Jump to content
Due to inclement weather in Southwest Florida, our Clearwater support team is offline. Our other offices are available to assist you, however their responses may be delayed. We appreciate your patience and understanding during this time. ×

Needing help with a persistent DoS attack.


dw222016
 Share

Recommended Posts

Hi everyone, this is my first time here. I've got a major problem happening with my router and internet connection. First thing's first, the symptoms are very frequent network disconnections that are there and gone in seconds, along with even more frequent router logs telling me about remote lan access log ins and various Syn/Ack and "Chargen" DoS attacks. I'm using a Netgear WNDR 4300V3, and I've done all the securing I understand how to do on it, yet these attacks just keep coming and seemingly succeeding. 

 

  I don't have UPnP enable, nor Remote Access, I've locked it down with a good password, changed DNS to OpenDNS, etc. I'm fearing a botnet or rootkit issue, but I've ran both Avast and MBAM premium and neither one of them have found a thing. I tried running HijackThis, but I just don't have the knowledge to read it and understand it. Some entries it says are suspicious, but "visitors say it's safe"..I just don't want to muck with it without knowing what I'm getting into. 

 

  I'd really like to settle this without having to reformat everything, but I'll do what I have to do to get these people/person out of my hair. If a HijackThis log is requested, I can easily post it.

 

  Thanks.

Link to post
Share on other sites

Hello,

    

 

They call me TwinHeadedEagle around here, and I'll try to help your with your issue.

 

     

    

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, what may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
:excl: I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

:excl: There are no silly questions. Never be afraid to ask if in doubt!

 

 

 

  warning.gif Rules and policies

 

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

 

 


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.

Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Link to post
Share on other sites

Hello there, thank you for the reply and any help you can give. I very much appreciate it. I ran this Farbar last night after realizing I was supposed to before I asked for help, but couldn't edit my post. I've attached both the Addition files from that first scan, and a FRST scan from just a few minutes ago so that it can be certain nothing has changed between those times.

Addition.txt

FRST.txt

Link to post
Share on other sites

Unfortunately it doesn't seem so. This is what I am seeing in my router logs:

 

"[DoS Attack: SYN/ACK Scan] from source: 23.235.39.193, port 80, Saturday, November 28, 2015 14:29:49

[LAN access from remote] from 220.167.100.13:6000 to 192.168.1.150:80, Saturday, November 28, 2015 13:50:29
[LAN access from remote] from 185.106.94.2:57578 to 192.168.1.150:80, Saturday, November 28, 2015 13:26:09
[DoS Attack: SYN/ACK Scan] from source: 104.71.249.130, port 80, Saturday, November 28, 2015 13:21:47
[DoS Attack: ACK Scan] from source: 169.54.233.119, port 53, Saturday, November 28, 2015 13:16:23
[admin login] from source 192.168.1.150, Saturday, November 28, 2015 13:13:58
[DoS Attack: SYN/ACK Scan] from source: 45.58.135.130, port 6667, Saturday, November 28, 2015 13:13:32
[DoS Attack: ACK Scan] from source: 93.186.251.13, port 80, Saturday, November 28, 2015 13:01:46
[LAN access from remote] from 54.162.124.221:59983 to 192.168.1.150:443, Saturday, November 28, 2015 12:42:29
[LAN access from remote] from 54.159.78.53:53779 to 192.168.1.150:80, Saturday, November 28, 2015 12:38:00"
 
  I know that port scans are a common thing and not necessarily an issue, but these remote log ins are unexplained.
Link to post
Share on other sites

FRST.gif Scan with Farbar Recovery Scan Tool

 

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.

    (XP users click run after receipt of Windows Security Warning - Open File).

  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please upload them into your next reply.
Link to post
Share on other sites

Hello, here are the files you requested. I think I am slowing figuring this out, TwinHeaded. You see, one of my younger family members plays World of Warcraft, and of course ports are needed to be forwarded. Well, he looked here for that information: https://us.battle.net/support/en/article/configuring-router-and-firewall-ports.

 

  Port 80 and 443 don't seem to be ports one should be forwarding haphazardly, according to Google. So, I went in and took those two ports off the forwarding list. Sure enough, no more "remote lan access" messages since then. That being said, I am still being knocked offline at times by these "Syn/Ack" and "Dos Chargen" attacks. So I'm not quite out of the woods yet. I tell you, I've ran multiple malware scans with other programs such as Malwarebytes Anti-Rootkit and Hitman Pro along with MBAM Premium and Avast..and they just are not finding any infections.

 

  I hope these logs attached provide some kind of answers. I'll use whatever other tools and upload whatever other logs you need to get this thing settled.

 

 

Addition.txt

FRST.txt

Link to post
Share on other sites

FRST.gif Fix with Farbar Recovery Scan Tool
 


icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please upload it to your reply.

fixlist.txt

Link to post
Share on other sites

That is so strange, I don't understand why I'm being hit like this then if there are no botnets, rootkits, etc on the system. I'm certainly happy about a clean PC...but then it makes figuring out how to stop these attacks that much more complicated (to me at least since I've not a clue how all this works on a technical level).

Link to post
Share on other sites

Even if the downloader is not currently running?  It wouldn't have explained the remote lan access or being knocked offline with every scan attack either. I've never had the downloader do this before, and we've had WoW for some time now. Forgive all the questions, I'm just a newbie to this sort of thing and concerned about hacks and data theft.

Link to post
Share on other sites

I guess I can go out and buy one. I'm getting very tired of this, my ISP has been contacted and given logs of these attacks and was told they'd change my IP address..which they didn't. My PC is supposedly clean, I've checked every security option in the router I know to check, etc. For a time, the attacks had ceased knocking me offline, a very short time but a time. Now whomever these people are have started hitting me hard again and knocking my connection out.

 

  I don't really want to spend money on a new router and then come home with it and the attacks still continue, but since I have no other ideas and my ISP isn't all that interested in doing much, I guess I'll just do it.

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.