Router hacked via Port 9999 UDP

[AndreiV]

Your screenshots show that your biggest problem is having a ridiculous number of antimalware programs installed/running.

Choose one and ditch everything else . Apart from that there is nothing unusual to see.

My neighbour runs a PC repair centre , he gets very rich fixing the problems caused by users playing with settings and software they do not understand.

 

[ColinTaylor]

I get that the ports showing are the normal ports. I won't deny that. The "UNKNOWN" is what catches my eye next to port 9999. If someone can use the same Network Scanner to show me that theirs comes up with "UNKNOWN" next to port 9999 then I'll warm up to the idea that it's normal. As it stands, I don't trust it.

As has been already stated port 9999 is Asus' infosvr server. This is only used by Asus on their routers. Just because your scanner doesn't know this (and hence labels it as UNKNOWN) does not mean it's malicious.

# netstat -nlp | grep 9999
udp        0      0 0.0.0.0:9999            0.0.0.0:*                           1501/infosvr

 

[Bobsyouruncle]

Your screenshots show that your biggest problem is having a ridiculous number of antimalware programs installed/running.

Choose one and ditch everything else . Apart from that there is nothing unusual to see.

My neighbour runs a PC repair centre , he gets very rich fixing the problems caused by users playing with settings and software they do not understand.

I've tried to ask for help in the last month or so and I keep getting told "that's normal" when it isn't. The level of experience this hacker has is probably nothing you've ever seen before, and that's the trouble I face. No one has seen this problem before so they pass off what looks normal as normal. I've been fighting this guy for a very long time and I've learnt a lot more about security that I never thought I'd know.

Choosing one and ditching everything else is not a good idea, sir. One scanner is not the same as the next.

 

[Bobsyouruncle]

OK.

 

[AndreiV]

Yes, you keep coming back with the same stories.
You fail to ever show anything that has been "hacked".

You have been given endless help and advice from some of the most experienced people on the planet but you always do the same thing.

You argue , IGNORE all advice, you REFUSE to run the tests asked and provide the log files so people can see any problem.

It is clear that you are messing with software and systems that you have zero knowledge of .

The only hacker I see is the one in your head , sorry if that sounds blunt but the problem is you or caused by you.

 

[Bobsyouruncle]

Yes, you keep coming back with the same stories.
You fail to ever show anything that has been "hacked".

You have been given endless help and advice from some of the most experienced people on the planet but you always do the same thing.

You argue , IGNORE all advice, you REFUSE to run the tests asked and provide the log files so people can see any problem.

It is clear that you are messing with software and systems that you have zero knowledge of .

The only hacker I see is the one in your head , sorry if that sounds blunt but the problem is you or caused by you.

Ok, sir. I succumb. What test would you like me to perform?
What log files would you like?
It's very clear I'm messing with software and systems that I do have knowledge of.

Be my guide and tell me what you want to see.

 

[ColinTaylor]

Ok, sir. I succumb. What test would you like me to perform?

We don't want anything because there's nothing you've provided that suggests there's anything wrong. We can't prove the existence of a problem that doesn't exist.

If you really think there's a problem with your PC then post your information on a PC security site. This forum is for Asus routers, not PC malware.

 

[Bobsyouruncle]

We don't want anything because there's nothing you've provided that suggests there's anything wrong. We can't prove the existence of a problem that doesn't exist.

If you really think there's a problem with your PC then post your information on a PC security site. This forum is for Asus routers, not PC malware.

I apologize for bothering you with my ASUS problem. Unfortunately, other parts of my PC relate to the problem.

Have a great day

 

[cptnoblivious]

I get that the ports showing are the normal ports. I won't deny that. The "UNKNOWN" is what catches my eye next to port 9999. If someone can use the same Network Scanner to show me that theirs comes up with "UNKNOWN" next to port 9999 then I'll warm up to the idea that it's normal. As it stands, I don't trust it.

"I don't trust it" and "I was hacked" are not the same thing.

As well, "prove to me that I wasn't hacked" isn't a reasonable request.

 

[Ripshod]

If I run a port scan on my router I'll see half a dozed 'unknown' ports. All of them though are put there deliberately by asus to serve a purpose. Not a hack.
Your software is saying 'unknown' because they're just that, unknown to the software.

 

[bennor]

Thank you for all of your replies. I won't be addressing all of you individually, but I hope what I do say reaches out to each of you as an answered question.

In January of this year, I found out I was hacked. My PC's, gaming devices, TV's, Cell Phones, anything that connected to the internet was hacked, essentially. Since then, I have analyzed the hackers methods to mitigate his attacks, but he is relentless and keeps getting in. Early on in the year, I detected he was using the Intel Management Engine to gain full access to my computer. I used a Raspberry Pi and 'flashrom' to remove the Management Engine from the BIOS chip with 'me_cleaner'. After that, I tried to work on the browser hijacks so I was going through the registry and modifying everywhere I could find that he had added his strings/extensions. While trying to clean the browser hijacks I was led to my System Certificates in the 'Microsoft Management Console" (MMC). In there, I saw he added rogue certificates and was using many of them to deploy malware on my system alongside browser hijacking certificates. I found I scanner that told me a bunch of certificates were questionable and I ended up deleting all of them. This step had stopped the attacker....for a few. I ended up creating a batch script, full of registry keys, that delete the certificates on a loop. I've been using that for a few months now, and I also bought a TPM 1.2 from China recently, but I don't exactly trust it will do as it is supposed to do with how hacked my system is. The attacker uses Microsoft Signed programs so he doesn't get detected by virus/malware scanners. In the last few days I started to look at my ports. Avast Network Inspector has given me some information on what ports are open for which device is connected. Some of the services have proper names like HTTP, DNS, DHCP, MDNS, etc etc, but some show up as "unknown". I have seen "unknown' show up over the months and it's usually an indicator of something is fracky. My PC showed 10-15 open ports in the 5x,xxx-6x,xxx ranges and the name was "unknown". I started to block them manually through Windows Firewall, but another one opened up immediately. After blocking about 30 of them, I drank another beer, and closed ports 49,152 - 65,535 individually (Excel spread sheet code. I don't trust the 'range' option). This shut down ports and uncovered names of the ports that were previously showing as 'unknown". The attacker compromised my RDC ports, which isn't good from what I read. I already knew he controllled Windows Update and I assume this was how. So, my RDC ports are still open, and I need them to run my system properly, and there are 7 of them open on ports 135, 49664-49669. I also see 'unknown' as a name of a port when an iPhone has been connected, as well as my Firestick shows one or two sometimes. The attacker can see and control any device that is connected to my network that he has hacked. I watched my iPhone tap buttons when I wasn't using it. My Firestick was clicking things that I wasn't doing. He is broadcasting my online device usage over the internet to select people, but could be more. He uses Microsoft Teams, which he hides in the background under disguised processes so I don't find them. I found one recently, "taskhostw.exe" was being used as the disguised app. He was just on my system before my last reboot (I reboot to kick him out and I hope it does til he can port frack me again). I have an indicator of when he's running the program, so I watch for it. Not sure what he uses on Firestick, but he's also streaming what is watched to the people who are attacking me. I am trying to work on closing all these ports to see if it kicks him out. Right now, the closed ports are technically closed, but the Network Inspector still shows them open when I run a scan. However, they change when I do a new scan, but not each time for the Firestick. Most of the time for the PC. Now the router...The router shows DNS, DNS, DHCP, HTTP, MDNS, UNKNOWN, and HTTP as the services open with the ports next to them. The one that alarms me is the "UNKNOWN" name and that is the one that has port 9999 UDP open. I went to the link that was posted above, and I do recognize that the finding could be a false positive......but in my current situation, I can't accept a false positive considering the evidence of other ports and me closing the ports to find changes that were made. A post above said it could be because I connected it through ethernet, which I did. I reset the modem and changed the firmware, but I had it plugged in to my infected PC. I did not try it through WiFi set up. My ISP's router gets hacked in seconds and I'm on my 3rd one. I need to get another one sent. There's a lot more to my story that I will leave out but I've been tracked, followed, baited and set up all through this year. I found two hidden cameras on me and I suspect I have hidden cameras inside and outside my house that I now live in (I moved far away). I built a RF Field Strength Meter, which does work, but it's not the right one to detect the cameras. I ordered new parts to build a new one using a different type of circuit. This is my life right now. I am looking for any help possible, please. I have pictures of the Network Scans which shows the 'Unknown" service with the ports next to it. I will attach pictures after I post this.

(I have contacted ASUS about my motherboard and router. I have only heard back about my motherboard and I assume it wont' be good news for the router either.)

That's a hell of a story. Has it all, including "hidden cameras".

As to the screen captures you posted that appear to be from Avast. They don't necessarily indicate you've been "hacked". The "unknown" port entries simply means the Avast program doesn't know what uses that port so it lists it as unknown.

Perhaps if you haven't done so already you should consider just buying a new non Asus router as a security step.

 

[Tech Junky]

Unknown just means it's not a registered port.

 

[Viktor Jaep]

Thank you for all of your replies. I won't be addressing all of you individually, but I hope what I do say reaches out to each of you as an answered question.

In January of this year, I found out I was hacked. My PC's, gaming devices, TV's, Cell Phones, anything that connected to the internet was hacked, essentially. Since then, I have analyzed the hackers methods to mitigate his attacks, but he is relentless and keeps getting in. Early on in the year, I detected he was using the Intel Management Engine to gain full access to my computer. I used a Raspberry Pi and 'flashrom' to remove the Management Engine from the BIOS chip with 'me_cleaner'. After that, I tried to work on the browser hijacks so I was going through the registry and modifying everywhere I could find that he had added his strings/extensions. While trying to clean the browser hijacks I was led to my System Certificates in the 'Microsoft Management Console" (MMC). In there, I saw he added rogue certificates and was using many of them to deploy malware on my system alongside browser hijacking certificates. I found I scanner that told me a bunch of certificates were questionable and I ended up deleting all of them. This step had stopped the attacker....for a few. I ended up creating a batch script, full of registry keys, that delete the certificates on a loop. I've been using that for a few months now, and I also bought a TPM 1.2 from China recently, but I don't exactly trust it will do as it is supposed to do with how hacked my system is. The attacker uses Microsoft Signed programs so he doesn't get detected by virus/malware scanners. In the last few days I started to look at my ports. Avast Network Inspector has given me some information on what ports are open for which device is connected. Some of the services have proper names like HTTP, DNS, DHCP, MDNS, etc etc, but some show up as "unknown". I have seen "unknown' show up over the months and it's usually an indicator of something is fracky. My PC showed 10-15 open ports in the 5x,xxx-6x,xxx ranges and the name was "unknown". I started to block them manually through Windows Firewall, but another one opened up immediately. After blocking about 30 of them, I drank another beer, and closed ports 49,152 - 65,535 individually (Excel spread sheet code. I don't trust the 'range' option). This shut down ports and uncovered names of the ports that were previously showing as 'unknown". The attacker compromised my RDC ports, which isn't good from what I read. I already knew he controllled Windows Update and I assume this was how. So, my RDC ports are still open, and I need them to run my system properly, and there are 7 of them open on ports 135, 49664-49669. I also see 'unknown' as a name of a port when an iPhone has been connected, as well as my Firestick shows one or two sometimes. The attacker can see and control any device that is connected to my network that he has hacked. I watched my iPhone tap buttons when I wasn't using it. My Firestick was clicking things that I wasn't doing. He is broadcasting my online device usage over the internet to select people, but could be more. He uses Microsoft Teams, which he hides in the background under disguised processes so I don't find them. I found one recently, "taskhostw.exe" was being used as the disguised app. He was just on my system before my last reboot (I reboot to kick him out and I hope it does til he can port frack me again). I have an indicator of when he's running the program, so I watch for it. Not sure what he uses on Firestick, but he's also streaming what is watched to the people who are attacking me. I am trying to work on closing all these ports to see if it kicks him out. Right now, the closed ports are technically closed, but the Network Inspector still shows them open when I run a scan. However, they change when I do a new scan, but not each time for the Firestick. Most of the time for the PC. Now the router...The router shows DNS, DNS, DHCP, HTTP, MDNS, UNKNOWN, and HTTP as the services open with the ports next to them. The one that alarms me is the "UNKNOWN" name and that is the one that has port 9999 UDP open. I went to the link that was posted above, and I do recognize that the finding could be a false positive......but in my current situation, I can't accept a false positive considering the evidence of other ports and me closing the ports to find changes that were made. A post above said it could be because I connected it through ethernet, which I did. I reset the modem and changed the firmware, but I had it plugged in to my infected PC. I did not try it through WiFi set up. My ISP's router gets hacked in seconds and I'm on my 3rd one. I need to get another one sent. There's a lot more to my story that I will leave out but I've been tracked, followed, baited and set up all through this year. I found two hidden cameras on me and I suspect I have hidden cameras inside and outside my house that I now live in (I moved far away). I built a RF Field Strength Meter, which does work, but it's not the right one to detect the cameras. I ordered new parts to build a new one using a different type of circuit. This is my life right now. I am looking for any help possible, please. I have pictures of the Network Scans which shows the 'Unknown" service with the ports next to it. I will attach pictures after I post this.

(I have contacted ASUS about my motherboard and router. I have only heard back about my motherboard and I assume it wont' be good news for the router either.)

If you truly feel like you have uncovered hidden cameras that you (or some ex or investigator didn't place), and hackers continue to relentlessly pursue you even after you already moved "far away", then why haven't you involved the FBI? They can help. They have the tools to see exactly who is looking at your environment, believe me. However, I think you're going a little far saying that they hacked every single device in your home... why go through all that effort. I doubt Russia is budgeting a few $MIL for a nation-state team to keep relentlessly hacking all your devices and maintaining a presence there no matter what roadblocks you put up.

Ports are opened continuously by windows, linux, you name it... they choose a lot of the upper ports to communicate and do their thing. You keep shutting them down, and they will just keep opening them back up just so they can continue to function. Only the main standard ports are given names, but the other tens of thousands of ports that are randomly used for everything are going to come back as "unknown".

Why in the world are you using Avast? Probably one of the worst and most compromised AV package on the market. It's a risk just having this installed on your PC.

You seem to have jumped through a lot of hoops, like moving away, knowing you are being tracked/followed/baited, having built an RF shield strength meter... but since cost/time don't seem to matter, why don't you just do this:

1.) Buy a commercial-grade firewall/router
2.) Install a decent IDS/IPS solution (many times can be purchased/enabled on a commercial firewall)
3.) Install EDR on all your devices. Crowdstrike... SentinelOne are both great.
4.) Harden a Windows Server to use as your daily driver (There's lots of NIST guides out there, but here's an example)
5.) Learn and understand how to monitor and validate actual attacks coming across your firewall. Go take a security class. Get your security+ or a CEH cert.
6.) Try a different OS... give ChromeOS a shot, or Mac, if you feel Windows is so easily compromised.

Again, these extreme measures are only recommended for extreme cases like yours, and money becomes no option in cases like these. But truly, as @AndreiV noted above, I really have the feeling your are chasing your own tail and seeing ghosts here. Wish you the best of luck.

 

[AndreiV]

Choosing one and ditching everything else is not a good idea, sir. One scanner is not the same as the next.

Really ?

You have installed :


Zemana Antimalware

Hitman Pro

Avast One

WinPatrol (Scotty Dog in the systray ) a defunct program that closed in 2017.

Ghostery

Glasswire

A Malware folder and 2 other AV/AM app shortcuts on screen partially obscured.

-----

And yet you claim to be hacked , your approach, which will do nothing but cause system issues hasn't worked too well for you so far.

 

[AndreiV]

That's a hell of a story. Has it all, including "hidden cameras".

Yes indeed , even more so when you read 2 of the previous editions (and there were a lot more previously each with a different fairy tale attached.)

Router hacked via Port 9999 UDP

Hello, I have a hacker in my RT-AC86U router using any firmware. Currently I'm using Merlin's firmware from Summer, and the hacker has access to the router while it's offline, but connected to my PC. My PC is also hacked, and I'm trying to figure that out too. Factory resets and firmware...

www.snbforums.com

 

[Viktor Jaep]

Really ?

You have installed :


Zemana Antimalware

Hitman Pro

Avast One

WinPatrol (Scotty Dog in the systray ) a defunct program that closed in 2017.

Ghostery

Glasswire

A Malware folder and 2 other AV/AM app shortcuts on screen partially obscured.

-----

And yet you claim to be hacked , your approach, which will do nothing but cause system issues hasn't worked too well for you so far.

With so many experimental tools like this, you have to wonder what other kinds of payloads get installed on his system with these unsigned installers... <sigh>

 

[thiggins]

Forum regulars. Once again, these threads only continue because many of you respond.

 

[Bobsyouruncle]

Thanks for all of your replies.
I have a year long story of what has happened, and I can't tell you everything. You would be impressed by what I have done/uncovered along the way.
My story only makes sense if told from start to finish, I understand that. I'm trying to get help on targeted devices and the general consensus is that 'nothing is happening' or 'you're fine' or 'that's normal'. If you take this approach to everything, you're f*cked. You will always be hacked and never know it or know how to try help yourself.
It was a mistake to come here and ask for help from people who have not been hacked in the way I have. I would delete this thread if I could.

There is a major vulnerability in computer systems/cell phones/gaming devices etc and I know quite a bit about it. I hope you don't get attacked like I have.

Have a great day.


Malware Programs:
Avast was installed to use the Network Inspector and It's being used as the Virus scanner too. Honestly, it's picked up more than Windows Defender. Windows Security App has been compromissed, but I won't bore you with those details.
Zemana Antimalware caught files/folders that had malware in them which was related to my browsers being hijacked.
Hitman Pro was installed to scan for anything other scanners missed. Once installed and scanned, it was removed. It's not on my system.
WinPatrol is a great program that tells me when parts of my computer change and it gives me the option to accept or reject the change. When the attacker changed something, I got notified. I don't see why this would be bad.
Glasswire was used to check my network activity. The attacker uses Microsoft Teams to watch everything I do. He installs it in the background and hides everything from me so I don't find it. Glasswire didn't help me find anything, and it has since been removed. "See 'Teams' folder on my desktop"
Ghostery, I have never heard of before. I don't know where you see that either. Also, I use Pi-hole for my network ad-blocker. I wouldn't say anything bad about Pi-hole....
Malware folder consists of two text files which hold Pi-hole block lists.
There are no partially obscured icons that pertain to AV/AM.
You shouldn't assume anything until you ask questions. The correct approach would have been to ask if I still have all these programs installed and why did I use them. Get facts before you want to drill me. Check the dates on the photos.


Please do not respond. This thread is now dead.