June 16th, 2013, 08:23 AM
I have/am being hacked!
OK just did some sniffing using microsoft network monitor and saw a remote connection from a random IP. Heres the run down.
1738 open for PPTP
47 for protocol GRE
and 2 other ports. RDP 3389 is closed as i connect to my VPN to RDP.
Today, connected and found some PPTP traffic from 18.104.22.168 (attackers address). This soon lead to ALL public DNS A records being changed with this IP. Dynamic updates are disabled.
Domain: megahosting.co.nz (domain name is for educational purposes)
All ports are now closed so DNS may not resolve anymore to this domain!
My tipology is
DSL Router @ 192.168.1.2
Server NIC1 @ 192.168.1.1
Server NIC2 @ 10.16.1.1
WiFi @ 10.16.1.2
This is a PHISICAL break between WAN and LAN. I have disabled NIC2 the LAN interface and the attacks on the server are STILL taking place! (i am letting them roll on so i can get as much info as possible) I currently have a constant flow of traffic from this address using UDP port 51511 and UDP 59168 which is currently pointing to forums.megahosting.co.nz (hacked DNS)
So, how did this person get my VPN password. I am using password complexity requirements and the password is reasonably complex. Is it possible to brute force a VPN? Please help im not all that familiar to attacks and this is the first time ive been HACKED!!
Ive done a little digging on the IP, apparantly it comes from Invercargil, New Zealand which is doubt is true. Im sure hes going through like 100+ proxies.
Last edited by onlinegamesnz; June 16th, 2013 at 08:29 AM.
June 16th, 2013, 08:37 AM
Sorry 1 more thing, netstat-an shows almost every port open, i had to close it as it wouldnt stop loading open ports. Ive checked windows firewall, DMZ setting in router, router NAT forwards, server NAT rules etc, all seems fine.
June 16th, 2013, 11:10 AM
I would run a port scan on your public IP and see what's visible. Google "Shields Up" by Gibson Research. It's free and will tell you what ports are open. I would also suggest running Wireshark on your server and see what it's sending (i.e., do you see consistent packets going to a strange IP). Also, run a virus scan on your server to make sure it's not infected.
Did you say your public DNS records got changed? You should probably change your password to the site that hosts your DNS records.