Guest login hack attempt 4625 (I want to know the attacker's ip ..


  1. Posts : 42
    windows10
    Thread Starter
       #11

    It seems that there is a malicious developer living around here. My Google Map location on my phone has been changing, and I feel like my router is being hacked. However, the Korean company KT does not pay much attention to router security and has forcibly blocked the ability to change DNS settings. Therefore, I have to use an unsecured DNS. Even though it seems like it is possible to change the DNS settings, in reality, it is forcibly blocked. I received a response from the customer center. Anyway, the attack has stopped for two days now since I posted this message. (This is a story about spoofing.)

    Also, something else happened. I posted my used item for sale in the community yesterday, and my Chrome Map location suspiciously changed again. Anyway, (Samsung smartphone) I did have a blue screen (PC) today, but there were no other issues.

    I added advanced auditing, including login auditing. I also discontinued an unused corporate mobile communication service because there was suspicious access on the mobile side.
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcsvc" /v "DelayedAutoStart" /t REG_DWORD /d 0 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcsvc" /v "Start" /t REG_DWORD /d 4 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "DelayedAutoStart" /t REG_DWORD /d 0 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d 4 /f

    error (Sync account settings error when disabled) 2 must be enabled.
    REM REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPUserSvc" /v "Start" /t REG_DWORD /d 4 /f

    (I didn't need this service because I'm a home, not a company. There was a log related to this...
    It was very difficult to find this.)
    MDM service not used and not installed
    And mount.. power related services
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments

    auditpol /set /subcategory:"{0CCE9215-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9216-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9217-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE921B-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE921C-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9243-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9220-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    (This is the content added for advanced auditing related to login)

    I don't speak English, so I'm using Google Translate, so please understand.

    Google Translate does not understand Korean well.

    Thanks to everyone who took an interest in my question paper.
    :)
    Last edited by krdondon; 01 Apr 2023 at 13:40.


  2. Posts : 890
    10 Pro/11 Pro Dual Boot
       #12

    krdondon said:
    It seems that there is a malicious developer living around here. My Google Map location on my phone has been changing, and I feel like my router is being hacked. However, the Korean company KT does not pay much attention to router security and has forcibly blocked the ability to change DNS settings. Therefore, I have to use an unsecured DNS. Even though it seems like it is possible to change the DNS settings, in reality, it is forcibly blocked. I received a response from the customer center. Anyway, the attack has stopped for two days now since I posted this message. (This is a story about spoofing.)

    Also, something else happened. I posted my used item for sale in the community yesterday, and my Chrome Map location suspiciously changed again. Anyway, (Samsung smartphone) I did have a blue screen (PC) today, but there were no other issues.

    I added advanced auditing, including login auditing. I also discontinued an unused corporate mobile communication service because there was suspicious access on the mobile side.
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcsvc" /v "DelayedAutoStart" /t REG_DWORD /d 0 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcsvc" /v "Start" /t REG_DWORD /d 4 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "DelayedAutoStart" /t REG_DWORD /d 0 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d 4 /f
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPUserSvc" /v "Start" /t REG_DWORD /d 4 /f
    (I didn't need this service because I'm a home, not a company. There was a log related to this...
    It was very difficult to find this.)
    MDM service not used and not installed
    And mount.. power related services
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments

    auditpol /set /subcategory:"{0CCE9215-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9216-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9217-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE921B-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE921C-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9243-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    auditpol /set /subcategory:"{0CCE9220-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
    (This is the content added for advanced auditing related to login)

    I don't speak English, so I'm using Google Translate, so please understand.

    Google Translate does not understand Korean well.

    Thanks to everyone who took an interest in my question paper.
    :)
    How does someone hacking your PC affect your GPS lock on your cell phone, and posting on a webpage stops it?

    My 2 cents? Weak passwords, or passwords reused on multiple sites, or even a RAT (remote access trojan).


  3. Posts : 1,211
    Windows 10
       #13

    1. Open local security policy and disable the guest account by policy.

    Local Policies > Security options

    Policy: Accounts: Guest account status > Disabled

    2. Open Computer Management and disable the actual guest account.

    System Tools > Local Users and Groups > Users > Right click the Guest account, properties

    Disable the Guest account. You can also disable all other accounts except for the one you currently use, even Administrator etc., but to be safe, make a restore point beforehand just in case.

    Power off your router for 10 minutes so your external IP changes.

    The Guest account is common in hacking, as it usually does not have a password and they can get into a local machine pretty easily through the Guest account.
    Obviously this person is trying to do this if you have failed attempts and you are certain that these attempts are not coming from within your LAN, to your knowledge.

    By that I mean from your knowledge, in terms of it could still be a LAN-side attack, but you know the guest attempts are not you.

    - - - Updated - - -

    Obviously a local example but this can be done remotely.



    - - - Updated - - -

    You also want to look at DCOM and COM, like closing some ports (135, 139, 445, 539) on your router. Realistically your whole router should be "closed", but you would have to set this up and know what services you require to the outside world; it takes some engineering and planning. There are also some services and features of DCOM you want to turn off, like remote access, which you can do in Computer Management.

    - - - Updated - - -

    Also read through this; it details the vulnerability of having a guest account active on your computer.

    https://learn.microsoft.com/en-us/wi...account-status
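Added example (not part of any post in this thread): with logon auditing enabled as in post #11, each failed logon is recorded as event 4625, and its LogonType and IpAddress fields show whether the Guest attempts come from the machine itself, the LAN, or outside. The helper name ConvertFrom-FailedLogonXml and the sample events are constructed for illustration.

```powershell
# Added example. Helper name and sample events are constructed for illustration;
# the addresses are documentation/private ranges, not values from the thread.
function ConvertFrom-FailedLogonXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $doc = [xml]$Xml
        $f = @{}
        foreach ($d in $doc.Event.EventData.Data) {
            $f[$d.GetAttribute('Name')] = $d.InnerText
        }
        # Strip the IPv4-mapped IPv6 prefix so the range check below still applies.
        $ip = $f['IpAddress'] -replace '^::ffff:', ''
        # 4625 records '-' (or loopback) when the attempt starts on the machine itself.
        $origin = if (-not $ip -or $ip -in '-', '::1', '127.0.0.1') {
            'Local'
        } elseif ($ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
            'LAN'
        } else {
            'External'
        }
        [pscustomobject]@{
            Time      = $doc.Event.System.TimeCreated.GetAttribute('SystemTime')
            Account   = $f['TargetUserName']
            LogonType = [int]$f['LogonType']   # 2 = interactive, 3 = network, 10 = remote desktop
            Source    = $ip
            Origin    = $origin
        }
    }
}
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="{0}"/></System>
  <EventData><Data Name="TargetUserName">{1}</Data>
    <Data Name="LogonType">{2}</Data><Data Name="IpAddress">{3}</Data></EventData>
</Event>
'@
$samples = @(
    ($template -f '2023-03-30T02:14:07Z', 'Guest', 3, '203.0.113.7'),
    ($template -f '2023-03-30T02:14:09Z', 'Guest', 3, '203.0.113.7'),
    ($template -f '2023-03-30T08:01:30Z', 'Guest', 3, '192.168.0.23'),
    ($template -f '2023-03-30T09:12:44Z', 'Guest', 2, '-')
)
$samples | ConvertFrom-FailedLogonXml | Where-Object Account -eq 'Guest' |
    Group-Object Origin, Source, LogonType | Select-Object Count, Name
# On a live system (elevated prompt), feed real events instead of $samples:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object { $_.ToXml() } | ConvertFrom-FailedLogonXml
```

Network logons (type 3) grouped under External mean the PC's file-sharing or RPC ports are reachable from the internet, which is the router-side exposure post #13 says to close; a Local or LAN origin points at something inside the home network instead.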


  4. Posts : 42
    windows10
    Thread Starter
       #14

    net user guest /active:no
    :)

    Today, I think I found something. My mother's phone is an older Galaxy model, and the router is a KT (a Korean telecommunications company) router. For one KT router, it provides a public IP function as a default setting instead of a private IP. I didn't set anything separately, but my mother's phone was registered under the router's name. Suspicious, right?
    (Easy to understand.. My mother's phone is written as the router itself. In the terminal name.. Wow)

    So, I changed the default public IP value of the router to a private IP function, and then Chrome's location started displaying correctly. I suspect that a hacker may have used my mother's phone as a router and maintained it to receive feedback from their own location. Korean telecommunication routers are notoriously vulnerable.

    The government does not monitor the telecommunication companies. They do not supervise them and are not interested even if the companies force consumers to use malicious DNS. Also, those supervisory officials often retire and then get employed by the same telecommunication companies they had been monitoring (you can guess what's going on without me saying it, right?) Anyway, that's the situation.

    Anyway, there might be cases like this. Finally, everything seems to be back to normal, but in the past, my mother's phone was hacked and the antivirus program was deleted remotely. The password was sent via text, and all of this happened when everyone was asleep.

    Anyway, this is my scenario, but fortunately, the GPS location is now functioning normally. Unfortunately, I have no choice but to use the telecommunications company's router, and there have been several cases where the mainboard caught fire due to overheating. Thank you to those who are interested. There might not be cases like this in other countries, but I wanted to share this information. Koreans are not interested in security-related topics, and even in online communities, no one responds to these issues. It's unfortunate.

    [Attached image: Guest login hack attempt 4625 (I want to know the attacker's ip ..-22.png]
    This is a discussion about DNS-related issues in Korean language. (T^T)
    KT, a South Korean telecommunications company, gave a vague response. They basically said that the change cannot be made, so just deal with it. It was a confusing and unclear response.
    Last edited by krdondon; 02 Apr 2023 at 20:43.


  5. Posts : 1,211
    Windows 10
       #15

    Are you in North Korea or South Korea? If you are in North Korea then it would not surprise me that you are going through this stuff, as the North seems like a tyrant, being a dictatorship, and there will be much hacking and monitoring going on from people in power, even across South Korea.

    Even just in general, I guess even if you are in South Korea they will be doing it too; Korea as a whole will be monitored because of the North. You and China are two places that have these issues with tech and internet.


  6. Posts : 42
    windows10
    Thread Starter
       #16

    I am from South Korea. You are correct in what you say. Although I wrote a long message, I deleted it. Even YouTube is not free from the influence of neighboring superpowers, and the people who manage YouTube are also subject to the influence of these powerful countries.
    Last edited by krdondon; 03 Apr 2023 at 11:40.


  7. Posts : 5,452
    Windows 11 Home
       #17


  8. Posts : 352
    Windows 11 Home (x64) Version 23H2
       #18

    I think, as I have found over the years of cleaning malware and helping people all over the world, that you will probably never find out who penetrated your device! But it will not be the last, nor was it the first, of all the computers I have cleaned! Good luck!!!


 

All times are GMT -5. The time now is 18:59.