Abuse email from ISP

So far skynet has 0 outbound blocks. Looks like I may not get remote access. They are refusing and it's causing a huge mess. Damn little hackers.

Yeah. Fixing this is probably going to be more involved than doing this remotely; unfortunate if you can't get in. You might get lucky with antivirus cleaning it, but I would personally fully reinstall.

The Windows license key should be tied to the hardware / email account the PCs use. I assume the computers are accessible physically. If the files are accessible, back up what you can, and do a full recovery, either downloaded from the cloud via the UEFI troubleshooter or with a USB disk that contains the Windows installation.
 
I am a day's drive, including a seven-hour ferry ride, away, so I can't be on site. If I was there I would be wringing necks. All hell would be breaking loose. Their computers would likely have been set alight with accelerant by now.

EDIT: They would have certainly been formatted, that's for sure.

Ah, understandable. So reinstalling is pretty much out of the question without at least someone there to guide. Doing that remotely would be tough offhand. I'd just focus on monitoring the logs over the next few days.

But I don't know how this 911 SOCKS proxy works or how detectable it is, so let's consider that it might work like an encrypted VPN. A provider's tunnel will send to a trusted server, which then forwards that data to its destination. If that first link in the chain is "good", the community blocklists will ignore that outgoing connection, leaving you with no bad logs. This is possibly the reason AiProtection can't see it, but the ISP can, using deep packet inspection on systems much more advanced. If what the hacker is doing is only on the system, you'll see nothing; if he's using your internet, you might get some outgoing hits if it acts as an exit node.

So it’s a difficult position.
I've got the GT-AX6000 set up with the latest Merlin firmware at my sister's house. I have enabled AiProtect, which I had thought would stop outbound "attacks".

No. Need to get rid of malware on the teenager's computers.

MALWARE FAMILY: 911-socks5-proxy:

From this link, it hints that 911-socks can be associated with installing TOR?

I think that is a really bad thing. No teen should have TOR installed. Sorry.

How can I use the features of this router to help determine the machine responsible?

Possibly but: You need a good antivirus/security software program running on EACH machine, and I would install that AFTER a clean install of Windows on each of those machines.

Bitdefender or Kaspersky: Kaspersky has that Russian association which is a negative for many, so Bitdefender. A five pack is often on sale on Amazon or Newegg.

Any help would be appreciated as they say they are going to terminate our account as this problem is affecting the network.

You said this is the fourth warning?

"I am running a debian server at her location also for home assistant."

Who is the admin for this debian server? How often is it updated and maintained?

"But before it has to get that involved I should perhaps format some PCs. There's only really 5 PCs running Windows"

In my opinion they all need a bare metal clean install.

"I am at least going to have to gain remote access to them to run some tests and uninstall any sketchy software..."

Malware writers are very good. Doubt you are going to find the sketchy software.

"We bought the router to solve the problem so I hope we can find some solution. The ISP has already warned us 4 times."

Router wasn't the weak link. Teenagers: weak link, and their computers.

If the teens give permission for things to install, they can install, router can't prevent that.

I agree with Tech9:

"You have days long project reformatting and reinstalling 5x Windows PCs alone. It is a client, it is most likely a PC, try to catch which one is contacting this IP and how often. The more changes and blockers you introduce in the mix the more you mask the problem and make it harder for you to diagnose."

Get some frosty beverages, a phone or iPad to browse while things process.

Oh; important files are already backed up, in more than one place? Hashtag teens: I doubt it!

"Well so far it's just adguard and skynet. The AiProtect stuff is all turned on as well."

That's not going to solve this problem.

"What software should I run on the pcs, I am gaining remote access soon one pc at a time, they are giving me whatever time I need to clean the pc."

Up to date patched Windows, fully activated.

Bitdefender or Kaspersky.

"So far skynet has 0 outbound blocks. Looks like I may not get remote access. They are refusing and it's causing a huge mess. Damn little hackers."

Who is refusing? Teens or malware writers?

"I am a days drive including a seven hours fairy ride away, so I can't be on site."

A fairy ride: jeez, that is complicated! I hope they will stock plenty of fairy dust!

A ferry ride? Time for dramamine! Or even better: scopolamine patches

If you can't get there: zoom call to teens and have them do the reinstall of windows?

Good time for them to learn about drivers and the whole windows system.

Driver install order I prefer:

  • Windows, reboot
  • Chipset driver, reboot (Intel or AMD)
  • Graphics driver, reboot (Nvidia or AMD or Intel)
  • Then ethernet, wireless ethernet, sound, mouse, KB, etc.
  • Then antivirus/security software, Bitdefender is what I would recommend
  • Then programs like Word/games/etc.
  • Then restore the BACKED UP DATA files that ideally are backed up on a regular basis in more than one place.

Going to take hours. Good.

If they have TOR on the system, or torrent programs (you probably know this, but these are very different, and I do not think TOR for a teen is a good idea at all).

Please let us know how it goes!!!
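Two of the suggestions in this thread can be checked from the router itself: whether the router ever sees an outgoing connection to the address named in the ISP's notice, and Tech9's advice to catch which client is contacting that IP and how often. The script below is an added example for this thread, not code from the forum or from Asuswrt-Merlin. It assumes SSH access to the router, that the abuse email names a remote IP (203.0.113.10 here is a placeholder), and that the two sample data sets are constructed to mirror the /proc/net/nf_conntrack format and the kernel log lines produced by an iptables LOG rule; they are not real captures.

```sh
#!/bin/sh
# Tally which LAN client talks to a given remote address, from either a
# snapshot of the router's connection table or from syslog lines written by an
# iptables LOG rule. POSIX sh + awk + sort, so it runs on the busybox shell
# of an Asuswrt-Merlin router as well as on a desktop.

# Constructed sample in the shape of /proc/net/nf_conntrack (not real data).
# The first src=/dst= pair on each line is the original direction, i.e. the
# LAN client and the remote host; the second pair is the NATed reply direction.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.50.23 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.50.23 dst=203.0.113.10 sport=51240 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=51240 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.50.41 dst=203.0.113.10 sport=60001 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=60001 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.50.41 dst=192.0.2.5 sport=50000 dport=443 src=192.0.2.5 dst=198.51.100.7 sport=443 dport=50000 [ASSURED] mark=0 zone=0 use=2'

# Constructed sample of kernel log lines as written by a rule such as
#   iptables -I FORWARD -d 203.0.113.10 -j LOG --log-prefix "ABUSE-IP "
# (a rule you would add yourself; on Merlin it persists via /jffs/scripts/firewall-start).
SAMPLE_SYSLOG='Mar  3 21:14:02 GT-AX6000 kernel: ABUSE-IP IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 21:19:48 GT-AX6000 kernel: ABUSE-IP IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=51240 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 21:20:10 GT-AX6000 kernel: ABUSE-IP IN=br0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.41 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0'

# tally_sources FORMAT REMOTE_IP  < lines
#   FORMAT is "conntrack" (lowercase src=/dst=, first pair wins) or "syslog"
#   (iptables LOG output, uppercase SRC=/DST=). Prints "client count", busiest first.
tally_sources() {
    fmt="$1"; want="$2"
    if [ "$fmt" = syslog ]; then sk="SRC="; dk="DST="; else sk="src="; dk="dst="; fi
    awk -v want="$want" -v sk="$sk" -v dk="$dk" '
    {
        s = ""; d = ""
        for (i = 1; i <= NF; i++) {
            # Take only the first src= and first dst= token on the line, so the
            # NATed reply direction of a conntrack entry is ignored.
            if (s == "" && index($i, sk) == 1) s = substr($i, length(sk) + 1)
            else if (d == "" && index($i, dk) == 1) d = substr($i, length(dk) + 1)
        }
        if (s != "" && d == want) n[s]++
    }
    END { for (s in n) print s, n[s] }' | sort -k2,2nr
}

# Demo on the constructed samples. On the router you would instead run e.g.
#   tally_sources conntrack 203.0.113.10 < /proc/net/nf_conntrack
#   grep 'ABUSE-IP' /tmp/syslog.log | tally_sources syslog 203.0.113.10
printf '%s\n' "$SAMPLE_CONNTRACK" | tally_sources conntrack "${1:-203.0.113.10}"
printf '%s\n' "$SAMPLE_SYSLOG"    | tally_sources syslog    "${1:-203.0.113.10}"
```

The conntrack snapshot only shows connections alive at that moment, so a short-lived proxy session is easy to miss; the LOG rule plus a tally over a few days of syslog is what actually answers "which one, and how often". Bear in mind the caveat raised earlier in the thread: if the infected box tunnels everything to an intermediate server, the address in the abuse notice may never appear on your side of the tunnel, and the client to look at is then the one holding a single long-lived encrypted connection to an address nothing else on the LAN talks to.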
Going to second that: if TOR is installed by them or someone else, it doesn't belong on their computer. Now, before anyone gets paranoid, TOR has legitimate uses; however, it also has negative connotations from being a part of the scary "Dark Web". It's just another tool, like any VPN. What it's used for and who's using it makes all the difference. Would I recommend they not use TOR or a VPN? No, unless they fully understand the risks involved in using the general internet.
"I am a days drive including a seven hours fairy ride away, so I can't be on site."
If the fairies are too slow for transport, you may want to take a ferry instead :)