Forum Thread: Closing Backdoors After Being Hacked by Metasploit

It seems as if someone has hacked my phone using Metasploit. It seems to be a client-side hack, as when I'm using OpenVPN I can see the persistent tunnel enabled and have a remote TCP connection to an IP. Also, a lot of my apps are opening up ports on their own (not in a usual way). Also, they are using the phone to hack the WiFi to get the public IP (mine is dynamic), then gaining access around the network that way. They seem to be using some sort of multicasting. This is only a hunch, but I basically think it was revenge from a neighbour; I have no idea why. They wouldn't admit it to me or the police, so I've been left to deal with it. If I go to /etc/ppp I have a file called ip-up-vpn. Does that mean they are using a persistent tunnel/backdoor to gain access? The port they are using is 995.

I don't know if it's worth mentioning, but I've used LANdroid and Termux to do netstat and I have a lot of established connections. But they seem to be with servers like Akamai, Cloudflare, AWS, GWS.

I think they performed a KRACK attack on me and used a packet sniffer to gain access originally, then after having pen tested the router, opened up ports. The ones I'm mainly concerned about are netbios-ssn 139 and microsoft-ds 445.

I use the ISP router and there isn't a setting to block ports on the GUI. But after checking the technical logs once I factory reset my router, internal and external port 0 is forwarded to port 0. So I think they may have changed the startup rules.

I'm not very tech savvy; I'm useless with Linux. I only know what I've read up on and then seen the pattern of behaviour it follows.

Also, they have SMB over IP set up on my network.

I'm guessing I'm going to need to close the backdoors on my devices first then factory reset the router.

Or am I wrong?

Does anyone have any suggestions?
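A small triage helper for the kind of netstat output mentioned in the post, added here as an example and not part of the original thread. It parses constructed `netstat -tn`/`netstat -tln` lines of the format Termux prints, flags SMB ports (139/445) listening on all interfaces, and counts established connections by remote port; note that 995 is POP3S (mail over TLS), so a connection to it is not on its own evidence of a backdoor.

```python
import re
from collections import Counter

# Constructed sample of `netstat -tln` / `netstat -tn` output (not from the poster's device).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.23:41522      203.0.113.10:995        ESTABLISHED
tcp        0      0 192.168.1.23:41530      198.51.100.7:443        ESTABLISHED
tcp        0      0 192.168.1.23:41544      198.51.100.8:443        ESTABLISHED
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
"""

# SMB (139/445) listening on a phone is unusual and worth checking;
# 995 is POP3S, the standard mail-over-TLS port, so seeing it outbound is normal for a mail app.
SMB_PORTS = {139, 445}
LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?"
)


def parse_netstat(text):
    """Turn netstat text lines into dicts; header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto,
            "laddr": laddr, "lport": None if lport == "*" else int(lport),
            "raddr": raddr, "rport": None if rport == "*" else int(rport),
            "state": state or "",
        })
    return rows


def triage(text):
    """Summarise listeners of concern and outbound connections by remote port."""
    findings = {"smb_listeners": [], "listening_all_ifaces": [], "outbound_by_port": Counter()}
    for r in parse_netstat(text):
        if r["state"] == "LISTEN":
            if r["lport"] in SMB_PORTS:
                findings["smb_listeners"].append(r["lport"])
            if r["laddr"] in ("0.0.0.0", "::"):  # reachable from the network, not just localhost
                findings["listening_all_ifaces"].append(r["lport"])
        elif r["state"] == "ESTABLISHED":
            findings["outbound_by_port"][r["rport"]] += 1
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT))
```

Pipe real output in with `netstat -tn` (or `ss -tn`) from Termux and compare the remote ports against the apps you actually use before drawing conclusions.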

1 Response

Reset the phone?
