Aspiring Contributor
Message 1 of 35

My network is under attack

This has been going on a while.
About 2 weeks ago someone managed to shut down my PC, corrupt my boot sector, destroy a HDD and scrub my event log.
I managed to recover everything, format the drives to GPT, scrub them, then reinstall Windows 10. The SSD and all the other components survived, but my HDD is dead.

Bought a full Norton package, went through all my router settings and tightened everything up.
I suspect this attack is a business rival or a disgruntled customer whose job I had to drop at the start of this covid-19 stuff.

11:28:56, 13 Apr.IN: BLOCK [16] Remote administration (TCP [24.212.15.149]:10375->[86.171.64.51]:8080 on ppp3)
11:24:17, 13 Apr.IN: BLOCK [16] Remote administration (TCP [91.226.58.44]:18086->[86.171.64.51]:8080 on ppp3)
11:23:50, 13 Apr.IN: BLOCK [16] Remote administration (TCP [185.143.221.85]:55982->[86.171.64.51]:443 on ppp3)
11:23:30, 13 Apr.IN: BLOCK [16] Remote administration (TCP [62.173.149.190]:53089->[86.171.64.51]:80 on ppp3)
11:20:13, 13 Apr.IN: BLOCK [16] Remote administration (TCP [222.142.140.22]:9056->[86.171.64.51]:80 on ppp3)
11:18:52, 13 Apr.IN: BLOCK [16] Remote administration (TCP [200.236.117.48]:3840->[86.171.64.51]:80 on ppp3)
11:12:16, 13 Apr.IN: BLOCK [16] Remote administration (TCP [178.54.207.101]:49501->[86.171.64.51]:22 on ppp3)
11:10:56, 13 Apr.IN: BLOCK [16] Remote administration (TCP [92.118.37.58]:52233->[86.171.64.51]:8443 on ppp3)
11:05:34, 13 Apr.IN: BLOCK [16] Remote administration (TCP [207.180.198.112]:46041->[86.171.64.51]:22 on ppp3)
11:04:07, 13 Apr.IN: BLOCK [5] Fragmented packet (IP 185.64.189.112->86.171.64.51 fragment_offset=2960)
11:00:49, 13 Apr.IN: BLOCK [16] Remote administration (TCP [89.163.153.41]:39601->[86.171.64.51]:22 on ppp3)
10:59:50, 13 Apr.IN: BLOCK [16] Remote administration (TCP [165.227.89.114]:37872->[86.171.64.51]:22 on ppp3)
10:58:55, 13 Apr.IN: BLOCK [16] Remote administration (UDP [162.243.133.176]:52388->[86.171.64.51]:161 on ppp3)
10:53:44, 13 Apr.IN: BLOCK [16] Remote administration (TCP [216.243.31.2]:55535->[86.171.64.51]:80 on ppp3)
10:53:20, 13 Apr.IN: BLOCK [16] Remote administration (TCP [45.125.66.204]:48462->[86.171.64.51]:80 on ppp3)
10:52:29, 13 Apr.IN: BLOCK [16] Remote administration (TCP [62.173.149.190]:53123->[86.171.64.51]:443 on ppp3)

This is just a current snapshot. The attempts vary between just packets, TCP reset attacks and remote administration. The log changes every time I look at it; stuff is getting scrubbed.

I want to know mainly if I can download my full event log, and what can I do?
I have disabled all forms of remote access and everything possible, so I am confident they can't damage my PC again. However, this is relentless. I have had to limit all my devices to wired connection, because if I enable wireless the requests triple and I become unable to log into the router.

34 REPLIES

Distinguished Sage
Message 2 of 35

Re: My network is under attack

From your post, are you a business customer? If so, you need to post here, as this is the residential forum:

https://business.forums.bt.com/



Aspiring Contributor
Message 3 of 35


Re: My network is under attack

No, I am a personal customer. I am a sole trader and this is my home network.

Distinguished Sage
Message 4 of 35

Re: My network is under attack


@Chris36 wrote:

No, I am a personal customer. I am a Sole-trader and this is my home network.


If you are trading under a name, then you are a business.

Either way, I suggest you factory reset your BT hub, which will remove any persistent connections.

I would also suspect that you have open ports on ports 80, 443, and 8080, which will make you a target for attacks.

Aspiring Contributor
Message 5 of 35

Re: My network is under attack

I am a landscape gardener?
I use my network to surf facebook and play Battle.net games, there's not a lot of landscaping you can do via a PC...

Can we focus on the problem I'm suffering on my home network please?
I have no idea why this is going on, just a hunch it could be related to my work.
Factory reset doesn't resolve the attack.

12:53:47, 13 Apr.IN: BLOCK [15] Default policy (TCP [80.82.64.73]:52212->[109.149.79.51]:1437 on ppp3)
12:53:46, 13 Apr.IN: BLOCK [15] Default policy (TCP [23.195.126.249]:443->[109.149.79.51]:44116 on ppp3)
12:53:46, 13 Apr.BLOCKED 1 more packets (because of Default policy)
12:53:45, 13 Apr.IN: BLOCK [15] Default policy (TCP [23.13.216.186]:443->[109.149.79.51]:44616 on ppp3)
12:53:45, 13 Apr.BLOCKED 1 more packets (because of Default policy)
12:53:45, 13 Apr.IN: BLOCK [15] Default policy (TCP [2.17.146.85]:443->[109.149.79.51]:41380 on ppp3)
12:53:43, 13 Apr.IN: BLOCK [15] Default policy (TCP [2.17.146.85]:443->[109.149.79.51]:41406 on ppp3)
12:53:39, 13 Apr.IN: BLOCK [15] Default policy (TCP [23.195.126.249]:443->[109.149.79.51]:44116 on ppp3)
12:53:39, 13 Apr.BLOCKED 3 more packets (because of Default policy)
12:53:39, 13 Apr.IN: BLOCK [15] Default policy (TCP [2.17.146.85]:443->[109.149.79.51]:41380 on ppp3)
12:53:39, 13 Apr.BLOCKED 1 more packets (because of Default policy)
12:53:36, 13 Apr.BLOCKED 3 more packets (because of Default policy)
12:53:36, 13 Apr.IN: BLOCK [15] Default policy (TCP [2.17.146.85]:443->[109.149.79.51]:41384 on ppp3)
12:53:36, 13 Apr.BLOCKED 3 more packets (because of Default policy)
12:53:36, 13 Apr.IN: BLOCK [15] Default policy (TCP [23.195.126.249]:443->[109.149.79.51]:44116 on ppp3)
12:53:36, 13 Apr.BLOCKED 10 more packets (because of Default policy)
12:53:36, 13 Apr.IN: BLOCK [15] Default policy (TCP [2.17.146.85]:443->[109.149.79.51]:41406 on ppp3)
12:53:36, 13 Apr.BLOCKED 8 more packets (because of Default policy)
12:53:36, 13 Apr.IN: BLOCK [15] Default policy (TCP [23.13.216.186]:443->[109.149.79.51]:44616 on ppp3)
12:53:36, 13 Apr.BLOCKED 14 more packets (because of Default policy)
12:53:36, 13 Apr.IN: BLOCK [15] Default policy (TCP [2.17.146.85]:443->[109.149.79.51]:41380 on ppp3)
12:53:35, 13 Apr.( 201.890000) WPA2 mode selected
12:53:32, 13 Apr.( 198.570000) WPA2 mode selected
12:53:27, 13 Apr.( 193.200000) CWMP: session completed successfully
12:53:27, 13 Apr.IN: BLOCK [15] Default policy (TCP [135.92.6.73]:443->[109.149.79.51]:49508 on ppp3)
12:53:24, 13 Apr.( 190.370000) CWMP: Set Parameter by TR069 Success
12:53:21, 13 Apr.( 187.630000) CWMP: Set Parameter by TR069 Success
12:53:20, 13 Apr.( 186.130000) CWMP: Set Parameter by TR069 failure 9007: Unable to activate 5GHz capability when 2.4GHz is inactive
12:53:18, 13 Apr.( 184.590000) CWMP: HTTP authentication success from https://pbthdm.bt.mo
12:53:13, 13 Apr.BLOCKED 1 more packets (because of Default policy)
12:53:13, 13 Apr.IN: BLOCK [15] Default policy (TCP [185.119.173.53]:443->[109.149.79.51]:60453 on ppp3)
12:53:12, 13 Apr.( 179.040000) CWMP: Server URL: https://pbthdm.bt.mo; Connecting as user: ACS username
12:53:12, 13 Apr.( 179.040000) CWMP: Session start now. Event code(s): '0 BOOTSTRAP'
12:53:12, 13 Apr.( 178.600000) CWMP: session completed successfully
12:53:09, 13 Apr.IN: BLOCK [15] Default policy (TCP [89.248.160.178]:50982->[109.149.79.51]:18209 on ppp3)
12:53:08, 13 Apr.( 175.010000) CWMP: Initializing transaction for event code 0 BOOTSTRAP
12:53:08, 13 Apr.( 174.840000) CWMP: Set Parameter by TR069 Success
12:53:07, 13 Apr.( 173.160000) CWMP: HTTP authentication success from https://pbthdmw.bt.mo
12:53:03, 13 Apr.( 169.190000) CWMP: Server URL: https://pbthdmw.bt.mo; Connecting as user: Default username
12:53:03, 13 Apr.( 169.190000) CWMP: Session start now. Event code(s): '6 CONNECTION REQUEST'
12:53:02, 13 Apr.( 168.760000) CWMP: Initializing transaction for event code 6 CONNECTION REQUEST
12:53:01, 13 Apr.( 167.420000) CWMP: session completed successfully
12:53:01, 13 Apr.IN: BLOCK [15] Default policy (TCP [135.92.6.74]:443->[109.149.79.51]:36156 on ppp3)
12:52:57, 13 Apr.( 163.640000) CWMP: Set Parameter by TR069 Success
12:52:56, 13 Apr.IN: BLOCK [15] Default policy (TCP [1.1.1.1]:443->[109.149.79.51]:60467 on ppp3)
12:52:55, 13 Apr.( 161.930000) CWMP: HTTP authentication success from https://pbthdmw.bt.mo
12:52:55, 13 Apr.IN: BLOCK [15] Default policy (TCP [92.118.37.58]:52233->[109.149.79.51]:9212 on ppp3)
12:52:51, 13 Apr.IN: BLOCK [15] Default policy (TCP [1.1.1.1]:443->[109.149.79.51]:60451 on ppp3)
12:52:48, 13 Apr.( 155.120000) NTP synchronization success!
12:52:46, 13 Apr.( 153.540000) New GUI session from IP 192.168.1.64
12:52:45, 13 Apr.( 152.650000) Admin login successful by 192.168.1.64 on HTTP
12:52:45, 13 Apr.BLOCKED 1 more packets (because of Default policy)
12:52:45, 13 Apr.IN: BLOCK [15] Default policy (TCP [185.156.73.54]:47729->[109.149.79.51]:1994 on ppp3)
12:52:42, 13 Apr.( 149.200000) CWMP: Server URL: https://pbthdmw.bt.mo; Connecting as user: Default username
12:52:42, 13 Apr.( 149.190000) CWMP: Session start now. Event code(s): '0 BOOTSTRAP,4 VALUE CHANGE'
12:52:41, 13 Apr.( 148.460000) NTP synchronization start
12:52:40, 13 Apr.( 147.390000) WAN operating mode is VDSL
12:52:39, 13 Apr.( 146.090000) PPP IPCP Receive Configuration ACK

Distinguished Sage
Message 6 of 35

Re: My network is under attack


@Chris36 wrote:

I am a landscape gardener?
I use my network to surf facebook and play Battle.net games, there's not a lot of landscaping you can do via a PC...

Can we focus on the problem I'm suffering on my home network please?
I have no idea why this is going on, just a hunch it could be related to my work.


Then you have open ports, probably as a result of playing games, as that exposes your IP address to other users.

The firewall is blocking these attempts anyway, so just ignore the event log.

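An added example, not part of any post in this thread, that puts numbers behind the advice above ("the firewall is blocking these attempts anyway") so a reader can tell Internet background scanning from something aimed at them. It parses the three line shapes the hub log uses (a blocked TCP/UDP connection, a blocked fragment, and the "BLOCKED N more packets" aggregate) and applies two analyst heuristics that are my assumptions, not a hub feature: an unsolicited connection from a high source port to a well-known service port is a probe, and a packet arriving *from* source port 80 or 443 *to* a high port on the hub has the shape of reply traffic for a connection a LAN device opened itself, which a stateful firewall drops once it has no NAT state for it, as happens right after the reboot visible in the second log (PPP IPCP ACK, NTP sync, CWMP BOOTSTRAP). Every address in SAMPLE_LOG is constructed from documentation ranges and stands in for the real ones in the thread.

```python
"""Triage a BT Home Hub firewall log: targeted, or Internet background noise?

Added example; not code from the thread or from BT.  Line formats are copied from
the log pasted above; all IPs and ports in SAMPLE_LOG are constructed.
"""
import re
from collections import Counter

# Shapes seen in the pasted log:
#   11:28:56, 13 Apr.IN: BLOCK [16] Remote administration (TCP [src]:10375->[dst]:8080 on ppp3)
#   11:04:07, 13 Apr.IN: BLOCK [5] Fragmented packet (IP src->dst fragment_offset=2960)
#   12:53:46, 13 Apr.BLOCKED 1 more packets (because of Default policy)
_PREFIX = r"^(?P<time>\d\d:\d\d:\d\d), (?P<date>\d+ \w+)\."
BLOCK_RE = re.compile(
    _PREFIX + r"IN: BLOCK \[(?P<rule>\d+)\] (?P<name>[^(]+?) "
    r"\((?P<proto>TCP|UDP) \[(?P<src>[\d.]+)\]:(?P<sport>\d+)->\[(?P<dst>[\d.]+)\]:(?P<dport>\d+) on (?P<iface>\S+)\)$"
)
FRAG_RE = re.compile(
    _PREFIX + r"IN: BLOCK \[(?P<rule>\d+)\] (?P<name>[^(]+?) "
    r"\(IP (?P<src>[\d.]+)->(?P<dst>[\d.]+) fragment_offset=(?P<offset>\d+)\)$"
)
MORE_RE = re.compile(_PREFIX + r"BLOCKED (?P<count>\d+) more packets")

# Ports that Internet-wide scanners probe all day; hits here from many unrelated
# sources are the normal background noise of any public IP address.
SERVICE_PORTS = {21, 22, 23, 25, 53, 80, 110, 143, 161, 443, 445, 3389, 5900, 8080, 8443}


def parse_line(line):
    """Return a dict for one hub log line, or None for lines that are not firewall events."""
    line = line.strip().replace("\u200b", "")  # copy/paste leaves zero-width spaces inside '->'
    m = BLOCK_RE.match(line)
    if m:
        d = m.groupdict()
        d.update(kind="block", rule=int(d["rule"]), sport=int(d["sport"]), dport=int(d["dport"]))
        return d
    m = FRAG_RE.match(line)
    if m:
        d = m.groupdict()
        d.update(kind="fragment", rule=int(d["rule"]), offset=int(d["offset"]))
        return d
    m = MORE_RE.match(line)
    if m:
        d = m.groupdict()
        d.update(kind="more", count=int(d["count"]))
        return d
    return None


def classify(ev):
    """Analyst heuristic (an assumption of this example, not a hub feature).

    probe       : unsolicited connection from a high source port to a well-known service port
    late_return : packet from server port 80/443 to a high port on the hub, i.e. the tail of a
                  connection a LAN device opened; dropped when the hub has lost its NAT state
    other       : fragments, aggregates, and port pairs that fit neither pattern
    """
    if ev["kind"] != "block":
        return "other"
    if ev["dport"] in SERVICE_PORTS and ev["sport"] >= 1024:
        return "probe"
    if ev["sport"] in (80, 443) and ev["dport"] >= 1024:
        return "late_return"
    return "other"


def summarize(lines):
    """Aggregate a pasted log into the figures a defender compares before concluding anything."""
    events = [e for e in map(parse_line, lines) if e]
    probes = [e for e in events if classify(e) == "probe"]
    probe_sources = Counter(e["src"] for e in probes)
    return {
        "events": len(events),
        "categories": dict(Counter(classify(e) for e in events)),
        "probe_ports": dict(Counter(e["dport"] for e in probes)),
        # background scanning: many sources, each seen once or twice
        # a single determined attacker: one source hammering many ports
        "distinct_probe_sources": len(probe_sources),
        "max_hits_from_one_source": max(probe_sources.values(), default=0),
        "unparsed": sum(1 for ln in lines if ln.strip() and parse_line(ln) is None),
    }


# Constructed sample in the hub's format (documentation-range addresses, not the thread's).
SAMPLE_LOG = """\
11:28:56, 13 Apr.IN: BLOCK [16] Remote administration (TCP [203.0.113.10]:10375->[198.51.100.7]:8080 on ppp3)
11:23:50, 13 Apr.IN: BLOCK [16] Remote administration (TCP [203.0.113.11]:55982->[198.51.100.7]:443 on ppp3)
11:12:16, 13 Apr.IN: BLOCK [16] Remote administration (TCP [203.0.113.12]:49501->[198.51.100.7]:22 on ppp3)
11:05:34, 13 Apr.IN: BLOCK [16] Remote administration (TCP [203.0.113.13]:46041->[198.51.100.7]:22 on ppp3)
11:04:07, 13 Apr.IN: BLOCK [5] Fragmented packet (IP 203.0.113.14->198.51.100.7 fragment_offset=2960)
10:58:55, 13 Apr.IN: BLOCK [16] Remote administration (UDP [203.0.113.15]:52388->[198.51.100.7]:161 on ppp3)
12:53:46, 13 Apr.IN: BLOCK [15] Default policy (TCP [192.0.2.20]:443->[198.51.100.7]:44116 on ppp3)
12:53:46, 13 Apr.BLOCKED 1 more packets (because of Default policy)
12:53:45, 13 Apr.IN: BLOCK [15] Default policy (TCP [192.0.2.21]:443->[198.51.100.7]:41380 on ppp3)
12:53:47, 13 Apr.IN: BLOCK [15] Default policy (TCP [203.0.113.16]:52212->[198.51.100.7]:1437 on ppp3)
12:52:40, 13 Apr.( 147.390000) WAN operating mode is VDSL
""".splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To use it on a real paste, save the hub's event log to a file and call `summarize(open(path).read().splitlines())`. The two figures to read together are `distinct_probe_sources` and `max_hits_from_one_source`: a long list of sources each seen once, spread over ports 22, 80, 443 and 8080, is what every public address on the Internet receives, and the hub dropping it is the firewall doing exactly what the Sage says it is doing.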

Aspiring Contributor
Message 7 of 35

Re: My network is under attack

I disabled all port forwarding, UPnP and UDP settings last night because they were exploring for vulnerability there.

Distinguished Sage
Message 8 of 35

Re: My network is under attack


@Chris36 wrote:

I disabled all port forwarding, UPnP and UDP settings last night because they were exploring for vulnerability there.


Then you should see fewer attempts now. Just ignore the logs; the firewall is doing its job.

Aspiring Contributor
Message 9 of 35

Re: My network is under attack

Ok thanks.
Will I just have to wait for them to get bored before I can turn on wireless again?

Distinguished Sage
Message 10 of 35

Re: My network is under attack

If the firewall is doing its job, have you thought that it could just have been a hard drive failure that corrupted your operating system, and ultimately the hard drive failed?
