Hughesnet Community

Hacked Router

Catherine108
Freshman

A very clever hack indeed. I noticed all my admin info and settings were changing. Considering I'm the only one that accesses the router, this concerned me. What I figured out is the hacker is spoofing my wifi. They are using a MAC address very close to the Hughesnet address. Hughesnet's assigned MAC address is 00:80:ae:66:f4:e8. The hacker MAC address is 0a:80:ae:66:f4:e8. So, it mirrors my address perfectly. I can't block it because it doesn't show up on the HN admin page. When I try to block the address using MAC filtering it only blocks it for a few seconds, then it reappears. I tried changing my wifi to undiscoverable. I got the 2.4 to change, then I seemed to be blocked when changing the 5.0. Now the hacker has disabled my 2.4 and I can't change the settings. I'm basically locked out of my own router. Called HN, but not much help there. I have screenshots of the hacker's intrusion. I'd like to share it with you. Lastly, when you search their MAC address it shows it doesn't exist in the cyber world. Again, a very clever way to take over my router. Please help.
maratsade
Distinguished Professor IV

The Hughesnet reps (@Liz, @Amanda, @Jorge, @Hal) will be here tomorrow (approximately 9-5). In the meantime, I'm tagging other people who may be able to help you: @GabeU, @MarkJFine, @BirdDog, @C0RR0SIVE.

If the person is hacking the MAC address, and disabled the Wifi, you'll have to go in with an ethernet cable somehow. Just know that the MAC for ethernet is different than the Wifi on your computer.

If that's still not good, you'll have to reset the router to factory settings (I think it's using the red reset button above the top ethernet connector, but it's very sensitive and could reset more than it's supposed to depending upon how long it's held in. Do some research before doing this and use at your own risk).

Once you've reset it, you'll want to disable Wifi completely and use ethernet so you can re-configure it (including new, secure wifi and admin passwords) without the hacker getting involved. Once you're confident it's configured properly with new passwords, you can put the Wifi back on.

You may want to set a new set of MAC addresses to Allow access, but it seems like that's not going to do much.

* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
C0RR0SIVE
Associate Professor

Seeing as this has to be a local event, contact your local police department if they have a cybercrimes department. The police stations that have such departments take events like this very seriously and will usually investigate and look into things.

On the more likely chance that your local police department doesn't have this, I recommend connecting directly to your HT2000w, disabling all 4 Wifi radios, disabling WPS, and then reconfiguring everything including the wireless administration password before enabling any of the wireless radios...

Can you share those screenshots with us?  You can upload and post them by clicking the button "Photos" above when doing a reply.

Amanda
Moderator

Hi Catherine,

I'd like to investigate this with you and see what is going on, however I cannot reach the modem remotely. Do you have the HughesNet Wi-Fi modem powered on? If not, please do so and reply back so that I can take a look.

Thank you,

Amanda

Yes. Router is on 24/7.
Amanda
Moderator

Catherine,

I was able to get to your HughesNet modem and see many configuration issues that would definitely have caused connectivity loss. I do not see any signs of intrusion, but we can monitor this together. I will need to reset your modem to its factory settings to get all your original configurations back. Please let me know when is a good time to do this for you.

Thank you,

Amanda

You can't see any intrusions from your side. However, I can see on my end. I'm using Net Analyzer. What I'm seeing is your HN MAC address is being cloned, spoofed, whatever you want to call it. So, when you're looking for an intrusion you're not going to see it. Look at the MAC address I provided: 0a:80:ae:66:f4:e8. Does this look familiar to you? HN's MAC address is 00:80:ae:66:f4:e8. Because of this I wasn't able to block it with the available resources I have on my HN admin side of it. It's mirroring HN. It's also a hidden address. I was able to block it for a couple of minutes this morning. It always returns. The hacker has also blocked most of my ports. I shared that screenshot with you already. So, conclusion is I've been hijacked. All 30G of my data is already gone in less than 8 days. A few days ago I purchased a 20G token. My wife and I were gone all day. When we returned all 20G was gone. Maybe exchanging my modem for another one would be a way to force the hacker to start over. Then you can monitor the router and see how they are accomplishing the DNS hijacking. Let me know. Thanks for your help.
JT-Hughes
Sophomore

I have too many screenshots to upload on your site. I could send them via a Dropbox link. Let me know. Thanks.

The following line was added:

(This is in reference to all the private messages being sent. I didn't use the QUOTE fcn, so it is out of context.)

This is all relevant, useful and possibly helpful information...

Is it not possible to eliminate anything identifying and/or sensitive so that the rest of the community could learn and potentially resolve their issues as well???

(Not intended to be a rhetorical question, but seems to often be... Is this not a community environment?)

C0RR0SIVE
Associate Professor

@JT-Hughes
Your issue is totally separate. Also, please edit your post and remove your SAN in those pictures; that's private information which can cause issues.
The fact your HT2000w is giving 2.1.1 as a state code indicates either a coaxial cable problem or the outdoor transmitter has failed. This will require a truck roll to repair; however, before that, make sure the cable is snug at both ends.

@Catherine108
Just to set a few things straight...

1: The HT2000w itself doesn't have the ability nor offer the option to block ports.

2: A MAC being similar means nothing; it's not spoofed. When someone refers to MAC spoofing, they are talking about taking another MAC address in its entirety and using that on another machine on the same network, in order to grab the IP address of another machine to stay hidden. In most cases, your computer will warn you the moment it detects another machine on the same network with the same IP address. That is about the ONLY sign of there being a spoofed address on your network.

3: Spoofing the address of the HT2000w itself would do nothing; it wouldn't grant someone access.

4: There IS a hidden network on the HT2000w that appears once in a while; it WILL have a similar MAC address to the HT2000w. This network appears when the HT2000w is doing a scan for a Hughesnet Wifi Booster, and is used specifically in conjunction with that device. Yes, this network MAC is 0A:80:AE:XX:XX:XX

5: DNS Hijacking is a totally different animal; this tends to occur when you have malware on your own devices, which you must remove. MalwareBytes tends to be pretty good at doing this.
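To make point 2 and point 4 above concrete, here is an added Python example (not from this thread, from Hughesnet, or from any poster) that decodes the two addresses quoted in the original post. It assumes the addresses exactly as quoted and shows why the 0a:... address turns up empty in vendor (OUI) lookups: its first octet has the IEEE "locally administered" bit set, so it is not a registered OUI at all, and it differs from the router's own address in that octet only.

```python
# Added example: decode the two MAC addresses quoted in this thread.
# Addresses are taken verbatim from the original post.
import re

ROUTER_MAC = "00:80:ae:66:f4:e8"   # the HT2000w address quoted by the poster
MYSTERY_MAC = "0a:80:ae:66:f4:e8"  # the "hacker" address quoted by the poster


def parse_mac(mac):
    """Return the six octets of a colon-separated MAC as a list of ints."""
    if not re.fullmatch(r"(?i)[0-9a-f]{2}(:[0-9a-f]{2}){5}", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [int(x, 16) for x in mac.split(":")]


def mac_flags(mac):
    """Decode the two IEEE 802 flag bits carried in the first octet."""
    first = parse_mac(mac)[0]
    return {
        "multicast": bool(first & 0x01),             # bit 0: group address
        "locally_administered": bool(first & 0x02),  # bit 1: not an IEEE OUI
    }


def octet_diff(a, b):
    """Indices of the octets in which two MAC addresses differ."""
    return [i for i, (x, y) in enumerate(zip(parse_mac(a), parse_mac(b)))
            if x != y]


def classify(base, seen):
    """Relate a lookalike address to a known base address.

    'identical'     : a true clone, which is what MAC spoofing means.
    'derived-local' : same last five octets, first octet changed and the
                      locally-administered bit set; this is the shape of the
                      booster-scan network address described in the thread,
                      and such addresses are absent from OUI registries.
    'unrelated'     : anything else.
    """
    diff = octet_diff(base, seen)
    if not diff:
        return "identical"
    flags = mac_flags(seen)
    if diff == [0] and flags["locally_administered"] and not flags["multicast"]:
        return "derived-local"
    return "unrelated"
```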

Appreciate the knowledgeable reply.

What is the course of action to take when 8 gigs are gone when I have not loaded much more than a handful of pages (text pages)?

C0RR0SIVE
Associate Professor

why does nobody ever ask about logs..
maratsade
Distinguished Professor IV

"why does nobody ever ask about logs.. i know precious little about all the #$%^.., but when i looked at the logs .. seems to me there is everything and more to find, plenty of dirt... in plain english.."

Why don't you provide the logs, then?

GabeU
Distinguished Professor IV

@JT-Hughes wrote:

ahh, you mean like when there is a missing byte at the end or something of that nature... if only, i doubt that would add up to the likes of 6 - 8 gigs in 4 days..

If retransmission issues were not a possible cause Corrosive wouldn't have suggested it as a possibility. He's very knowledgeable of the system.

@JT-Hughes wrote:

why does nobody ever ask about logs..

If the reps need to view any logs they will do so remotely. They don't need to ask for them.