Guest login hack attempt 4625 (I want to know the attacker's ip ..

It seems that there is a malicious developer living around here. My Google Map location on my phone has been changing, and I feel like my router is being hacked. However, the Korean company KT does not pay much attention to router security and has forcibly blocked the ability to change DNS settings. Therefore, I have to use an unsecured DNS. Even though it seems like it is possible to change the DNS settings, in reality, it is forcibly blocked. I received a response from the customer center. Anyway, the attack has stopped for two days now since I posted this message.(This is a story about spoofing.)

Also, something else happened. I posted my used item for sale in the community yesterday, and my Chrome Map location suspiciously changed again. Anyway,(samsung smartphone) I did have a blue screen(PC) today, but there were no other issues.

I added advanced auditing, including login auditing. I also discontinued an unused corporate mobile communication service because there was suspicious access on the mobile side.
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcsvc" /v "DelayedAutoStart" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dcsvc" /v "Start" /t REG_DWORD /d 4 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "DelayedAutoStart" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d 4 /f

error (Sync account settings error when disabled) 2 must be enabled.
REM REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPUserSvc" /v "Start" /t REG_DWORD /d 4 /f

(I didn't need this service because I'm a home, not a company. There was a log related to this...
It was very difficult to find this.)
MDM service not used and not installed
And mount.. power related services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments

auditpol /set /subcategory:"{0CCE9215-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
auditpol /set /subcategory:"{0CCE9216-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
auditpol /set /subcategory:"{0CCE9217-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
auditpol /set /subcategory:"{0CCE921B-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
auditpol /set /subcategory:"{0CCE921C-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
auditpol /set /subcategory:"{0CCE9243-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
auditpol /set /subcategory:"{0CCE9220-69AE-11D9-BED3-505054503030}" /success:enable /failure:enable
(This is the content added for advanced auditing related to login)

I don't speak English, so I'm using Google Translate, so please understand.

Google Translate does not understand Korean well.

Thanks to everyone who took an interest in my question paper.
:)

net user guest /active:no
:)

Today, I think I found something. My mother's phone is an older Galaxy model, and the router is a KT (a Korean telecommunications company) router. For one KT router, it provides a public IP function as a default setting instead of a private IP. I didn't set anything separately, but my mother's phone was registered under the router's name. Suspicious, right?
(Easy to understand.. My mother's phone is written as the router itself. In the terminal name.. Wow)

So, I changed the default public IP value of the router to a private IP function, and then Chrome's location started displaying correctly. I suspect that a hacker may have used my mother's phone as a router and maintained it to receive feedback from their own location. Korean telecommunication routers are notoriously vulnerable.

The government does not monitor the telecommunication companies. They do not supervise them and are not interested even if the companies force consumers to use malicious DNS. Also, those supervisory officials often retire and then get employed by the same telecommunication companies they had been monitoring (you can guess what's going on without me saying it, right?) Anyway, that's the situation.

Anyway, there might be cases like this. Finally, everything seems to be back to normal, but in the past, my mother's phone was hacked and the antivirus program was deleted remotely. The password was sent via text, and all of this happened when everyone was asleep.

Anyway, this is my scenario, but fortunately, the GPS location is now functioning normally. Unfortunately, I have no choice but to use the telecommunications company's router, and there have been several cases where the mainboard caught fire due to overheating. Thank you to those who are interested. There might not be cases like this in other countries, but I wanted to share this information. Koreans are not interested in security-related topics, and even in online communities, no one responds to these issues. It's unfortunate.


This is a discussion about DNS-related issues in Korean language. (T^T)
KT, a South Korean telecommunications company, gave a vague response. They basically said that the change cannot be made, so just deal with it. It was a confusing and unclear response.

I am from South Korea. You are correct in what you say. Although I wrote a long message, I deleted it. Even YouTube is not free from the influence of neighboring superpowers, and the people who manage YouTube are also subject to the influence of these powerful countries.

Setup: Windows 10 | Quad9

I think as i have found over the years of cleaning Malware & helping people all over the world that you will probably never find out who penetrated your device ! But it will not be the last or was it the first of all the computers i have cleaned ! Good Luck !!!