
  • I'm sorry I've only one vote to give to this answer... (but I patched somehow ;) )
    – Hastur
    Commented Nov 29, 2015 at 8:47
  • 1
    @Hastur So I upvoted the Question too :p
    – RogUE
    Commented Dec 8, 2015 at 16:14
  • This well-done answer starts out sounding rather extremist (especially the first sentence of point number one). Yet it is accurate: I wholeheartedly agree.
    – TOOGAM
    Commented Dec 8, 2015 at 18:30
  • 'tis unfortunate... I thought it perfectly captured the dire reality, and effectively communicated just how important it is to be careful. ("You are in a tight spot, because you have a powerful enemy lurking right outside your door.") I know "extremist" can be viewed negatively, but sometimes it's called for. Did you, @MariusMatutiae, not notice the overall positive overtones I started and ended the prior comment with?
    – TOOGAM
    Commented Dec 8, 2015 at 21:41
