What's new

Router hacked via Port 9999 UDP

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.

Bobsyouruncle

Occasional Visitor
Hello,

I have a hacker in my RT-AC86U router using any firmware. Currently I'm using Merlin's firmware from Summer, and the hacker has access to the router while it's offline, but connected to my PC. My PC is also hacked, and I'm trying to figure that out too. Factory resets and firmware updates do not clear the vulnerability.

Is there something I can do?
 
Is there something I can do?
Probably tell us exactly what you are seeing, and why you believe the router is hacked. Sorry to sound sceptical...
 
Port 9999 has been known about for years.
Blackhat Hackers can’t make use of this flaw of the internet but they can control the routers if:

* They manage to get into a device connected to the routers
* They manage to connect to the LAN in one way or another
* They manage to get to any local computer that already has the malware on it.

Worry about your pc first.
 
My PC is also hacked
Start there first. Clean your PC's (all of them) before reconnecting the PC back to the local network. Then once you have a verifiable clean PC, perform a hard factory reset on the router, download the latest firmware to that verified clean PC and flash it to the router from the clean PC. Do not connect anything else to the router other than the verified clean PC. Make sure to configure the router with strong passwords (that are different from previously used passwords on the router) and do not enable remote access of any sort (SSH or GUI access). Then set the network back up one device at a time and see if the malware begins to spread again from something you missed.
 
Port 9999 is used internally by the router for a legitimate service (infosvr). If you think you have been hacked just because port 9999 is being used then you are mistaken.

Probably tell us exactly what you are seeing, and why you believe the router is hacked. Sorry to sound sceptical...
As @Crimliar said, why do you think your router is hacked?
 
Last edited:
Port 9999 is used internally by the router for a legitimate service (infosvr). If you think you have been hacked just because port 9999 is being used then you are mistaken.


At @Crimliar said, why do you think your router is hacked?

I have an strong feeling of Déjà vu .................

How many times has this thread started in the last 3 years ?

 

Similar but it's usually a new member, first post and then endless nonsense about:

"It's my neighbour / professor at university/ government/ business rivals looking through my windows etc. "

No matter what help and advice is offered the problem never gets fixed ........... hmmm.

If the PC is hacked , then there are plenty of tools available that will identify and fix the problem.
 
Besides, the vulnerability with 9999udp was fixed way back in 2015 - yet apparently it still appears in databases and is still being brought up on malware scans.
CVE-2014-9583
 
Last edited:
Besides, the vulnerability with 9999udp was fixed way back in 2015 - yet apparently it still appears in databases and is still being brought up on malware scans.

Indeed it was . Maybe time to by more shares in Bacofoil.
 
:eek:
 
Just 2 previous iterations from lala land :



 
Thank you for all of your replies. I won't be addressing all of you individually, but I hope what I do say reaches out to each of you as an answered question.

In January of this year, I found out I was hacked. My PC's, gaming devices, TV's, Cell Phones, anything that connected to the internet was hacked, essentially. Since then, I have analyzed the hackers methods to mitigate his attacks, but he is relentless and keeps getting in. Early on in the year, I detected he was using the Intel Management Engine to gain full access to my computer. I used a Raspberry Pi and 'flashrom' to remove the Management Engine from the BIOS chip with 'me_cleaner'. After that, I tried to work on the browser hijacks so I was going through the registry and modifying everywhere I could find that he had added his strings/extensions. While trying to clean the browser hijacks I was led to my System Certificates in the 'Microsoft Management Console" (MMC). In there, I saw he added rogue certificates and was using many of them to deploy malware on my system alongside browser hijacking certificates. I found I scanner that told me a bunch of certificates were questionable and I ended up deleting all of them. This step had stopped the attacker....for a few. I ended up creating a batch script, full of registry keys, that delete the certificates on a loop. I've been using that for a few months now, and I also bought a TPM 1.2 from China recently, but I don't exactly trust it will do as it is supposed to do with how hacked my system is. The attacker uses Microsoft Signed programs so he doesn't get detected by virus/malware scanners. In the last few days I started to look at my ports. Avast Network Inspector has given me some information on what ports are open for which device is connected. Some of the services have proper names like HTTP, DNS, DHCP, MDNS, etc etc, but some show up as "unknown". I have seen "unknown' show up over the months and it's usually an indicator of something is fracky. My PC showed 10-15 open ports in the 5x,xxx-6x,xxx ranges and the name was "unknown". I started to block them manually through Windows Firewall, but another one opened up immediately. After blocking about 30 of them, I drank another beer, and closed ports 49,152 - 65,535 individually (Excel spread sheet code. I don't trust the 'range' option). This shut down ports and uncovered names of the ports that were previously showing as 'unknown". The attacker compromised my RDC ports, which isn't good from what I read. I already knew he controllled Windows Update and I assume this was how. So, my RDC ports are still open, and I need them to run my system properly, and there are 7 of them open on ports 135, 49664-49669. I also see 'unknown' as a name of a port when an iPhone has been connected, as well as my Firestick shows one or two sometimes. The attacker can see and control any device that is connected to my network that he has hacked. I watched my iPhone tap buttons when I wasn't using it. My Firestick was clicking things that I wasn't doing. He is broadcasting my online device usage over the internet to select people, but could be more. He uses Microsoft Teams, which he hides in the background under disguised processes so I don't find them. I found one recently, "taskhostw.exe" was being used as the disguised app. He was just on my system before my last reboot (I reboot to kick him out and I hope it does til he can port frack me again). I have an indicator of when he's running the program, so I watch for it. Not sure what he uses on Firestick, but he's also streaming what is watched to the people who are attacking me. I am trying to work on closing all these ports to see if it kicks him out. Right now, the closed ports are technically closed, but the Network Inspector still shows them open when I run a scan. However, they change when I do a new scan, but not each time for the Firestick. Most of the time for the PC. Now the router...The router shows DNS, DNS, DHCP, HTTP, MDNS, UNKNOWN, and HTTP as the services open with the ports next to them. The one that alarms me is the "UNKNOWN" name and that is the one that has port 9999 UDP open. I went to the link that was posted above, and I do recognize that the finding could be a false positive......but in my current situation, I can't accept a false positive considering the evidence of other ports and me closing the ports to find changes that were made. A post above said it could be because I connected it through ethernet, which I did. I reset the modem and changed the firmware, but I had it plugged in to my infected PC. I did not try it through WiFi set up. My ISP's router gets hacked in seconds and I'm on my 3rd one. I need to get another one sent. There's a lot more to my story that I will leave out but I've been tracked, followed, baited and set up all through this year. I found two hidden cameras on me and I suspect I have hidden cameras inside and outside my house that I now live in (I moved far away). I built a RF Field Strength Meter, which does work, but it's not the right one to detect the cameras. I ordered new parts to build a new one using a different type of circuit. This is my life right now. I am looking for any help possible, please. I have pictures of the Network Scans which shows the 'Unknown" service with the ports next to it. I will attach pictures after I post this.

(I have contacted ASUS about my motherboard and router. I have only heard back about my motherboard and I assume it wont' be good news for the router either.)
 
The scans are of my PC, Router and Firestick. You can see that the RDC ports showed up as a name after I closed the ports.
 

Attachments

  • 9999.png
    9999.png
    15.2 KB · Views: 177
  • Avast PC - 02.png
    Avast PC - 02.png
    102.4 KB · Views: 171
  • Avast PC - 03.png
    Avast PC - 03.png
    264.1 KB · Views: 145
  • Avast PC - 04.png
    Avast PC - 04.png
    286.5 KB · Views: 140
  • Avast PC - 05.png
    Avast PC - 05.png
    222.5 KB · Views: 139
One from the iPhone that was connected.
I noticed I made an error calling RPC ports RDC. I've been playing around with TCP/UDP ports a lot so...my mistake.
 

Attachments

  • iPhone.png
    iPhone.png
    154.8 KB · Views: 112
The ports shown on your router are the normal ports that should be there. There is nothing wrong with your router.
I get that the ports showing are the normal ports. I won't deny that. The "UNKNOWN" is what catches my eye next to port 9999. If someone can use the same Network Scanner to show me that theirs comes up with "UNKNOWN" next to port 9999 then I'll warm up to the idea that it's normal. As it stands, I don't trust it.
 
Status
Not open for further replies.

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top