A little background: I noticed an attempted WHOIS on an IRC chat that revealed my public IP (I know, stupid me; it has since been resolved by routing through Tor), and I immediately went to my router logs and noticed an attempted port scan happening. I disconnected my modem immediately and put another router in between the router that was port scanned, thus giving me a new public IP. There were no more remote attempts for 2 weeks while the intermediary router was in place. Figuring my IP reservation had expired (I have attempted this before and received a new IP in 7 days), I disconnected the intermediary router after the 2 weeks and went back to the original configuration. Immediately, I saw no more port scanning being attempted, but instead just a steady remote access attempt on the IP and port for my remote desktop. I put the intermediary router in between again and it all stopped.

So I downloaded the syslog and attached it for the time that the remote access attempts were made on the VM. The VM is only used for remote access to files, but that is only done through a VPN run through the router that logs in locally, so it would not show as a remote access. The IP used belonged to a UK security firm that has a big banner on the front of their page saying that hackers have used their IP and to contact the UK's fraud division, so ya ugh. This VM is also used to run a nightly sync between the router's NAS and a versioned backup on unraid. However, the VM showed no usage because it was shut down due to W10 having initiated an update a few days earlier, and logging in, I was greeted by the update installing. Oh, and I should add that when I put the config back, my internet connection slowed to a crawl due to bandwidth being consumed by whatever happened (back to normal after putting the other router back in between).

So what is compromised? What should my next course of action be? I really appreciate anyone spending the time to read through this and give me your input. Thanks.
syslog.txt