
[HELP!] Having serious attacks, need to have some sort of router logging

iamdarkyoshi

So our mediaserver has been compromised, either by an outside attacker or a local virus. It has since been shutdown.

 

Now, my parents have had their bank account and/or amazon account hacked, and we JUST changed the password. I know that this attack was very unlikely to have been done by any attacks to our local network, but something is seriously wrong here and my dad wants a log of everything that goes in and out of the router. But DD-WRT's "logs" are just current IP addresses being sent/received, with no timestamps, and it does not keep an actual log of this. 

 

We want something that can log web addresses/IP addresses, when and where they are accessed. How can I do this with DD-WRT? Should I set up a PC with a second NIC and make a router out of it? I would like to just use the current router to do this, and if it needs to spit its logs onto a flash drive, it does have a USB port.


1. scan ALL systems for malware including mobile devices

2. Change your IP

3. Change router username/pw

That's that. If you need to get in touch chances are you can find someone that knows me that can get in touch.


1 minute ago, thekeemo said:

1. scan ALL systems for malware including mobile devices

2. Change your IP

3. Change router username/pw

1. Done

2. Not sure if Charter is open on Sundays

3. Done (it was changed by me to something really obscure anyway)


3 minutes ago, iamdarkyoshi said:

1. Done

2. Not sure if Charter is open on Sundays

3. Done (it was changed by me to something really obscure anyway)

Can you not change it yourself by turning your router off for a while or are you on broadband? I know my ISP is open 24/7 anyway. Also set up a firewall and disable all port forwards.

That's that. If you need to get in touch chances are you can find someone that knows me that can get in touch.


Do you have a firewall setup?

This is a laptop, my desktops suck.

Dell XPS 15 9560 | CPU: Core i7 7700HQ | MBD: DELL 05FFDN | GPU: Intel 630 HD + NVIDIA GeForce GTX 1050 | RAM: 2x8GBDDR4 SO-DIMM Micron Tech 1200.5 MHZ 

Display: LQ156D1 [DELL P/N: Y2XND] | NVMe SSD: THNSN5512GPUK NVMe TOSHIBA 512GB | Battery: DELL 5XJ2879

Thunderbolt 3 Dock: IOGEAR GTD733 | Internet: 300 Mbps (Ethernet over TB3 dock)

"I`d rather eat a apple than have one"
 


11 minutes ago, thekeemo said:

Can you not change it yourself by turning your router off for a while or are you on broadband? I know my ISP is open 24/7 anyway. Also set up a firewall and disable all port forwards.

I have tried power cycling our modem, and I never got it to change our IP address. It must change at regular intervals.

 

We do have several port forwards, definitely going to disable those.

9 minutes ago, ZAIN-TECH said:

Do you have a firewall setup?

 

"firewall"

[screenshot: firewall.PNG]


Port forwards do introduce security risks.

 

You should be able to force your WAN IP to change by spoofing your router's MAC address, which usually will get you a new lease from the ISP's DHCP server.

 

This can be done from "Setup" and then "MAC Address Clone" on dd-wrt's web interface.

Byte


1 minute ago, Byte said:

Port forwards do introduce security risks.

 

You should be able to force your WAN IP to change by spoofing your router's MAC address, which usually will get you a new lease from the ISP's DHCP server.

 

This can be done from "Setup" and then "MAC Address Clone" on dd-wrt's web interface.

We did have port forwarding so we could watch plex from outside our network. Guess since the mediaserver is fucked, no sense having it enabled still


Use their website and see if they are open on Sundays https://www.charter.com/browse/content/store-locations-adp#/search


2 minutes ago, iamdarkyoshi said:

We did have port forwarding so we could watch plex from outside our network. Guess since the mediaserver is fucked, no sense having it enabled still

It's possible that was the entry point into your LAN. Have you considered using a firewall on the mediaserver to block everything except certain IP(s) such as a VPN and then use that when you want to connect from outside the network?

 

This can be done easily with iptables on Linux, for example. Windows can also do this with the built-in firewall.

Byte
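The allowlist firewall Byte describes, written out as an added example (not code from the thread): it generates an iptables-restore ruleset for a Linux media server that accepts its service port only from a trusted source such as the VPN's tunnel subnet, and logs every other attempt on that port with a kernel timestamp, which is the kind of dated record the original post asks for. The subnet 10.8.0.0/24 and port 32400 are constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset that
# exposes one TCP service only to a trusted source (e.g. the VPN tunnel subnet)
# and logs, then drops, every other connection attempt on that port.
# 10.8.0.0/24 and 32400 used in the usage line are constructed placeholders.

# Validate an IPv4 address or CIDR prefix (shape check only).
valid_src() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Validate a TCP port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules TRUSTED_SRC PORT -> ruleset on stdout; exit status 1 on bad input.
gen_rules() {
    valid_src "$1" || { echo "bad source: $1" >&2; return 1; }
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections the server itself opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# the media service, reachable only from the trusted source
-A INPUT -p tcp --dport $2 -s $1 -m conntrack --ctstate NEW -j ACCEPT
# everyone else hitting that port is logged (rate-limited) and then dropped
-A INPUT -p tcp --dport $2 -m limit --limit 6/min -j LOG --log-prefix "MEDIA-DENY: "
COMMIT
EOF
}

# Typical use (needs root): review the output, then load it.
#   gen_rules 10.8.0.0/24 32400 > /tmp/media.rules && iptables-restore < /tmp/media.rules
```

The INPUT chain defaults to DROP, so add an ACCEPT for any remote-management port (SSH, RDP) before loading it or you lock yourself out; the "MEDIA-DENY:" entries land in the kernel log (dmesg / syslog) with timestamps.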


1 minute ago, Byte said:

It's possible that was the entry point into your LAN. Have you considered using a firewall on the mediaserver to block everything except certain IP(s) such as a VPN and then use that when you want to connect from outside the network?

 

This can be done easily with iptables on Linux, for example. Windows can also do this with the built-in firewall.

That's a thought. The mediaserver had SO many networking issues (along with like any other issue that could exist) so we kinda were like

"IT'S FINALLY WORKING, SO DON'T TOUCH IT"


Just now, valdyrgramr said:

It's a dead option through a lot of big US ISPs like Charter, Time Warner, and Comcast. They force IPs on you, and the only option is to change the modem or router or whatever. Or, calling them and having them do it.

LOL. Yeah they "force" an IP on you.

 

Anyways, there are several ways to change your IP address as they are normally assigned via DHCP.

 

1. If your router has the option, you can force a DHCP lease renewal. This may or may not change the IP.

2. Disconnect and wait for the DHCP lease to expire on its own. The time this takes depends on the ISP.

3. Call the ISP and ask for them to release the DHCP lease and it should auto renew with a different IP.


Is your router set as NAT? Or does each device have a public IP?


3 minutes ago, iamdarkyoshi said:

That's a thought. The mediaserver had SO many networking issues (along with like any other issue that could exist) so we kinda were like

"IT'S FINALLY WORKING, SO DON'T TOUCH IT"

A media server is not a complex thing to set up. What is your configuration? You may have opened up a bunch of security vulnerabilities in your efforts to get it to work.


1 minute ago, beavo451 said:

A media server is not a complex thing to set up. What is your configuration? You may have opened up a bunch of security vulnerabilities in your efforts to get it to work.

Every reboot, no services would start and my dad had to write a batch script to do something to the network card to make it go online after a reboot. It had been previously shared at my dad's work by a "less tech savvy user" so it's riddled with crap. But it has Photoshop and PowerDirector on it...


I do not use DD-WRT, but you can check this link http://boards.portforward.com/viewtopic.php?t=19176


4 minutes ago, valdyrgramr said:

Well, what I meant is that they try to keep you to the one that was assigned for various reasons. It's not like you can't ask them to renew, as you said. But, you can't use that old IP config trick anymore. There's more to it now, and you need the ISP, usually/not always, to get involved.

Funny. Never had a problem calling them up and cycling my IP address. The ISPs have way more to worry about than making sure you have the same IP every time. Heck, when I had TWC, my IP address changed every so often on its own.


And the USB port seems to be there to share a USB storage device.


Usually ISPs are 24/7, I called my ISP at 6:00 AM and they answered


1 minute ago, valdyrgramr said:

It depends on where you live and who manages the place. Where I live they will only do it if you have a good reason like Yoshi has. If you do it because you wanna get un-IP-banned then Comcast and others will hang up on you.

I know


Were you using any sort of Dynamic DNS to access your Plex media server from the internet? If so, and it's still active, it basically gives someone an internet roadmap to your router no matter what your external IP address is.

 

Also, check your router to see if there is a 'release/renew' option somewhere in the WAN/Internet Provider settings, or possibly on the status page for your WAN port. That can be used to request a new IP from your ISP's DHCP server.


29 minutes ago, kevink817 said:

Were you using any sort of Dynamic DNS to access your Plex media server from the internet? If so, and it's still active, it basically gives someone an internet roadmap to your router no matter what your external IP address is.

 

Also, check your router to see if there is a 'release/renew' option somewhere in the WAN/Internet Provider settings, or possibly on the status page for your WAN port. That can be used to request a new IP from your ISP's DHCP server.

We have had our IP changed, I flashed the Tomato firmware on my router, and disabled my AP. The AP was able to achieve 30 Mbit/s speeds in my backyard, and it was upstairs in the front of the house. The router cannot manage this, but a firmware change boosted throughput majorly. Anyway, I am going to be formatting the mediaserver soon and putting some restrictions on the router.
