Yinkus Omolek, posted October 1, 2021

Hello house. Please, I need your help on how to solve the cyber attack I am facing on my home network.

Some months back, my home network was under attack by hackers and they took many things from me. I then updated and fortified my network with ESET Internet Security. But the shocking thing is that I now get pop-up messages saying "ARP cache poisoning attack" and "duplicate IP address". I changed my routers and upgraded my PC to another one and still have this ARP poisoning attack.

When I go to the Internet Security "connected home network" interface, I see another PC on my network which is not mine, and that PC is running Linux. I also see a duplicate of my router with a different MAC address. I would have loved to attach a screen capture, but the PC is badly infected, as the hackers injected all sorts into the PC, and I am not the administrative user on that PC. I am using a friend's PC now, as I don't want to transfer the virus to this PC.

Note: I have formatted the PC twice and got a new router. I still don't know the physical link they have to poison the router. I also installed XArp to see the ARP table and I still got the ARP poisoning message there, and the app also gave me a message that my MAC address has been duplicated, which is why when I run "arp -a" in cmd the MAC address is the same as my home router's.

I then decided to use the command prompt to make the ARP entry static instead of dynamic, but the message I get is "the requested operation requires elevation (Run as administrator)". This confirmed that my PC is being remotely controlled.

I later bought a UniFi gateway firewall together with the 8-port managed switch, but this did not solve the ARP poisoning attack.

Please, I need help to solve this problem. It's really disturbing.

itman, posted October 1, 2021 (edited)

Refer to this Eset Knowledge Base article: https://support.eset.com/en/kb2933-arp-icmp-or-dns-cache-poisoning-attack-in-eset-home-products-for-windows

The important part to note is the following:

Quote:
> Determine if the IP address detected in the notification is a number that falls within the following range (where "x" is 0-255):
>
> 172.16.x.x - 172.31.x.x
> 192.168.x.x
> 10.x.x.x
>
> If the IP address being detected as a threat is not within the safe range listed above, or there are no network peripherals currently in use on your network, the device being detected by the firewall is located on a public network and could be a threat to your system.

If the Eset ARP poisoning alerts show IP addresses within one of the above address ranges, then it's not a real ARP poisoning attack.

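Added example (not part of any forum post and not ESET's code): a Python script that applies the two checks discussed so far to `arp -a` output, namely the private-range test quoted from the ESET article and the "same MAC address as my router" symptom the original poster describes. The sample output, the function names and the addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not taken from the thread).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.23 --- 0x7
  Internet Address      Physical Address      Type
  192.168.1.1           a4-2b-b0-11-22-33     dynamic
  192.168.1.57          a4-2b-b0-11-22-33     dynamic
  192.168.1.80          3c-52-82-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# The three private ranges listed in the quoted ESET article (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)",
    re.IGNORECASE | re.MULTILINE)

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def parse_arp(text):
    """Return (ip, mac, type) tuples for unicast entries only."""
    entries = []
    for ip, mac, kind in ENTRY.findall(text):
        mac = mac.lower()
        # Broadcast and multicast MACs (low bit of the first octet set)
        # are legitimately shared by many IP addresses, so skip them.
        if int(mac[:2], 16) & 1:
            continue
        entries.append((ip, mac, kind.lower()))
    return entries

def shared_macs(entries):
    """Map each MAC that answers for more than one IP to those IPs."""
    by_mac = defaultdict(set)
    for ip, mac, _ in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def outside_private_ranges(entries):
    return [ip for ip, _, _ in entries if not is_private(ip)]
```

A MAC that answers for several IP addresses is a lead to follow up on the router or switch, not proof of poisoning: a device with more than one address on the LAN produces the same pattern.
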
Marcos (Administrators), posted October 2, 2021

Please provide logs collected with ESET Log Collector. It may be a result of having multiple devices with the same IP address in the network.

itman, posted October 2, 2021 (edited)

On 10/1/2021 at 1:42 PM, Yinkus Omolek said:
> When i go to the internet security "connected home network" interface, i see another pc on my network which is not me and that pc is running linux OS. Also I see a duplicate of my router also with different mac address.

Later Win 10 versions have a built-in optional feature called "Windows Subsystem for Linux", i.e. WSL. If you did not manually enable this option, it is possible an attacker might have. WSL can also be enabled by running a single command line using PowerShell or via cmd.exe, as noted in this Microsoft article: https://docs.microsoft.com/en-us/windows/wsl/install.

It has been long theorized that the bash component of this Linux feature could be abused. It is no longer a theoretical abuse and attackers are currently using it: https://www.bleepingcomputer.com/news/security/new-malware-uses-windows-subsystem-for-linux-for-stealthy-attacks/. Of note:

Quote:
> Using WSL to avoid detection
>
> The first samples targeting the WSL environment were discovered in early May and continued to appear every two to three weeks until August 22. They act as loaders for the WSL environment and enjoy very low detection on public file scanning services.

In any case, the above would be an explanation for what Eset's Connected Home Monitor is displaying in regards to Linux use.

Nightowl (Most Valued Members), posted October 3, 2021

On 10/1/2021 at 8:42 PM, Yinkus Omolek said:
> Hello house. Please, I need your help on how to solve the cyber attack I am facing on my home network.
>
> Some months back, my home network was under attack by hackers and they took many things from me. I then updated and fortified my network with ESET Internet Security. But the shocking thing is that I now get pop-up messages saying "ARP cache poisoning attack" and "duplicate IP address". I changed my routers and upgraded my PC to another one and still have this ARP poisoning attack.
>
> When I go to the Internet Security "connected home network" interface, I see another PC on my network which is not mine, and that PC is running Linux. I also see a duplicate of my router with a different MAC address. I would have loved to attach a screen capture, but the PC is badly infected, as the hackers injected all sorts into the PC, and I am not the administrative user on that PC. I am using a friend's PC now, as I don't want to transfer the virus to this PC.
>
> Note: I have formatted the PC twice and got a new router. I still don't know the physical link they have to poison the router. I also installed XArp to see the ARP table and I still got the ARP poisoning message there, and the app also gave me a message that my MAC address has been duplicated, which is why when I run "arp -a" in cmd the MAC address is the same as my home router's.
>
> I then decided to use the command prompt to make the ARP entry static instead of dynamic, but the message I get is "the requested operation requires elevation (Run as administrator)". This confirmed that my PC is being remotely controlled.
>
> I later bought a UniFi gateway firewall together with the 8-port managed switch, but this did not solve the ARP poisoning attack.
>
> Please, I need help to solve this problem. It's really disturbing.

If you are formatting your PC completely and they are coming back, then they can be in the UEFI/BIOS, but I doubt it. It could also be that your router is compromised; it doesn't matter that you format the PCs, they will have their way back in by exploiting or using your compromised router to move inside your network.

You should secure your router and update it with the latest firmware. If it does have some kind of exploit and doesn't have any updates from the manufacturer, then you should buy a new one or at least flash it with a different firmware like OpenWrt - https://openwrt.org/

When you format your PC, you had better install an AV like ESET and update it to the latest updates before you try to do other things.

See also if there is an infected device inside your network; if yes, the virus could be passing from an infected device in the network.

jaypeecee, posted October 3, 2021

Hi Everyone,

This may well be my very first post on the ESET forums. And I've been using ESET for quite a few years! Anyway, here goes...

I have also been witnessing 'Duplicate IP addresses on network' and 'ARP cache poisoning attack' on my Windows 10 PC. The IP addresses are in the 192.168.x.x range. I don't wish to detract from the OP's original question but I also thought my query didn't justify a new thread on what appears to be a very similar question. I have also submitted a technical query directly to ESET Technical Support.

TIA for any advice.

jaypeecee

Marcos (Administrators), posted October 3, 2021

1 minute ago, jaypeecee said:
> I have also been witnessing 'Duplicate IP addresses on network' and 'ARP cache poisoning attack' on my Windows 10 PC. The IP addresses are in the 192.168.x.x range.

Please provide logs collected with ESET Log Collector. Resolving the problem with duplicate IP addresses should also resolve the ARP cache poisoning detections.

jaypeecee, posted October 3, 2021

Hi Marcos,

I am unable to send the log file as an attachment to my ESET Tech Support Enquiry email. The compressed file size is 55 MB but BT Email restricts me to 33 MB. What should I do?

jaypeecee

jaypeecee, posted October 3, 2021

Hi Marcos,

Is it safe to attach the log file here on the forum?

jaypeecee

peteyt (Most Valued Members), posted October 3, 2021

11 minutes ago, jaypeecee said:
> Hi Marcos, Is it safe to attach the log file here on the forum? jaypeecee

Any attachments on here can only be viewed/downloaded by Eset staff, so if privacy is a concern you will be safe. Not sure what the max size is, but if it's too big you can upload it to a file upload site.

jaypeecee, posted October 3, 2021

2 minutes ago, peteyt said:
> Any attachments on here can only be viewed/downloaded by Eset staff so if privacy is a concern you will be safe. Not sure what the max size is but if it's too big you can upload it to a file upload site

Hi peteyt,

Thanks a lot for the feedback. I should be OK as the max. total size for attachments on here is 100 MB according to the footnote below...

jaypeecee

jaypeecee, posted October 3, 2021

53 minutes ago, Marcos said:
> Please provide logs collected with ESET Log Collector. Resolving the problem with duplicate IP addresses should also resolve the ARP cache poisoning detections.

Hi Marcos,

Herewith attached log file below...

jaypeecee

eis_logs.zip