Has my system been hacked via broadband?

  • 29-08-2009 2:23pm
    #1
    Registered Users, Registered Users 2 Posts: 1,142 ✭✭✭


    Ok this is a strange one, and I may be hacked.

    My laptop is downloading and uploading constantly when I'm connected to the router via ethernet cable. I see this because I have a network activity monitor installed. It shows download and upload activity on a graph. Without it, I'd probably be oblivious.

    Strange thing is when I'm connected through wireless this doesn't happen.

    I've had this network monitor installed for a while and used ethernet in the past and this hasn't happened.

    My computer is definitely not downloading or uploading anything that I can find. And sure, if it was, why would it not do it when on wireless connection?

    Would there be any reason besides a hack that this could be happening when hard wired into the router?

    Or am I going to have to do a reformat to try get rid of poxy hackers? :(


Comments

  • Registered Users Posts: 935 ✭✭✭techie


    Download a program called combofix and run it, it will relieve your laptop of any undesirables :)


  • Registered Users, Registered Users 2 Posts: 1,142 ✭✭✭koHd


    techie wrote: »
    Download a program called combofix and run it, it will relieve your laptop of any undesirables :)

    Will have a read about this and see if I should give it a try.

    Cheers.


  • Registered Users, Registered Users 2 Posts: 739 ✭✭✭Feidhlim


    I always use Spybot, search and destroy

    Good luck anyway, I'm no expert- you'll probably get better answers here!


  • Registered Users, Registered Users 2 Posts: 920 ✭✭✭Vico1612


    I use this http://www.malwarebytes.org/ , did the trick for me in the past
    Good luck
    V


  • Registered Users, Registered Users 2 Posts: 677 ✭✭✭Champ


    Get a software firewall on your laptop which handles inbound as well as outbound connections (the default Windows firewall is notoriously inadequate in regards to outbound connections). Also such software will usually let you see what app/process etc is running the connection so you can see whether it's legit or not.

    It could also be something as innocent as something like Windows or Adobe trying to download updates automatically in the background (I really dislike software that automatically sets itself to do auto updates).

    Take your pick: http://en.wikipedia.org/wiki/Comparison_of_firewalls


  • Registered Users, Registered Users 2 Posts: 6,026 ✭✭✭Amalgam


    Could someone be sharing through your laptop, isn't there internet sharing in Windows?

    Do you have wifi toggled on most of the time on the laptop?


  • Closed Accounts Posts: 16,713 ✭✭✭✭jor el


    koHd wrote: »
    I've had this network monitor installed for a while and used ethernet in the past and this hasn't happened.

    My computer is definitely not downloading or uploading anything that I can find. And sure, if it was, why would it not do it when on wireless connection?

    Your monitor may only be monitoring the Ethernet connection, and not all connections. If this is the case, then the computer is still downloading when you're on Ethernet, but you just aren't monitoring it.


  • Registered Users, Registered Users 2 Posts: 12,892 ✭✭✭✭Snake Plisken


    Feidhlim wrote: »
    I always use Spybot, search and destroy

    Good luck anyway, I'm no expert- you'll probably get better answers here!

    Don't recommend this, I've seen it mess up system registries, stick with Combofix, Smithfraudfix, Malwarebytes & Super antispyware. Also recommend Kaspersky over crappy Norton or McAfee, you can download a month's trial of KAV 10 for free.


  • Registered Users, Registered Users 2 Posts: 1,142 ✭✭✭koHd


    jor el wrote: »
    Your monitor may only be monitoring the Ethernet connection, and not all connections. If this is the case, then the computer is still downloading when you're on Ethernet, but you just aren't monitoring it.

    No it monitors all network activity. When I'm on wireless though it acts as it should. Showing up the network activity I know about.


  • Closed Accounts Posts: 3,817 ✭✭✭ynotdu


    it IS a strange one, you sure the physical cable to your ethernet has not been spliced before it even enters your home?

    even then a hacker would have to crack your passwords etc on your router.

    you don't say who your provider is but i know on eircom.net you can check your past and present internet usage, has it shown a dramatic increase over previous months?

    i would not let this go as anything bogey done from your IP address leaves you legally responsible.

    contact your isp ASAP, and check it out :eek:


  • Registered Users, Registered Users 2 Posts: 1,142 ✭✭✭koHd


    ynotdu wrote: »
    it IS a strange one, you sure the physical cable to your ethernet has not been spliced before it even enters your home?

    even then a hacker would have to crack your passwords etc on your router.

    you don't say who your provider is but i know on eircom.net you can check your past and present internet usage, has it shown a dramatic increase over previous months?

    i would not let this go as anything bogey done from your IP address leaves you legally responsible.

    contact your isp ASAP, and check it out :eek:

    :eek: is right.

    Will check this out today.

    Freekin hackers need to get a job! :pac:


  • Registered Users, Registered Users 2 Posts: 677 ✭✭✭Champ


    ynotdu wrote:
    it IS a strange one, you sure the physical cable to your ethernet has not been spliced before it even enters your home?
    Never heard of this happening, I'd say this should be the very last possibility considered.
    ynotdu wrote:
    even then a hacker would have to crack your passwords etc on your router

    I think this is very doubtful as by default most routers disable admin outside of the LAN (i.e. the WAN). Unless your wireless access point (if you have one) has been using a very weak password with WEP then I don't think you have to worry about this possibility, i.e. if they connected successfully to the access point then they're in the LAN side.

    Actually it's not at all strange. Many people assume their routers will handle all the necessary security etc. This is largely true for uninitiated connections from the WAN side but any activity on the LAN side is generally assumed to be authentic / legit. Hackers & Co keep this in mind when utilising software exploits to get stuff onto PCs on the LAN side. Once inside, the malicious software communicates outside to the WAN (at first opportunity, say after login) to do whatever it's intended to do and since the traffic originates from inside the LAN your router can't / won't give it a second glance.

    I've had to help people (who were using routers too) with this scenario before and here are two examples:
    -In one case while browsing websites a person encountered one of those annoying popups, in this case it was saying spyware has been detected on your computer and do you want to download software to remove it. Regardless of what the person clicked (no in this case) it downloaded crap with the result that even if she / he wasn't surfing, popup windows would regularly appear prompting for a purchase of the software to remove the detected spyware. Long story cut short, the normally safe website was infected with a variant of the Vundo trojan which is how the crap got onto the PC.
    Purpose: malware to get cash

    -In another case a person was browsing one of his usual and safe favourites. However the 3rd party ad banners were hacked... Much to his surprise a PDF started opening automatically by Adobe Reader even though no pdf link was clicked on, the site didn't even host PDF files! The PDF opened was malformed and exploited a vulnerability (now addressed) in how Adobe Reader handled javascript. The result was malicious software was automatically downloaded from the web which gave the hackers remote control of the PC anytime it was online. Since the malicious software would start the connection from the LAN side to check into the hacker network... the router thought all was good.
    Purpose: a zombified PC to utilise for DOS (denial of service) attacks

    That's why I recommend a good software firewall for PCs to handle outbound connections. If any malicious software somehow gets onto the PC in question it will generally do at least two things:
    -Let you know something you haven't authenticated is trying to connect somewhere.. i.e. a warning
    -Stop said software from communicating... e.g. stop remote control, stop transmission of personal info from say key stroke loggers etc...


  • Registered Users Posts: 154 ✭✭measurement


    Have you considered the possibility that when you are using the Ethernet, someone else is 'borrowing' your wireless connection (e.g. a neighbour, or neighbour's child :D), but when you are using the wireless yourself, they find it 'not fast enough' to bother?
    The fact that the stats seem ok when you are on wireless seems to indicate that when it is 'free' it is also accessible by others. Have you changed your WEP or WPA password recently? ;)
    It's also possible that you prevent certain types of traffic on wireless (because the setup asks you if you want it) but you haven't been as careful with Ethernet settings.


  • Registered Users, Registered Users 2 Posts: 13,016 ✭✭✭✭vibe666


    Champ wrote: »
    Never heard of this happening, I'd say this should be the very last possibility considered.
    there is a very good reason why you've never heard of it (outside of spooks). :rolleyes:

    so much FUD, so little time. :(

    oh well, i'll give it a go anyway.

    you have a network monitor on your PC. that network monitor can only see data coming and going through network ports on that PC, so let's forget about fairies splicing ethernet cables outside your house (why would you have ethernet outside your house anyway?) or keanu reeves hacking into your router for a minute and think about it logically (and realistically). if the network monitoring application running on your PC can see network activity then whatever it is seeing is also running on your PC.

    how much data are we talking about anyway? 100kb an hour, 100mb an hour or what? is it mostly incoming or outgoing data?

    there are dozens of background windows processes and services that you can't see running that could legitimately be using your network connection for various reasons but without knowing what processes are running and how much data they are transferring it's impossible to say for sure, so we need an idea of what we're dealing with.

    what anti-virus software are you running? is it up to date? do you do regular virus scans? what about other firewall or anti-spyware software? have you done any other scans?

    download hijackthis and run it to scan for items that run every time you boot up your PC (the easiest way to find the nasty stuff that could be messing with your PC). DON'T make any changes with hijackthis, you could bork your PC and you don't want to do that. just run the scan and save the log file.

    once you have run the scan by clicking on the option that says "do a scan and save a log file" (it doesn't make any changes unless you tell it to), copy paste the resulting log file that opens up in notepad into pastebin and post the link it gives you for your log. if you don't want to post it publicly (in case it might contain any personal info which is vaguely possible, but unlikely in most cases) you can send the link to me via PM if you like and I'll take a look and see if anything malicious is running in the background when you start your PC or web browser.
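
Added example, not part of any post in this thread: both the outbound-firewall advice and the point that the traffic must come from a process on the PC itself come down to finding which process owns which connection. The Python sketch below parses saved output of the Windows commands `netstat -ano` and `tasklist /fo csv /nh` and lists, per process, the remote endpoints outside the LAN. The sample output, process names and addresses are constructed for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

# Ranges that stay on the machine or the LAN (loopback, RFC 1918, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
# TCP states that mean the process is talking, or trying to talk, to a peer.
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT", "CLOSE_WAIT"}

def split_endpoint(endpoint):
    """Split '1.2.3.4:80' or '[fe80::1%11]:80' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    try:
        return ipaddress.ip_address(host), int(port)
    except ValueError:  # '*:*' on UDP rows, header text, blank lines
        return None, None

def is_external(ip):
    return not ip.is_unspecified and not any(ip in net for net in LOCAL_NETS)

def pid_names(tasklist_csv):
    """Map PID -> image name from 'tasklist /fo csv /nh' output."""
    names = {}
    for row in csv.reader(tasklist_csv.strip().splitlines()):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names

def external_connections(netstat_text, tasklist_csv):
    """Return [(image, pid, [remote endpoints])], busiest process first."""
    names = pid_names(tasklist_csv)
    by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have 5 columns; UDP rows have no state column and are skipped.
        if len(f) != 5 or f[0] != "TCP" or f[3] not in ACTIVE_STATES:
            continue
        ip, port = split_endpoint(f[2])
        if ip is not None and is_external(ip) and f[4].isdigit():
            by_pid[int(f[4])].add(f"{ip}:{port}")
    report = [(names.get(pid, "<unknown>"), pid, sorted(eps))
              for pid, eps in by_pid.items()]
    report.sort(key=lambda r: (-len(r[2]), r[1]))
    return report

# Constructed sample output (documentation address ranges, made-up PIDs).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.10:49301     192.168.1.1:80         ESTABLISHED     3120
  TCP    192.168.1.10:49322     203.0.113.25:443       ESTABLISHED     3120
  TCP    192.168.1.10:49340     198.51.100.7:6667      ESTABLISHED     2288
  TCP    192.168.1.10:49341     198.51.100.9:6667      SYN_SENT        2288
  TCP    192.168.1.10:49350     203.0.113.25:443       TIME_WAIT       0
  TCP    [fe80::1c2:3ff%11]:49360  [fe80::1%11]:445    ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1500
"""
SAMPLE_TASKLIST = '''
"System","4","Services","0","1,024 K"
"firefox.exe","3120","Console","1","210,000 K"
"unknown_app.exe","2288","Console","1","4,100 K"
'''

if __name__ == "__main__":
    for image, pid, endpoints in external_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{image} (PID {pid}): {', '.join(endpoints)}")
```

Capturing the two command outputs once while the unexplained traffic is visible and once while the link is idle makes the process responsible stand out.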


  • Closed Accounts Posts: 3,817 ✭✭✭ynotdu


    I at least made a few suggestions on the day the OP posted. Where were YOU guys?

    To simplify my response i said Ethernet being spliced as it was not clear how the OP was receiving their BB.

    I know of many cases where phone lines were spliced before they entered the house of a customer.

    Eircom routers now use WPA and have their own firewall as well as whatever firewall a person chooses to install on their computer(s)

    in case you did not hear Eircom were shown by a *good* hacker how he could hack WEP of anybody in range in five minutes and sent letters to ALL their BB customers as to how to make wep/wpa more secure.

    what is strange about this is it does not appear to be the wireless that was acting strangely but the physical cable somewhere along the line.

    I think comparing your BB usage to previous months is always a good first step (if your personal use of the net has not changed much)
    the problem is not always down to Malware, and depending on one person's recommendations as to what malware finder to download, run, and upload the results of the scan having saved it to clipboard can be a total pain in the ass! (wait around until they decide to bother to check the scan and at THEIR leisure reply with what *THEY* think is the problem.)

    Of course the OP could install Hijack This and post it to the hijack this online community where He/She can get a million people's opinion.

    OP contact your isp as a first resort to cover your ass against anything done from YOUR ip address.


  • Registered Users, Registered Users 2 Posts: 13,016 ✭✭✭✭vibe666


    ynotdu wrote: »
    I at least made a few suggestions on the day the OP posted. Where were YOU guys?
    sorry, but posting bad advice early doesn't make it good advice.
    ynotdu wrote: »
    To simplify my response i said Ethernet being spliced as it was not clear how the OP was receiving their BB.

    I know of many cases where phone lines were spliced before they entered the house of a customer.
    it doesn't matter how he gets his broadband, you can't 'splice' ethernet and even if you could, he's not going to have any outside his house. if he has DSL then the line coming into his house is twisted pair copper (i.e. bog standard phone cable), not ethernet. if he has cable broadband then it's coax, which again is not ethernet.

    the phone line 'splicing' you are talking about is known as a pairgain or line splitter and is used by cheapskate phone companies like eircom to make two lines out of one rather than install more cabling and if the OP had one of those on the line they wouldn't (ever) be able to get broadband in the first place so we can be pretty sure they don't have that problem for several reasons, least of which is that it was an irrelevant statement.
    ynotdu wrote: »
    Eircom routers now use WPA and have their own firewall as well as whatever firewall a person chooses to install on their computer(s)

    in case you did not hear Eircom were shown by a *good* hacker how he could hack WEP of anybody in range in five minutes and sent letters to ALL their BB customers as to how to make wep/wpa more secure.
    no they weren't and no he didn't. anyone can crack WEP or WPA with the right knowledge and tools, but it's not that easy and it's not what happened with eircom's WEP encrypted wifi routers.

    all that happened with the eircom WEP key issue was that someone figured out that the WEP key on eircom routers was generated from their wireless SSID (which is derived from their eircom account number) and what that calculation was. when it turned out that eircom were not interested in fixing the problem he wrote a java app that did the calculation and posted it on the net to force eircom to do something about it, which (after getting quite a lot of bad publicity) they did.

    there is no hacking or cracking involved, just simple maths and the WEP key can be calculated by anyone (with a laptop or mobile phone which has the java app installed) as quickly as they can type in the 8 digits of the eircom SSID of the router they want to connect to. did you just pull a figure of "5 minutes" out of thin air? :confused:

    other than sending out a letter to users that most of them would probably not understand, eircom did very little to solve the existing problem and just changed the way the WEP key was calculated and then switched to WPA. there are still a large number of eircom routers out there still using their original vulnerable WEP key that can be compromised in a couple of seconds by anyone with that java app.
    ynotdu wrote: »
    what is strange about this is it does not appear to be the wireless that was acting strangely but the physical cable somewhere along the line.
    it's only strange if you don't understand what is and isn't happening. he has a network monitor installed on his PC, not 'somewhere along the line'. that network monitor can only see data passing through network devices on that PC. any other part of the network is totally invisible to it. even if he had 2 PC's sat right next to each other on the same network with one of them having that network monitor on it, it can't see a single kb of data being transferred between the other PC and the internet so your argument here is totally invalid.
    ynotdu wrote: »
    I think comparing your BB usage to previous months is always a good first step (if your personal use of the net has not changed much)
    we don't even know how much data he is talking about at the moment, it's just a generic plot on a graph at this stage and it's data coming and going from his own PC, not someone using his wifi so it's unlikely to be enough that it would show up anyway for the reasons i've already mentioned.
    ynotdu wrote: »
    the problem is not always down to Malware, and depending on one person's recommendations as to what malware finder to download, run, and upload the results of the scan having saved it to clipboard can be a total pain in the ass! (wait around until they decide to bother to check the scan and at THEIR leisure reply with what *THEY* think is the problem.)

    Of course the OP could install Hijack This and post it to the hijack this online community where He/She can get a million people's opinion.
    no, PC problems are not always down to malware, but in this case it is most definitely 100% guaranteed that there is an application on his PC using his network connection, NOT some phantom hacker splicing cables outside his house. the only way to find out if it's something legitimate or malicious is to check his PC for malicious software. the easiest way to do that is with a hijackthis scan, which i'm happy to look at for him as would any number of other experienced posters, or he can post it to any one of several websites that can tell him the same thing, i'm just offering constructive advice from someone with a lot of professional experience supporting thousands of PC's who is actually able to help, rather than making stuff up that looks like it might fit, but which actually makes very little sense.

    and anyone who can't be bothered to spend 5 minutes of their time to download and run a small tool and then copy/paste the results to potentially fix something that they see as a problem on their PC is never going to get anything sorted.

    after running his own AV and spyware scans, running hijackthis is the fastest and most reliable way to get past the first step of determining if he actually has a problem or not.
    ynotdu wrote: »
    OP contact your isp as a first resort to cover your ass against anything done from YOUR ip address.
    nothing he can say to his ISP will indemnify him from responsibility for what happens on his internet connection. either way, he is legally responsible for what happens on it regardless if it was done by him or someone else using it without his knowledge.

    look, nobody has any problems with anyone trying to help out, but when people post information on threads that is clearly untrue or misleading (whether they know it or not) all it does is create confusion for everyone and nothing gets solved.


  • Registered Users, Registered Users 2 Posts: 1,142 ✭✭✭koHd


    Cheers to everybody that has chipped in with advice.

    I just ran hijackthis and have the log file.

    And to update, the activity has now started when I'm wireless also. It's about 5kb upload and download every second.

    What will I do with this log file? Anything in particular to look for in it?


  • Registered Users, Registered Users 2 Posts: 13,016 ✭✭✭✭vibe666


    koHd wrote: »
    What will I do with this log file? Anything in particular to look for in it?
    tbh it could be any one of hundreds of possibilities, but you have several options. so in the interests of impartiality...you can get it automatically analysed online at any of the websites listed in this link (just copy/paste the log file contents, or upload the log directly) and it will check the contents against known nasties and give you the results.

    they can give you a good idea for what might be good or bad on your PC, but they are still just automated scanners so you can't rely on them 100%, so another option is to sign up for any one of dozens of tech support sites that specialise in that kind of thing such as the tech support guy forums or any other similar online forums.

    you could paste the contents into pastebin and copy paste the link it gives you here for us to have a look at if you're feeling like we're trustworthy, or you could PM the contents to me and I can take a look if you don't want everyone to see (in case you spot anything in there you don't want everyone to see, which can occasionally happen with anything internet related) i've been working in various tech support roles for the last 14 years and have plenty of experience and you've got my word that anything you decided to divulge via PM will be kept in the strictest confidence on pain of death, or even worse a mod banning me from the forums. :eek:

    it's entirely up to you what you do though, whatever you decide is fine by me, i'm just some randomer on the internet, there's no reason for you to trust me so feel free to pick any of the above options that you feel comfortable with.

    one thing i will say though, is be careful not to remove anything with hijackthis until you've had it confirmed by *someone* first. there is definitely room for some major PC breakage by using it incorrectly.

    it's time i was asleep now though, so it might have to wait till the morning if that's okay. :)


  • Closed Accounts Posts: 3,293 ✭✭✭Fuzzy Clam


    koHd wrote: »
    And to update, the activity has now started when I'm wireless also. It's about 5kb upload and download every second.

    Not meaning to be smart, but I suspect the activity was there on both wireless and ethernet all along.


  • Registered Users, Registered Users 2 Posts: 1,142 ✭✭✭koHd


    Fuzzy Clam wrote: »
    koHd wrote: »
    And to update, the activity has now started when I'm wireless also. It's about 5kb upload and download every second.

    Not meaning to be smart, but I suspect the activity was there on both wireless and ethernet all along.

    Nope.

    I tested it on several occasions with ethernet and wireless.

    It was literally completely inactive on the wireless when I wasn't using the connection.

    But on ethernet the activity is a lot more than 5kb. It's constantly downloading at a rate of about 100kbps.

    And I'd just like to take this opportunity to also thank Vibe666 who is helping me a lot with this problem via pm. Instead of trying to make me out to be an idiot that can't see what's in front of their eyes (not being smart or anything).


  • Registered Users, Registered Users 2 Posts: 13,016 ✭✭✭✭vibe666


    np, glad to help. :)

    i've had an immeasurable amount of help from boards.ie over the years so it's nice to be able to repay the favours occasionally when i know i can help someone out.


  • Closed Accounts Posts: 3,293 ✭✭✭Fuzzy Clam


    koHd wrote: »


    It was literally completely inactive on the wireless when I wasn't using the connection.

    But on ethernet the activity is a lot more than 5kb. It's constantly downloading at a rate of about 100kbps.

    Of course it's inactive when you're not using the connection. :confused:

    Do you think that when connected to the net that there would not be some activity? The amounts you mention are very small. Just opening a site can show up as 100's of kbps. Even the router just communicating with your pc will show up as activity.

    I don't think there's a problem.


  • Registered Users, Registered Users 2 Posts: 1,142 ✭✭✭koHd


    Ok I got tired of trying to find the problem.

    I backed up my documents and reformatted my system to new.

    I reinstalled the bitmeter network monitor and now there's no network activity at all when I'm not using the connection.

    So it's solved.

    Thanks to everybody that suggested fixes.

