1

Two days ago, I received a call from someone claiming to be from Intel Corporation stating that my IP address may be insecure, and I dumbly let him Remote Access my Windows 8.1 (I think) Tablet (Automatically connects to Wi-Fi).

I'm not sure what they did, but I grew suspicious, around 10-30 minutes later, so I turned off the tablet, and evaded their calls (person isn't here right now, call back later, etc); though I did turn it on again to factory reset it, which I think allowed them access to the tablet again since it locked while I was in the middle of doing that; was able to, but haven't used it since, because I'll have to reconnect it to the Wi-Fi -- don't have access to the security key, since I'm not in charge of it, but it's a home network, and can connect by pressing the switch on the router.

While it was going on, I noticed them doing some stuff, like pinging 32 bytes every sec (command prompt, to an 8.8.8.8, which seems to be a public DNS from Google) and checking the performance of the computer (task manager), making/changing the network (noticed the name was changed from my connection name to my computer name), and downloading some stuff (Not positive on the name): UltraViewer, something named Router, and maybe others -- When I researched on this, I happened upon ARP poisoning, which I suspect they did to perform man-in-the-middle.

Can anyone help me with this issue? Reason being, my network admin said they'll check the network but hasn't, and stated he doesn't know what to do when I inquired about my research.

Ps. I don't use the Windows tablet for anything besides browsing the internet (Read web novels & comics, searching for stuff, etc)

PS2. Not sure if it's a home network, but when I checked on a laptop, it seems to be.

B-Dom
  • Update: Talked to the Admin, and he said resetting for my dad's laptop isn't possible; something about it not having the image I think; as for the router, said didn't know how or it's not possible(?). -- Anyways, connected the tablet to the internet again, but for some reason Windows Update is stuck at checking updates; waited around an hour or two, with no change, so anyone have any recommendations on how to fix this? – B-Dom Oct 05 '16 at 22:05

1 Answer

2

ARP poisoning is an active attack. They need a presence on your network to maintain it, otherwise the ARP cache will eventually reach a correct state. ARP poisoning would be something they might do to try and attack other hosts on your network, so this should be your primary concern--making sure they are no longer in your network.

Personally, I'd isolate each part of your network, then factory reset things one by one, then reconnect the network, at the end. This would include your router.

If you, understandably, do not want to do that, you should at least check that all computers connected at the time of intrusion had all security patches applied and have no record of intrusion.

returneax
  • Thanks for answering -- So, if I read it right, they are/would not be able to gain access to the network in any way, unless they attacked another host, or the router? Admin said there seemed to have been an attack on another computer, my dad's old laptop, that I think he doesn't turn off. Some more questions: 1. Are there chances of other types of spoofing, like DNS, if my computer was on, but connected with a cable? and 2. If another host were to connect after the attack, is there a chance they'll be infected too? -- Edit: They called again today, though voice was different. – B-Dom Sep 30 '16 at 22:46
  • They shouldn't be able to launch any more privileged attacks without a foothold on the network. Yes, they could have done any number of spoofing attacks: DHCP, DNS, ARP, the list goes on. They could attack anything on the same subnet as your compromised device. If another host connects after the attack, and none of the devices in the network are compromised, then the new host shouldn't be especially at risk. – returneax Sep 30 '16 at 22:49
  • So, there won't be any more attacks, if none of the devices/hosts are compromised? If so, is there any way to check manually (as in not having to download something)? Since they called again, there shouldn't be any, but if there are, I don't think I should try downloading/using some of the things I found (like ShieldsUp and ArpON/Watch/etc) – B-Dom Sep 30 '16 at 22:58
  • You can't know if they succeeded or not. The safest bet is to reset your devices :/ Mind accepting my answer? :) – returneax Sep 30 '16 at 23:32
  • I see, thanks again for the answer; though I might not be able to reset everything. – B-Dom Sep 30 '16 at 23:45
  • My pleasure. I think you're probably OK, unless you have some valuable info on your network. Err, I mean click the check mark by my question hehe. I do this in part for the Internet points ; ))) – returneax Sep 30 '16 at 23:54
  • Oh, oops, :P, new to this site so haven't gotten all the mechanics down. Anyways, will probably have to discuss that with the network admin, though I don't think there are any, I read there could be caches, and we use online banking – B-Dom Oct 01 '16 at 00:06
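
On the question raised in this thread of checking for ARP poisoning without downloading anything: the following is an added example, not part of the original posts, that uses only PowerShell and the built-in `arp -a` output to flag one MAC address answering for several IP addresses. The function name `Find-ArpConflict`, the sample table and its addresses are constructed for illustration, and the gateway IP is assumed to be known from `ipconfig`.

```powershell
# Constructed sample of Windows `arp -a` output (all addresses are made up).
$sample = @'

Interface: 192.168.1.23 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-05     dynamic
  192.168.1.5           aa-bb-cc-00-00-05     dynamic
  192.168.1.40          aa-bb-cc-00-00-28     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
'@ -split "`r?`n"

function Find-ArpConflict {
    param(
        [string[]]$ArpLines,   # lines of `arp -a` output
        [string]$Gateway       # default gateway IP, as shown by ipconfig
    )
    $row = '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)'
    $entries = foreach ($line in $ArpLines) {
        if ($line -match $row) {
            # Broadcast/multicast rows are static and legitimately share MACs.
            if ($Matches[3] -ne 'dynamic') { continue }
            [pscustomobject]@{ IP = $Matches[1]; MAC = $Matches[2].ToLower() }
        }
    }
    foreach ($group in ($entries | Group-Object MAC)) {
        # The same IP can be listed once per interface, so count unique IPs.
        $ips = @($group.Group | ForEach-Object { $_.IP } | Sort-Object -Unique)
        if ($ips.Count -gt 1) {
            [pscustomobject]@{
                MAC             = $group.Name
                IPs             = $ips -join ', '
                # A host sharing the gateway's MAC is the man-in-the-middle pattern.
                IncludesGateway = $ips -contains $Gateway
            }
        }
    }
}

# Run against the constructed sample; it reports aa-bb-cc-00-00-05.
Find-ArpConflict -ArpLines $sample -Gateway '192.168.1.1'

# On a live machine, feed it the real table instead:
# Find-ArpConflict -ArpLines (arp -a) -Gateway '<gateway IP from ipconfig>'
```

An empty result only describes the cache at that moment: as the answer notes, poisoning has to be actively maintained, so a clean table does not show whether it happened earlier or whether a device was compromised in another way.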