Need Help With Network Virus/Exploit

Hi.

I am having issues with my network being hijacked. I am aware of this as when I log into my email web interface, I get the last login information and it does not match my ISP server or my DNS settings (through my ISP) when I am connected through my TP-Link Archer c3200 WiFi Router.

As you can see from the 2 screenshots attached; one shows the correct information when I hard line directly to my ISP provided Fiber gateway (MY IP.utopia.xmission.net), the second shows the address I am being re-directed through when I am connected to my router (e221DOTmailoutDOTekwinDOTtwelvehorsesDOTcom).

I get the same result from any computer or device attached to my router (as far as being redirected). This lets me know that the redirect is coming through my router as one of those devices is my phone and it shows the proper IP info when not using the router. I only get redirected through the suspicious IP/URL when connected to my router.

I do have another router I can try to see if it's my current router, as well as let me factory reset it. I thought I'd come here also as this is not the average style of virus/exploit.

Does anyone know of this URL ‘twelvehorsesDOTcom’? I can't find anything other than the WHOIS, which also shows they have another URL out of Denmark I think, ‘twelvehorsesDOTde’.

How do I get things under control, as I don't believe it's coming from my Avast protected devices being infected?

Note: Replaced part of the suspicious URL characters with DOT so others don't accidentally click or copy to an illicit URL site.

I have tried resetting the router as well as re-applying its firmware. I am also working through their support and my ISP's as this is very odd. So far no one knows why I would be getting the last known login location as the ‘twelvehorses’ bit (no pun intended but funny).

I can find info through like LinkedIn and a couple of other social sites yet the website given is an HTTP website and not an HTTPS website; which strikes even further concern. When I tried to go to the website, nothing at all loads either (did through InPrivate browsing on a device not connected to my network).

Does anyone know about this twelvehorses company/URL?

I'm assuming this thread and your other one are separate from each other? >> https://forum.avast.com/index.php?topic=230202.msg1524178#msg1524178

Follow the instructions here please >> https://forum.avast.com/index.php?topic=194892.0

Edit;
https://exchange.xforce.ibmcloud.com/url/http:~2F~2Fe221.mailout.ekwin.twelvehorses.com

Registrar Name 1&1 IONOS SE
Are you German? Because that belongs to a German ISP

https://www.google.com/search?q=1%261+IONOS+SE&rlz=1C1CHBF_enCA859CA859&oq=1%261+IONOS+SE&aqs=chrome..69i57j0l5.351j0j7&sourceid=chrome&ie=UTF-8

Yes they are separate issues…

No, I am not in Germany. I am in the United States and I am not using any VPN.

I will run the scans but the info and checking I have already done state that the issue is within my router, not any of my machines. Please re-read the OP.

Again, I will do these tests on both the PCs but they can't be done on my phone, which shows the same issue only when connected to my router. If it was on my machines then changing to a direct connection to the gateway and removing the router shouldn't affect the outcome occurring.

I have run the logs.

I did want to clarify that this is not about the DEEPTEEP virus I already know is infecting my friend's machine, as it is in the installed apps/programs list.

Here are the results pertaining to this separate occurrence, not the DEEPTEEP virus.

MB shows no infections and I am guessing the log of FRST also shows the same. I already know the infection is not on my machines because it also happens on my phone when I connect my phone to the router.

But here are the results anyhow… I am needing something to dig very deep into my router as that's where the exploit is occurring and where I get redirected through ‘twelvehorses’.

I know it's complicated and doesn't make sense and the details sound like something that can't happen as far as we know, but at a time BIOS viruses, DNS changers, and rootkits were viewed as impossible too.

I look forward to some extensive diagnosing of this. Enjoy :smiley:

A little bit off topic… but still kind of on topic.

If Bleeping Computer were ever attacked and compromised, a hacker could easily replace the Farbar Recovery Scan Tool with an illicit version and it would be some time before anyone became the wiser, as it is not digitally signed by a publisher.

This has happened on GitHub but the persons had a valid cert so when it was replaced it was easy to know since Windows gave a warning that the illicit version was not signed. I hope that whoever is the creator of the Farbar Recovery Scan Tool understands this and backs up their tool by getting it a valid certificate.

Again… these tools make a person nervous who gets things like this.

I mean - CCleaner was attacked, and replaced, and it wasn’t noticed until Talos (Cisco) stepped in. (I’d also note that Avast! owns Piriform, the developers of CCleaner.)

Farbar (the creator) is active on G2G if you'd like to report your concerns. >> http://www.geekstogo.com/forum/user/329828-farbar/ It's also worth noting that digital certs aren't the only way of verifying a program's authenticity. (Though, to be fair, Farbar doesn't post hashes of his program either…)

I will PM Sass Drake.

Edit: Sass Drake >> https://community.tp-link.com/us/home/forum/topic/174352

I am not overly concerned, yet it's a good thing to have a valid cert these days so that users know the software they downloaded is by the author/publisher and not some illicit replacement version.

With that said…


So I did some further testing which most assuredly points to my TP-Link C3200 router being exploited with something odd and unknown.

I switched to another router I have that is also TP-Link and now I am getting the correct info as far as the last login location. Then I went back to the suspect router and sure enough, I’m back to ‘twelvehorses’ as my last location. You can see in the screenshot what the new router reported (which is correct minus my public IP blanked out) and then what happens when I go back to the old router.

I know Avast is mainly device protection. I know Avast doesn’t do support for TP-Link routers. Yet my confidence in Avast and the support here on the forums is why I am asking for more help to figure out how this exploit is even happening when ‘tracert’ and tools that show my IP address report things as they should yet when connected to the C3200 I also get the strange last login location.

I believe a concerted effort will end up with the best results. Something is going on and I’d like to help TP-Link uncover it as well as let Avast help for their own ‘street cred’.

So… where do we go from here?

EDIT: Just wanted to add that the C1200 router was set up with the exact same protocols as the C3200; IE DDOS protection, WPA protection, Manual DNS, etc.

To address your concerns about users knowing a genuine author from an illicit one, many (and I do mean MANY) would not know any form of difference between a signed piece and unsigned. And even when Microsoft alerts them, they typically hit “Yes”/“OK”/“Ignore Warning” anyways. If they don't, they relaunch the program, and end up hitting “Yes”/“OK”/“Ignore Warning” because of the need to install. The average user is not educated enough to know that.

Why are you implementing DDoS protection? It is extremely unlikely that you will be DDoS’d off the internet for general usage. WPA (and given the lack of specification, I’m assuming you’re using WPA1 here) is vulnerable (on TKIP). WPA1 was designed as a stop gap measure to WEP attacks. Switch to WPA2 (AES) with a secure passphrase.

aircrack article >> http://dl.aircrack-ng.org/breakingwepandwpa.pdf
Aruba Article >> https://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/TKIP-Vulnerabilities/ta-p/25384

Factory Settings >> https://www.tp-link.com/ca/support/faq/497/?utm_medium=select-local

Given your concern about a compromised router, I’d be opting for a hardware reset then through the management console.

Sass Drake will likely check your FRST logs tomorrow.

I've had issues in the past. I get kinda ‘noisy’ in social media influencing and activism. Probably why I'm dealing with this unique exploit on my router right now.

I'm pretty up to date on things. Of course I use WPA2. Also hide my SSID to help protect against neighborhood leeching… here in my neighborhood it's a big thing too. I learned a lot working in ISMO (Information Services Management Office) for the USMC and so I know how to lock things down pretty well, even past what is probably needed, but it never affects my throughput or connectivity.

The University I live close to has one of the best IT departments in the US. A couple years ago the sophomores from UVU beat MIT graduate students in a hackathon, so I'm just say'n there is a lot of knowledge in and around my neighborhood. Plus, people can get tools to hack WPA2 without even having to go ‘darkweb’ these days, and they usually only go for networks they can see unless they are a super black hat type of person.

I'm super stoked for the new WiFi6 gen of routers for their advances on protecting wifi traffic.

I know, I know… with all dat I should be also VPN but I get a Gig fiber here and VPN usually slows that down to at least half as most just aren’t set up for a full Gig down AND up stream. That’s part of why I lock my router down so much so not using a VPN isn’t that big a deal. Plus my provider, XMission, does a good job at protecting their customers.

Also, I am not a typical user who just hits accept or allow without knowing why.

I have also done a full factory reset on the c3200 as well as a 30/30/30 reset for the fun of it (even though that’s mainly a Netgear and D-Link issue for 3rd party DDWRT and Tomato… never done any of that though). Soon as I got back up, my internet went live then dropped then back on and sure enough I was back to the 12 horsies issue :stuck_out_tongue:

I really do want to nail this exploit down though and I would love, if we do, to give Avast community props in it all for the help.

Next to my ISP, Avast is the next best business model I know of. They are no XMission, but they are above most of the rest.


Off topic, here is a video of the CEO of XMission at an OpenWest conference on security and user protection if you want to read about a top notch company!

https://www.youtube.com/watch?v=tl3muxsiSP0

Edit: I meant to address WPA2 hacking. It’s very, very difficult to break WPA2 (AES). The only way I’m aware of is running dictionary/bruteforce/Social Engineering (Evil Twin) attacks on it. Alternatives do exist (KRACK attack), but to my knowledge, only affect Linux and Android devices.

======================================================================

Well, looking at twelvehorses(dot)com's source code reveals sedoparking(dot)com.


'src="//sedoparking.com/frmpark/'
    + window.location.host + '/'
    + 'IONOSParkingUS'
    + '/park.js">'

  • Where window.location.host is “twelvehorses.com”
  • // is the short form of hxxps://sedoparking.com/frmpark/

The fully constructed URL is hxxp://sedoparking.com/frmpark/twelvehorses.com/IONOSParkingUS/park.js


    var google_afd_request = {"client":"ca-dp-sedo89_3ph","drid":"as-drid-2638193593145307","domain_name":"twelvehorses.com","session_token":"create"};
    var setup = {
        domain : 'twelvehorses.com',
        registrar : 'IONOSParkingUS',
    };

    function google_afd_ad_request_done( google_afd_response ) {

        if( typeof(google_afd_response.session_token) == 'undefined' ){
           google_afd_response.session_token = '';
        }

        loadContentFrame( google_afd_response.session_token );
    }

    document.write(
        '<script type="text/javascript" language="JavaScript" ' +
        'src="http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"><\/script>' );

    function loadContentFrame( session_token ){

        var contentFrame = document.createElement('iframe');
        contentFrame.setAttribute( 'src',
                'http://sedoparking.com/search/registrar.php'+
                '?domain=' + setup.domain +
                '&rpv=2' +
                '&registrar=' + setup.registrar +
                '&gst=' + session_token +
                '&ref=' + document.referrer +
                ''
        );

        contentFrame.setAttribute('name', 'regpark' );
        
       
        contentFrame.setAttribute('frameBorder', '0' );

        var contentContainer = document.getElementById("partner");
        if( typeof(contentContainer) == 'undefined' ){
            contentContainer = document.createElement('div');
            contentContainer.setAttribute('id', 'partner');
        }

        contentContainer.appendChild( contentFrame );
    }

It’s currently 1:30AM here, and I don’t feel like firing KALI VM’s up and running Burpsuite, so I cheated.


hxxp://sedoparking.com/search/registrar.php?domain=twelvehorses.com&rpv=2&registrar=IONOSParkingUSIONOSParkingUS&gst=X&ref=X

That reveals that twelvehorses(dot)com is a parked domain.

Read the little splurge about “Parked Domains”


<div class="row marketing">
        <h4 class="col-xs-12">What Is Domain Parking?</h4>
        <div class="col-xs-7">
            <p>
                Domain Parking is a simple way to earn money from your domains'
                natural traffic. If you have registered domain names, but they
                are not currently being used, then domain parking is a great way
                to put those domains to work, earning you revenue.
            </p>
            <p>
                You can make money without even lifting a finger! The idle
                domain is used to display relevant advertisements -every time a
                consumer clicks on one of the advertisements, you earn money.
            </p>

What’s interesting is that I cannot get the e221.* domain to actually resolve.

A ping nmap scan of twelvehorses(dot)com reveals ports 80, 81, 443


nmap -p- -v twelvehorses.com

Port 81 is atypical… Try it? Oh, it’s a login screen. Scan it. *Note: Scanning domains may or may not be legal depending on your location. DO NOT RUN THESE SCANS. AGGRESSIVE SCANNING MAY CRASH DOMAINS!!


nmap -sC -sV -p T:81 -T5 -A -v --script vuln twelvehorses.com

Not much there >>


Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-27 01:44 Atlantic Daylight Time
NSE: Loaded 145 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 01:44
NSE Timing: About 50.00% done; ETC: 01:45 (0:00:31 remaining)
Completed NSE at 01:45, 34.01s elapsed
Initiating NSE at 01:45
Completed NSE at 01:45, 0.00s elapsed
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Initiating Ping Scan at 01:45
Scanning twelvehorses.com (74.208.236.207) [4 ports]
Completed Ping Scan at 01:45, 0.96s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:45
Completed Parallel DNS resolution of 1 host. at 01:45, 0.21s elapsed
Initiating SYN Stealth Scan at 01:45
Scanning twelvehorses.com (74.208.236.207) [1 port]
Discovered open port 81/tcp on 74.208.236.207
Completed SYN Stealth Scan at 01:45, 0.05s elapsed (1 total ports)
Initiating Service scan at 01:45
Scanning 1 service on twelvehorses.com (74.208.236.207)
Completed Service scan at 01:45, 6.11s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against twelvehorses.com (74.208.236.207)
Retrying OS detection (try #2) against twelvehorses.com (74.208.236.207)
Initiating Traceroute at 01:45
Completed Traceroute at 01:45, 0.07s elapsed
Initiating Parallel DNS resolution of 14 hosts. at 01:45
Completed Parallel DNS resolution of 14 hosts. at 01:45, 0.25s elapsed
NSE: Script scanning 74.208.236.207.
Initiating NSE at 01:45
Completed NSE at 01:47, 113.01s elapsed
Initiating NSE at 01:47
Completed NSE at 01:47, 0.00s elapsed
Nmap scan report for twelvehorses.com (74.208.236.207)
Host is up (0.048s latency).
rDNS record for 74.208.236.207: 74-208-236-207.elastic-ssl.ui-r.com

PORT   STATE SERVICE VERSION
81/tcp open  http    nginx
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-iis-webdav-vuln: Could not determine vulnerability, since root folder is password protected
| http-server-header: 
|   Apache
|_  nginx
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device|specialized|storage-misc
Running (JUST GUESSING): Linux 3.X|4.X (91%), Netgem embedded (89%), Crestron 2-Series (87%), HP embedded (85%), Oracle VM Server 3.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/h:netgem:n7700 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:oracle:vm_server:3.4.2 cpe:/o:linux:linux_kernel:4.1
Aggressive OS guesses: Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%), Netgem N7700 set-top box (89%), Linux 3.18 (87%), Crestron XPanel control system (87%), Linux 3.16 (86%), Linux 3.13 or 4.2 (85%), HP P2000 G3 NAS device (85%), Oracle VM Server 3.4.2 (Linux 4.1) (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 8.374 days (since Fri Oct 18 16:49:32 2019)
Network Distance: 14 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

<Traceroute Removed>

Basically, twelvehorses.com is a parked domain. I have zero idea what it should be pointing to, but it’s not currently pointing to anything I can find. I’ve also DM’d polonus, who happens to know a shit load more then I do regarding domains.

WOW! That is a ton of great stuff!

Thanks for all your help!!!

I run a web hosting company, or am trying to get one off the ground at least, so I am fully aware of what a parked domain is. 12 Horses is not one of the domains I handle either. I don't know why my router would be pointing to a parked domain unless it's part of something maybe unknown right now as far as exploitation goes. Maybe they park it and watch IP traffic to intercept.

Again, I dunno I just know this is very odd in the way my ISP reports it vs regular tools and ‘tracert’ commands. It wouldn’t be the first time I was hit with an unknown variant/exploitation.

As I stated before, it wasn’t that long ago that things like BIOS hijacking (which Dell now has a service to protect from), non-click DNS changers (Operation Ghost Click https://www.fbi.gov/news/stories/international-cyber-ring-that-infected-millions-of-computers-dismantled ), and other such things were called impossible.

“A thing is only impossible until someone does it.” - Patrick Stewart as Captain Picard. In today's cyber-exploitation world that happens quicker than we are keeping up with.

Maybe polonus will be able to add some more helpful info too or dig past what most normally think isn't possible.

If this can help TP-Link, then all the better!

Website scan fail: https://sitecheck.sucuri.net/results/twelvehorses.com
See: https://toolbar.netcraft.com/site_report?url=http://twelvehorses.com
See: https://www.shodan.io/host/74.208.236.207
Going to look here: Link: hxtps://galtmedical.com/wp-json/; rel=“https://api.w.org/”
with an outdated WordPress version, update a.s.a.p.
User Enumeration
The first two user ID’s were tested to determine if user enumeration is possible.

ID | User | Login
1 | galtadmin | galtadmin
2 | LeAnne Williams | beacon
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Only the first two user ID’s were tested with this scan, try the advanced membership options for detailed enumeration of users, themes and plugins.
Back to IP relations:
See malware coming from that IP address: https://www.virustotal.com/gui/ip-address/74.208.236.207/relations

See last DNS records → https://www.virustotal.com/gui/domain/twelvehorses.com/details

Finally getting at the nitty gritty here: https://www.virustotal.com/gui/domain/twelvehorses.com/relations
Infested:
hxtp://twelvehorses.com/mm/Clickthrough/23317062/27021558/23333143/uBn6_sdjVJ8Dmr08mYuLuACBQH4A/*http:/www.tesco.ie/register/unsubscribe.asp see also the communicating file detections there.

Domain health report: https://mxtoolbox.com/domain/twelvehorses.com/
Waits for some action from the website admin and the hosting staff.

polonus (3rd party cold reconnaissance website security analyst and website error-hunter)

I don’t see anything malicious in FRST logs. Can you check configured TP Link hostname?

Man…

I think all the work you super awesome people have been doing has caused some alarm with whoever is behind it.

I went to answer Sass Drake's question and tried to log into my router just to ensure I was giving the correct information, but it wouldn't let me log in. I kept getting a ‘500 Internal Server Error’ page (see screenshot 1), yet last night I had no issues logging into it from this device.

In an effort to make sure I was using the correct Default Gateway IP, I did an ipconfig /all from a CMD and it was correct. I tried again using the copied/pasted IP from the ipconfig results just in case my fingers were being weird on me. Still the server error.

I did a full reset on the router to factory defaults by using the reset button on the back of the router and tried to log in through LAN cable with 192.168.0.1 and still got the error. Checked ipconfig /all again. And it was the correct default gateway.

Used a 2nd offline computer to log in and it let me log in finally so I logged out and tried the first computer and once again the Internal server error.

Hooked back up to the 2nd computer, logged in and set up my normal custom settings without changing anything from what it was before. Now I can log in from the first computer again.

Very odd… I think we are on to something :-X

So you are saying this website is illicit/malicious then, correct?

I assume you are talking about my router host name I assign? It is ‘Wilkinsons’. I attached a screenshot of the router page. Note, I had to freshly reset my router and set it all back up as well I had to use a different computer. That is explained in my post above this one.

Anyhow, if I am reading polonus correctly and the site is infected then something is definitely going on.


My next question is how would they be re-directing me with only my ISP's webmail server detecting the ‘twelvehorses’ IP, while all other tools (What Is My IP, etc.) show the information that normally would show? Did I stumble across a whole new type of re-direct or exploitation method?

Is it possible my router FW has been flashed and I am only using a shell FW settings page, meanwhile underneath the exploited FW is running using a weird VPN setup? How would I be able to even check for that and still how would it be fooling all attempts to detect like ‘what is my ip’ site and such?

That is like they are sending me through them but not through them.

While we think about this, I am attempting to find out just how my ISP webmail server queries the last known location as it seems to be on top of everything in detecting the malicious URL.

EDIT: Just wanted to add my ISP’s webmail server is still detecting the weird 12 horses IP as my last login location using the router, even after resetting again.

What is that networking setup (from ipconfig /all)?

Your DHCP and Gateway are pointed to an IP in Egypt.

Yes. That is the ipconfig /all ran through a command prompt.

The IP you are looking at is my LAN side gateway IP of my router, not my actual fiber gateway from my ISP. So it's one I set up. It is not my public IP.

That keeps confusing people but it is nothing to be concerned over as it's only on the LAN side of the router (the IP address range used for my local ‘in-house’ network). It has nothing to do with any outbound WAN side traffic.

I changed it from the default 192.168.0.1 to the one currently showing in the picture (the other router that worked fine had the same setting so that is not the cause of what is happening). It's just an extra security measure most don't take and has no effect on WAN side traffic.

It should not have denied me from connecting either, like it was. Now it's allowing me to log in after the factory reset and then resetting all my personal settings.

When I search my public IP it comes up what it should be and this is why this weird re-direct that XMission is detecting is so suspicious in that it doesn’t match with ‘What Is My IP’.

It will be very helpful when I can get the exact way XMission webmail server is querying my last login location. Maybe the query they use is something different than ‘What Is My IP’ and will show a better way to track the re-direct.

WHEW!!!

So in contacting my ISP today, I got someone who did more checking into things than the last agent I was working with.

As it turns out, the webmail server was doing a basic IP check then using a reverse domain lookup to verify. 12 horses was a very old client which they let go, probably due to 12 horses being malicious in their activities. The IP they had been assigned via static IP had just not been cleared out of the naming system on XMission’s side :stuck_out_tongue: .

When the webmail server did the IP check and reverse domain check it then probably noted the old record on XMission server that hadn’t been fully audited and that’s why it gave me the 12 horses. As well, ICANN may still hold old records which may have also attributed to the bad reverse domain lookup results.

They assigned my router MAC a different IP in the DHCP assignments (reserved DHCP) and I got a different last known login location using the same router.

They thanked me for helping them see they needed some further auditing on some of the older IP ranges they have used. I wish I could have gotten this agent from the start but hey… we did uncover a domain somehow doing something illicit 8) ! It's also weird that I had the issues logging into the router after polonus and Alan did their extensive checking in the 12 horses domain… even after fully resetting the router… but that is something I will just qualify as a ‘murphyism’ I guess :stuck_out_tongue: .

I am very relieved to know I wasn't dealing with some new NextGen exploit and ended up a target, yet after @polonus' research on the parked domain showing it is infected, that might be something Avast would want to either further investigate or report to ICANN.

Either way… THANK YOU TO ALL WHO WORKED ON THIS.
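The resolution above comes down to a webmail server trusting a reverse-DNS (PTR) lookup on the login IP, and a stale PTR left over from a former customer producing the misleading hostname. As an added example (not code from this thread, from XMission or from TP-Link), here is a forward-confirmed reverse DNS check in Python that would have flagged the mismatch: the IP addresses, hostnames and zone data are constructed, and the resolver is an in-memory stand-in so the script runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for a 'last login location' label.

A bare PTR lookup shows whatever name the ISP's reverse zone still holds,
even if that record belongs to a client who left years ago. FCrDNS adds a
second step: resolve the PTR name forward and only trust it if the original
IP is among the addresses it returns.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class LoginLabel:
    ip: str
    ptr_name: Optional[str]  # what the reverse lookup returned, if anything
    confirmed: bool          # did the name resolve back to this IP?
    display: str             # what a webmail "last login" page should show


# Constructed sample zone data (hypothetical .example names, documentation
# IP ranges). 203.0.113.45 still carries an old PTR for a departed client
# whose hostname now resolves to an unrelated parking host.
PTR_RECORDS = {
    "203.0.113.45": "e221.mailout.ekwin.twelvehorses.example",  # stale PTR
    "203.0.113.46": "customer-46.utopia.isp.example",           # current
    "203.0.113.47": None,                                        # no PTR
}
A_RECORDS = {
    "e221.mailout.ekwin.twelvehorses.example": ["198.51.100.7"],
    "customer-46.utopia.isp.example": ["203.0.113.46"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed zone (stand-in for gethostbyaddr)."""
    return PTR_RECORDS.get(ip)


def lookup_a(name: str) -> List[str]:
    """Forward lookup against the constructed zone (stand-in for getaddrinfo)."""
    return A_RECORDS.get(name, [])


def label_login(ip: str,
                ptr: Callable[[str], Optional[str]] = lookup_ptr,
                fwd: Callable[[str], Iterable[str]] = lookup_a) -> LoginLabel:
    """Label a login IP, showing a hostname only when it is forward-confirmed.

    An unconfirmed PTR (stale or spoofed) is still recorded so an operator
    can audit it, but the user-facing label falls back to the raw IP.
    """
    name = ptr(ip)
    if name is None:
        return LoginLabel(ip, None, False, ip)
    if ip in set(fwd(name)):
        return LoginLabel(ip, name, True, f"{ip} ({name})")
    return LoginLabel(ip, name, False, f"{ip} (unverified rDNS: {name})")


def stale_ptr_report(ips: Iterable[str]) -> List[str]:
    """Audit helper: IPs whose PTR exists but fails forward confirmation.

    This is the sweep an ISP could run over older address ranges to find
    reverse records that were never cleared after a customer left.
    """
    return [r.ip for r in map(label_login, ips)
            if r.ptr_name is not None and not r.confirmed]


if __name__ == "__main__":
    for addr in PTR_RECORDS:
        print(label_login(addr).display)
    print("Stale PTR records:", stale_ptr_report(PTR_RECORDS))
```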

Thank-you for the update.

Glad to hear the issue has been resolved with your ISP. I still think that networking setup is wack, but oh well. (A 10.* or 172.16.*.* → 172.32.*.* network would serve a better purpose).