Paypal acct accessed by someone from outside the country

VirtualLarry

No Lifer
Aug 25, 2001
Got a message to change my password when I logged in to Paypal.

So I did a web search for "paypal hacked", and found Brian Krebs' article.

Debating if I should close my Paypal account.

I found a way to enable 2FA, which I've done.

My concern is that one (or more!) of my PCs, routers, LAN, NAS units, etc., has been compromised.

I lost internet the other night briefly, and when I walked into the room with my FIOS router, the power LED was flashing green, like it had soft-rebooted. I didn't have a power outage. I'm wondering if Verizon (or a rogue entity???) flashed my router's firmware?

And my main G4400 PC updated itself to Win10 1607 a few weeks ago, from 1511, without my involvement, but when I saw the machine, it appeared to have IIS installed, and I had never installed that.
 

John Connor

Lifer
Nov 30, 2012
Sounds definitely like you have been hacked. You always, always need to make sure the router firmware is updated. Change your PayPal password and flash the firmware to the router. Make sure you don't have any open ports at ShieldsUP.
 

VirtualLarry

No Lifer
Aug 25, 2001
I have two routers. My "outer" router is a FIOS Rev. I. My "inner" router, I just recently deployed, it's an AC68 running the newest Tomato.

Verizon controls the outer router, I let them do their thing. I keep my "inner" router updated.
 

John Connor

Lifer
Nov 30, 2012
> I have two routers. My "outer" router is a FIOS Rev. I. My "inner" router, I just recently deployed, it's an AC68 running the newest Tomato.
>
> Verizon controls the outer router, I let them do their thing. I keep my "inner" router updated.


Like I said, also check out ShieldsUP and make sure there isn't a port open that shouldn't be. Or use a VPN that allows all 65 thousand+ ports and Nmap your own network.
 

VirtualLarry

No Lifer
Aug 25, 2001
No, GRC's "optimization" for bulk port scanning is borked with that config. Well, something is.

If you scan "service ports", all come up Stealth. As do all of the Red (Open) ports, when you click on them, and click "Scan this port" (individually). They all come up Stealth.

Edit: Is there an alternate port-scanner that I can use? I have a backup internet connection that I can scan the primary with.

http://www.whatsmyip.org/port-scanner/server/

Shows "timed out" for all of them.
 
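Since the question above is whether there is an alternative to ShieldsUP and the whatsmyip.org scanner, here is an added PowerShell example (not posted by anyone in the thread and not GRC's or Nmap's code) that does a plain TCP connect sweep and, unlike a "timed out" list, tells the three outcomes apart: "open" (handshake completed), "closed" (the host sent a RST, so it is reachable but nothing listens there), and "filtered" (no answer at all, which is what GRC labels "Stealth"). Assumptions: 203.0.113.10 is a placeholder for your own public IP; it is run from the backup connection so the probes actually reach the FIOS router from the outside; and scanning addresses you do not control is unauthorized. It works on Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not from the thread): TCP connect sweep of your own public address,
# run from a second connection, classifying each port as open / closed / filtered.
function Invoke-PortSweep {
    param(
        [Parameter(Mandatory)] [string] $TargetHost,
        [int[]] $Ports = (1..1024),
        [int] $TimeoutMs = 2000,   # longer than the RTT, well under Windows' ~21 s SYN retry
        [int] $BatchSize = 200     # connects started concurrently per batch
    )
    $results = @{}
    for ($i = 0; $i -lt $Ports.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $Ports.Count) - 1
        $batch = $Ports[$i..$last]
        $clients = @()
        $tasks   = @()
        foreach ($p in $batch) {
            $c = New-Object System.Net.Sockets.TcpClient
            $clients += $c
            $tasks   += $c.ConnectAsync($TargetHost, $p)
        }
        # Wait for the whole batch or the timeout. WaitAll throws AggregateException when
        # any connect faulted, which is the normal result for a closed port, so swallow it.
        try {
            [void][System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]$tasks, $TimeoutMs)
        } catch [System.AggregateException] { }

        for ($j = 0; $j -lt $batch.Count; $j++) {
            $t = $tasks[$j]
            $state = switch ($t.Status) {
                'RanToCompletion' { 'open' }          # three-way handshake completed
                'Faulted' {
                    $err = $t.Exception.InnerException
                    if ($err -is [System.Net.Sockets.SocketException] -and
                        $err.SocketErrorCode -eq 'ConnectionRefused') {
                        'closed'                      # RST came back: host up, nothing listening
                    } else {
                        "error: $($err.Message)"      # e.g. host unreachable, name lookup failure
                    }
                }
                default { 'filtered' }                # no reply inside the timeout: dropped by a firewall
            }
            $results[$batch[$j]] = $state
            $clients[$j].Dispose()
        }
    }
    $results
}

# Usage (placeholder address, assumption): from the backup connection, sweep the
# primary's public IP and print anything that is not filtered. All-"filtered" is what a
# default-deny firewall looks like; any "open" line is a service reachable from the Internet.
$sweep = Invoke-PortSweep -TargetHost '203.0.113.10' -Ports (1..1024)
$sweep.GetEnumerator() | Sort-Object Key | Where-Object { $_.Value -ne 'filtered' } |
    ForEach-Object { '{0,5}/tcp  {1}' -f $_.Key, $_.Value }
```

The distinction matters for reading the earlier results: a scanner that only reports "timed out" cannot tell a stealthed firewall from an unreachable host, whereas a RST on even one port proves the address answered and every "filtered" port really was dropped. Note that a connect scan only sees TCP; UDP services and anything the ISP router exposes on its own management interface need a separate look.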

Elixer

Lifer
May 7, 2002
> I lost internet the other night briefly, and when I walked into the room with my FIOS router, the power LED was flashing green, like it had soft-rebooted. I didn't have a power outage. I'm wondering if Verizon (or a rogue entity???) flashed my router's firmware?

The router's log should show if it was flashed or not. Do you have the ability to SSH into the router and see what is running?

Oh, forgot to mention that you can also wipe the NVRAM settings on the verizon router as well, and that should get you back into a clean state.
> And my main G4400 PC, updated itself to Win10 1607 a few weeks ago, from 1511, without my involvement, but when I saw the machine, it appeared to have IIS installed, and I had never installed that.

What does inetmgr show when you run it?
 

VirtualLarry

No Lifer
Aug 25, 2001
> What does inetmgr show when you run it?

Opened a Command Prompt, and it said something about "inetmgr" not being an internal or external command. I typed it into the Windows Search box, and it didn't come up with anything either.

What service runs IIS? I can't find it in Services (Local), Standard. Nothing under "I" or "Windows".
 

Elixer

Lifer
May 7, 2002
> Opened a Command Prompt, and it said something about "inetmgr" not being an internal or external command. I typed it into the Windows Search box, and it didn't come up with anything either.
>
> What service runs IIS? I can't find it in Services (Local), Standard. Nothing under "I" or "Windows".

If IIS is running, then inetmgr should have shown you info about IIS.
I guess IIS isn't installed or perhaps they deleted C:\Windows\System32\inetsrv\InetMgr.exe?
Is W3SVC (World Wide Web Publishing Service) running?
 

VirtualLarry

No Lifer
Aug 25, 2001
Hmm, World Wide Web Publishing Service was set to Automatic, and was Running.

I did a search of C: for inetmgr; there were some inetmgr.exe and inetmgr6.exe and .dlls in WinSxS.

I tried copying inetmgr.exe and .dll to \System32, but then it said it couldn't run them, that they weren't for my version of Windows?
 

Elixer

Lifer
May 7, 2002
> Hmm, World Wide Web Publishing Service was set to Automatic, and was Running.
>
> I did a search of C: for inetmgr; there were some inetmgr.exe and inetmgr6.exe and .dlls in WinSxS.
>
> I tried copying inetmgr.exe and .dll to \System32, but then it said it couldn't run them, that they weren't for my version of Windows?

There is no good reason that should be running, if you didn't actually install the module.

At this point, I would clean install the OS.
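The checks suggested in the two replies above (is W3SVC running, does inetmgr come up, which module was installed) can be collected in one pass before wiping the box, so the evidence survives the reinstall. The script below is an added PowerShell triage example; it is not from the thread or from Microsoft. Two caveats a practitioner would add: InetMgr.exe belongs to the separate IIS-ManagementConsole feature, so W3SVC can be running with no inetmgr on disk, which is exactly the combination reported; and copies of inetmgr.exe under WinSxS prove nothing either way, because the component store carries the payload for every optional feature whether or not it is enabled. Assumptions: run from an elevated prompt on Windows 10; 8080 and 8443 are added to the listener check as common alternates; the Setup-log filter assumes the feature name appears in the event message text.

```powershell
# Added triage script (not from the thread). Run elevated on Windows 10.
function Get-IisTriage {
    [CmdletBinding()]
    param(
        # Ports whose listeners get attributed to a process. 8080/8443 are an assumption.
        [int[]] $Ports = @(80, 443, 8080, 8443)
    )
    $report = [ordered]@{}

    # 1. Service state. W3SVC is the World Wide Web Publishing Service; WAS is the
    #    Windows Process Activation Service it depends on.
    $report.Services = foreach ($name in 'W3SVC', 'WAS') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $name
            Present   = [bool]$svc
            Status    = if ($svc) { $svc.Status } else { $null }
            StartType = if ($svc) { $svc.StartType } else { $null }
        }
    }

    # 2. Optional-feature state. A stock Win10 install has every IIS-* feature Disabled;
    #    IIS-ManagementConsole is the one that puts InetMgr.exe on disk.
    $report.EnabledFeatures = Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'IIS-*' -and $_.State -eq 'Enabled' } |
        Select-Object FeatureName, State

    # 3. Files that only exist under System32 once the role is installed (WinSxS copies
    #    are the component store and are present on every install).
    $inetsrv = Join-Path $env:windir 'System32\inetsrv'
    $report.Files = foreach ($f in 'InetMgr.exe', 'appcmd.exe', 'config\applicationHost.config') {
        $p = Join-Path $inetsrv $f
        [pscustomobject]@{ Path = $p; Exists = Test-Path $p }
    }

    # 4. Registry key written by IIS setup.
    $report.InetStp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue |
        Select-Object MajorVersion, MinorVersion, InstallPath, PathWWWRoot

    # 5. What is actually listening, and who owns it. IIS binds through HTTP.sys, so its
    #    listeners show as PID 4 ("System", no path); a listener on 80/443 owned by any
    #    other process is a different finding and deserves its own look.
    $report.Listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $Ports } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                Process      = $proc.ProcessName
                Path         = $proc.Path
            }
        }

    # 6. Sites, bindings and virtual directories as declared in applicationHost.config.
    $appcmd = Join-Path $inetsrv 'appcmd.exe'
    if (Test-Path $appcmd) {
        $report.Sites       = & $appcmd list sites
        $report.VirtualDirs = & $appcmd list vdirs
    }

    # 7. When the feature was turned on. Optional-feature installs are logged in the
    #    Setup event log; matching on 'IIS-' in the message is an assumption.
    $report.SetupEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Setup' } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'IIS-' } |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]$report
}

Get-IisTriage | Format-List
```

The SetupEvents timestamps are the piece worth keeping: they put the feature install on a timeline next to the 1511-to-1607 upgrade, which is the one question (did the upgrade do this, or did something else) a clean reinstall cannot answer afterwards. Export the output (for example with Export-Clixml to removable media) before the wipe.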
 

VirtualLarry

No Lifer
Aug 25, 2001
> Are you still sharing your internet with your neighbor?

Haven't ever shared my internet since I moved into this place.

Edit: Ok, I clean-installed Win10 1607 on a factory-fresh Intel 256GB M.2 SSD.

Edit: I thought I had an epiphany, and installed the Intel LAN drivers, off my mobo maker's site, but that didn't appear to install IIS.

Edit: I Installed Intel RST too, in case that installed IIS, but it didn't.

Looks like somehow, I was 0wn3d, at the same time the Anniv. update installed, or shortly thereafter. Very strange.

I'm not ruling out physical trespass, but if they did that, why would they do something that could be detected as obvious, like installing IIS? I assume that they were using my PC as some sort of relay or proxy.

I surf the internet on this PC, but nothing at all "shady". No pr0n, no "movie sites", nothing that would intentionally pop up a malicious ad. Not that that couldn't have been a vector, it could have. Heck, the ads on this very forum could have done it.

Edit: Does IIS allow setting up an auto-web-proxy for browsers? Just wondering if they were sucking down my internet and sending it out to some server somewhere.

Edit: I haven't had Flash Player or Java or Acrobat Reader installed, for months and months on my PCs. So that couldn't have been the vector, I don't think.

Except... Skype uses Flash Player to show ads, and it's built-in.
 

VirtualLarry

No Lifer
Aug 25, 2001
I just updated the firmware on my four NAS units, and changed their passwords to something non-default, just in case somehow, someone from the outside can connect to them. I'm generally careful to disable "Cloud" services on these devices, but who knows what they might add with firmware updates.