
Virus attack attempt on dad's PC via his IP address: is the router at risk, and other PCs on that router? Any way to prevent it? All help appreciated!

SpitfiremkII

So my dad got a warning message from Kaspersky saying someone was trying to get into his computer. He ignored it at first, thinking it was a small thing, but then Kaspersky started spamming him with warnings to shut off the computer. He ended up pulling the power and LAN cable from his computer, isolating it. I am a bit worried for my PC, as I am a student and have worked my ass off for over a year to afford the $2000 rig I am running today, and would get crazy mad if someone took control over it. My dad owns a company, so a lot of customers' information is at risk, hence why he is getting a new PC to be fully sure to keep that safe. My questions are: Is the router at risk (all PCs in my home are connected to our router via cable), and if so, would they be affected? And is there any way to prevent this from happening again, or to get a hold of the people that did it? (Kaspersky gave my dad an origin IP address, but that's probably just a fake.)

 

Thanks a LOT for any type of help as I really need it.


Well, first of all, I don't know about Kaspersky specifically, but Avast likes to spam warning messages to promote its premium features, for example: Oh My God, hackers are going to get you, buy our premium protection because they are breaking in right now.

 

But if it's actually a serious warning, there is not much you can do without extensive knowledge. If you are tech savvy: get Kali Linux, scan your network, close all open ports that are not necessary, set up your firewall properly to block and detect malicious connections, keep your software up to date so you are not susceptible to any exploits, and get some sort of packet sniffer that will help you detect if someone connects to your network. Also, if you are very scared, you can set up multiple layers of firewall: one on the router (get a good router), and another on each PC individually. If the PC is mostly used for the company, block anything that isn't a must and you should be safe.
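The "close all open ports that are not necessary" step above starts with an inventory of what is actually listening, and on which address. The following is an added example, not code from this thread or from any of the tools named in it: it parses `ss -tulnp` output (the sample output embedded below is constructed, and the allowlist of "needed" ports is an assumption you replace with your own) and reports every socket bound to a non-loopback address, i.e. the ones another host on the LAN, or the internet if the router forwards or UPnP-opens the port, could reach.

```python
"""List listening sockets reachable from other hosts, from `ss -tulnp` output.

Added example (not from the original thread). The sample output below is
constructed; the set of ports you consider necessary is an assumption you
replace with your own.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `ss -tulnp` output on a Linux host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*         users:(("avahi-daemon",pid=701,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=845,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=1203,fd=33))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=845,fd=4))
tcp   LISTEN 0      100    192.168.1.20:3389   0.0.0.0:*         users:(("xrdp",pid=1500,fd=11))
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        """True if hosts other than this machine can reach the socket.

        Wildcard binds (0.0.0.0, ::, *) and any non-loopback address count as
        exposed. Whether the internet can reach it additionally depends on the
        router's NAT/port-forwarding and UPnP settings, which this does not see.
        """
        if self.addr in ("*", "0.0.0.0", "::"):
            return True
        try:
            return not ipaddress.ip_address(self.addr).is_loopback
        except ValueError:          # unparsable address: assume the worst
            return True


def split_local(field: str) -> tuple[str, int]:
    """Split 'addr:port' as printed by ss, handling '[::]:22' and '127.0.0.53%lo:53'."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def parse_ss(text: str) -> list[Listener]:
    listeners = []
    for line in text.splitlines()[1:]:        # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, _state, _rq, _sq, local, _peer = parts[:6]
        match = PROCESS_RE.search(line)
        addr, port = split_local(local)
        listeners.append(Listener(proto, addr, port, match.group(1) if match else "?"))
    return listeners


def exposed_listeners(text: str) -> list[Listener]:
    return [l for l in parse_ss(text) if l.exposed]


def candidates_to_close(text: str, needed_ports: set[int]) -> list[tuple[str, int, str]]:
    """Exposed sockets whose port is not on the allowlist: stop the service or firewall it."""
    return sorted({(l.proto, l.port, l.process) for l in exposed_listeners(text)
                   if l.port not in needed_ports})


if __name__ == "__main__":
    # Assumption: SSH is the only service this host should offer to the LAN.
    for proto, port, proc in candidates_to_close(SAMPLE_SS_OUTPUT, needed_ports={22}):
        print(f"{proto}/{port:<5} {proc}")
```

On the constructed sample this flags SMB (445), RDP (3389) and mDNS (5353) as exposed and not on the allowlist, while CUPS and the stub resolver on loopback are ignored. On a Windows machine the equivalent raw data comes from `netstat -ano` or PowerShell's `Get-NetTCPConnection -State Listen`; the parser here targets the Linux `ss` column layout, so that output would need its own column mapping.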


If I had to throw a wild guess out there I'd say he clicked on a link in a spam e-mail that installed something in the background. Does the business host any websites on this network? Has any Port Forwarding been done?

 

The problem here is it's hard to say, without knowing exactly what it was, whether or not other machines on the network are at risk. Worms infect networks and can spread to other clients. Most spyware, malware, viruses, or ransomware are usually targeted at a single client, but network-wide infection is possible.

 

You can run some scans on your computer with your choice of anti-virus/malware/spyware to investigate if something got installed. It's not guaranteed that you'll find it if something is there but it's better than not acting at all.

 

What's important is that he isolated it from the network. If you leave it off the network, I would run a series of scans on the HDDs in the system and see what they come up with. Ultimately, if he doesn't have anything important on his boot drive, nuking the install and re-installing the OS is overwhelmingly the most effective/cost-saving option. There is such a thing as firmware-level viruses, but they're not as common. Buying a whole new computer is overkill.


4 minutes ago, DemiGod said:

Well, first of all, I don't know about Kaspersky specifically, but Avast likes to spam warning messages to promote its premium features [...]

Thanks a LOT, I will read more on this to try and set up some safety networks. Btw, he has the premium version of Kaspersky and has been using it for years, so it's a serious message.


6 minutes ago, Windows7ge said:

If I had to throw a wild guess out there I'd say he clicked on a link in a spam e-mail that installed something in the background. [...] Buying a whole new computer is overkill.

Thing is, I formulated it kinda wrong: there is nothing on his PC now, and my dad is fully aware of suspicious links and is extremely careful. The problem is that someone has found his IP and open ports. Kaspersky was currently blocking them from entering his PC but warned him because it didn't know if it could keep them away. Wiping the PC wouldn't do anything because they still have his IP and port information. For him it's better to buy a new PC; if his customers' info leaks out, the company will probably shut down. Will scan systems in the network though.

Thanks anyway.


4 minutes ago, SpitfiremkII said:

The problem is that someone has found his IP and open ports. Kaspersky was currently blocking them from entering his PC but warned him because it didn't know if it could keep them away. [...]

This is where things are still very unknown and can be difficult to situate. The anti-virus didn't give any information as to what the attack was. Or did it?

 

And his IP here is irrelevant. Your router hosts a DHCP server for both IPv4 & IPv6. Unless he set up a static IP and port forwarded his computer, his computer's IP is subject to change when the lease expires. What you want to worry about is your router's public IP. If an attacker is actively targeting you, that IP doesn't frequently change (although it can at the whim of your ISP).

 

If the machine doesn't contain anything important, power it back on but leave it disconnected from the network. Run Kaspersky, run Malwarebytes Anti-Malware, run Avast Free Antivirus; if everything comes back with no results, it sounds more likely it was either (a) a fluke or (b) a failed attack where someone was in the middle of trying to gain access.

 

Does he remote into work? Does he use his computer as a thin client? It's possible the company doesn't use the most secure remote access software.


2 hours ago, Windows7ge said:

The anti-virus didn't give any information as to what the attack was. Or did it? [...] Does he remote into work? Does he use his computer as a thin client?

Kaspersky did give an IP address where the attack originated from. However, that is most likely a fake IP used by the attacker. He does not remote into work or use his PC as a thin client. He told me the systems in our network keep their IP, for example my PC. He is going to reboot our router, which will give it a new IP address from our provider, and he has already scanned the PC for malware.

 

Thanks for the help!


5 minutes ago, SpitfiremkII said:

Kaspersky did give an IP address where the attack originated from. However, that is most likely a fake IP used by the attacker. [...] He is going to reboot our router, which will give it a new IP address from our provider [...]

Ah, you had me confused. I thought you were referring to your dad's IP. Any hacker worth their salt would proxy or otherwise VPN their connection, so it's not particularly likely you're going to track it backwards without people who do that for a living.

 

Rebooting the router isn't going to change your Public IP. It doesn't work like that. You'd have to call them and request it be changed.

 

If you don't have any ports open, exposed IoT devices using UPnP, or anyone opening a sketchy e-mail or visiting a sketchy site, it's unlikely this was a random attack and more likely you were targeted specifically. Where to go from here depends on if it happens again. There's not much you can do right now besides tighten security and possibly see where the attack originated from.


20 minutes ago, Windows7ge said:

Ah, you had me confused. I thought you were referring to your dad's IP. [...] Rebooting the router isn't going to change your public IP. [...]

I don't think you misunderstood, I'm just bad at formulating myself. Someone got hold of Dad's IP address and was trying to enter an open port, which Kaspersky stopped them from doing. He knew that Kaspersky wouldn't be able to stop them for long, so that's why we're trying to prevent it. Kaspersky did give an IP address where the attack was created. I never wanted to backtrack their IP, as I know how hard that is.

Or maybe I misunderstood you now. 

 

We will try and change our public IP and we'll stand by.

You have been a massive help so thank you!


56 minutes ago, SpitfiremkII said:

Someone got hold of Dad's IP address and was trying to enter an open port, which Kaspersky stopped them from doing. [...] We will try and change our public IP and we'll stand by.

Eh, lost in interpretation.

 

If he has confidential business or customer records on the network, it's not unknown for a business's course of action to be changing its public IP, but the issue in you doing so is we still don't know how they got in, if there was an attack. So doing so may only put a band-aid on the problem, not fix the cause.

 

You can try it if you're really worried, but if it happens again you'll know it's not an issue you can just run away from. Does he use a VPN for his business work? Might be something to consider.


8 hours ago, Windows7ge said:

[...] So doing so may only put a band-aid on the problem, not fix the cause. [...] Does he use a VPN for his business work? Might be something to consider.

I will talk to him about the public IP when he gets home, as well as suggest a VPN.

Thanks again!


But that is what bad AV like McAfee and, well, of course Kaspersky do.

 

This was a port scan, which you can either silently block, or fearmonger the hell out of a customer with.

You chose McAfee/Kaspersky.

Get a better AV, like Windows Defender.

16 hours ago, Windows7ge said:

You can try it if you're really worried but if it happens again

This was 99.99999% an automated port scan, no one got "hold of his IP address" lol.

 

 

18 hours ago, Windows7ge said:

Rebooting the router isn't going to change your Public IP. 

Depends on the ISP, but usually it does.

 

Can be easily checked with "what is my IP address.com" or something, or even just speedtest.com.

 

 

17 hours ago, SpitfiremkII said:

Kaspersky did give an IP address where the attack was created

The thing is, you can look this IP address up very easily, but it's kinda pointless, so now you would know the bot was in "Russia" (most likely) or something. That doesn't give you any advantage, because these bots change IP address thousands of times a day, and in the end, yes, it's most likely fake and of no use to you whatsoever.

 

 

 



19 minutes ago, Mark Kaine said:

But that is what bad AV like McAfee and, well, of course Kaspersky do. [...] This was 99.99999% an automated port scan, no one got "hold of his IP address" lol.

Although I don't doubt this as a more likely possibility (especially given the broader tech community's opinion of Kaspersky being rather negative), your lack of professionalism here gives us all the reason not to care about your input. Try again when you've matured.


37 minutes ago, Windows7ge said:

Although I don't doubt this as a more likely possibility [...] your lack of professionalism here gives us all the reason not to care about your input.

Well, this *is* the most likely scenario here: port scans are a thing that happen all the time, and McAfee etc. are specifically designed to fearmonger their customers; this is indeed known.

 

And my "professionalism" is kinda irrelevant here (any typos are the fault of this POS Samsung keyboard btw). I was just pointing out some illogical stuff I've noticed, and that this sort of port scan is indeed normal and 99% nothing to worry about, especially when the AV already blocked it.

 

I haven't even pointed out the worst part yet: that apparently OP's gaming PC is on the same network as his dad's business PC? Well, oof, that's a way bigger security risk than some automated port scans, and indeed highly unprofessional, and should be seriously avoided if the PC hosts sensitive customer data.

 

 

Here's some stuff to read up on; they also give some tips for business networks. It's indeed a wide and complicated matter.

https://www.fortinet.com/resources/cyberglossary/what-is-port-scan

 

And here's how to change your "public" IP address... even though it's true this will ultimately depend on the ISP and obviously only works for dynamic IP addresses.

https://www.google.com/amp/s/www.wikihow.com/Acquire-a-New-IP-Address%3famp=1

 

"5 minutes" is a good ballpark, but in my case it's more like 5 seconds; after all, my ISP didn't buy huge amounts of IP addresses for no reason, gotta make good use of them apparently!

 

 

 

 


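The distinction Mark Kaine draws in this post and the previous one, between an automated scan that touches many ports and an attacker working on one specific service, is visible in a plain firewall log, and so is the question that decides whether the alert matters: did any probed port correspond to something actually listening? The following is an added example, not code from this thread or from Kaspersky, whose alert format is not shown here: it parses UFW/iptables-style kernel "BLOCK" lines (the log lines are constructed in that style using RFC 5737 documentation addresses), groups the dropped attempts by source, and classifies each source. The thresholds (10 distinct ports inside 60 seconds for a scan, 20 hits on at most two ports for a retry loop) are assumptions to tune for your own network.

```python
"""Tell an automated port scan from repeated attempts on one service in
firewall drop logs.

Added example, not from the original thread. Log lines are constructed in the
style of UFW/iptables kernel log entries; the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_FMT = ("Jan 15 10:{m:02d}:{s:02d} router kernel: [UFW BLOCK] IN=eth0 OUT= "
            "SRC={src} DST=192.168.1.10 LEN=44 TTL=52 PROTO=TCP SPT={spt} DPT={dpt} SYN")

# Constructed sample (RFC 5737 documentation addresses, not real attackers).
SAMPLE_LOG = (
    # one source touching 12 different ports in 12 seconds
    [LINE_FMT.format(m=0, s=i, src="203.0.113.7", spt=40000 + i, dpt=p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    # one source hitting RDP 25 times in 25 seconds
    + [LINE_FMT.format(m=1, s=i, src="198.51.100.9", spt=51000 + i, dpt=3389)
       for i in range(25)]
    # two stray hits minutes apart
    + [LINE_FMT.format(m=5, s=0, src="192.0.2.33", spt=6000, dpt=23),
       LINE_FMT.format(m=9, s=0, src="192.0.2.33", spt=6001, dpt=80)]
)

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: \[UFW BLOCK\] "
    r".*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_events(lines, year=2024):
    """Return (timestamp, src, proto, dport) per matching line; others are skipped.
    Syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["proto"], int(m["dpt"])))
    return events


def classify_sources(events, window_s=60, scan_ports=10, repeat_hits=20):
    """Group blocked attempts by source and label each source.

    port-scan: many distinct destination ports inside one window.
    repeated-attempts-on-one-service: one or two ports hit many times
        (password guessing or a single-exploit retry loop).
    background-noise: everything else.
    """
    by_src = defaultdict(list)
    for ts, src, _proto, dport in events:
        by_src[src].append((ts, dport))
    verdicts = {}
    for src, hits in by_src.items():
        hits.sort()
        ports = sorted({p for _, p in hits})
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if len(ports) >= scan_ports and span <= window_s:
            verdict = "port-scan"
        elif len(ports) <= 2 and len(hits) >= repeat_hits:
            verdict = "repeated-attempts-on-one-service"
        else:
            verdict = "background-noise"
        verdicts[src] = {"verdict": verdict, "hits": len(hits),
                         "distinct_ports": len(ports), "span_s": span, "ports": ports}
    return verdicts


def ports_that_matter(verdicts, open_ports):
    """Per source, the probed ports that are actually open on the target.

    A scan that finds nothing listening is noise to log and forget; a scan or
    retry loop that lands on an open service is what to follow up on."""
    return {src: sorted(set(v["ports"]) & set(open_ports)) for src, v in verdicts.items()}


if __name__ == "__main__":
    verdicts = classify_sources(parse_events(SAMPLE_LOG))
    for src, v in sorted(verdicts.items()):
        print(f"{src:14} {v['verdict']:34} hits={v['hits']:3} "
              f"ports={v['distinct_ports']:2} span={v['span_s']:.0f}s")
    print(ports_that_matter(verdicts, open_ports={22, 3389}))
```

On the constructed sample, 203.0.113.7 is labelled a port scan, 198.51.100.9 a retry loop against RDP, and 192.0.2.33 noise. With SSH and RDP assumed open on the target, `ports_that_matter` shows the scan found both and the retry loop is aimed at an open service, which is the case that justifies Windows7ge's earlier questions about port forwarding and remote access; had nothing been listening, both sources would reduce to the "silently block" outcome Mark Kaine describes.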
