A victim of prolonged hacks, intimidation and disruption

[Leo Martin Lim]

Hi guys,

I have been a victim of prolonged hacking, intimidation, disruption for 3 years... this is personal hacks. the hacker(s) always tries to disrupt what i am doing.
so here's the latest hack.
below is the print out of netstat with "display listening server sockets" from my asus RT-AX56U.
the first 2 lines with yellow font are very suspicous open ports. from what i understand it's not by asus-merlin.
i have tried factory reset, update firware, and asus firmware restoration utility. it was still there. after i reported to asus via "feedback button" it was gone for a couple days.
and it came back later. i also tried to port scan from my mobile to router, those ports ware not opened.

on the device/computer site, in this case macbook air, my wifi usage is being disrupted constantly on daily basis. it's like your current connection in your prefered network being clicked and becomes deactivated in your menu bar. (not wifi button). i have to click my ssid again to get connected. this drives me nuts after awhile.

i recently moved to mac, thinking that it's a safe platform. sigh....
on windows things are worse... they can BSOD your computer and restart without any SSD/HDD to boot. also manipulate your touchpad/trackpad becomes erratic.
i need help...

thank you,
Martin.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.50.1:49152 0.0.0.0:* LISTEN
tcp 0 0 192.168.50.1:49152 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5152 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:18017 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:47753 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7788 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.50.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN
tcp 0 0 192.168.50.1:8443 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:5916 0.0.0.0:* LISTEN
udp 12480 0 127.0.0.1:45064 0.0.0.0:*
udp 0 0 0.0.0.0:9999 0.0.0.0:*
udp 0 0 127.0.0.1:42000 0.0.0.0:*
udp 0 0 0.0.0.0:46354 0.0.0.0:*
udp 0 0 127.0.0.1:52000 0.0.0.0:*
udp 0 0 127.0.0.1:42032 0.0.0.0:*
udp 0 0 127.0.1.1:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 192.168.50.1:53 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
udp 0 0 0.0.0.0:18018 0.0.0.0:*
udp 0 0 0.0.0.0:7788 0.0.0.0:*
udp 0 0 0.0.0.0:1900 0.0.0.0:*
udp 0 0 0.0.0.0:1900 0.0.0.0:*
udp 0 0 127.0.0.1:38000 0.0.0.0:*
udp 0 0 0.0.0.0:59000 0.0.0.0:*
udp 0 0 127.0.0.1:37000 0.0.0.0:*
udp 0 0 127.0.0.1:58000 0.0.0.0:*
udp 0 0 127.0.0.1:59032 0.0.0.0:*
udp 0 0 127.0.0.1:47000 0.0.0.0:*
udp 0 0 127.0.0.1:47032 0.0.0.0:*
udp 0 0 127.0.0.1:45000 0.0.0.0:*
udp 0 0 127.0.0.1:45032 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 127.0.0.1:43000 0.0.0.0:*
udp 0 0 127.0.0.1:61689 0.0.0.0:*
raw 0 0 0.0.0.0:2 0.0.0.0:* 2
raw 0 0 ::%2032824:58 ::%542280:* 58
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 3082 /var/run/protect_srv_socket
unix 2 [ ACC ] STREAM LISTENING 7197 /var/conf_serv_sock
unix 2 [ ACC ] STREAM LISTENING 5953 /var/run/cfgmnt_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 3148 /var/run/bsd_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 1868 /var/run/lldpd.socket
unix 2 [ ACC ] STREAM LISTENING 3155 /var/run/wlcnt_socket
unix 2 [ ACC ] STREAM LISTENING 6283 /var/run/rast_internal_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 2699 /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 3480 /var/run/amas_lib_socket
unix 2 [ ACC ] STREAM LISTENING 2741 /var/run/nt_actMail_socket
unix 2 [ ACC ] STREAM LISTENING 695 /tmp/ps_sock
unix 2 [ ACC ] STREAM LISTENING 6102 /var/run/rast_ipc_socket
unix 2 [ ACC ] STREAM LISTENING 1002 /var/run/netool_socket
unix 2 [ ACC ] STREAM LISTENING 1020 /var/run/nt_center_socket

 

[ColinTaylor]

What firmware version are you running?

SSH into the router and post the output of netstat -nlp Also post the output of ps w

 

[Leo Martin Lim]

Hi Colin,

thanks for replying...

i'm using merlin firmware ver 386.3_2, the current one.
here goes the attachment for "netstat -nlp" and "ps w" results.


regards,
===Martin

 

[ColinTaylor]

I can't see anything wrong or unusual running on your router. The two processes you highlighted are for hostapd which is the WiFi service, one for each band. I think you'll have to look elsewhere for the source of your problems.

Have you looked at the router's System Log for the time the problem occurs? Maybe something on the router is crashing and then recovering.

 

[cptnoblivious]

So, open ports on the router = hack?

Is Upnp enabled?

 

[Leo Martin Lim]

but why hostapd uses port 49152, it wasn't using 49152 specifically before.
also, port 1900 was used by hostapd, twice by pid 7181 and 7175. is this normal as well?
i tried to enable UPnP just now (i turned off usually) and miniupnpd open another port 1900. so there are 3 identical port listed there.

yes i think there maybe other source of the problem. i just remember port 49152 was not there before. for other ports and processes i am not sure...

weird thing also happened when i tried to ssh to router the first time, i can't get in, it timed out. abit strange.
also a while ago they can make some parts in asus router admin page disappear/become erratic.
for example, traffic classification tab become erratic, also web history become blank, statistic in traffic analyser was blank also. (all those was already turned on and worked well prior).
i have to use asus firmware restoration app to make them normal again... however this 49152 port problem i cant make it back to normal. it persists somehow...

any suggestion how to proceed? i also suspect my mac already hacked and in conjunction with the router and possibly other devices that are connected to router.

thanks,
Martin.

 

[ColinTaylor]

49152 is the first available address in the ephemeral port range. When the wireless system is started or restarted it's likely that a different port number will be used.

As it stands there is nothing to suggest any issue with your router. I would look for issues with your PC or other devices on the LAN.

You can check for any nefarious port forwarding behaviour by looking at System Log - Port Forwarding.

 

[Thirteen]

on the device/computer site, in this case macbook air, my wifi usage is being disrupted constantly on daily basis. it's like your current connection in your prefered network being clicked and becomes deactivated in your menu bar. (not wifi button). i have to click my ssid again to get connected. this drives me nuts after awhile.

This happens on my iMac. I think it's more of a macOS bug that doesn't respect the "automatically rejoin this network" setting. That's just a guess though.

 

[Leo Martin Lim]

Colin or anyone,

I got one more question regarding the router, if i netstat on router,
there are some connections from router to akamai server, sometimes to level 3 server (momentarily, usually after reboot).
why and what are these conns for? i don't think my devices used them.

in this attachment there are some conn to 1.1.1.1 which my DoT DNS server, these, i understand.

thanks.

 

[ColinTaylor]

They are caused by the router checking to see if there is a new firmware available or updates to AiProtection.

 

[Leo Martin Lim]

EDIT : i just removed /Users/.../known_host file and relogin, it is ok now. but.....

guys,

just now i can't ssh to my router... i gave me this message...
something is definitely is happening here...


leomartinlim@Leos-Air ~ % ssh 192.168.50.1 -l zojirushi
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:ct7hcITuz2XpLlduE0JDopXm8tUpZmN4CWGCj1un3vo.
Please contact your system administrator.
Add correct host key in /Users/leomartinlim/.ssh/known_hosts to get rid of this message.
Offending ED25519 key in /Users/leomartinlim/.ssh/known_hosts:1
Host key for 192.168.50.1 has changed and you have requested strict checking.
Host key verification failed.
leomartinlim@Leos-Air ~ %

 

[AndreiV]

Google search

Best answer : How to fix: "WARNING: REMOTE HOST IDENTIFICATION

 

[ColinTaylor]

just now i can't ssh to my router... i gave me this message...

You will get that message if you have reset the router since last logging in to it.

 

[airgap]

may be we should create/have a pinned "read before post about you're been hacked" in the security section.

People write here they are hacked and if you dig a bit deeper it most of the cases they are not hacked.

Do we even have truely confirmed hacked victims here? I mean they report it here - someone gone through the logs etc. and confirmed that is a 100% proven hack?

May a bit more information would help the people to read first and get some hints if they might got hackend or not and that might help them to be calm.

 

[Leo Martin Lim]

You will get that message if you have reset the router since last logging in to it.

yes i understand that. but i did not reset/reboot the router at all... also when i run "ps w" i saw 2 instances of ssh connection to 192.168.50.1. i killed the first one (not the one i am connected to). and after i logged out and reconnect again i got connection refused. so i went to web ui and turned off ssh and back it on again. then it worked again.

anyway, there are many small things like this happening where they are not supposed to. (i am not expert, but at least i got some sense whats going on) they are trying to disrupt what i am doing. it has been 3 years, it is long list what has been done to me, i journaled it. i have some screenshots too. but i dont want to expand the trouble/conversation, just want to focus on this particular router hack. as i mentioned earlier, i got worse hack when i was on windows laptop before.

as for the port 49152 hack, i understand it is dynamic port assignment in windows. i remember clearly the router did not have port 49152 open twice when it was brand new. and now it can NOT be removed/reset even with asus restoration utility. hacker had put them permanently somehow. also port 1900 was opened twice as well (permanently) even though i had check all upnp, media sharing, windows smb etc are all OFF.

anyway, i had swapped the ax56u router with my old tplink back for a couple of days... it has been quiet for now. not sure, if previous ssid disconnection was initiated from the ax56u router or my macbook. i am looking for someone to look into it.

look, i was looking for some preliminary evidence of my trouble/hack that i can report to police, maybe some ip address??? i don't know what i should be looking for. it is hard for me to find expert in my country.

i am sorry for you guys that may be i wasted your time...

Martin.

 

[ColinTaylor]

also when i run "ps w" i saw 2 instances of ssh connection to 192.168.50.1. i killed the first one (not the one i am connected to). and after i logged out and reconnect again i got connection refused. so i went to web ui and turned off ssh and back it on again. then it worked again.

That's perfectly normal. You killed the parent ssh server process which is why you couldn't log back in until you restarted it.

EDIT:

as for the port 49152 hack, i understand it is dynamic port assignment in windows. i remember clearly the router did not have port 49152 open twice when it was brand new. and now it can NOT be removed/reset even with asus restoration utility. hacker had put them permanently somehow. also port 1900 was opened twice as well (permanently) even though i had check all upnp, media sharing, windows smb etc are all OFF.

I have just checked this on my router and the port 49152 and 1900 entries are not hacks. They are created when WPS is enabled. If I remember correctly WPS is enabled by default.

So there is nothing to suggest your router has been hacked.

 

[airgap]

i am sorry for you guys that may be i wasted your time...

It's not about "wasting" time. We want to help. At least most of the people who are giving you response and participate in the whole security topic.

I justed wanted to make a general point. Not specifically you just everyone one who writes in the security section about being hackend but in fact they are not.

To help people to help them in the first place there could be a Q/A or guide for users with hints and tips to figure out if they are hacked and if they tried everything and still are unsure and need answers all are welcome to post and ask for help. That is the beauty of the forum. You will get help and the help is more effective and precise if we know whats going on if you provide details and gone through the Q/A or guide first.

Just look in the security section for your self how many people claim being hacked but most of the time there is no real proof of an hack. Even there was a user from Korea who was making almost a James Bond story of being target by "big influential people" who hack him everytime he buys a new router etc. may be he deleted his theread already hahahaha

I don't want to make fun of any REAL victim of hack attacks but there has to be some sort of real factual proof of hacks not just random accusations by expressing port numbers etc.

Have a nice one

 

[Leo Martin Lim]

That's perfectly normal. You killed the parent ssh server process which is why you couldn't log back in until you restarted it.

EDIT:

I have just checked this on my router and the port 49152 and 1900 entries are not hacks. They are created when WPS is enabled. If I remember correctly WPS is enabled by default.

So there is nothing to suggest your router has been hacked.

yes, my bad. i didn't know WPS would create open port.

anyway, i want to share 2 screenshots that may show i maybe HACKED or STRANGE thing was happening.
This is my printer Brother MFC-J200 ink jet, It was talking to amazon servers for several hours, before i discovered it. I never saw my printer directly connected to internet this way nor did i ever set my printer in anyway to connect to internet. i 'factory reset' the printer later and it went back to normal.
this happened recently ( acouple week prior)

i also had video showing logs of av bitdefender on one laptop catching hacking attempt from my other laptop. this was back in june.

anyway thanks very much for everyone that had replied to my post.

 

[airgap]

There was an epic Windows fail to its printer spooler service few weaks ago. May be you were or still are a victim of that? Just throwing a glow stick in the dark - may be it's normal for your printer? May be it does it from time to time and you never paid attention to it?

It would be great if you sniff the traffic with wireshark / tcpdump or something which captures traffic. Probably it would give more clue about the "talking" to amazon.

 

[Leo Martin Lim]

There was an epic Windows fail to its printer spooler service few weaks ago. May be you were or still are a victim of that? Just throwing a glow stick in the dark - may be it's normal for your printer? May be it does it from time to time and you never paid attention to it?

It would be great if you sniff the traffic with wireshark / tcpdump or something which captures traffic. Probably it would give more clue about the "talking" to amazon.

No, never had this problem before. my wifi extender at other time, was doing the same thing too.

at one time in 2018, i discovered the hacker can see my screen as well, it's like they have hidden remote desktop in my windows laptop. i was writing some senteces with big letter in MS word to the hacker asking them what they want. suddenly all the words that i typed was gone/deleted and there was a rectangular crude window flashing and a flashing notification i couldnt read. <--- happened in 1 or 2 seconds. then i knew they can see my screen as well... but i checked in task manager, there was nothing unusual. i also used many AV bitdefender, kaspersky, avira,avast, mcafee, norton etc.... none detected anything. except one AV did detect it... "unsual app/program reside in virtual memory" or something like that. it was adaware antivirus. fileless malware???

i forgot to sniff those traffic, i was too hurry. somehow (looking at that constant traffic from printer), i was afraid being being blackmailed doing DDOS/hacking/whatever to amazon servers.