Author Topic: Need Help With Network Virus/Exploit  (Read 6978 times)

0 Members and 1 Guest are viewing this topic.

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Need Help With Network Virus/Exploit
« on: October 25, 2019, 06:27:08 AM »
Hi.

I am having issues with my network being hijacked.  I am aware of this as when I log into my email web interface, I get the last login information and it does not match my ISP server or my DNS settings (through my ISP) when I am connected through my TP-Link Archer c3200 WiFi Router.

As you can see from the 2 screenshots attached; one shows the correct information when I hard line directly to my ISP provided Fiber gateway (MY IP.utopia.xmission.net), the second shows the address I am being re-directed through when I am connected to my router (e221*DOT*mailout*DOT*ekwin*DOT*twelvehorses*DOT*com).

I get the same result from any computer or device attached to my router (as far as being redirected).  This lets me know that the redirect is coming through my router as one of those devices is my phone and it shows the proper IP info when not using the router.  I only get redirected through the suspicious IP/URL when connected to my router.

I do have another router I can try to see if its my current router as well as let me factory reset it.  I thought Id come here also as this is not the average style of virus/exploit.

Does anyone know of this URL 'twelvehorses*DOT*com'?  I cant find anything other than the WHOIS which also shows they have another URL out of Denmark I think 'twelvehorses*DOT*de'.

How do I get things under control, as I dont believe its coming from my Avast protected devices being infected?

Note:  Replaced part of the suspicious URL characters with *DOT* so others dont accidentally click or copy to a illicit URL site.
« Last Edit: October 25, 2019, 07:20:47 AM by SkilletSkool »

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #1 on: October 26, 2019, 12:38:05 AM »
I have tried resetting the router as well as re-applying its firmware.  I a also working through their support and my ISP's as this is very odd.  So far no one knows why I would be getting the last known login location as the 'twelvehorses' bit (no pun intended but funny).

I can find info through like LinkedIn and a couple of other social sites yet the website given is an HTTP website and not an HTTPS website; which strikes even further concern.  When I tried to go to the website, nothing at all loads either (did through InPrivate browsing on a device not connected to my network).

Does anyone know about this twelvehorses company/URL?

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Need Help With Network Virus/Exploit
« Reply #2 on: October 26, 2019, 01:57:52 AM »
« Last Edit: October 26, 2019, 02:01:02 AM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #3 on: October 26, 2019, 07:39:55 AM »
Yes they are separate issues...

No, I am not in Germany.  I am in the United States and I am not using any VPN.

I will run the scans but the info and checking I have already done state that the issue is within my router, not any of my machines.  Please re-read the OP.

Again, I will do these tests on both the PC's but they cant be done on my phone which shows the same issue only when connected to my router.  If it was on my machines then changing to a direct connection to the gateway and removing the router shouldn't affect the outcome occurring.
« Last Edit: October 26, 2019, 08:01:46 AM by SkilletSkool »

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #4 on: October 26, 2019, 08:08:53 AM »
I'm assuming this thread and your other one are seperate from each other? >> https://forum.avast.com/index.php?topic=230202.msg1524178#msg1524178

Follow the instructions here please >> https://forum.avast.com/index.php?topic=194892.0


I have ran the logs.

I did want to clarify that this is not about the DEEPTEEP virus I already know is infecting my friends machine as it is in the installed apps/programs list. 

Here are the results pertaining to this separate occurrence, not the DEEPTEEP virus

MB shows no infections and I am guessing the log of FRST also shows the same.  I already know the infection is not on my machines because it also happens on my phone when I connect my phone to the router.

But here are the results anyhow... I am needing something to dig very deep into my router as that's where the exploit is occurring and where I get redirected through 'twlevehorses'.

I know its complicated and doesn't make sense and the details sound like something that cant happen as far as we know, but at a time BIOS virus, DNS changers, and rootkits were viewed as impossible too.

I look forward to some extensive diagnosing of this.  Enjoy :D

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #5 on: October 26, 2019, 08:13:38 AM »
A little bit off topic... but still kind of on topic.

If Bleeping Computer were ever attacked and compromised, a hacker could easily replace the Farbar Recovery Scan Tool with an illicit version and it would be sometime before anyone became the wiser as it is not digitally signed by a publisher. 

This has happened on GitHub but the persons had a valid cert so when it was replaced it was easy to know since Windows gave a warning that the illicit version was not signed.  I hope that whoever is the creator of the Farbar Recovery Scan Tool understands this and backs up their tool by getting it a valid certificate.

Again... these tools make a person nervous who gets things like this.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Need Help With Network Virus/Exploit
« Reply #6 on: October 26, 2019, 07:28:40 PM »
I mean - CCleaner was attacked, and replaced, and it wasn't noticed until Talos (Cisco) stepped in. (I'd also note that Avast! owns Piriform, the developers of CCleaner.)

Farbar (the creator) is active on G2G if you'd like to report your concerns. >> http://www.geekstogo.com/forum/user/329828-farbar/ It's also worth noting that digital certs aren't the only way of verifying a programs authenticity. (Though, to be fair, Farbar doesn't post hashes of his program either...)

I will PM Sass Drake.

Edit: Sass Drake >> https://community.tp-link.com/us/home/forum/topic/174352
« Last Edit: October 26, 2019, 07:40:35 PM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #7 on: October 27, 2019, 12:34:05 AM »
I mean - CCleaner was attacked, and replaced, and it wasn't noticed until Talos (Cisco) stepped in. (I'd also note that Avast! owns Piriform, the developers of CCleaner.)

Farbar (the creator) is active on G2G if you'd like to report your concerns. >> http://www.geekstogo.com/forum/user/329828-farbar/ It's also worth noting that digital certs aren't the only way of verifying a programs authenticity. (Though, to be fair, Farbar doesn't post hashes of his program either...)

I will PM Sass Drake.

Edit: Sass Drake >> https://community.tp-link.com/us/home/forum/topic/174352

I am not overly concerned, yet its a good thing to have a valid cert these days so that users know the software they downloaded is by the author/publisher and not some illicit replacement version.

With that said...



So I did some further testing which most assuredly point to my TP-Link C3200 router being exploited with something odd and unknown.

I switched to another router I have that is also TP-Link and now I am getting the correct info as far as the last login location.  Then I went back to the suspect router and sure enough, I'm back to 'twelvehorses' as my last location.  You can see in the screenshot what the new router reported (which is correct minus my public IP blanked out) and then what happens when I go back to the old router.

I know Avast is mainly device protection.  I know Avast doesn't do support for TP-Link routers.  Yet my confidence in Avast and the support here on the forums is why I am asking for more help to figure out how this exploit is even happening when 'tracert' and tools that show my IP address report things as they should yet when connected to the C3200 I also get the strange last login location. 

I believe a concerted effort will end up with the best results.  Something is going on and I'd like to help TP-Link uncover it as well as let Avast help for their own 'street cred'.

So... where do we go from here?

EDIT:  Just wanted to add that the C1200 router was set up with the exact same protocols as the C3200; IE DDOS protection, WPA protection, Manual DNS, etc.
« Last Edit: October 27, 2019, 12:46:19 AM by SkilletSkool »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Need Help With Network Virus/Exploit
« Reply #8 on: October 27, 2019, 01:32:54 AM »
I mean - CCleaner was attacked, and replaced, and it wasn't noticed until Talos (Cisco) stepped in. (I'd also note that Avast! owns Piriform, the developers of CCleaner.)

Farbar (the creator) is active on G2G if you'd like to report your concerns. >> http://www.geekstogo.com/forum/user/329828-farbar/ It's also worth noting that digital certs aren't the only way of verifying a programs authenticity. (Though, to be fair, Farbar doesn't post hashes of his program either...)

I will PM Sass Drake.

Edit: Sass Drake >> https://community.tp-link.com/us/home/forum/topic/174352

I am not overly concerned, yet its a good thing to have a valid cert these days so that users know the software they downloaded is by the author/publisher and not some illicit replacement version.

With that said...



So I did some further testing which most assuredly point to my TP-Link C3200 router being exploited with something odd and unknown.

I switched to another router I have that is also TP-Link and now I am getting the correct info as far as the last login location.  Then I went back to the suspect router and sure enough, I'm back to 'twelvehorses' as my last location.  You can see in the screenshot what the new router reported (which is correct minus my public IP blanked out) and then what happens when I go back to the old router.

I know Avast is mainly device protection.  I know Avast doesn't do support for TP-Link routers.  Yet my confidence in Avast and the support here on the forums is why I am asking for more help to figure out how this exploit is even happening when 'tracert' and tools that show my IP address report things as they should yet when connected to the C3200 I also get the strange last login location. 

I believe a concerted effort will end up with the best results.  Something is going on and I'd like to help TP-Link uncover it as well as let Avast help for their own 'street cred'.

So... where do we go from here?

EDIT:  Just wanted to add that the C1200 router was set up with the exact same protocols as the C3200; IE DDOS protection, WPA protection, Manual DNS, etc.

To address your concerns about users knowing a genuine author from an illict one, many (and I do mean MANY) would not know any form of difference between a signed piece and unsigned. And even when Microsoft alerts them, they typically hit "Yes"/"OK"/"Ignore Warning" anyways. If they don't, they relaunch the program, and end up hitting "Yes"/"OK"/"Ignore Warning" because of the need to install. The average user is not educated enough to know that.

Why are you implementing DDoS protection? It is extremely unlikely that you will be DDoS'd off the internet for general usage. WPA (and given the lack of specification, I'm assuming you're using WPA1 here) is vulnerable (on TKIP). WPA1 was designed as a stop gap measure to WEP attacks. Switch to WPA2 (AES) with a secure passphrase.

aircrack article >> http://dl.aircrack-ng.org/breakingwepandwpa.pdf
Aruba Article >> https://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/TKIP-Vulnerabilities/ta-p/25384

Factory Settings >> https://www.tp-link.com/ca/support/faq/497/?utm_medium=select-local

Given your concern about a compromised router, I'd be opting for a hardware reset then through the management console.

Sass Drake will likely check your FRST logs tomorrow.

VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #9 on: October 27, 2019, 04:26:26 AM »


Why are you implementing DDoS protection? It is extremely unlikely that you will be DDoS'd off the internet for general usage. WPA (and given the lack of specification, I'm assuming you're using WPA1 here) is vulnerable (on TKIP). WPA1 was designed as a stop gap measure to WEP attacks. Switch to WPA2 (AES) with a secure passphrase.

Given your concern about a compromised router, I'd be opting for a hardware reset then through the management console.


Ive had issues in the past.  I get kinda 'noisy' in social media influencing and activism.  Probably why Im dealing with this unique exploit on my router right now.

Im pretty up to date on things.  Of course I use WPA2.  Also hide my SSID to help protect against neighborhood leeching... here in my neighborhood its a big thing too.  I learned a lot working in ISMO (Information Services Management Office) for the USMC and so I know how to lock things down pretty well, even past what is probably needed but it never affects my throughput or connectivity.

The University I live close to has one of the best IT departments in the US.  A couple years ago the sophomores from UVU beat MIT graduate students in a hackathon, so I'm just say'n there is a lot of knowledge in and around my neighborhood.  Plus, people can get tools to hack WPA2 without even having to go 'darkweb' these days and if they usually only go for networks they can see unless they are a super black hat type of person. 

Im super stoked for the new WiFi6 gen of routers for their advances on protecting wifi traffic.

I know, I know... with all dat I should be also VPN but I get a Gig fiber here and VPN usually slows that down to at least half as most just aren't set up for a full Gig down AND up stream.  That's part of why I lock my router down so much so not using a VPN isn't that big a deal.  Plus my provider, XMission, does a good job at protecting their customers.

Also, I am not a typical user who just hits accept or allow without knowing why.

I have also done a full factory reset on the c3200 as well as a 30/30/30 reset for the fun of it (even though that's mainly a Netgear and D-Link issue for 3rd party DDWRT and Tomato... never done any of that though).  Soon as I got back up, my internet went live then dropped then back on and sure enough I was back to the 12 horsies issue :P

I really do want to nail this exploit down though and I would love, if we do, to give Avast community props in it all for the help.

Next to my ISP, Avast is the next best business model I know of.  They are no XMission, but they are above most the rest.



Off topic, here is a video of the CEO of XMission at an OpenWest conference on security and user protection if you want to read about a top notch company!

https://www.youtube.com/watch?v=tl3muxsiSP0
« Last Edit: October 27, 2019, 05:04:30 AM by SkilletSkool »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Need Help With Network Virus/Exploit
« Reply #10 on: October 27, 2019, 05:57:04 AM »


Why are you implementing DDoS protection? It is extremely unlikely that you will be DDoS'd off the internet for general usage. WPA (and given the lack of specification, I'm assuming you're using WPA1 here) is vulnerable (on TKIP). WPA1 was designed as a stop gap measure to WEP attacks. Switch to WPA2 (AES) with a secure passphrase.

Given your concern about a compromised router, I'd be opting for a hardware reset then through the management console.


Ive had issues in the past.  I get kinda 'noisy' in social media influencing and activism.  Probably why Im dealing with this unique exploit on my router right now.

Im pretty up to date on things.  Of course I use WPA2.  Also hide my SSID to help protect against neighborhood leeching... here in my neighborhood its a big thing too.  I learned a lot working in ISMO (Information Services Management Office) for the USMC and so I know how to lock things down pretty well, even past what is probably needed but it never affects my throughput or connectivity.

The University I live close to has one of the best IT departments in the US.  A couple years ago the sophomores from UVU beat MIT graduate students in a hackathon, so I'm just say'n there is a lot of knowledge in and around my neighborhood.  Plus, people can get tools to hack WPA2 without even having to go 'darkweb' these days and if they usually only go for networks they can see unless they are a super black hat type of person. 

Im super stoked for the new WiFi6 gen of routers for their advances on protecting wifi traffic.

I know, I know... with all dat I should be also VPN but I get a Gig fiber here and VPN usually slows that down to at least half as most just aren't set up for a full Gig down AND up stream.  That's part of why I lock my router down so much so not using a VPN isn't that big a deal.  Plus my provider, XMission, does a good job at protecting their customers.

Also, I am not a typical user who just hits accept or allow without knowing why.

I have also done a full factory reset on the c3200 as well as a 30/30/30 reset for the fun of it (even though that's mainly a Netgear and D-Link issue for 3rd party DDWRT and Tomato... never done any of that though).  Soon as I got back up, my internet went live then dropped then back on and sure enough I was back to the 12 horsies issue :P

I really do want to nail this exploit down though and I would love, if we do, to give Avast community props in it all for the help.

Next to my ISP, Avast is the next best business model I know of.  They are no XMission, but they are above most the rest.



Off topic, here is a video of the CEO of XMission at an OpenWest conference on security and user protection if you want to read about a top notch company!

https://www.youtube.com/watch?v=tl3muxsiSP0

Edit: I meant to address WPA2 hacking. It's very, very difficult to break WPA2 (AES). The only way I'm aware of is running dictionary/bruteforce/Social Engineering (Evil Twin) attacks on it. Alternatives do exist (KRACK attack), but to my knowledge, only affect Linux and Android devices.

======================================================================

Well, looking at twelvehorses(dot)com's source code, reveals sedoparking(dot)com.

Code: [Select]
'src="//sedoparking.com/frmpark/'
                            + window.location.host + '/'
                            + 'IONOSParkingUS'
                            + '/park.js">'

* Where window.location.host is "twelvehorses.com"
// is the short form of hxxps://sedoparking.com/frmpark/

The fully constructed URL is hxxp://sedoparking.com/frmpark/twelvehorses.com/IONOSParkingUS/park.js

Code: [Select]
    var google_afd_request = {"client":"ca-dp-sedo89_3ph","drid":"as-drid-2638193593145307","domain_name":"twelvehorses.com","session_token":"create"};
    var setup = {
        domain : 'twelvehorses.com',
        registrar : 'IONOSParkingUS',
    };    function google_afd_ad_request_done( google_afd_response ) {

        if( typeof(google_afd_response.session_token) == 'undefined' ){
           google_afd_response.session_token = '';
        }

        loadContentFrame( google_afd_response.session_token );
    }

    document.write(
        '<script type="text/javascript" language="JavaScript" ' +
        'src="http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"><\/script>' );

    function loadContentFrame( session_token ){

        var contentFrame = document.createElement('iframe');
        contentFrame.setAttribute( 'src',
                'http://sedoparking.com/search/registrar.php'+
                '?domain=' + setup.domain +
                '&rpv=2' +
                '&registrar=' + setup.registrar +
                '&gst=' + session_token +
                '&ref=' + document.referrer +
                ''
        );

        contentFrame.setAttribute('name', 'regpark' );
       
       
        contentFrame.setAttribute('frameBorder', '0' );

        var contentContainer = document.getElementById("partner");
        if( typeof(contentContainer) == 'undefined' ){
            contentContainer = document.createElement('div');
            contentContainer.setAttribute('id', 'partner');
        }

        contentContainer.appendChild( contentFrame );
    }

It's currently 1:30AM here, and I don't feel like firing KALI VM's up and running Burpsuite, so I cheated.

Code: [Select]
hxxp://sedoparking.com/search/registrar.php?domain=twelvehorses.com&rpv=2&registrar=IONOSParkingUSIONOSParkingUS&gst=X&ref=X

That reveals that twelvehorses(dot)com is a parked domain.

Read the little splurge about "Parked Domains"
Code: [Select]
<div class="row marketing">
        <h4 class="col-xs-12">What Is Domain Parking?</h4>
        <div class="col-xs-7">
            <p>
                Domain Parking is a simple way to earn money from your domains'
                natural traffic. If you have registered domain names, but they
                are not currently being used, then domain parking is a great way
                to put those domains to work, earning you revenue.
            </p>
            <p>
                You can make money without even lifting a finger! The idle
                domain is used to display relevant advertisements -every time a
                consumer clicks on one of the advertisements, you earn money.
            </p>

What's interesting is that I cannot get the e221.* domain to actually resolve.

A ping nmap scan of twelvehorses(dot)com reveals ports 80, 81, 443
Code: [Select]
nmap -p- -v twelvehorses.com

Port 81 is atypical... Try it? Oh, it's a login screen. Scan it. *Note: Scanning domains may or may not be legal depending on your location. DO NOT RUN THESE SCANS. AGGRESSIVE SCANNING MAY CRASH DOMAINS!!

Code: [Select]
nmap -sC -sV -p T:81 -T5 -A -v --script vuln twelvehorses.com

Not much there >>

Code: [Select]
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-27 01:44 Atlantic Daylight Time

NSE: Loaded 145 scripts for scanning.

NSE: Script Pre-scanning.

Initiating NSE at 01:44

NSE Timing: About 50.00% done; ETC: 01:45 (0:00:31 remaining)

Completed NSE at 01:45, 34.01s elapsed

Initiating NSE at 01:45

Completed NSE at 01:45, 0.00s elapsed

Pre-scan script results:

| broadcast-avahi-dos:

|   Discovered hosts:

|     224.0.0.251

|   After NULL UDP avahi packet DoS (CVE-2011-1002).

|_  Hosts are all up (not vulnerable).

Initiating Ping Scan at 01:45

Scanning twelvehorses.com (74.208.236.207) [4 ports]

Completed Ping Scan at 01:45, 0.96s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 01:45

Completed Parallel DNS resolution of 1 host. at 01:45, 0.21s elapsed

Initiating SYN Stealth Scan at 01:45

Scanning twelvehorses.com (74.208.236.207) [1 port]

Discovered open port 81/tcp on 74.208.236.207

Completed SYN Stealth Scan at 01:45, 0.05s elapsed (1 total ports)

Initiating Service scan at 01:45

Scanning 1 service on twelvehorses.com (74.208.236.207)

Completed Service scan at 01:45, 6.11s elapsed (1 service on 1 host)

Initiating OS detection (try #1) against twelvehorses.com (74.208.236.207)

Retrying OS detection (try #2) against twelvehorses.com (74.208.236.207)

Initiating Traceroute at 01:45

Completed Traceroute at 01:45, 0.07s elapsed

Initiating Parallel DNS resolution of 14 hosts. at 01:45

Completed Parallel DNS resolution of 14 hosts. at 01:45, 0.25s elapsed

NSE: Script scanning 74.208.236.207.

Initiating NSE at 01:45

Completed NSE at 01:47, 113.01s elapsed

Initiating NSE at 01:47

Completed NSE at 01:47, 0.00s elapsed

Nmap scan report for twelvehorses.com (74.208.236.207)

Host is up (0.048s latency).

rDNS record for 74.208.236.207: 74-208-236-207.elastic-ssl.ui-r.com



PORT   STATE SERVICE VERSION

81/tcp open  http    nginx

|_http-csrf: Couldn't find any CSRF vulnerabilities.

|_http-dombased-xss: Couldn't find any DOM based XSS.

|_http-iis-webdav-vuln: Could not determine vulnerability, since root folder is password protected

| http-server-header:

|   Apache

|_  nginx

|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: general purpose|media device|specialized|storage-misc

Running (JUST GUESSING): Linux 3.X|4.X (91%), Netgem embedded (89%), Crestron 2-Series (87%), HP embedded (85%), Oracle VM Server 3.X (85%)

OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/h:netgem:n7700 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:oracle:vm_server:3.4.2 cpe:/o:linux:linux_kernel:4.1

Aggressive OS guesses: Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%), Netgem N7700 set-top box (89%), Linux 3.18 (87%), Crestron XPanel control system (87%), Linux 3.16 (86%), Linux 3.13 or 4.2 (85%), HP P2000 G3 NAS device (85%), Oracle VM Server 3.4.2 (Linux 4.1) (85%)

No exact OS matches for host (test conditions non-ideal).

Uptime guess: 8.374 days (since Fri Oct 18 16:49:32 2019)

Network Distance: 14 hops

TCP Sequence Prediction: Difficulty=262 (Good luck!)

IP ID Sequence Generation: All zeros

<Traceroute Removed>

Basically, twelvehorses.com is a parked domain. I have zero idea what it *should* be pointing to, but it's not currently pointing to anything I can find. I've also DM'd polonus, who happens to know a shit load more then I do regarding domains.
« Last Edit: October 27, 2019, 06:07:08 AM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #11 on: October 27, 2019, 06:14:11 AM »
WOW!  That is a ton of great stuff! 

Thanks for all your help!!!

I run a web hosting company, or trying to get one off the ground at least, so I am fully aware of what a parked domain is.  12 Horses is not one of the domains I handle either.  I dont know why my router would be pointing to a parked domain unless its part of something maybe unknown right now as far as exploitation goes.  Maybe they park it and watch IP traffic to intercept. 

Again, I dunno I just know this is very odd in the way my ISP reports it vs regular tools and 'tracert' commands.  It wouldn't be the first time I was hit with an unknown variant/exploitation.

As I stated before, it wasn't that long ago that things like BIOS hijacking (which Dell now has a service to protect from), non-click DNS changers (Operation Ghost Click https://www.fbi.gov/news/stories/international-cyber-ring-that-infected-millions-of-computers-dismantled ), and other such things were called impossible.

"A thing is only impossible until someone does it." - Patrick Stewart as Captain Pickard.  In todays cyber-exploitation world that happens quicker than we are keeping up with.

Maybe Polunus will be able to add some more helpful info too or dig past what most normally think isn't possible.

If this can help TP-Link, then all the better!
« Last Edit: October 27, 2019, 06:15:56 AM by SkilletSkool »

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33990
  • malware fighter
Re: Need Help With Network Virus/Exploit
« Reply #12 on: October 27, 2019, 12:54:34 PM »
Website scan fail: https://sitecheck.sucuri.net/results/twelvehorses.com
See: https://toolbar.netcraft.com/site_report?url=http://twelvehorses.com
See: https://www.shodan.io/host/74.208.236.207
Going to look here: Link: <hxtps://galtmedical.com/wp-json/>; rel="https://api.w.org/"
with an Outdated Word Press version, update a.s.a.p.
User Enumeration
  The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   galtadmin   galtadmin
2   LeAnne Williams   beacon
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

 Only the first two user ID's were tested with this scan, try the advanced membership options for detailed enumeration of users, themes and plugins.
Back to IP relations:
See malware coming from that IP address: https://www.virustotal.com/gui/ip-address/74.208.236.207/relations

See last DNS records -> https://www.virustotal.com/gui/domain/twelvehorses.com/details

Finally getting at the nitty gritty herehttps://www.virustotal.com/gui/domain/twelvehorses.com/relations
Infested:
hxtp://twelvehorses.com/mm/Clickthrough/23317062/27021558/23333143/uBn6_sdjVJ8Dmr08mYuLuACBQH4A/*http:/www.tesco.ie/register/unsubscribe.asp  see also the communicating flle detections there.

Domain health report: https://mxtoolbox.com/domain/twelvehorses.com/
Waits for some action from the website admin and the hosting staff.

polonus (3rd party cold reconnaissance website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: Need Help With Network Virus/Exploit
« Reply #13 on: October 27, 2019, 07:00:21 PM »
I don't see anything malicious in FRST logs. Can you check configured TP Link hostname?

Offline SkilletSkool

  • Jr. Member
  • **
  • Posts: 50
Re: Need Help With Network Virus/Exploit
« Reply #14 on: October 27, 2019, 11:21:22 PM »
Man...

I think all the work you super awesome people have been doing has causes some alarm with who ever is behind it.

I went to answer Saas Drake's question and tried to log into my router just to insure I was giving the correct information but it wouldn't let me log in.  I kept getting '500 Internal Server Error' (see screenshot 1) page, yet last night I had no issues logging into it from this device.

In an effort to make sure I was using the correct Default Gateway IP, I did a config /all form a CMD and it was correct.  I tried again using the copied/paste IP from the ipconfig results just in case my fingers were being weird on me.  Still the sever error.

I did a full reset on the router to factory defaults by using the reset button on the back of the router and tried to log in through LAN cable with 192.168.0.1 and still got the error.  Checked ipconfig /all again.  And it was the correct default gateway.

Used a 2nd offline computer to log in and it let me log in finally so I logged out and tried the first computer and once again the Internal server error.

Hooked back up to the 2nd computer, logged in and set up my normal custom settings without changing anything from what it was before.  Now I can log in from the first computer again.

Very odd.... I think we are on to something  :-X
« Last Edit: October 27, 2019, 11:33:13 PM by SkilletSkool »