SRX1173942386ID - Please help as I had a firewall intrusion with multiple kernel.intrusions...


8kin08

Please help as I had a firewall intrusion and my laptop was compromised.

On the 7th of March 2012, I noticed on my HP Pavilion Dv7 31111ea Win 7 64-bit Home Edition, with Kaspersky running (and one USB error on my PC that I cannot find the answer to driver-wise, yet my USB devices work), that something strange happened.

I opened up an Excel/Word document (Word 2007) that acted like a shared file, and asked me if I wanted to open it as read-only or notify the user. I was alone in the house with only my laptop, so I chose read-only of course. I then went straight to the router, wired up to it, and looked at the system security settings. I was on WPA, plus I noticed in the security log files a kernel.intrusion with IP addresses.
Mar 7 21:46:19 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=90.219.105.13 DST=90.219.115.91 [J1] LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=43132 DF PROTO=TCP SPT=22124 DPT=135 WINDOW=60352 RES=0x00 SYN URGP=0
[J1]SKY
Mar 7 22:10:48 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=64.90.38.32 [J1] DST=90.219.115.91 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=28487 PROTO=TCP SPT=10184 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
[J1]USA DREAMSERVERS.CON
Mar 7 22:13:09 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=218.26.223.200 [J1] DST=90.219.115.91 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
[J1]CHINA INTRENT.CX

Mar 7 23:26:03 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=109.108.128.188 [J1] DST=90.219.115.91 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=38642 DF PROTO=TCP SPT=54638 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[J1]UKFAST.NET

Mar 7 23:58:26 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=90.149.138.16 [J1] DST=90.219.115.91 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=3991 DF PROTO=TCP SPT=1849 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
[J1]NORWAY NEXTGENTEL.COM
So I reset the router to factory defaults, yet still had the kernel.intrusions. So the SSID and Network ID were defaulted to what is written on the router box itself. I tried to change the password, yet it said another Administrator was in, and I could not perform the actions. I then left the router console password and username as default, as I could not change them. I eventually got in, and changed the WPA SSID and Network ID so that I felt more secure.

I also have a USB device that is not recognised in the BIOS, and no drivers in Windows Update nor on the HP website fix it for my laptop version above.

I then did a full scan of my system with the Kaspersky latest licensed version, and it found nothing. I then upgraded to the ESET licensed latest version and found 8 threats, and cleaned 4-6 if I remember. So I downloaded Malwarebytes and ran it, and it said nothing.

So I thought that I had solved the problem.

But on the 16th of March 2012, I found that things looked weird with the internet wireless connection, so I rang my broadband provider "Sky Broadband" and spoke to the Technical Support, who were definitely at a good level to help. However they talked me through all of the settings etc. to configure the router, and I could only get online via the cable. I was on the phone with them for 2 hours, and when we reset the router, I looked again at the router console (Sagem router) in the security settings, and again I found that immediately there was a kernel.intrusion from different IP addresses.
Mar 16 21:36:11 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=190.95.87.211 DST=90.213.11.252 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=26093 DF PROTO=TCP SPT=54344 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 16 21:36:14 (none) user.alert kernel:p Intrusion -> IN=ppp_0_38_1 OUT= MAC SRC=190.95.87.211 DST=90.213.11.252 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=26194 DF PROTO=TCP SPT=54344 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
Even after I changed the SSID and Network ID, there were still kernel.intrusions. So I ask myself "What is going on?" "How on earth?"
Anyway, I thought I had locked it down...

Then on Saturday March 17th 2012 at 14:30:00 my password on my laptop (for me as user name "John" with administrator rights) changed! I could not then access my laptop.

So I went into the cmd prompt and unlocked a username and changed my password, and got in.

This was all very disturbing, as my antivirus and firewall did not notice an intrusion. I had Windows Firewall on, and the ESET (previously also Kaspersky) firewall ON.

Anyway I took my laptop to my brother's house (he works for a large server and software company), and he managed to regain my access rights to files and folders, and did a full sweep for viruses and other potential threats lower down than I knew of. Nothing else seemed to be there at a certain level, so we then connected to his wireless internet (he has his network pretty locked down as he is a networking whizz). We logged in via my laptop wireless, and then after we shut down access to the internet, his router password changed, and he could not access it until he reset it while not connected to the internet (which I had not done to mine!)!

What is going on! (The conclusion is that something is up with my laptop!)

Okay, so I decided to remove the hard drive. So now I take my 2.5" 500GB SATA 2 hard drive out of the laptop, and stick it in a cloning device, and do that, so that I can give it to someone to do a full low-level scan, as there is something on there that I am not immediately capable of working out.

Within the BIOS version InsydeH2O the date keeps reverting back to 2009/01/01, and when in Windows the date is the same as the date I disconnected the laptop from the router and turned the router off, on the 19th of March 2012, and headed to my brother's with router and laptop (it is now the 26th of March 2012 and I started to reinstall Windows yesterday, the 25th of March 2012). When I change the settings within Windows and ensure that they are not internet-driven in the advanced section, they still do not hold on reboot, nor does the BIOS.

So I removed the BIOS battery to reset it, and again reset the times to the correct times, also within Windows, and it still sees the date of the 19th of March 2012 at 17:37, again the time I unplugged the router from the wall.

Even on reboot, again the BIOS goes back to 2009/01/01. So I reinstalled Windows to see, formatted the drive fully, and again the same problem. All the drivers do not load up either, including networking, which I thought a little strange as Win 7 64-bit Ultimate Service Pack 1 should have all the drivers necessary for this HP Pavilion Entertainment Dv7 31111ea laptop. So I thought I would update the BIOS and hope to solve the issue, so I re-flashed the BIOS from F.1A to F.1D, the latest version for this HP laptop. Again I reinstalled Windows, and again it did not find all the drivers, and again there was still the USB problem undetected, and still the time keeps defaulting back to the above in both BIOS and Windows. I have a brand new BIOS battery to put in in a minute. Still the date reverts back to the 19th of March 2012 at 17:37... I am going to stick a new battery in now...

My main problem is that I am pretty clued up with computers, and am having some problems, perhaps some low-level programming on hardware or on the low-level system OS. Technically I cannot seem to get it right; however, even visiting 3 laptop specialists in London, they did not know what it was other than suggesting it was a virus. However if it is not visible via a virus checker, and does not prompt that there is a firewall intrusion when this is set on, how is this safe for any user in the world?

Total undetectable intrusion is not something which I or anyone would be interested in. It is like someone walking into your house, rifling through your things, copying your passwords and bank details, while you are not looking and are unaware of it. It is very, very intrusive. I have run Trend Micro HouseCall on the system and still nothing. Yet it did this to my brother's router after all of these precautions. What is it? And can you help?

I have a number of files I can upload of screenshots, which are about 23 MB worth, the laptop itself, and also a bootable cloned copy of the hard drive, should you be interested in finding out a solution.

I have a couple of initial questions on my mind:
  1. Is the IP address 64.4.34.53:443 normal? (I did a lookup at www.ip-lookup.net and it referred me back to your address.)
  2. Why are those IP addresses in the router system security logs pointing to the USA, China and Chile (which I checked out using www.ip-lookup.net)?
  3. Most are internet companies; are they compromised also without knowing, or what is their relationship?
I will be going to the police with my HD, but I wanted a neutral perspective on this intrusion, if it is that. I have not seen any theft from my accounts as of yet; however I do not know which passwords, accounts, usernames or license keys they have got hold of, nor do I know "when" they might do this. I have had to change all my passwords for everything, but am pretty nervous that I may have missed one or two.

Please please can you help me understand what might be going on here?
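The router entries quoted in this post are in the Linux netfilter LOG format: IN=ppp_0_38_1 is the WAN (PPP) side, an empty OUT= means the packet was addressed to the router's own public address (DST=90.219.115.91, later 90.213.11.252) rather than forwarded to a LAN host, and a bare SYN without ACK is a new-connection attempt that nothing on the inside asked for. Questions 1 to 3 above are really about what those fields say. The following parser is an added example, not part of the original post or of any router vendor's software; it reads the lines quoted above (embedded below as a constructed sample with the poster's [J1] annotation markers stripped, and with the "kernel:p" typo of the last entry kept to show the parser copes), tabulates which destination ports were probed and which source repeated, and labels each entry from a defender's point of view. The year 2012 is supplied from the post because syslog timestamps carry none; the port-name table is the usual IANA assignment for those ports.

```python
"""Parse and summarise netfilter 'Intrusion' LOG lines from a home router.

Added example (not from the original post). Answers the defender's questions
about such entries: which ports were probed, which sources repeated, and
whether anything is other than an unsolicited inbound SYN to the WAN address.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the entries quoted in the post, [J1] markers removed.
# The last line keeps the post's "kernel:p" typo and bare "MAC" token on purpose.
SAMPLE_LOG = """\
Mar 7 21:46:19 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=90.219.105.13 DST=90.219.115.91 LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=43132 DF PROTO=TCP SPT=22124 DPT=135 WINDOW=60352 RES=0x00 SYN URGP=0
Mar 7 22:10:48 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=64.90.38.32 DST=90.219.115.91 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=28487 PROTO=TCP SPT=10184 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 7 22:13:09 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=218.26.223.200 DST=90.219.115.91 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 7 23:26:03 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=109.108.128.188 DST=90.219.115.91 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=38642 DF PROTO=TCP SPT=54638 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 7 23:58:26 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=90.149.138.16 DST=90.219.115.91 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=3991 DF PROTO=TCP SPT=1849 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 21:36:11 (none) user.alert kernel: Intrusion -> IN=ppp_0_38_1 OUT= MAC= SRC=190.95.87.211 DST=90.213.11.252 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=26093 DF PROTO=TCP SPT=54344 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 16 21:36:14 (none) user.alert kernel:p Intrusion -> IN=ppp_0_38_1 OUT= MAC SRC=190.95.87.211 DST=90.213.11.252 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=26194 DF PROTO=TCP SPT=54344 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Well-known service names for the probed ports (IANA / common usage).
PORT_NAMES = {22: "ssh", 23: "telnet", 80: "http", 135: "msrpc",
              1433: "ms-sql", 5900: "vnc"}

# "kernel:\S*" tolerates the stray character in "kernel:p"; the rest is key=value.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"kernel:\S*\s*Intrusion\s*->\s*(?P<fields>.*)$")


def parse_line(line, year=2012):
    """Turn one LOG line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = " ".join(m.group("ts").split())  # collapse syslog's padded day field
    rec = {"ts": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
           "flags": set()}
    for tok in m.group("fields").split():
        key, eq, val = tok.partition("=")
        if eq and val:                      # key=value with a value
            rec[key] = int(val) if key in ("SPT", "DPT", "TTL", "LEN") else val
        elif not eq:                        # bare token: DF, SYN, ACK, ...
            rec["flags"].add(tok)
        # "OUT=" / "MAC=" with an empty value are deliberately left unset
    return rec


def parse_log(text, year=2012):
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def classify(rec):
    """A defender's reading of one entry."""
    to_router = rec.get("IN", "").startswith("ppp") and "OUT" not in rec
    syn_only = "SYN" in rec["flags"] and "ACK" not in rec["flags"]
    if to_router and syn_only:
        return "unsolicited inbound SYN to router WAN address"
    if "OUT" in rec:
        return "forwarded packet (check port-forwarding rules)"
    return "other"


def summarize(records):
    by_port = Counter(r["DPT"] for r in records if "DPT" in r)
    by_pair = Counter((r["SRC"], r["DPT"]) for r in records
                      if "SRC" in r and "DPT" in r)
    repeats = sorted((src, dpt, n) for (src, dpt), n in by_pair.items() if n > 1)
    kinds = Counter(classify(r) for r in records)
    return {"by_port": by_port, "repeats": repeats, "kinds": kinds,
            "labels": {p: PORT_NAMES.get(p, "?") for p in by_port}}


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    for port, n in s["by_port"].most_common():
        print(f"port {port:5d} ({s['labels'][port]:7s}) probed {n} time(s)")
    for src, dpt, n in s["repeats"]:
        print(f"repeat: {src} -> port {dpt} x{n}")
    print(dict(s["kinds"]))
```

Run against the sample, every entry classifies as an inbound SYN to the router's WAN address on a commonly probed service port (RPC, SSH, MS-SQL, HTTP, Telnet, VNC), with one source retrying VNC three seconds apart; an entry with OUT= set to a LAN interface, or an ACK flag, would be the thing worth a closer look, because it would mean the router forwarded or answered rather than merely logged.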
