LOL!
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Fri, Apr 22, 2016 at 5:00 PM, That One Guy /sarcasm <[email protected]> wrote:

> I have considered the fact that sometimes wiring is bad in homes, yes.
>
> On Fri, Apr 22, 2016 at 3:55 PM, Mathew Howard <[email protected]> wrote:
>
>> Have you considered burning his house down?
>>
>> On Fri, Apr 22, 2016 at 3:18 PM, That One Guy /sarcasm <[email protected]> wrote:
>>
>>> So this guy's still at it, he's tried contacting Rise multiple times, they
>>> won't help, blah blah blah, wants us to help.
>>>
>>> I did my due diligence, I called Rise, told them we have a numbskull. I
>>> asked them if they were serving malicious content over unsecured wifi, he
>>> assured me they weren't, something about bad juju and all, I told him sorry
>>> for calling, and I'm not a rat fink snitch but I need this customer off my
>>> back so I'll just point him to the FCC complaint form so they can tell him
>>> to get bent.
>>>
>>> I sent him the consumer complaint link with the FCC and told him it's not
>>> our place to get involved.
>>>
>>> I assume this will end up resulting in him complaining every two days on
>>> that form about us too
>>>
>>> I'm no snitch btw
>>>
>>> On Mon, Apr 11, 2016 at 5:49 PM, Bill Prince <[email protected]> wrote:
>>>
>>>> Flo is your customer?
>>>>
>>>> bp
>>>> <part15sbs{at}gmail{dot}com>
>>>>
>>>> On 4/11/2016 2:38 PM, Ken Hohhof wrote:
>>>>
>>>> I think some of my customers were in a recent Progressive commercial:
>>>> http://lifelanes.progressive.com/park-ranger-mark/
>>>>
>>>> *From:* That One Guy /sarcasm <[email protected]>
>>>> *Sent:* Monday, April 11, 2016 4:21 PM
>>>> *To:* [email protected]
>>>> *Subject:* Re: [AFMUG] interesting malware, and checking an air router
>>>>
>>>> I feel bad for the poor Rise Broadband guy he talks to, he's convinced
>>>> their ESSIDs have infected him
>>>>
>>>> On Sun, Apr 10, 2016 at 9:52 PM, That One Guy /sarcasm <[email protected]> wrote:
>>>>
>>>>> stupid malware, I would have been a real good bad guy, I need to learn
>>>>> to code so I can hacksnphreaks stuff
>>>>>
>>>>> On Sun, Apr 10, 2016 at 9:46 PM, Josh Reynolds <[email protected]> wrote:
>>>>>
>>>>>> Correct
>>>>>> On Apr 10, 2016 9:43 PM, "That One Guy /sarcasm" <[email protected]> wrote:
>>>>>>
>>>>>>> no real way to do that remotely is there with no one holding the
>>>>>>> reset and a layer 2 connection?
>>>>>>>
>>>>>>> On Sun, Apr 10, 2016 at 9:39 PM, Josh Reynolds <[email protected]> wrote:
>>>>>>>
>>>>>>>> No. TFTP flash recreates the flash filesystem. HTTP upgrade does
>>>>>>>> not.
>>>>>>>> On Apr 10, 2016 9:38 PM, "That One Guy /sarcasm" <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> if it happens to be crumped, and I http it a firmware, it should
>>>>>>>>> still overwrite the funtime hatred shouldn't it?
>>>>>>>>>
>>>>>>>>> On Sun, Apr 10, 2016 at 9:34 PM, Josh Reynolds <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Nope. Just TFTP flash it to the newest stable firmware.
>>>>>>>>>> On Apr 10, 2016 9:02 PM, "That One Guy /sarcasm" <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Is there something to run against this air router to check it?
>>>>>>>>>>> On Apr 10, 2016 7:53 PM, "Josh Reynolds" <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> http://m.theregister.co.uk/2014/07/29/antivirus_blood_splattered_as_biz_warned_audit_or_die/
>>>>>>>>>>>>
>>>>>>>>>>>> http://arstechnica.com/security/2015/09/security-wares-like-kaspersky-av-can-make-you-more-vulnerable-to-attacks/
>>>>>>>>>>>>
>>>>>>>>>>>> https://books.google.com/books?id=wqV1CgAAQBAJ&pg=PA183&lpg=PA183&dq=antivirus+attack+surface&source=bl&ots=HF7hnyj7sN&sig=Ski6OAQaLdD4MeIDGJRfuNoaZiE&hl=en&sa=X&ved=0ahUKEwjsgP7nroXMAhUjk4MKHb19DQ0Q6AEIKzAE#v=onepage&q=antivirus%20attack%20surface&f=false
>>>>>>>>>>>> On Apr 10, 2016 6:21 PM, "That One Guy /sarcasm" <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Josh,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can you expand that?
>>>>>>>>>>>>>
>>>>>>>>>>>>> The following is the last communication, note this started as
>>>>>>>>>>>>> a slowness complaint.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi. I had a couple questions regarding the wireless router
>>>>>>>>>>>>> that you provide with my service.
>>>>>>>>>>>>> Since I don't have access to the device, could you turn off
>>>>>>>>>>>>> broadcasting of the SSID please? The reason for this request due to a
>>>>>>>>>>>>> very damaging virus/malware that hit my home network extremely hard.
>>>>>>>>>>>>> Gained access to my networks through the wireless connection and my
>>>>>>>>>>>>> phone, which then took out everything else connected. The Wi-Fi that
>>>>>>>>>>>>> caused the issue ended up as "OPEN" and no longer secure. Since there
>>>>>>>>>>>>> is such massive distances between any of us our her I would only see
>>>>>>>>>>>>> that specific SSID on days when everything allowed to travel just a
>>>>>>>>>>>>> little bit further. And when I did see it over the last 1.5 years, but
>>>>>>>>>>>>> it was always "Secured". Anyway... the story is much longer but A. can
>>>>>>>>>>>>> you hide the SSID and possibly change it to something else? This way I
>>>>>>>>>>>>> know it has a little extra protection. But please let me know the
>>>>>>>>>>>>> SSID. Do you by chance know of an SSID near me of: ISPSTUFF360? Its
>>>>>>>>>>>>> MAC address is 00:60:ld:f1:91:be. It came back as a Lucent
>>>>>>>>>>>>> Technologies device. Also.. I was not simply taken out of service by 1
>>>>>>>>>>>>> "Open" device...I was taken out by 2 ! The second one that is also
>>>>>>>>>>>>> broadcasting as "Open" is similar in name. Its SSID is ISPSTUFF1000. I
>>>>>>>>>>>>> have its MAC address somewhere in the middle of all this mess, but
>>>>>>>>>>>>> it's the same I believe. It also resolved by MAC address to a Lucent
>>>>>>>>>>>>> Technologies Device.
>>>>>>>>>>>>> From what discovered from once I had a chance to finish up replacing
>>>>>>>>>>>>> the hard drive in my laptop, ending up with corruption in the bios as
>>>>>>>>>>>>> well, replacing a drive in my Workstations as it would not ever
>>>>>>>>>>>>> respond to restoration software. And so much figging time to install
>>>>>>>>>>>>> everything. I had to be safe and reset my phone, my tablet pc and my
>>>>>>>>>>>>> FLAC file of over 119gb of my entire music collection. Not to. I still
>>>>>>>>>>>>> don't feel comfortable given how destructive it was. I immediately had
>>>>>>>>>>>>> to spend hour upon hour calling banks, and Website, and anything that
>>>>>>>>>>>>> I accessed online to change my logins and passwords. It even appears
>>>>>>>>>>>>> to have left its mark on the Direct TV DVR as well. So I have already
>>>>>>>>>>>>> spent more $ than I had to spare but I most definitely don't trust any
>>>>>>>>>>>>> of the devices any longer. Especially since the 2 devices are still
>>>>>>>>>>>>> broadcasting as I send this.
>>>>>>>>>>>>> Kevin
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sun, Apr 10, 2016 at 3:59 PM, Josh Reynolds <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> FYI antimalware/antivirus and adblock are the newest attack
>>>>>>>>>>>>>> vectors. :)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Pretty easy way to get persistent malware on machines now.
>>>>>>>>>>>>>> On Apr 10, 2016 3:57 PM, "That One Guy /sarcasm" <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm a worst case scenario artist. My concern is the customer will
>>>>>>>>>>>>>>> talk to our customer service, they'll tell him we will replace his
>>>>>>>>>>>>>>> router. He will bring it in, get a replacement. It's been "infected"
>>>>>>>>>>>>>>> and will hit our Achilles heel.
>>>>>>>>>>>>>>> Customer service will drop it in the returns bin. It will get taken
>>>>>>>>>>>>>>> back and connected to the machine that's used to dump the file, it
>>>>>>>>>>>>>>> will "infect" that machine, that machine will infect the Customer
>>>>>>>>>>>>>>> service network. A tech will pick up the router and install it at
>>>>>>>>>>>>>>> another POP, infecting that POP. He will also bring his laptop back
>>>>>>>>>>>>>>> and connect it to my network. My machine has no real antimalware and
>>>>>>>>>>>>>>> he will infect it across that network. My machine has all the keys to
>>>>>>>>>>>>>>> the castle.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> the reality is the guy probably had slow wifi in his detached garage
>>>>>>>>>>>>>>> 1500 feet from his house, and his buddy mike said he must be infected
>>>>>>>>>>>>>>> with some really nasty virus because his portable version of AVG from
>>>>>>>>>>>>>>> 2010 can't find it so it must be direct from anonymous.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sun, Apr 10, 2016 at 3:37 PM, Josh Reynolds <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Cross platform malware is a Thing now, and has been for
>>>>>>>>>>>>>>>> several years. It's fortunately not very prevalent yet.
>>>>>>>>>>>>>>>> On Apr 10, 2016 3:36 PM, "Bill Prince" <[email protected]> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I don't believe it.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> We have a friend that comes to some outrageous conclusions
>>>>>>>>>>>>>>>>> with scant information, and practically zero technical knowledge.
>>>>>>>>>>>>>>>>> Yet when he explains something, he sounds perfectly reasonable with
>>>>>>>>>>>>>>>>> impeccable logic. It just never is.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> bp
>>>>>>>>>>>>>>>>> <part15sbs{at}gmail{dot}com>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 4/10/2016 1:29 PM, That One Guy /sarcasm wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> So we have this customer who experienced a ferocious malware, still
>>>>>>>>>>>>>>>>> waiting on more details from the customer, it's very interesting
>>>>>>>>>>>>>>>>> because it crossed multiple platforms. multiple cell phones, a
>>>>>>>>>>>>>>>>> satellite DVR, a PC etc. I'm not sure how he verified infection, but
>>>>>>>>>>>>>>>>> he did have to factory his phones, his PC he said required a hard
>>>>>>>>>>>>>>>>> drive replacement (not sure what or who decided this) not sure how
>>>>>>>>>>>>>>>>> the satellite DVR was mitigated. He thinks it came from a Rise
>>>>>>>>>>>>>>>>> Broadband (formerly Prairie Inet) ESSID (I doubt this, the ESSIDs
>>>>>>>>>>>>>>>>> prairie inet ran were open, with other security for the access)
>>>>>>>>>>>>>>>>> With it being as cross platform as it was I'm wondering how I would
>>>>>>>>>>>>>>>>> check the air router we provide to see if it got hit as well. All we
>>>>>>>>>>>>>>>>> do is a dump file on the current firmware that sets a password,
>>>>>>>>>>>>>>>>> ensures 443 is open, sets a DMZ to an IP out of the DHCP scope, and
>>>>>>>>>>>>>>>>> we manually set the ESSID with WPA2, the key being the MAC on the
>>>>>>>>>>>>>>>>> label (I think this is the WLAN) (we disable snmp, telnet, but leave
>>>>>>>>>>>>>>>>> ssh open), we also turn off CDP and the ubnt discovery
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I'm hoping he has some good info on what this actually was, and it's
>>>>>>>>>>>>>>>>> not just a case of his buddy jim telling him all this.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Anybody know of something in the wild capable of hitting all these
>>>>>>>>>>>>>>>>> devices across a network (wired/wireless)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I'm asking about the airrouter in particular, considering if it were
>>>>>>>>>>>>>>>>> impacted, that could be a mess at the POP since most customer NAT
>>>>>>>>>>>>>>>>> are in the same subnet, with duplicate configs
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> If you only see yourself as part of the team but you don't see your
>>>>>>>>>>>>>>>>> team as part of yourself you have already failed as part of the
>>>>>>>>>>>>>>>>> team.
