[SOLVED] Unnerved about being hacked

Jul 17, 2020
I'm in downstate Illinois and ended up chatting with a persona on Facebook for some time, who hid his picture and most of his information.
He appeared to be very computer tech savvy and intelligent, but extremely paranoid. As time went on he got weirder and we ceased talking.

We dropped off communication in February, but in the last couple of days I've discovered that he has hacked into several Facebook accounts used at my home, and has had open connections out of Chicago for months. He's actually been spying on my Facebook activity and messaging ALL THIS TIME. I killed one of the sessions and he flipped out, and locked the account and destroyed it.
So as you can see, I'm a bit shaken by the experience.

I know he lives in Oak Park, and his IP address starts with 107.77.173. I could see him connected in through Security---> Logon Sessions

However, my question (and this is REALLY freaking me out) is this.
I have some computer experience myself, and have played around with some networking in the past.

My ISP is AT&T out of Springfield, Illinois and in the past, I would run this website:

https://dnsleaktest.com

When I ran this (last year was the last time I remember), I used to get a number of Springfield, Illinois servers that said AT&T.

However, when I run the Leak Test website now, I get just one:

108.162.217.15 None Cloudflare Chicago, United States
  • The servers identified above receive a request to resolve a domain name (e.g. www.eff.org) to an IP address every time you enter a website address in your browser.
  • The owners of the servers above have the ability to associate your personal IP address with the names of all the sites you connect to and store this data indefinitely. This does not mean that they do log or store it indefinitely but they may and you need to trust whatever their policy says.
  • If you are connected to a VPN service and ANY of the servers listed above are not provided by the VPN service then you have a DNS leak and are choosing to trust the owners of the above servers with your private data.
What happened to AT&T?
Perhaps it's just late and I'm paranoid/flipping out myself. But surely this stalker/creepo hasn't somehow routed my Internet activity through a server of his own?
I know he has a large computer in his basement. Or is that just completely unrealistic, lol.
Would this 108.162.217.15 address have anything to do with AT&T?

I can't reach anyone there of course, they're closed.
I'd appreciate any responses on this tonight, if anyone has opinions. Thanks!!!
Cloudflare is actually one of the companies that is trying to prevent other people from snooping on you.

It is one of the few that supports fully encrypted DNS. ISPs, especially AT&T on mobile, collect data on sites being visited. Since HTTPS fully encrypts the traffic they have gone to spying on the DNS requests. Firefox and Chrome now support running the DNS over a form of HTTPS so now they can't spy on that. This even prevents things like the parental control and firewall filters in your router from seeing what's being accessed, so it is very strong. AT&T has been complaining, trying to get government agencies to prevent it, so it must work very well.

That is not to say Cloudflare, being a US company, does not collect data for the government, but it keeps the data out of corporations like Google and AT&T etc.

Of course it also prevents your so called hackers but they generally do not have direct access to the data stream to even attempt to look at it.

I would not be too concerned about cloudflare hacking you. Most other people who claim to be hackers only know what they see on tv. Modern hacking does not attempt to breach the software it attacks the weak link, the people in front of the computer. They attempt to hack the person into giving them information.

As suggested, run Malwarebytes or some other scanners. Look to see if you have installed any software like TeamViewer or remote desktop.
Jul 17, 2020
> 108.162.217.15 is Cloudflare, pretty normal

Thanks, whew.

I'm not worried about Cloudflare or other companies, I don't have anything worth anyone's time lol. Why this antisocial/paranoid person has been watching my Facebook activity is beyond my comprehension, but they most definitely have, and were reacting immediately to my Facebook PMs, many months after we stopped talking, and also won't respond.
To clarify (it was late last night when I posted) my relative and I were discussing him online and he PM messaged me in Facebook "you should leave this guy alone, I think he may be dangerous."
I told him to change his password since he hadn't in years. The guy then hacked into HIS account that night, changed the name of my relative's account to "None of Your business (??!)", and locked him out of it. Nobody at Facebook could be reached of course. It now says he can recover his account, but they want his driver's license and birth certificate and he sure as hell isn't giving Facebook that, lol.

> As suggested run Malwarebytes or some other scanners. Look to see if you have installed any software like TeamViewer or remote desktop.

Many years ago I worked in IT tech support and we used PC Anywhere all the time, so I've always been somewhat leery about people using remote desktop on me. But I always thought they needed your direct IP address to do it. How can I scan for these?

As far as Malwarebytes, I have Linux Mint, not Windows.
These two posts were in the Linux Mint forums (below). They seem to be saying I shouldn't have to worry about remote desktop hacking/viewing with Linux. If that's not true, what's used to scan for it?

Post by jimallyn » Thu May 21, 2015 1:58 am

In the 13 years I have been running Linux on my computers, I have never gotten any sort of malware infection on any of my computers. Nor has any Linux user that I know.

Post by Pjotr » Thu May 21, 2015 4:25 am

Both antivirus and antimalware are absolutely unnecessary in desktop Linux. They're even potentially harmful, because of false positives.

USAFRet

> These two posts were in the Linux Mint forums (below). They seem to be saying I shouldn't have to worry about remote desktop hacking/viewing with Linux. If that's not true, what's used to scan for it?
Yes, we all know about the total imperviousness of Linux.

"Lilocked Ransomware Infects Thousands of Linux Servers to Encrypt Files"

"A new Java-based ransomware targets Windows and Linux"

It is, however, FAR less likely on a Linux system, for a variety of reasons.
'The only winning move is not to play' -- Joshua from Wargames

So what I would do if you can stand it--just turn off your computer and unplug it and go net silent for a week. This is usually enough for people to move on to another target.

Also, since you have information on this person, you can report him to AT&T for violating their subscriber TOS, FB for violating their user TOS, and the police for what probably is cybercriminal activity. AT&T probably has a duty to cut him off while the others may not do anything, as such is law enforcement today (and that's why we have these problems in the first place). Good luck. You can contact AT&T at abuse at att.net.
Jul 17, 2020
I logged in today and now the DNS leak test says this:

IP                Hostname  ISP                     Country
12.121.113.142    None      AT&T Services           Cicero, United States
12.121.113.147    None      AT&T Services           Cicero, United States
151.164.109.150   None      AT&T Internet Services  Cicero, United States
151.164.109.164   None      AT&T Internet Services  Cicero, United States
151.164.109.165   None      AT&T Internet Services  Cicero, United States

Why would the routing change all by itself, from one Cloudflare address in Chicago (108.162.217.15) to this now?
I've done nothing but use the Internet.
Can anyone explain? Just trying to understand. tx
What do you have the DNS set to in your PC? If you have it hard-coded to 1.1.1.1 then I can't see how it can be AT&T.
The default setting is to use the router as a proxy. The router then learns the DNS from the ISP.

DNSleak is mostly used to test VPNs. If you do not have a VPN up and AT&T is your ISP, it would be expected that you are using the DNS from AT&T unless you set it to something else manually.

The key thing you watch for in dnsleak is the location of the server. If you are connected to a VPN data center far away from your house and you see a DNS listed from a close-by city, then you suspect DNS traffic is somehow bypassing the VPN.

I use vpn on the router so it is impossible for any traffic to bypass.
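The three checks the replies above point to (which resolver the PC is actually set to use, whether the dnsleaktest list matches the provider you expect, and whether a remote-control service such as TeamViewer is listening), written up as an added shell example for a Linux Mint box; this is not code from the thread. The sample inputs are constructed from the addresses posted here, and the 192.168.1.254 router address and the process list are assumptions.

```shell
#!/bin/sh
# Added example (not code from this thread). Each function reads stdin, so it
# runs on the constructed samples below and on live output alike:
#   cat /etc/resolv.conf | list_resolvers
#   ss -tlnp | remote_listeners          (as root, to see process names)

# 1. Which resolvers is this PC configured to use?  A private address such as
#    192.168.1.254 means "ask the router", the default described above;
#    127.0.0.53 is the systemd-resolved stub, whose real upstream is shown by
#    `resolvectl status`.
list_resolvers() {
    awk '$1 == "nameserver" { print $2 }'
}

# 2. Compare a dnsleaktest result set ("<ip> <isp words> <city>" per line)
#    with the provider you expect.  No VPN and AT&T as ISP: every line should
#    be AT&T.  VPN up: the expected provider is the VPN, and a line from your
#    local ISP is the leak the reply above warns about.
unexpected_resolvers() {
    grep -v -i -- "$1" || true
}

# 3. Listening TCP ports that usually belong to remote-control software:
#    22 ssh, 3389 rdp, 5900-5910 vnc, 5938 TeamViewer.  Feed it `ss -tlnp`.
remote_listeners() {
    awk 'NR > 1 {
        n = split($4, a, ":"); p = a[n] + 0
        if (p == 22 || p == 3389 || (p >= 5900 && p <= 5910) || p == 5938)
            print p, $NF
    }'
}

# Constructed samples modelled on the addresses posted in this thread; the
# router address and the process list are assumptions, not the poster's data.
SAMPLE_RESOLV='nameserver 192.168.1.254'
SAMPLE_LEAKTEST='108.162.217.15 Cloudflare Chicago
12.121.113.142 AT&T Services Cicero
151.164.109.150 AT&T Internet Services Cicero'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
LISTEN 0      50     0.0.0.0:5938        0.0.0.0:*         users:(("teamviewerd",pid=1500,fd=9))'

echo "== configured resolvers";    printf '%s\n' "$SAMPLE_RESOLV"   | list_resolvers
echo "== not AT&T in leak test";   printf '%s\n' "$SAMPLE_LEAKTEST" | unexpected_resolvers 'AT&T'
echo "== remote-control listeners"; printf '%s\n' "$SAMPLE_SS"      | remote_listeners
```

On the sample data the second check reports only the Cloudflare line and the third reports ports 22 and 5938, which is the kind of output worth asking about; a 631 (printing) listener is normal.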
Jul 17, 2020
I am utterly lost. Not by what you are saying..... but as to whether you are saying you think what I am seeing is normal.

> I use vpn on the router so it is impossible for any traffic to bypass.
Is this something that can be set up from a UNIX prompt? I think it's not necessary in my case. Unless it looks right now like I'm being hacked. If Hacko the Wacko was going to do it, he would have done it by now.
Yes it is normal. That is purely a list of DNS servers used by AT&T. You said you were using AT&T as your ISP, and if you use their DNS server that is the expected result. A DNS server is not just 1 machine on a single IP address. They just pretend to be, and that tool is showing the actual IPs of the different servers.

The VPN on the router has nothing at all to do with the equipment you connect to it. That is the nice thing: you can run a TV through a VPN if you want. It is a feature the router must have in its software. It is configured on the router configuration page. No commands on your end machine will do anything....that also means there is no way for a hacker to bypass the VPN even if they got control of your machine.

Now if you were to load DD-WRT into a router you could actually use Unix commands on the router itself to configure the VPN. It uses iptables just like most other Unix systems to accomplish it. Even many routers that can do VPN in factory firmware use iptables; it is just hidden from the user by the GUI interface.