Did my network just get hacked?
Yes, most likely it was hacked.
The tell-tale sign is the range of ports used: all OSes use low ports (< about 10,000) to listen for incoming connections, and high ports (the remaining ones, but especially those above 30,000) for outgoing connections. Instead, your log displays connections between pairs of high ports, which means no conventional access to your pc was used: no telnet, no ssh, no http, and so on. Instead, the use of pairs of high ports is typical of a classic hacker tool duo, netcat and meterpreter.
In particular, it is abundantly clear the hacker left a backdoor on pc 192.168.1.9 listening on port 63457, but he also did some port forwarding to allow connections to this port on this pc to go through your router. So the hacker violated both this pc and your router. There is further proof of this in these two lines:
[LAN access from remote] from 88.180.30.194:60240 to 192.168.1.9:63457, Saturday, November 28, 2015 10:45:21
[admin login] from source 192.168.1.9, Saturday, November 28, 2015 10:45:21
Look at the time stamps: within a sec, the hacker logs into pc 192.168.1.9, and then from that gains admin access to your router.
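The two heuristics used above (a remote connection between two high ports, followed within a second or two by an admin login from the host that received it) can be checked mechanically over a router log. The following script is an added example written for this page, not code from the answer or from any router firmware; it parses lines in the format quoted above and the sample log is constructed here (the first two lines are the ones from the answer, the rest are made up).

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the DD-WRT/Netgear-style format quoted in the answer.
# Lines 1-2 are the ones from the answer; lines 3-4 are made up for contrast.
SAMPLE_LOG = """\
[LAN access from remote] from 88.180.30.194:60240 to 192.168.1.9:63457, Saturday, November 28, 2015 10:45:21
[admin login] from source 192.168.1.9, Saturday, November 28, 2015 10:45:21
[LAN access from remote] from 203.0.113.7:51234 to 192.168.1.5:22, Saturday, November 28, 2015 11:02:03
[admin login] from source 192.168.1.2, Saturday, November 28, 2015 12:00:00
"""

TS_FMT = "%A, %B %d, %Y %H:%M:%S"
ACCESS_RE = re.compile(
    r"^\[LAN access from remote\] from ([\d.]+):(\d+) to ([\d.]+):(\d+), (.+)$")
LOGIN_RE = re.compile(r"^\[admin login\] from source ([\d.]+), (.+)$")

HIGH_PORT = 10000  # threshold the answer uses: ports above this are "high"


def parse_log(text):
    """Split a log into remote-access events and admin-login events."""
    accesses, logins = [], []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            src, sport, dst, dport, ts = m.groups()
            accesses.append({"src": src, "sport": int(sport),
                             "dst": dst, "dport": int(dport),
                             "time": datetime.strptime(ts, TS_FMT)})
            continue
        m = LOGIN_RE.match(line)
        if m:
            host, ts = m.groups()
            logins.append({"host": host, "time": datetime.strptime(ts, TS_FMT)})
    return accesses, logins


def high_port_pairs(accesses):
    """Remote connections where BOTH ends use high ports: no conventional
    service (ssh/http/...) is involved, which is the answer's first red flag."""
    return [a for a in accesses
            if a["sport"] > HIGH_PORT and a["dport"] > HIGH_PORT]


def correlate_admin_logins(accesses, logins, window=timedelta(seconds=2)):
    """Pair each remote access with an admin login from the SAME internal host
    that follows it within `window`: the pivot pattern shown in the answer."""
    hits = []
    for a in accesses:
        for l in logins:
            delta = l["time"] - a["time"]
            if l["host"] == a["dst"] and timedelta(0) <= delta <= window:
                hits.append((a, l))
    return hits


def report(text):
    """Convenience wrapper returning both findings for a log text."""
    accesses, logins = parse_log(text)
    return {"high_port_pairs": high_port_pairs(accesses),
            "pivots": correlate_admin_logins(accesses, logins)}


if __name__ == "__main__":
    for a in report(SAMPLE_LOG)["high_port_pairs"]:
        print(f"high-port pair: {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}")
    for a, l in report(SAMPLE_LOG)["pivots"]:
        print(f"pivot: {a['dst']} got remote access at {a['time']}, "
              f"then admin login at {l['time']}")
```

On the constructed sample only the first pair of lines is flagged: the ssh connection to port 22 has a low destination port, and the later admin login from 192.168.1.2 has no preceding remote access to that host. Feed the script the router's real syslog export to apply the same two checks to the whole history.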
Mitigation steps
You are in a tight spot, because you have a powerful enemy lurking right outside your door. You should remain disconnected until you have taken sufficient measures to erect against him a powerful barrier. The risk here is that, since he knows he has been discovered, he will proceed to hack all of your machines, including the line printer (yes, it can be done), and you will never get rid of him. All this while you surely have a fifth column in your LAN, pc 192.168.1.9. We will take it one step at a time.
Buy another router, of a different brand, possibly one with an easily configurable firewall. I use the Buffalo routers with pre-installed DD-WRT, a powerful OS.
Disconnect the pc identified by 192.168.1.9, and keep it turned off.
Replace the old router but do not connect the new one to the Internet yet.
Configure it from within your LAN with any other pc.
In particular (these instructions are for a DD-WRT router, but they will give you an idea of what to do even on a non-DD-WRT router), go to the Services tab, disable telnet access and VNC repeater, and enable syslogd.
Go to the Administration tab, and disable all buttons under Remote Access. Still in the Administration tab, change the password to something formidable, something like I_want_T0_k33p_all_Hacck3rs_0ut! (the spelling error is deliberate). Those who are technically savvy should enable passwordless login (in Services -> Services, Secure Shell), then, under Administration -> Management, Web Access, they should disable http and enable https only, so as to prevent passing clear-text passwords; the details on how to connect to a DD-WRT router via https can be found here, it requires the ssh connection we just enabled.
Now go to Administration -> Commands, and type the following into the Commands area:
# Block one of the offending addresses in both directions
iptables -A INPUT -s 88.180.30.194 -j DROP
iptables -A OUTPUT -d 88.180.30.194 -j DROP
# Allow replies to connections that originated from inside the LAN
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop everything else arriving on the WAN interface (appended so it is evaluated last)
iptables -A INPUT -i $WAN_IFACE -j DROP
Here $WAN_IFACE is the name of the NIC connected to your ISP; in my system it would be vlan2, but you had better check for your system. The first two rules shut out completely one of the IP addresses from which came the illegal connections to your pc 192.168.1.9. You may wish to add other similar rules to shut out also 105.101.68.216 and so on. The third rule allows input which is a continuation of connections started by you, i.e. presumably legal connections. The fourth rule shuts out everything else. Hit Save firewall, and you are done.
Now leave the router on but disconnected from the Internet for about a day, and see whether any pc other than 192.168.1.9 tries to contact strange IP addresses. Legitimate companies, like Microsoft or Apple, Akamai or Sony, do not count, but consumer accounts in Algeria, Burundi, France, Germany, Singapore, UK (the apparent sources of the connections in the log above) do. If there are such attempts, take the originating pc offline, turn it off, and subject it to the treatment of Step 11.
Now you may connect the new router to the Internet.
Now take your (turned off!) pc 192.168.1.9 and bring it elsewhere, i.e. not at your home. Turn it on, and either run all anti-virus tests available to mankind, or, better still, re-install the operating system.
Check the system log of your brand new router daily, for some time, to make sure there are no more connections of the above sort: there is always the possibility that the hacker infiltrated other systems in your home. As soon as you see traces of this, repeat the steps above for the hacked pc, and when the infected pc is off-line, change the router password.
You may toss the old router, or, better still, decide that it is a fun project installing DD-WRT on it. You may find out here whether that is possible. If it is, then it is some fun, and you would also get a shining new, safe, powerful router, from the pile of garbage it is instead today.
At some point in the future, you ought to learn to configure the firewall, iptables, properly, and how to set up a passwordless ssh connection to the router, which would allow you to disable password login completely (see here for a brief description of how to do it). But these things can wait.
You should be happy: your hacker, despite having penetrated your router, was absent-minded enough to leave the system log in place, which ultimately led to his detection. You might not be so lucky next time.