Help, my ISP says I'm doing DDoS and cut off my internet connection

So I don't really know where to put this, but anyway... About 2 days ago my ISP started to cut my internet, and when I called them up they said they had got complaints from companies in Germany and the USA that some device on my network was doing DDoS as part of some sort of botnet. I found this really weird. I have 1 Windows machine that I scanned with Malwarebytes Anti-Malware and it doesn't find anything; then I have a pfSense machine, a FreeNAS box and a Raspberry Pi, and my mom uses Ubuntu on her laptop. Anyone got any idea?? They have cut the internet 2 days in a row now, it sucks. Like, anyone know where to start looking? I saw that new Shellshock bug and was thinking, could it possibly be that? Though I think only my FreeNAS machine has bash installed by default, and I have no idea how to remove such a thing on FreeNAS. Well, anyway, thanks for any help.

You should be able to block port 22 for SSH, and that should prevent a lot of issues. Use the following command in a bash prompt to see if it was patched.

*Sigh* can't fix the formatting. The code will output
  • vulnerable
  • echo this is a test

if you're not safe. I know Debian and Ubuntu have released patches. Another tool you could try is Wireshark, to see if any odd traffic is going over your Windows box. The ISP should be able to trace which PC is doing it (I know my ISP can....); see if they will give you the information of the machine.

  • Source for code: http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

EDIT: I love the TS but I sure hate the posting comments form >.<!
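The Shellshock probe the post above refers to, written out as an added example (this is not code from the thread or from the Ars Technica article it cites). It exports a variable whose value looks like a bash function definition with a trailing command; an unpatched bash executes that trailing command while importing the environment (CVE-2014-6271). Assumptions: the bash to test is the first `bash` on PATH, or the path passed as the first argument, and the exit codes (0 patched, 1 vulnerable, 2 no bash found) are this example's own convention.

```shell
#!/bin/sh
# Added example, not from the original thread: wraps the well-known
# CVE-2014-6271 ("Shellshock") probe in a function.
# Usage: shellshock_check [path-to-bash]
# Prints "vulnerable", "patched" or "no-bash" and returns 1, 0 or 2.
shellshock_check() {
    target="${1:-bash}"          # assumption: test the bash on PATH unless told otherwise
    if ! command -v "$target" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # x looks like an exported function "() { :;}" followed by an extra command.
    # Unpatched bash runs the extra "echo vulnerable" while importing x; a patched
    # bash ignores everything after the function body (some versions also warn on
    # stderr, which is discarded here). The -c command runs either way.
    out=$(env x='() { :;}; echo vulnerable' "$target" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Stand-alone run: check the default bash (or the one given as $1).
shellshock_check "$@"
```

On an unpatched system the probe prints both `vulnerable` and `this is a test`; on a patched one only `this is a test` appears. Run it with the path to the bash you actually care about (for example the one on the FreeNAS box, over SSH) rather than on the machine you happen to be sitting at.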

Trolling OP is trolling...

ISPs don't wait for you to call in to tell you that you're DDoSing, and ISPs don't receive complaints for criminal transgressions.

Complaints against DDoS are handled by the police/DA/FBI/judicial police/whatever law enforcement, depending on the country and the type of DDoS, and those are also the first you see when you're DDoSing.

The entire thing makes no sense. If a company from Germany had detected a DDoS from your IP, they would have informed the special administration for cybersecurity and cybercrime in Germany that deals with these things. They would most certainly not have informed your ISP.

The ISP is Comhem and I live in Sweden. Well, I actually asked if they could see exactly what machine, and they said no, just the router IP. And I don't have SSH on a lot, except the NAS and the OpenELEC Raspberry Pi movie PC, and I have nothing port-forwarded. I checked the Shellshock thingy with that code from Red Hat though, and yeah, my FreeNAS box is vulnerable, but I don't think they have any patches yet for it. It's kinda scary D;

Verify you are not, with Wireshark on your network with your wireless card in monitor mode (the easiest way to do this is on the Ubuntu laptop: install the aircrack-ng suite, then run airmon-ng to get a monitor interface, then run Wireshark with this interface).

lol well yeah, I thought it was really weird we didn't get contacted at all when they cut our internet connection. But I have called them 2 times now and talked with different "teams" that handle stuff like that at the ISP. It's super weird, and I don't think I have got hacked? I guess it's always possible, but I find it a pretty small chance. I don't want to have to call them every day to get my f***king internet back, hmm, not sure what to do... Apparently they have sent some letters or something, but I haven't got them yet.

Well, I have run Wireshark on Windows. I'm not an expert on Wireshark... what would it look like? Like super a lot of packets from the same computer to somewhere, or something like that?

Actually they do. I worked for a computer repair shop, and someone had that LOIC installed on their machine, and Cox called to let us know that they were getting traffic that was related to DDoS. I also had the same thing happen with torrents downloading on users' machines.

Really, anything that doesn't look normal; you know what services you're using and what you're not. If in doubt, Google should be able to help with whatever you might find. You could even shut the Windows machine down or disconnect it and see if the problem is resolved.
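As an added example (not part of the thread) of what "a lot of packets from the same computer to somewhere" looks like when counted rather than eyeballed in Wireshark: a small POSIX shell/awk filter over per-packet text of the kind `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e udp.dstport` prints, reporting the LAN-source to destination:port pairs that exceed a packet threshold. The LAN range 192.168.1.0/24, the threshold, and the sample capture (generated by `make_sample`) are all constructed assumptions; a real capture from the pfSense box or a monitor-mode interface would be piped in instead.

```shell
#!/bin/sh
# Added example, not from the original thread. Counts outbound packets per
# "<LAN source> -> <destination>:<port>" and prints the pairs at or above a
# threshold, which is what a flood from one infected host looks like in a capture.
#
# Input lines: "<src ip> <dst ip> <dst port>", the shape of
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e udp.dstport
# Assumptions: the LAN is 192.168.1.0/24 (edit the regex below for yours); the
# threshold is packets per capture, so choose it relative to the capture length.

flood_sources() {
    threshold="${1:-100}"
    awk -v t="$threshold" '
        # only count traffic whose source is a LAN host
        $1 ~ /^192\.168\.1\./ { n[$1 " -> " $2 ":" $3]++ }
        END { for (k in n) if (n[k] >= t) print n[k], k }
    ' | sort -rn
}

# Constructed sample capture: the NAS (192.168.1.20) sending 500 packets to one
# external host on port 80, plus a few ordinary HTTPS packets from the laptop
# (192.168.1.30). Addresses are documentation ranges, not real hosts.
make_sample() {
    i=0
    while [ "$i" -lt 500 ]; do
        echo "192.168.1.20 203.0.113.5 80"
        i=$((i + 1))
    done
    echo "192.168.1.30 198.51.100.10 443"
    echo "192.168.1.30 198.51.100.10 443"
    echo "192.168.1.30 198.51.100.11 443"
}

# Stand-alone run on the sample; for a real capture replace make_sample with
# the tshark pipeline above.
make_sample | flood_sources 100
```

The single line this prints for the sample, `500 192.168.1.20 -> 203.0.113.5:80`, is the signature to look for: one internal source, one target, one port, a count out of all proportion to everything else. Normal browsing spreads over many destinations and never reaches the threshold, and a host that only floods at night (as the original poster describes) will only show up in a capture taken at night.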

Well, I think they said they noticed it during the night, and my Windows machine is always off then, and yeah, it did continue...

Hmm, that's curious. You've never done anything like this before, right? (i.e. DDoSed someone) Maybe some software is lingering, or they just now saw it in the logs? Not trying to pass judgement or anything, just trying to see if there is a cause.

lol no, I have never been active in any DDoS things or anything like that. They said it was a botnet, so that creeps me out, if some *nix or Windows computer actually is in a botnet.

It's possible. If your router supports it, you could enable a whitelist and at first block everything and only open the things you need. That could help trace the issue. I'm honestly surprised the ISP won't give you more info; maybe switch to another if possible? Or at least threaten them that you'll switch unless they give you some more information on what is going on.

Well, that was all they knew at all, they said, and my mom was quite angry haha, she threatened to switch ;D But yeah, I don't know. I have pfSense (FreeBSD based) on my router, and a sucky router from the ISP that is in bridge mode too, but I guess they don't have things open that don't need to be in a default install? I haven't touched any ports or anything; I have only installed things like HAVP and Squid and pfBlocker, just some small things.

From the sounds of it, I'm thinking someone might be leeching off your wifi signal? Do you have *good* wifi security enabled? i.e. WPA or WPA2, not WEP.

Yeah, it's WPA2 pre-shared key with WPS turned off, though I don't remember if I ever tested whether it's one of those routers that tools like Reaver work on anyway. But yeah, I don't think there are any evil persons near my house at least lol, but yeah.

I'm honestly at a loss then, not sure what could be causing it. The least they could do is give you the port/protocol it's using. (And I know they can get that at least, that's how they see it.)

Yeah, well, I'm thinking of taking out all of the devices when I'm going to sleep, at least. Then I'll see if it's my pfSense router, and then I can plug in one device each day or something lol. It sucks if I need to call them every time to get it up again -.-"

All I can offer is good luck and hopefully you can trace it.

Well, I did that and it hasn't been shut down yet, at least. Gonna do the same thing but with my NAS plugged in this time. That letter they said they were going to send hasn't come yet... it all seems so weird to me. Anyway, thanks for the help.