Topic 'Re: intruder in my network' in forum 'Security' - dslreports.com

Re: intruder in my network

Mon, 31 Dec 2012 23:53:52 EDT

HELLFIRE posted :

said by anarchoi2 :

i have been using Hamachi since almost 2 years and i have NEVER seen "PIMP" in my network. Hamachi is used by millions of users and is supposed to be clean and trojan-free.

Forget clean and trojan free, I'm more worried about a) a misconfig in the Hamachi software itself, and b) how long "PIMP"
has been there, as from an operational perspective, "PIMP" was a computer on your LAN able to access your LAN resources
and WAN at will...

Keep off Hamachi for a week and see if "PIMP" pops back up or not... my 00000010bits

Regards

Re: intruder in my network

Fri, 28 Dec 2012 21:23:32 EDT

NetFixer posted :

said by anarchoi2 :

Ok there's something really weird... PIMP just showed up again in my network under ANARCHOI_LAPTOP...

So i did nbstat again. Here's the result.
25.176.120.102 is *NOT* my IP. It belongs to "Royal Signals and Radar Establishment".... WTF ???
Currently my IP is 206.80.243.*

See my previous reply for an explanation: »Re: intruder in my network
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

Re: intruder in my network

Fri, 28 Dec 2012 20:50:30 EDT

anon posted : OMG i think i just found the source of the problem.

If i go to my network connections and turn off HAMACHI, then PIMP goes away and diseappear from my network.

However, i have been using Hamachi since almost 2 years and i have NEVER seen "PIMP" in my network. Hamachi is used by millions of users and is supposed to be clean and trojan-free. I have ran multiple anti-viruses and anti-spywares and my computer was always clean.
Hamachi is used to play games in LAN

I suppose i should uninstall it now :(

Re: intruder in my network

Fri, 28 Dec 2012 20:50:14 EDT

anon posted : Ok there's something really weird... PIMP just showed up again in my network under ANARCHOI_LAPTOP

Problem is that ANARCHOI_LAPTOP was NOT open at this time (it wasn't even in sleep mode). There was no computer at all connected to my network except my main PC (ANARCHOI-PC). But "PIMP" is showing under "ANARCHOI_LAPTOP"

See screenshot:
»www.ni-dieu-ni-maitre.com/_uploa···pwtf.png

Note: DBTOA000 was my girlfriend's laptop

So i did nbstat again. Here's the result.
25.176.120.102 is *NOT* my IP. It belongs to "Royal Signals and Radar Establishment".... WTF ???
Currently my IP is 206.80.243.*

*********************************

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

C:\Users\Anarchoi>nbtstat -c

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Aucun nom dans le cache

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Table de nom de cache distant NetBIOS

Nom Type Adresse d'hôte Vie [sec]
------------------------------------------------------------
PIMP UNIQUE 25.176.120.102 320

C:\Users\Anarchoi>

***********************************

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

C:\Users\Anarchoi>nbtstat -n

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Table nom local NetBIOS

Nom Type Statut
---------------------------------------------
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
WORKGROUP UNIQUE Inscrit
..__MSBROWSE__. Groupe Inscrit

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Table nom local NetBIOS

Nom Type Statut
---------------------------------------------
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit

C:\Users\Anarchoi>

*******************************************

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

C:\Users\Anarchoi>nbtstat -S

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Aucune connexion

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Aucune connexion

C:\Users\Anarchoi>

Re: intruder in my network

Wed, 26 Dec 2012 19:53:44 EDT

HELLFIRE posted : So from your nbtstat output, doesn't look like PIMP is detected / resolivng from the CLI. Was PIMP
still present in Windows Explorer at the time you pulled up this output?

My only question is what this host is

DBTOA000 UNIQUE 192.168.2.5 215

Regards

Re: intruder in my network

Sat, 22 Dec 2012 09:16:22 EDT

Lagz posted : The 5.x.x.x address block was reserved at one time. The 5.x.x.x block was used by Hamachi to avoid collisions with private IP networks that might be in use on the client side. Hamachi was wrong to hijack the range, but if IANA has it reserved, then one might as well utilize it. I hope IANA doesn't decide to simply allocate the 10.x.x.x range at some point in the future. :)
--
When somebody tells you nothing is impossible, ask him to dribble a football.

Re: intruder in my network

Sat, 22 Dec 2012 01:07:14 EDT

NetFixer posted :

said by Lagz:

Hamachi is a VPN. So you didn't entirely delete all the VPN software

And the owner of the IP address used by that Himachi connection is somewhat interesting:

% This is the RIPE Database query service.% The objects are in RPSL format.%% The RIPE Database is subject to Terms and Conditions.% See http://www.ripe.net/db/support/db-terms-conditions.pdf% Note: this output has been filtered.%       To receive output for a database update, use the "-B" flag.% Information related to '25.0.0.0 - 25.255.255.255'inetnum:        25.0.0.0 - 25.255.255.255netname:        UK-MOD-19850128descr:          DINSA, Ministry of Defencecountry:        GBorg:            ORG-DMoD1-RIPEadmin-c:        MN1891-RIPEtech-c:         MN1891-RIPEstatus:         ALLOCATED PAmnt-by:         RIPE-NCC-HM-MNTmnt-lower:      UK-MOD-MNTmnt-domains:    UK-MOD-MNTmnt-routes:     UK-MOD-MNTsource:         RIPE # Filteredorganisation:   ORG-DMoD1-RIPEorg-name:       DINSA, Ministry of Defenceorg-type:       LIRaddress:        Not Published                Not Published Not Published                United Kingdomphone:          +44 (0)30 677 00816admin-c:        MN1891-RIPEmnt-ref:        UK-MOD-MNTmnt-ref:        RIPE-NCC-HM-MNTmnt-by:         RIPE-NCC-HM-MNTsource:         RIPE # Filteredperson:         Mathew Newtonaddress:        C4 Architectureaddress:        UK Ministry of Defencephone:          +44 (0)30 677 00816abuse-mailbox:  hostmaster@mod.uknic-hdl:        MN1891-RIPEsource:         RIPE # Filteredmnt-by:         UK-MOD-MNT% Information related to '25.0.0.0/8AS5378'route:          25.0.0.0/8descr:          INS-MOD-NETdescr:          INSnet core/customer routedescr:          Address Space owned by MODdescr:          see whois.arin.netmember-of:      RS-AS5378origin:         AS5378mnt-by:         AS5378-MNTsource:         RIPE # Filtered% This query was served by the RIPE Database Query Service version 1.47.5 (WHOIS1)

My assumption was that connection was probably "work related", but...

EDIT:
OK, the Himachi/UK MoD mystery is solved:

»b.logme.in/2012/11/07/changes-to···er-19th/

The first change concerns the use of the 5.x.x.x address space. As you may or may not be aware, this address space has been allocated by IANA to RIPE NCC two years ago. RIPE NCC has been handing out these addresses to their customers, and having Hamachi active on your computer means that you’re not able to access a growing portion of the Internet. We’ve added IPv6 support to Hamachi a while back, and you can simply turn off the use of the 5/8 space, but we realize that IPv4 is still very important to most of you. Therefore we’ll be changing every Hamachi node’s address to the 25/8 space...

Why 25/8? Well, it rhymes a bit with 5/8, and furthermore, it’s a block that’s been allocated to a foreign government agency for private use for almost two decades. We have no Hamachi users from this address space, and it’s highly unlikely that the general public would need to access one of these IP addresses. However, our general recommendation is that if you can, please turn off IPv4 support in your Hamachi clients. The IPv6 space we’re using has been registered to LogMeIn, and most modern software should function perfectly without needing an IPv4 address.

So, it seems that LogMeIn/Himachi has simply hijacked the UK MoD's IPv4 address space. I can't believe that the UK MoD has not already nuked them.

OTOH, the phrase "plausible deniability" does come to mind, so maybe the UK MoD isn't really too upset about LogMeIn/Himachi spoofing their IP addresses.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

Re: intruder in my network

Sat, 22 Dec 2012 00:57:25 EDT

Lagz posted : Hamachi is a VPN. So you didn't entirely delete all the VPN software

Re: intruder in my network

Sat, 22 Dec 2012 00:56:21 EDT

NetFixer posted : A .pbk file is just a text file, not an executable, so it is unlikely that anybody's malware scanner will tell you anything. The "pbk" file extension is an acronym for "phonebook", and the file contains text parameter entries used by Windows for making dialup and VPN connections.

FWIW, here is the relevant information for the "Ukraine" entries in the file you uploaded:

[EUROIP L2TP Ukraine]Encoding=1Type=2AutoLogon=0UseRasCredentials=1LowDateTime=-1331370144HighDateTime=29944263DialParamsUID=172546Guid=7106BE987679AF4B8258EFCCADA692A5BaseProtocol=1VpnStrategy=3ExcludedProtocols=2LcpExtensions=1DataEncryption=8SwCompression=1NegotiateMultilinkAlways=1SkipNwcWarning=0SkipDownLevelDialog=0SkipDoubleDialDialog=0DialMode=1OverridePref=15RedialAttempts=99RedialSeconds=30IdleDisconnectSeconds=0RedialOnLinkFailure=0CallbackMode=0CustomDialDll=CustomDialFunc=CustomRasDialDll=ForceSecureCompartment=0DisableIKENameEkuCheck=0AuthenticateServer=0ShareMsFilePrint=1BindMsNetClient=1SharedPhoneNumbers=0GlobalDeviceSettings=0PrerequisiteEntry=PrerequisitePbk=PreferredPort=VPN2-0PreferredDevice=WAN Miniport (L2TP)PreferredBps=0PreferredHwFlow=1PreferredProtocol=1PreferredCompression=1PreferredSpeaker=1PreferredMdmProtocol=0PreviewUserPw=1PreviewDomain=0PreviewPhoneNumber=0ShowDialingProgress=1ShowMonitorIconInTaskBar=1CustomAuthKey=-1AuthRestrictions=544TypicalAuth=2IpPrioritizeRemote=1IpInterfaceMetric=0fCachedDnsSuffix=0IpHeaderCompression=0IpAddress=0.0.0.0IpDnsAddress=0.0.0.0IpDns2Address=0.0.0.0IpWinsAddress=0.0.0.0IpWins2Address=0.0.0.0IpAssign=1IpNameAssign=1IpDnsFlags=0IpNBTFlags=1TcpWindowSize=0UseFlags=0IpSecFlags=0IpDnsSuffix=IpCachedDnsSuffix=Ipv6PrioritizeRemote=1Ipv6InterfaceMetric=0Ipv6NameAssign=1Ipv6DnsAddress=::Ipv6Dns2Address=::Ipv6InterfaceId=0000000000000000 NETCOMPONENTS=ms_server=1ms_msclient=1ms_psched=1ms_nwsapagent=1ms_nwclient=1ms_pacer=1cfosspeed=1odysseyim4=1vmware_bridge=1 MEDIA=rastapiPort=VPN0-0Device=WAN-miniport (L2TP) DEVICE=vpnPhoneNumber=ttu.15.usaip.euAreaCode=CountryCode=98CountryID=98UseDialingRules=0Comment=LastSelectedPhone=0PromoteAlternates=0TryNextAlternateOnFail=1 [EUROIP PPTP Ukraine]Encoding=1Type=2AutoLogon=0UseRasCredentials=1LowDateTime=-1542958000HighDateTime=29944249DialParamsUID=172546Guid=7106BE987679AF4B8258EFCCADA692A5BaseProtocol=1VpnStrategy=1ExcludedProtocols=2LcpExtensions=1DataEncryption=8SwCompression=1NegotiateMultilinkAlways=1SkipNwcWarning=0SkipDownLevelDialog=0SkipDoubleDialDialog=0DialMode=1OverridePref=15RedialAttempts=99RedialSeconds=30IdleDisconnectSeconds=0RedialOnLinkFailure=0CallbackMode=0CustomDialDll=CustomDialFunc=CustomRasDialDll=ForceSecureCompartment=0DisableIKENameEkuCheck=0AuthenticateServer=0ShareMsFilePrint=1BindMsNetClient=1SharedPhoneNumbers=0GlobalDeviceSettings=0PrerequisiteEntry=PrerequisitePbk=PreferredPort=VPN2-0PreferredDevice=WAN Miniport (L2TP)PreferredBps=0PreferredHwFlow=1PreferredProtocol=1PreferredCompression=1PreferredSpeaker=1PreferredMdmProtocol=0PreviewUserPw=1PreviewDomain=0PreviewPhoneNumber=0ShowDialingProgress=1ShowMonitorIconInTaskBar=1CustomAuthKey=-1AuthRestrictions=544TypicalAuth=2IpPrioritizeRemote=1IpInterfaceMetric=0fCachedDnsSuffix=0IpHeaderCompression=0IpAddress=0.0.0.0IpDnsAddress=0.0.0.0IpDns2Address=0.0.0.0IpWinsAddress=0.0.0.0IpWins2Address=0.0.0.0IpAssign=1IpNameAssign=1IpDnsFlags=0IpNBTFlags=1TcpWindowSize=0UseFlags=0IpSecFlags=1IpDnsSuffix=IpCachedDnsSuffix=Ipv6PrioritizeRemote=1Ipv6InterfaceMetric=0Ipv6NameAssign=1Ipv6DnsAddress=::Ipv6Dns2Address=::Ipv6InterfaceId=0000000000000000 NETCOMPONENTS=ms_server=1ms_msclient=1ms_psched=1ms_nwsapagent=1ms_nwclient=1ms_pacer=1cfosspeed=1odysseyim4=1vmware_bridge=1 MEDIA=rastapiPort=VPN0-0Device=WAN-miniport (L2TP) DEVICE=vpnPhoneNumber=ttu.15.usaip.euAreaCode=CountryCode=98CountryID=98UseDialingRules=0Comment=LastSelectedPhone=0PromoteAlternates=0TryNextAlternateOnFail=1 [EUROIP SSTP Ukraine]Encoding=1PBVersion=1Type=2AutoLogon=0UseRasCredentials=1LowDateTime=463995664HighDateTime=30143741DialParamsUID=172546Guid=7106BE987679AF4B8258EFCCADA692A5VpnStrategy=5ExcludedProtocols=2LcpExtensions=1DataEncryption=8SwCompression=1NegotiateMultilinkAlways=1SkipDoubleDialDialog=0DialMode=1OverridePref=15RedialAttempts=99RedialSeconds=30IdleDisconnectSeconds=0RedialOnLinkFailure=0CallbackMode=0CustomDialDll=CustomDialFunc=CustomRasDialDll=ForceSecureCompartment=0DisableIKENameEkuCheck=0AuthenticateServer=0ShareMsFilePrint=1BindMsNetClient=1SharedPhoneNumbers=0GlobalDeviceSettings=0PrerequisiteEntry=PrerequisitePbk=PreferredPort=VPN0-0PreferredDevice=WAN Miniport (SSTP)PreferredBps=0PreferredHwFlow=1PreferredProtocol=1PreferredCompression=1PreferredSpeaker=1PreferredMdmProtocol=0PreviewUserPw=1PreviewDomain=0PreviewPhoneNumber=0ShowDialingProgress=1ShowMonitorIconInTaskBar=1CustomAuthKey=0AuthRestrictions=544IpPrioritizeRemote=1IpInterfaceMetric=0IpHeaderCompression=0IpAddress=0.0.0.0IpDnsAddress=0.0.0.0IpDns2Address=0.0.0.0IpWinsAddress=0.0.0.0IpWins2Address=0.0.0.0IpAssign=1IpNameAssign=1IpDnsFlags=0IpNBTFlags=1TcpWindowSize=0UseFlags=0IpSecFlags=0IpDnsSuffix=Ipv6Assign=1Ipv6Address=::Ipv6PrefixLength=0Ipv6PrioritizeRemote=1Ipv6InterfaceMetric=0Ipv6NameAssign=1Ipv6DnsAddress=::Ipv6Dns2Address=::Ipv6Prefix=0000000000000000Ipv6InterfaceId=0000000000000000DisableClassBasedDefaultRoute=0DisableMobility=0NetworkOutageTime=0ProvisionType=0PreSharedKey= NETCOMPONENTS=ms_server=1ms_msclient=1ms_psched=1ms_nwsapagent=1ms_nwclient=1ms_pacer=1cfosspeed=1odysseyim4=1vmware_bridge=1 MEDIA=rastapiPort=VPN0-0Device=WAN Miniport (SSTP) DEVICE=vpnPhoneNumber=vpn15.usaip.euAreaCode=CountryCode=98CountryID=98UseDialingRules=0Comment=FriendlyName=LastSelectedPhone=0PromoteAlternates=0TryNextAlternateOnFail=1

There is no way of knowing if you were hacked while attached to that VPN server, or if what you have is something that came packaged with some game you downloaded. However, the safest thing to do would be to nuke the effected PCs from orbit, change all passwords to everything you use that uses a password, and carefully check your bank and credit card accounts for at least several months. DBAN is the ultimate malware removal tool.

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

Re: intruder in my network

Sat, 22 Dec 2012 00:33:11 EDT

anon posted : I uploaded the file here:
»www.2shared.com/file/xJjERHDA/CDKEYZIP.html

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits rÃ©servÃ©s.

C:\Users\Anarchoi>nbtstat -S

ANARCHOI:
Adresse IP du noeudÂ : [192.168.2.2] ID d'Ã©tendueÂ : []

Aucune connexion

Hamachi:
Adresse IP du noeudÂ : [25.162.23.89] ID d'Ã©tendueÂ : []

Aucune connexion

C:\Users\Anarchoi>

Re: intruder in my network

Sat, 22 Dec 2012 00:26:07 EDT

HELLFIRE posted : Okay, so PBK files supposedly store connection settings for Windows... dunno if you still have the file to
be reviewed and/or submitted for a malware investigation / analysis.

...and it was "nbtstat -S" (capitalized, not lower case).

Regards

Re: intruder in my network

Fri, 21 Dec 2012 22:58:53 EDT

anon posted :

What website was this, and what "VPN" software did you have to download / install?

First VPN was a game i bought on eBay. The seller sent me a file called
CDKEYZIP.pbk and asked me to connect to "EUROIP PPTP Ukraine" VPN

Second one was from www.direct2play.com

The game was Borderlands 2

Also agree with Bullwhip See Profile in that is the VPN software still running on Anarchoi-Pc and Anarchoi-Laptop
at the time "PIMP" is visible?

I deleted all files related to the VPN's

When i do "nbtstat" i don't see PIMP in the list even if i see it in the windows network neighboorhood. "DBTOA000" is listed twice (this is my girlfriend's laptop)

C:\Users\Anarchoi>nbtstat -c

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Table de nom de cache distant NetBIOS

Nom Type Adresse d'hôte Vie [sec]
------------------------------------------------------------
ANARCHOI_LAPTOP UNIQUE 192.168.2.9 227
DBTOA000 UNIQUE 192.168.2.5 215
DBTOA000 UNIQUE 192.168.2.5 215

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Table de nom de cache distant NetBIOS

Nom Type Adresse d'hôte Vie [sec]
------------------------------------------------------------
ANARCHOI_LAPTOP UNIQUE 25.207.9.158 187

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

C:\Users\Anarchoi>nbtstat -n

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Table nom local NetBIOS

Nom Type Statut
---------------------------------------------
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
WORKGROUP UNIQUE Inscrit
..__MSBROWSE__. Groupe Inscrit

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Table nom local NetBIOS

Nom Type Statut
---------------------------------------------
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit
ANARCHOI-PC UNIQUE Inscrit
WORKGROUP Groupe Inscrit

C:\Users\Anarchoi>

Microsoft Windows [version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tous droits réservés.

C:\Users\Anarchoi>nbtstat -s

ANARCHOI:
Adresse IP du noeud : [192.168.2.2] ID d'étendue : []

Table de connexion NetBIOS

Nom local État Ent/Sor Hôte Distant Entrée Sortie
---------------------------------------------------------------------------
ANARCHOI-PC Connecté Sortie DBTOA000
665B 656B

Hamachi:
Adresse IP du noeud : [25.162.23.89] ID d'étendue : []

Aucune connexion

C:\Users\Anarchoi>

Re: intruder in my network

Fri, 21 Dec 2012 20:28:35 EDT

Just Bob posted : Have you checked to see if you can find pimp.exe anywhere on your computer?

If so, it may or may not be a problem, but this is the most authoritative source I've found:
»www.prevx.com/filenames/X1612480···EXE.html
--
"...an imbalance between rich and poor is the oldest and most fatal ailment of all republics." Plutarch
Judging other people is easy. Understanding them can break your heart.

Re: intruder in my network

Fri, 21 Dec 2012 17:57:11 EDT

NetFixer posted :

said by Teknikal01 :

Wireless is simple unsecure - Despite the security/authentication protocols....

You would have better luck with a wired network.

And some posters would have better luck if they actually read a thread before responding to it. :uhh:
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

Re: intruder in my network

Fri, 21 Dec 2012 16:51:13 EDT

anon posted : Wireless is simple unsecure - Despite the security/authentication protocols....

You would have better luck with a wired network.

Re: intruder in my network

Fri, 21 Dec 2012 04:09:07 EDT

HELLFIRE posted :

said by anarchoi2 :

- "PIMP" is still here even if i turn off wifi. Not a wifi problem.
- If i turn off internet, "PIMP" will diseappear after around 15 minutes

Okay, that DEFINATELY helps clarify and narrow things down.

said by anarchoi2 :

The website asked me to download a VPN software to connect to a Russian IP to download the game from Steam because it was meant to be available only for russians users.

What website was this, and what "VPN" software did you have to download / install?

Also agree with Lagz in that is the VPN software still running on Anarchoi-Pc and Anarchoi-Laptop
at the time "PIMP" is visible?

Also, from the command prompt, try "nbtstat -c" "nbtstat -n" and "nbtstat -S" and post the results

Regards

Re: intruder in my network

Thu, 20 Dec 2012 06:26:58 EDT

Lagz posted : Sorry I missed the VPN post earlier. This is probably related to the VPN since pimp is only visible from those computers. Have you uninstalled the VPN or do you need it to play the game? What VPN did you install?

edit: It seems steam isn't to particularly fond of VPN's.
--
When somebody tells you nothing is impossible, ask him to dribble a football.

Re: intruder in my network

Thu, 20 Dec 2012 05:49:10 EDT

anon posted : Ok after some investigations:

- "PIMP" is still here even if i turn off wifi. Not a wifi problem.
- If i turn off internet, "PIMP" will diseappear after around 15 minutes

Like i explained earlier, a few days ago i bought Borderlands 2 in digital game. The website asked me to download a VPN software to connect to a Russian IP to download the game from Steam because it was meant to be available only for russians users.
"Anarchoi-pc" and "Anarchoi-Laptop" were exposed to the VPN files that may have been infected.

Notes:
- I use the default settings of my router
- I'm on DSL (Distributel) and Windows 7 on almost all PC.
- "PIMP" is only visible from the computers that were exposed to the Russian VPN files. When i check the network from my HTPC, i can't see "PIMP" !!!
- I don't have Ethernet over power line.
- I don,t have an apartment with built-in ethernet.

Some screenshots:

From my main computer (Anarchoi-Pc) that was exposed to the russian VPN
»www.ni-dieu-ni-maitre.com/_uploads/pimp1.jpg

From my laptop (Anarchoi-Laptop) that was exposed to the russian VPN
»www.ni-dieu-ni-maitre.com/_uploads/pimp2.jpg

Another screenshot from my Laptop. Note that "PIMP" is now displayed as a media share (it happens rarely)
»www.ni-dieu-ni-maitre.com/_uploa···mp2b.jpg

Screenshot from my HTPC that was NOT exposed to the russian VPN. Note that "PIMP" is not visible from this computer
»www.ni-dieu-ni-maitre.com/_uploads/pimp3.jpg

Re: intruder in my network

Thu, 20 Dec 2012 00:45:11 EDT

Doctor Olds posted :

said by anarchoi2 :

Yesterday i noticed a new computer was listed in my network computers... It's called "PIMP"

Post a screenshot of that please.

»Software FAQ »How do I make a Screenshot?

»/dev/null forum FAQ »How do I post attachments & screen shots?
--
What�s the point of owning a supercar if you can�t scare yourself stupid from time to time?

Re: intruder in my network

Wed, 19 Dec 2012 19:45:26 EDT

NetFixer posted : I have no way to know how your network is setup, but if you have an Ethernet over power line switch/bridge in your network, they can be a bigger security risk than WiFi. Most such devices can be setup reasonably securely, but the factory default values (which are often not changed) can leave them wide open for intrusion by anyone attached to the same power circuit. I have run into multiple cases where the end user had such devices, but did not have a clue about what they were or the security implications.

Another possibility if you live in an apartment that has built-in Ethernet distribution between rooms, is that your connections may be accessible from another apartment if the apartment building's wiring or VLAN setup is not done properly. Like the Ethernet over power line switch/bridge mentioned above, I have run into this situation too.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

Re: intruder in my network

Wed, 19 Dec 2012 19:19:09 EDT

HELLFIRE posted : Guessing this was in Windows Network Neighborhood? Got a screenshot?

Can you view the FVS318N's ARP table, or DHCP leases?

If wifi's off and this 'PIMP' is still there, I'd start looking at the physical connections.

said by anarchoi2 :

What the hell happenned ? WPA2 is almost impossible to crack, right ?

IF it is configured right... but there's the old adage, "if it was made by human hands, it
can be broken by human hands."

Regards

Re: intruder in my network

Wed, 19 Dec 2012 19:13:11 EDT

Ken1943 posted : What OS and internet connection cable/dsl

Re: intruder in my network

Wed, 19 Dec 2012 18:35:19 EDT

Juggernaut posted : Do a router FW upgrade lately? :hmm:

At this point, I'll bet the router has been breached someway, somehow. Try a different router, and see what happens.
--
"I fear the day that technology will surpass our human interaction. The world will have a generation of idiots." ~ Albert Einstein

Re: intruder in my network

Wed, 19 Dec 2012 18:31:13 EDT

anon posted : I have just ran full scans of AVG, Malware Bytes and Ad-Aware. Everything should be clean, but there's still the intruder in my network.

I have tryed turning off my computer, then logging on the network from a laptop and the intruder is still connected to the network !!!! So it can't be a virus since my computer was off...

I don't understand...

Re: intruder in my network

Wed, 19 Dec 2012 17:57:40 EDT

Juggernaut posted : Or, a bot.

I'd disconnect and work from another computer if possible. As suggested, see if you can download MalwareBytes to your drive, run it, and update it. Or, download MalwareBytes from a safe computer onto a thumb drive, and try to load it to your box that way.

If all else fails, go to »Security Cleanup and follow the instructions first.
--
"I fear the day that technology will surpass our human interaction. The world will have a generation of idiots." ~ Albert Einstein

Re: intruder in my network

Wed, 19 Dec 2012 17:48:06 EDT

anon posted : I just disabled wifi on my router, and the intruder is still in my network !!! This is definatly a trojan or something.

Re: intruder in my network

Wed, 19 Dec 2012 16:28:23 EDT

anon posted : I don't know, i'm using a Netgear ProSafe FVS318N

Re: intruder in my network

Wed, 19 Dec 2012 16:22:31 EDT

Juggernaut posted : Why don't you turn off the wifi until you get this fixed? I sure the heck would! You are responsible for whatever this person is downloading, or doing on your connection.
--
"I fear the day that technology will surpass our human interaction. The world will have a generation of idiots." ~ Albert Einstein

Re: intruder in my network

Wed, 19 Dec 2012 15:51:53 EDT

Lagz posted :

said by anarchoi2 :

Yesterday i noticed a new computer was listed in my network computers... It's called "PIMP"

I don't have any computers using that name so i thought i had been hacked.

I don't understand how it happenned since my password isn't easy to guess and i am using WPA2/PSK

So i changed my network password and even changed the network name. Then today, the intruder is back in my network again.

What the hell happenned ? WPA2 is almost impossible to crack, right ?

Does your device have WPS?
»en.wikipedia.org/wiki/Wi-Fi_Prot···Security
--
When somebody tells you nothing is impossible, ask him to dribble a football.

Re: intruder in my network

Wed, 19 Dec 2012 14:41:00 EDT

EGeezer posted :

said by anarchoi2 :

... I recently had to use a VPN software to connect to Russia to download a digital game i bought... Is it possible that there was a virus inside the VPN or something like that ?

I would guess your computer has a remote access trojan. I recommend downloading Malwarebytes free scanner, disconnecting the PC(s) from the network and running a full scan of all systems that were on the network with it.

Then follow the steps in »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance and »Security Cleanup

I'd also recommend a factory reset and re-configuration of your router after the scan.
--
Buckle Up. It makes it harder for the aliens to suck you out of your car.

Re: intruder in my network

Wed, 19 Dec 2012 14:24:44 EDT

anon posted : I just changed my password and SSID name again, and 10 minutes after the intruder with computer name "PIMP" is back in my network... Is it really possible to crack WPA2 in only a few minutes ?

Also i live in a small town i doubt there are computer nerds around my house that could crack my wifi...

I recently had to use a VPN software to connect to Russia to download a digital game i bought... Is it possible that there was a virus inside the VPN or something like that ?

I'm not sure what TKIP and AES is...

My settings are:
Security - WPA2
Encryption - CCMP
Auth: PSK

Re: intruder in my network

Wed, 19 Dec 2012 13:53:15 EDT

Sarick posted : Was it set to AES or TKIP

TKIP is known to have security issues. (use AES)

If your password is under 20 characters fix it. Use something like this.

»www.grc.com/passwords.htm

Last make sure your access point doesn't have a common SSID name. The SSID name is used as part of the encryption. People have created rainbow tables for common names. These give shortcuts shortcuts in breaking in Wi-fi.
--
Sarick's Dungeon Clipart

intruder in my network

Wed, 19 Dec 2012 13:27:46 EDT

anon posted : Yesterday i noticed a new computer was listed in my network computers... It's called "PIMP"

I don't have any computers using that name so i thought i had been hacked.

I don't understand how it happenned since my password isn't easy to guess and i am using WPA2/PSK

So i changed my network password and even changed the network name. Then today, the intruder is back in my network again.

What the hell happenned ? WPA2 is almost impossible to crack, right ?