Help identifying hacks and hackers

I have not posted on here in so long but I could really use the help of this board right now. I'm having a really hard time functioning under these circumstances.

Who is either a good hacker or understands network and mobile security?

I have had every device, account, etc hacked persistently over the last couple months.

No matter what I do, the problems keep coming back. I've switched phones, carriers, computers, internet providers, email accounts, antivirus and security software, etc. Switched pws, added 2 factor, security questions.

Whomever is responsible is collecting video, audio, keystrokes, network activity, etc. Using every possible channel to access including bluetooth, nfc, etc

This is someone close to me and I need to identify who. They have access to everything in my life and my business.

Thanks so much in advance!

a reply to: freakjive
Question #1. Why don't you just report to the police?
Question #2. Why do people choose to suffer?

originally posted by: freakjive
I have had every device, account, etc hacked persistently over the last couple months.

What do you mean when you say "hacked"? This could mean a bunch of different things. Can you be specific about the symptoms you've been having?

originally posted by: freakjive
Whomever is responsible is collecting video, audio, keystrokes, network activity, etc. Using every possible channel to access including bluetooth, nfc, etc

How do you know they are doing these things?

originally posted by: freakjive
This is someone close to me and I need to identify who. They have access to everything in my life and my business.

Can you think of anyone who would have motive to go to such lengths?

a reply to: JedemDasSeine


I have contacted the police numerous times. The way things work here in St. Louis (this started when I moved here) are convoluted and the police do not either a: understand the technology or b: give a damn because there is constant domestic violence and shootings.

a reply to: freakjive
Holy sh#t. The plot thickens.

I wish I could help you. I have the same problems, but I know who it is. A very clever ex husband who insisted on getting on my laptop and putting something in which he swore was only to allow him to 'help me' once I left. I literally yelled at him and tried to push him off, but he was too big and too stubborn to stop.

It has been anything but help. I do know that it is very easy for hackers to get through via cell phones than it is home computers. Cell phones tend to leave things open (Facebook, etc), so you don't have to sign in every time.

I have changed all my passwords and have done my best to try and find the ways to lock out remote access. I use Linux, and I don't know a darn thing about this stuff, so I'm going to take my laptop to a computer place, have them wipe off everything and start fresh.

As for my phone, I don't use it for anything on the internet, and since all passwords have been changed, a lot of the activity has decreased.

I would suggest that you NEVER use your phone for internet access or bill pay, for starters. Change all passwords and make sure there is nothing on your computer that allows for remote access. Perhaps a clean wipe and a fresh start is best.

a reply to: trollz


I mean that someone is persistently gaining access to my accounts and technology. This seems really out there but there are devices close to me besides my phone/computer that are capturing events. When I have been able to isolate and read the transcriptions, these are things happening inside my home or office when no other technology is present.

I noticed strange behaviors first with my spouses MacBook pro. I enabled the view to see hidden and system files back in early February and caught files that were encrypted being sent from my computer that were nothing to do with any technology that I use. (I own a digital marketing company.) I think the first methods were using PDF files and PNG images that had hidden information in them. I also noticed there we're additional databases on my computer that had nothing to do with the technologies I use. The emails/sms, etc are passed through a database for decryption is some scenarios. I reformatted the machine and ended up with the same problems directly after. Likely a rootkit planted in the firmware. Same thing that happens with my phone.

One scenario is there was a guy that my spouse knew previous to me that was VP of development of a cloud computing company for healthcare. He would understand this technology and would have had direct access to this computer previously. It might have gone undetected for as long as she had the machine, had I not enabled the view.

The other scenario that seems feasible is for the mobile versions of this things is my spouses father was a programmer for att and was directly involved with the first text messaging applications. I stayed with them when I started my business here in STL for a couple weeks while I waited on our home to be ready and connected directly to his network.

The motive would be for the first scenario that she didn't want anything to do with the guy and he was doing what he could to stalk/collect info, etc. He then gained access to my business information and contracts, etc. He was easy to locate online until I started investigating this thoroughly and then most traces of him disappeared quickly.

The motive for the second scenario is that my spouse and I were having some difficulties in our relationship after having a son together and we decided to move to St. Louis (sorry STL previously) to get away from some of the distractions that were happening in our previous home city. She's originally from STL and we would have some resources to assist with child care, support, etc. I lost both my parents last year and the rest of my family is scattered throughout the country. The word custody came up during our initial disagreements and maybe making a case against me? (seems like a poor way to do it, since its all illegal and would not be admissible in court).

There are other possible scenarios that I can list later if necessary. The point is that I am very sure that these things are happening and that I need to find a way to figure out whom is involved. If for no other reason than to get it to desist.

My business was thriving for the first month or so upon moving here and that has been put to a direct stop, as I cannot perform tasks for my clients ethically knowing that there information will likely be compromised.

This is having a very direct effect on my relationship, as it's possible that she could be a component of this as well and my trust levels have diminished with nearly anyone close to me.

originally posted by: FissionSurplus
I'm going to take my laptop to a computer place, have them wipe off everything and start fresh.

Don't take it to a computer place, that's totally unnecessary.
There's tons of programs that do this. DBAN is one, and you can download it HERE. Just burn that to a cd or install it on a flash drive and run it. It will wipe everything from your hard drive. You'll of course need to reinstall your Linux operating system afterwards.

a reply to: freakjive

Interesting!

It could be that there is a dropper program or URL that you have revisited. These programs re-infect you by re-downloading the malwares.

It is also possible that the dropper could be in a bootkit, meaning that it will survive logical formatting. To get rid of that would require deletion of all partition and boot areas on your drives.

You do seem to be a bit savvy about hacking. Have you used TOR, Freenet or I2P? These are often used to connect anonymously to deep web sites.

What evidence do you have that you are being surveilled? Surely Bluetooth and NFC require close proximity (NFC requiring millimetre proximity). Have you detected stored logs or sniffed data that you suspect?

a reply to: freakjive

Additional information:

We had an ATT router that was delivered via mail to our new address in STL. I caught a spoofed network one night by accident. I later logged into the router and looked at the log files to see that the DNS had been hijacked. Someone essentially created additional network layers and was capturing everything that happened when on WiFi.

This was before I did any real investigating so I chalked it up to poor security on the ATT router. We ordered cable internet from Spectrum/Charter and I was asked by my spouse if we just wanted to use their router. Foolishly I said no, order one from online and I'll handle the security.

I set that up and then not long after I noticed similar events happening. I took a couple day trip back home and while I was there I did some investigation and found some of these audio transcription files on my phone and then did more digging.

She uses amazon to order things quite a bit. Amazon has a whole host of sellers that sell products. They're not directly from Amazon most the time. Anyway...the router that was sent to our house seemed to be a normal TP Link router. It was an Archer model router preprogrammed to capture events and also had a hidden camera within it.
Before we all say it was her (I still think its a good possibility she's involved and that's the hardest thing in the world to deal with.) Our network had been compromised and so we were being directed to whatever sites we wanted and I've found what appears to be a normal consumer site that sells this same router nefariously without identifying that it has the hidden accessories.

a reply to: chr0naut


I did very light web development for years before realizing I just wasn't very good at it and I made great money in the digital marketing arena.

I have never really explored the other items you have brought up. I never really had too much interest in any of this until it began affecting my daily life.


The persons involved have a way to delete the log files or have them hidden so deep that I cannot locate them in most cases. When I have been able to, I cannot identify whom they are being sent to. There are strings that do not make any sense to me and I do not have the proper authentication or decryption method.

a reply to: freakjive

Here in New Zealand we have some of the gangs that give members a "free" mobile phone (which of course is compromised).

Once the user begins to use their 'phone for various banking and social media, the accounts are compromised by keylogging and so the gang can watch what the member does. They can also empty bank accounts and otherwise mess with the member, even if the compromised 'phone is discarded.

If the 'entry point' is discarded, the gangs then begin to try and compromise any new machines, as a priority.

If your data is valuable enough, you could call in someone to secure your systems. Ensure they are qualified to do the job. They should be able to show you CISSP or similar qualifications.

The other thing that you could do is to build a honeypot device (or virtual machine), with some network forensics tools on it, like Wireshark (Ethereal). You could then begin logging and could identify the IP addresses that data is being sent to. Another thing is to create a static image of the device, against which you can compare, to look for changes which may indicate the type and manner of compromise/s.

originally posted by: freakjive
When I have been able to isolate and read the transcriptions, these are things happening inside my home or office when no other technology is present.

Conversations and events are being captured even when no technology is present? Is... your home bugged?

originally posted by: freakjive
I think the first methods were using PDF files and PNG images that had hidden information in them.

Not sure if this little tidbit will be helpful to you or not, but this is called steganography - basically when you hide a file within an image or any other kind of file.

originally posted by: freakjive
Likely a rootkit planted in the firmware.

Have you tried setting up a secure system and accessing accounts only through that to see if they still became compromised? For example, you could buy a cheap laptop you've never used before, put a Linux OS on it, go to some public wifi somewhere and change all of your passwords, and ONLY access the accounts that way.

originally posted by: freakjive
One scenario is there was a guy that my spouse knew previous to me that was VP of development of a cloud computing company for healthcare. He would understand this technology and would have had direct access to this computer previously.

The motive would be for the first scenario that she didn't want anything to do with the guy and he was doing what he could to stalk/collect info, etc. He then gained access to my business information and contracts, etc. He was easy to locate online until I started investigating this thoroughly and then most traces of him disappeared quickly.

Would he stand to profit from stealing any of your company's work or information?
You already know he's been using technology to stalk her, so he sounds like a prime suspect to me... Especially if he tried to ghost himself as soon as you started looking into him.

Look into hiring a cyber investigator / forensics person.

a reply to: chr0naut

I would love to know more about the building of a honeypot device. Could I use an old Android phone that I have to do this?


I would even consider doing this with the laptop that I'm currently using in order to do this. Can I use this laptop concurrently while running the other software without mucking it up?

I had a similar experience with my home network. I had a prime suspect who was effectively a career path competitor, and for a week, always seemed to know the keywords on my screen. He had worked for a past employer, had lived 1/2 mile from where I lived back then and even asked me for an apartment room to stay with my current employer. Very awkward situation since there are very few if any jobs in a 100 mile radius.

That led me to do research in this area. It is possible to view someones computer screen remotely using either Windows Remote Administration, applications like TeamViewer and AMT/vPro for professional workstations as well as ChromeCasting, GoogleCasting, SSDP and other services.

downloadeu5.teamviewer.com...

Without a firewall, your PC is at complete mercy to every exploit, hack, remote login, attempt to file share/print, virus, worm and botnet. Get a wifi router/firewall if you don't already have one. Check your PC for viruses/malware using a free
Virus Scanner. Install ZoneAlarm and set it up to block everything.

Change the password on the wifi/router - it is still the default password? There's actually a list of default passwords for all routers. You can visit 192.168.1.1 or whatever number it on your own home network to check. Does it allow inbound port connections? If you don't, you'll find all sorts of random login attempts using every possible port hitting your PC (telnet/ssh/windows).

Download "wireshark" for your home network and run it on a laptop or desktop system using a live Linux USB stick/CD.
On my systems, I started off by disabling all unnecessary applications/ports. For Linux, this was things like ntp, IPv6, cups, avahi, and even using /etc/hosts to block the various multicasts that get sent out. For Windows, I use the WIndows Firewall to block entire ranges of IP addresses starting with Windows applications, Windows Telemetry, Visual Studio Telemetry, and any other website that was being accessed even though a blank webpage was being viewed

(Firefox does some weird stuff with Amazon and Facebook involving webpage pre-caching, as well as sending out Multicast packets for video streaming). This acts as a hook allowing other devices like smartTV's to pick up a video stream, where you can stream the screen of your desktop/laptop/tablet/smartphone to a SmartTV/Roku. Every device and web browser seems to send out SSDP multicast packets.

I did all of this and more until when using wireshark on a couple of PC's, there was little or no traffic going between the outside world and my PC via the router/firewall. Those ports at the back of a wif/router/firewall form the equivalent of a communal hallway in an apartment block. Running wireshark is like setting up a CCTV system to monitor this area.

So there wasn't any other traffic that the usual "Whois xx.yy.zz.ww, please tell 192.168.1.1?" for the whole time, except at around 9pm when suddenly there were six attempts to connect to my PC. Then nothing happened for another few hours until about 1am, when there was another attempt. Next day, at our standup meeting, my prime suspect seemed very nervous with eyes rapidly darting from side to side.

These days, I get occasional "connection request from port xxxxx on the wifi router to 239.255.255.250, port 1900) blocked" at these times, along with a UUID inside it. There are too non-periodic to be something local.

a reply to: freakjive

Just read an article that relates to Flexispy, apparently a tool has been released to fix it called Flexikiller. Not sure if it is related to your problems but worth checking out.

Story (article) here

a reply to: chr0naut


Quick question. I do not know anything about the protocols but I'm curious why this LiteonTe is showing up? I've been worried about a lot of things inside my home.

a reply to: corblimeyguvnor


Thanks, I'll check that out.

originally posted by: freakjive
a reply to: chr0naut

I would love to know more about the building of a honeypot device. Could I use an old Android phone that I have to do this?


I would even consider doing this with the laptop that I'm currently using in order to do this. Can I use this laptop concurrently while running the other software without mucking it up?

Yeah a virtual machine is a computer within a computer. It is easier (& cheaper) to do on a PC than 'droid (which would require lots of RAM, fast CPU and $$ proprietary software). You could, of course, build an Android VM/emulation that runs on a PC but just a straight Windows VM on a Windows PC is probably easiest.

First step is to get all your tools ready. Download Wireshark, Windiff, Windows (get it direct from Microsoft (or just download a forensics virtual appliance from somewhere) and then download one of the free hypervisors available (I'd suggest the VirtualBox one).

When you download, try & get compressed files (zips & iso's) for preference because executables can potentially be infected 'on the fly' & you want to ensure the honeypot starts 'clean'.

Disconnect your host PC from any network connections, install the hypervisor and then install your client OS. Then install the apps. Do all this without network connection.

Then stop your VM and make a copy of the VM container files. Then fire up the VM again. Set wireshark to log and then reconnect to the network/s.

You should be able to do all the usual stuff you would do on the 'net through the VM. When you think you've been infected, close the logging, disconnect the network and shut down the VM.

You can attach (read only) the virtual drive you backed up previously to the VM, as an extra drive. You can then use windiff to compare the system drive and the backed up one & look for differfences.

You can also go through the Wireshark log looking for outgoing IP addresses carrying data.

If you need to know more about any of this there is online helps for just about everything.

Have fun!

originally posted by: freakjive
a reply to: chr0naut


Quick question. I do not know anything about the protocols but I'm curious why this LiteonTe is showing up? I've been worried about a lot of things inside my home.

The 192.168.1.2 IP identifies that this device is within your local LAN (not on the Internet).

You could try going to the LiteOn website to look at their networkable products as a guide to what it may be.