Needing help with a persistent DoS attack.

[dw222016]

Hi everyone, this is my first time here. I've got a major problem happening with my router and internet connection. First thing's first, the symptoms are very frequent network disconnections that are there and gone in seconds, along with even more frequent router logs telling me about remote lan access log ins and various Syn/Ack and "Chargen" DoS attacks. I'm using a Netgear WNDR 4300V3, and I've done all the securing I understand how to do on it, yet these attacks just keep coming and seemingly succeeding. 

 

  I don't have UPnP enable, nor Remote Access, I've locked it down with a good password, changed DNS to OpenDNS, etc. I'm fearing a botnet or rootkit issue, but I've ran both Avast and MBAM premium and neither one of them have found a thing. I tried running HijackThis, but I just don't have the knowledge to read it and understand it. Some entries it says are suspicious, but "visitors say it's safe"..I just don't want to muck with it without knowing what I'm getting into. 

 

  I'd really like to settle this without having to reformat everything, but I'll do what I have to do to get these people/person out of my hair. If a HijackThis log is requested, I can easily post it.

 

  Thanks.

[TwinHeadedEagle]

Hello,

    

 

They call me TwinHeadedEagle around here, and I'll try to help your with your issue.

 

     

    

Before we start please read and note the following:

• We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
• Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
• Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, what may cause some delays between answers.
• Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
• Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
• Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
• Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

 

 

 

  Rules and policies

 

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

 

 

---

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.

Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

[dw222016]

Hello there, thank you for the reply and any help you can give. I very much appreciate it. I ran this Farbar last night after realizing I was supposed to before I asked for help, but couldn't edit my post. I've attached both the Addition files from that first scan, and a FRST scan from just a few minutes ago so that it can be certain nothing has changed between those times.

Addition.txt

FRST.txt

[TwinHeadedEagle]

Please delete all pirated software from your PC if you want to continue working with me.

[dw222016]

Hello, I totally understand and will be glad to do so, but I'm not quite certain which software you're referring to?  I'm in a multi-member household and haven't installed anything myself that I knew to be pirated. 

[dw222016]

TwinHeadedEagle, it looks like I've found two issues, my current DoS issue and a kid playing on the wrong side of the internet. I found this "pre-crack" and the game that was with it. It's gone now. 

[TwinHeadedEagle]

Is everything fine now? Beside some Adware leftovers I didn't spot sings of malware.

[dw222016]

Unfortunately it doesn't seem so. This is what I am seeing in my router logs:

 

"[DoS Attack: SYN/ACK Scan] from source: 23.235.39.193, port 80, Saturday, November 28, 2015 14:29:49

[LAN access from remote] from 220.167.100.13:6000 to 192.168.1.150:80, Saturday, November 28, 2015 13:50:29

[LAN access from remote] from 185.106.94.2:57578 to 192.168.1.150:80, Saturday, November 28, 2015 13:26:09

[DoS Attack: SYN/ACK Scan] from source: 104.71.249.130, port 80, Saturday, November 28, 2015 13:21:47

[DoS Attack: ACK Scan] from source: 169.54.233.119, port 53, Saturday, November 28, 2015 13:16:23

[admin login] from source 192.168.1.150, Saturday, November 28, 2015 13:13:58

[DoS Attack: SYN/ACK Scan] from source: 45.58.135.130, port 6667, Saturday, November 28, 2015 13:13:32

[DoS Attack: ACK Scan] from source: 93.186.251.13, port 80, Saturday, November 28, 2015 13:01:46

[LAN access from remote] from 54.162.124.221:59983 to 192.168.1.150:443, Saturday, November 28, 2015 12:42:29

[LAN access from remote] from 54.159.78.53:53779 to 192.168.1.150:80, Saturday, November 28, 2015 12:38:00"

 

  I know that port scans are a common thing and not necessarily an issue, but these remote log ins are unexplained.

[TwinHeadedEagle]

Scan with Farbar Recovery Scan Tool

 

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on icon and select Run as Administrator to start the tool.

  (XP users click run after receipt of Windows Security Warning - Open File).

• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.

[dw222016]

Hello, here are the files you requested. I think I am slowing figuring this out, TwinHeaded. You see, one of my younger family members plays World of Warcraft, and of course ports are needed to be forwarded. Well, he looked here for that information: https://us.battle.net/support/en/article/configuring-router-and-firewall-ports.

 

  Port 80 and 443 don't seem to be ports one should be forwarding haphazardly, according to Google. So, I went in and took those two ports off the forwarding list. Sure enough, no more "remote lan access" messages since then. That being said, I am still being knocked offline at times by these "Syn/Ack" and "Dos Chargen" attacks. So I'm not quite out of the woods yet. I tell you, I've ran multiple malware scans with other programs such as Malwarebytes Anti-Rootkit and Hitman Pro along with MBAM Premium and Avast..and they just are not finding any infections.

 

  I hope these logs attached provide some kind of answers. I'll use whatever other tools and upload whatever other logs you need to get this thing settled.

 

 

Addition.txt

FRST.txt

[TwinHeadedEagle]

Fix with Farbar Recovery Scan Tool
 

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please upload it to your reply.

fixlist.txt

[dw222016]

Hello, here's the log you asked for. I hope the post comes through okay, I was just hit with another scan/attack while posting and it may mess it up.

Fixlog.txt

[TwinHeadedEagle]

Good. We only removed some Adware leftovers. Your PC is clean.

[dw222016]

That is so strange, I don't understand why I'm being hit like this then if there are no botnets, rootkits, etc on the system. I'm certainly happy about a clean PC...but then it makes figuring out how to stop these attacks that much more complicated (to me at least since I've not a clue how all this works on a technical level).

[TwinHeadedEagle]

I don't see a reason why someone would attempt to DDOS you. Some firewalls see P2P connections as DDOS attacks, and Blizzard Downloader is using BitTorrent to download content, so this could be a cause of this.

[dw222016]

Even if the downloader is not currently running?  It wouldn't have explained the remote lan access or being knocked offline with every scan attack either. I've never had the downloader do this before, and we've had WoW for some time now. Forgive all the questions, I'm just a newbie to this sort of thing and concerned about hacks and data theft.

[TwinHeadedEagle]

Do you know if you have latest firmware on your router?

[dw222016]

Yes I do actually. In fact I updated it successfully a couple of days ago. 

[TwinHeadedEagle]

Can you borrow another router to see how is it behaving? Contacting Netgear support isn't a bad idea too.

[dw222016]

I guess I can go out and buy one. I'm getting very tired of this, my ISP has been contacted and given logs of these attacks and was told they'd change my IP address..which they didn't. My PC is supposedly clean, I've checked every security option in the router I know to check, etc. For a time, the attacks had ceased knocking me offline, a very short time but a time. Now whomever these people are have started hitting me hard again and knocking my connection out.

 

  I don't really want to spend money on a new router and then come home with it and the attacks still continue, but since I have no other ideas and my ISP isn't all that interested in doing much, I guess I'll just do it.

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!