Was hacked. Am I safe now? Are these danger signs?

[Bluexanadu]

Hello, lately I think Ive been having some issues with my internet security. I was wondering what people here thought. Any help into if there still seems to be an issue or insight as to what could have happened is appreciated.

Recently,

-An email I made for my younger sister to play Elder scrolls online that didnt get any use outside of that and has been stagnant since, I was made aware got hacked and was apparently banned and used to spam. (Says when I logged into it) I wasnt even going to log into it, however, when I went to enter my email on my iPhone, it came up in the auto suggest and I was surprised because its usually my two main that I frequently use and I never have used it since I made it to my acknowledgement. Im not even sure that I ever even saved the password to my phone or even logged in on my phone. The email DOESNT appear on haveibeenpwned. This tipped me off into looking into my security more.

-As I was changing some email things like passwords etc for safety, juggling my iPhone and iMac for ease, I got an email pretending to be apple to an email that doesnt even have an iCloud account attached to it with poor syntax and definitely not apple and no virus-ey link to click, just asking that I go and update my information as there was (I forget exactly) an unknown log in attempt or something. I only cared really because usually it goes right to spam and I dont click but it went to my main inbox. Which makes me think, that someone can see what Im entering to some degree then since they didnt try to direct me anywhere? Or maybe it is literally just purely coincidence. Also the account they said had an Apple ID does not. 

-I noticed that my main email had lots of unsuccessful syncs from various IPs around the world.
(At this point I factory reset all of my devices except ones that arent mine)

-Before, there were more unknown devices (Unknown-XX-XX-XX-XX-XX-XX). There is one that keeps coming up even if I delete it.

IP address looks the same as the rest of the recognized devices except for the last number. I dont know what I have thats creating it as everything is accounted for.

-On my router homepage under protected intrusions, I see these

tcp_port_scan 9
tcp_syn_scan 1
tcp_data_on_syn_segment 42
ping_sweep_scan 1
tcp_syn_flood 1
udp_port_scan 2

Previously, despite being told that everything is constantly under attack, and that this is normal everything read 0s and Ive never intentionally reset my statistics. The number is of course only going up by the day.

-On my router homepage, I get many of these notifications

1. IDS proto parser : tcp data on syn segment

2. IDS scan parser : udp port scan: [NOT MY IP] scanned at least 20 ports at [ROUTER IP] . (1 of 1) : [NOT MY IP] [ROUTER IP] XXXX UDP XXXX->XXXXX

3. FIREWALL replay check (1 of 17): Protocol: ICMP Src ip: [MY IP] Dst ip: [NOT MY IP] Type: Destination Unreachable Code: Port Unreacheable

4. FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: [NOT MY IP] Dst ip: [ROUTER IP] Type: Time Exceeded Code: Time to Live exceeded in Transit

And more.

The times that these events happen often will be very close together. (Within about 20 minutes or less and then cut off for a bit)

Most of these IPs say they belong to apple, google, amazon or companies. Is this normal? Is this safe? I ask because is it possible to spoof an IP to make it easier to try and enter a network or something?

-My Wireless mouse and keyboard are not working correctly/ the keyboard even with batteries replaced will often not type correctly. This has only started happening within the last few days.

-Sometimes webpages will not load fully or will just not let me access them to a more frequent than usual degree. 
My internet across all devices is extremely slowed down pretty suddenly. 4.32 DL speed, 0.83 upload speed, 15 pings.

-Unsure if related but: I have gotten 2 spam phone calls when really over this entire year Ive maybe gotten 4ish, then now I get two in two days. I realize thats not a lot but its still odd to me considering the time this happening.

Heres what Ive done so far:
-Added authenticators to things that I could
-Changed any passwords I care about
-Deleted my paypal just to be safe
-Changed my internet passwords that care about
-System reset all of my devices and only loaded back on some things from iCloud. 
-Cleared out my iCloud almost entirely
-Upgraded my mac OS (my computer wouldnt let me before without system resetting apparently)

Maybe it was too much, maybe it wasnt? Honestly, Im not sure. I just wanted to be safe. Id just like to know what you all think if given the things that are still happening if its normal and safe? Thanks so much for reading and maybe helping out. Have a great day.

[David H. Lipman]

Besides locking down your accounts, lock down the Router.  Security through obscurity.

• Disable acceptance of ICMP Pings
• Change the Default Router password
• Use a Strong WiFi password on WPA2 using AES  encryption
• Disable Remote Management
• Is the Router Firmware up-to-date ?
• Specifically set Firewall rules to BLOCK;   TCP and UDP ports 135 ~ 139 and 445

 

 

Edited November 12, 2018 by David H. Lipman

[Bluexanadu]

6 hours ago, David H. Lipman said:

Besides locking down your accounts, lock down the Router.  Security through obscurity.

• Disable acceptance of ICMP Pings
• Change the Default Router password
• Use a Strong WiFi password on WPA2 using AES  encryption
• Disable Remote Management
• Is the Router Firmware up-to-date ?
• Specifically set Firewall rules to BLOCK;   TCP and UDP ports 135 ~ 139 and 445

 

 

Thank you for your reply. I appreciate it throgoughly.

ive changed the password to be very complex very soon after everything happened. I also have changed it a few times since.

AES encryption is the same as WPA2? When I look it up that’s what it says. I’ve since changed my security from WPA/WPA2 mixed to just WPA2.

remote management has always been off, thankfully.

the router auto updates so it should be up to date. I called my ISP and that’s what they said.

i go to my firewall section on my router homepage and go to create new rules but I’m very confused by how to get TCP and UDP ports blocked because those options are in none of the drop downs. (I attached a picture of the options below)

Similarly with disabling acceptance of ICMP pings. 

Ive tried googling but I’m not finding the right information. I’d really appreciate some more help if you wouldn’t mind...

[David H. Lipman]

1. Who is the ISP ?
2. Is the Router provided by the ISP ?
3. What is the Make and Model of the Router ?

 

[Bluexanadu]

2 hours ago, David H. Lipman said:

1. Who is the ISP ?
2. Is the Router provided by the ISP ?
3. What is the Make and Model of the Router ?

 

1. Primus

2. Yes

3. Technicolor TG582n

[David H. Lipman]

Technicolor TG582n   is a DSL Modem+Router

http://www.telecom.co.nz/binarys/telecom-wireless-full-technical.pdf

Creating Firewall Rules is under 9 INTERNET SECURITY on Page 78.  I can not be more specific as I do not know how the settings and/or screens may appear on you appliance.

Source:  Any IP

Destination:  Any IP

Service:  User defined

TCP Ports 135 ~ 139

Action:  Deny

Repeat for:

UDP Ports 135 ~ 139

TCP port 445

UDP Port 445

I could not find how to deny ICMP Pings.  I do not know how the settings and/or screens may appear on you appliance and I could not find anything helpful in the manual.

The below graphic shows how it is configured on my Router. 

 

[alvarnell]

12 hours ago, Bluexanadu said:

AES encryption is the same as WPA2? When I look it up that’s what it says. I’ve since changed my security from WPA/WPA2 mixed to just WPA2

WPA originally used two forms of encryption TKIP & AES, but the former was easily cracked and is now deprecated and no longer considered secure. WPA2 has mandatory use of AES but can still fall back to TKIP for backward compatibility. That's why David specified AES. Usually selecting WPA/WPA2 will use the latter, but you are probably better off having chosen WPA2 to be sure that's what you are getting. 

[Bluexanadu]

On 11/13/2018 at 3:38 AM, alvarnell said:

WPA originally used two forms of encryption TKIP & AES, but the former was easily cracked and is now deprecated and no longer considered secure. WPA2 has mandatory use of AES but can still fall back to TKIP for backward compatibility. That's why David specified AES. Usually selecting WPA/WPA2 will use the latter, but you are probably better off having chosen WPA2 to be sure that's what you are getting. 

Okay that makes sense. Thank you so much.