Review of my home broadband router logs (suspicious activity

[Paul M. Cook]

Does this activity found accidentally in my home broadband
wireless router log seem suspicious to you?

Here is a screenshot of the suspicious log entries:
https://i.imgur.com/iZm1CCq.jpg

When "I" log into my router, I see a line like this:
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15

But, I see the following (suspicious?) activity in my log file:
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31

I don't know what this really means: "LAN access from remote".

Looking at the router wired & wireless list of devices, 192.168.1.5
seems to not be attached at the moment.

But, looking back, I can determine (from the MAC address) that it's
my child's Sony Playstation (which has "UPNP events" whatever they are):

[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[DHCP IP: (192.168.1.5)] to MAC address F80:AC:B14:A3, Monday, Dec 21,2015 12:26:18
[DHCP IP: (192.168.1.5)] to MAC address F80:AC:B14:A3, Tuesday, Dec 22,2015 16:17:47
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
*****************************************************************
Can you advise me whether I should be worried that there are many
LAN accesses from a remote IP address to a kid's Sony Playstation?
*****************************************************************

 

[Paul M. Cook]

On Tue, 22 Dec 2015 23:11:38 -0500, ng_reader wrote:

> Are you afraid of, what, exactly?

To answer why I ask about these activities, it's that I did not elicit
these transactions, nor do I understand them.

The IP addresses seem to belong to the following (from a whois):
--------------------------------------------------
inetnum: 93.38.176.0 - 93.38.183.255
netname: FASTWEB-DPPU
descr: Infrastructure for Fastwebs main location
descr: NAT POOL 7 for residential customer POP 4106,
country: IT
--------------------------------------------------
inetnum: 177.204/14
aut-num: AS18881
abuse-c: GOI
owner: Global Village Telecom
country: BR
--------------------------------------------------
inetnum: 101.160.0.0 - 101.191.255.255
netname: TELSTRAINTERNET50-AU
descr: Telstra
descr: Level 12, 242 Exhibition St
descr: Melbourne
descr: VIC 3000
country: AU
--------------------------------------------------
inetnum: 181.164/14
status: allocated
aut-num: N/A
owner: CABLEVISION S.A.
ownerid: AR-CASA10-LACNIC
responsible: Esteban Poggio
address: Aguero, 3440,
address: 1605 - Munro - BA
country: AR
--------------------------------------------------
inetnum: 2.133.64.0 - 2.133.71.255
netname: TALDYKMETRO
descr: JSC Kazakhtelecom, Taldykorgan
descr: Metro Ethernet Network
country: KZ
--------------------------------------------------
inetnum: 186.204/14
aut-num: AS28573
abuse-c: GRSVI
owner: CLARO S.A.
ownerid: 040.432.544/0835-06
responsible: CLARO S.A.
country: BR
--------------------------------------------------
inetnum: 148.246/16
status: allocated
aut-num: N/A
owner: Mexico Red de Telecomunicaciones, S. de R.L. de C.V.
ownerid: MX-MRTS1-LACNIC
responsible: Ana MarĂ­a Solorzano Luna Parra
address: Bosque de Duraznos, 55, PB, Bosques de las Lomas
address: 11700 - Miguel Hidalgo - DF
country: MX
--------------------------------------------------
inetnum: 195.67.224.0 - 195.67.255.255
netname: TELIANET
descr: TeliaSonera AB Networks
descr: ISP
country: SE
--------------------------------------------------
inetnum: 1.72.0.0 - 1.79.255.255
netname: NTTDoCoMo
descr: NTT DOCOMO,INC.
descr: Sannno Park Tower Bldg.11-1 Nagatacho 2-chome
descr: hiyoda-ku,Tokyo Japan
country: JP
--------------------------------------------------
inetnum: 1.72.0.0 - 1.79.255.255
netname: MAPS
descr: NTT DoCoMo, Inc.
country: JP
--------------------------------------------------
inetnum: 178.116.0.0 - 178.116.255.255
netname: TELENET
descr: Telenet N.V. Residentials
remarks: INFRA-AW
country: BE
--------------------------------------------------
inetnum: 82.237.140.0 - 82.237.143.255
netname: FR-PROXAD-ADSL
descr: Proxad / Free SAS
descr: Static pool (Freebox)
descr: deu95-3 (mours)
descr: NCC#2005090519
country: FR
--------------------------------------------------
NetRange: 107.192.0.0 - 107.223.255.255
NetName: SIS-80-4-2012
NetHandle: NET-107-192-0-0-1
Parent: NET107 (NET-107-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS7132
Organization: AT&T Internet Services (SIS-80)
City: Richardson
StateProv: TX
--------------------------------------------------
NetRange: 216.98.48.0 - 216.98.63.255
CIDR: 216.98.48.0/20
NetName: UBICOM
NetHandle: NET-216-98-48-0-1
Parent: NET216 (NET-216-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Ubisoft Entertainment (UBISOF-2)
--------------------------------------------------

 

[ng_reader]

<snip>

*****************************************************************
Can you advise me whether I should be worried that there are many
LAN accesses from a remote IP address to a kid's Sony Playstation?
*****************************************************************

Are you afraid of, what, exactly?

 

[Tony Hwang]

ng_reader wrote:

snip

*****************************************************************
Can you advise me whether I should be worried that there are many
LAN accesses from a remote IP address to a kid's Sony Playstation?
*****************************************************************


Are you afraid of, what, exactly?

Ask the kid if he is playing on line game.

 

[Paul M. Cook]

On Tue, 22 Dec 2015 22:00:40 -0700, Tony Hwang wrote:

> Ask the kid if he is playing on line game.

He does play online, but I don't know if *those* are
activities *he* initiated, or if they are attempts
to attack us.

 

[Micky]

On Wed, 23 Dec 2015 00:11:30 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

On Tue, 22 Dec 2015 22:00:40 -0700, Tony Hwang wrote:

Ask the kid if he is playing on line game.

He does play online, but I don't know if *those* are
activities *he* initiated, or if they are attempts
to attack us.

Maybe you could ask him and you could also have him play a game at a
recorded time and then check your log to see if the entries are
similar.

AIUI, the average desktop gets thousands of pings a day. When I had
that famous software firewall whose name escapes me, it would record
and count them.

But thhat doesn't mean the outside ip is targeting your kid
specifically. Maybe it just goes through IP numbers consecutively,
looking for those that are unprotected.

And it doesn't mean that it can do anything to your kid's device.
Isn'tt the software in a game or insertable game hard-coded?

And it doesn't mean the pinger wants to. A lot of my pings were from
my own ISP iirc. i don't know why it was doing this when I was
already connected.

What could an outside force do to your kid? Can the game display
messages on it, like "Come to Syria and kill the infidels. Call
1-800-KIL-L-INF". Frankly I think the people whos say that 12 or 10
is not too young to talk to their children about sex, drugs, etc. are
missing the mark. What parents should do is talk during dinner to
each other about how stupid drug users are and how stupid and selfish
those who get someone pregnant when they're not married, and they can
do this when the kid is 4 and up and kids will listen to everything
their parents say. But if they are 12 and the parent is telling them
what to do, it will be for some kids a challenge to do the opposite,
because they dont' like being lectured. That's why parents should
talk to each other in front of the kids. There are adequate
conversation starters in the news.

 

[M. Stradbury]

On Wed, 23 Dec 2015 10:17:10 -0500, Mayayana wrote:

First, do you have a good, long password for
your router? You should. Maybe 20 characters

Which router password are you talking about?

1. The Admin password?
2. The SSID WPA2/PSK passphrase?

 

[Danny D.]

Micky wrote, on Wed, 23 Dec 2015 11:24:16 -0500:

I noticed that because some families have so many wireless devices,
they've redesigned routers and now many are 100 to 200 dollars.

You can't go wrong with almost any "ac" router nowadays.
An "ac1200" router will be just fine for almost any household.

 

[Paul M. Cook]

On Wed, 23 Dec 2015 04:19:59 -0800, DerbyDad03 wrote:

It's not a question of what could be done to the device, it's whether or
not that device is allowing access to the home's network. Once inside
the network it may be possible to gain access to other computers.

Exactly. I'm not worried about the kid being attacked.

I'm worried about the attacker coming in through the port 9000 of the
IP address 192.168.1.5 which, at least today, is the Sony Playstation
(but it could have been any computer on the day of the attack since
I have DHCP).

Once the attacker is on the router, they can potentially get to any
computer or monitor anything or watch or whatever the reason they
got in for.

That there were *many* similar attacks at roughly the same time is
what worries me also.

But, mostly, I am just wanting to know *what* happened, which, from
the log files, I can't tell - but that's why I asked. I don't know
how to correctly *interpret* this particular set of errors.

We're all just guessing. And that's bad.

 

[Tony Hwang]

Paul M. Cook wrote:

On Wed, 23 Dec 2015 04:19:59 -0800, DerbyDad03 wrote:

It's not a question of what could be done to the device, it's whether or
not that device is allowing access to the home's network. Once inside
the network it may be possible to gain access to other computers.

Exactly. I'm not worried about the kid being attacked.

I'm worried about the attacker coming in through the port 9000 of the
IP address 192.168.1.5 which, at least today, is the Sony Playstation
(but it could have been any computer on the day of the attack since
I have DHCP).

Once the attacker is on the router, they can potentially get to any
computer or monitor anything or watch or whatever the reason they
got in for.

That there were *many* similar attacks at roughly the same time is
what worries me also.

But, mostly, I am just wanting to know *what* happened, which, from
the log files, I can't tell - but that's why I asked. I don't know
how to correctly *interpret* this particular set of errors.

We're all just guessing. And that's bad.

Playing on-line game? Kids do most of time.

 

[Paul M. Cook]

On Wed, 23 Dec 2015 00:22:59 -0700, Don Y wrote:

Have you edited your log, here? Are there other activities not shown?
Do you see just these sporadic accesses?

That's an excerpt only but those were the only messages listed with the
prefix of "[LAN access from remote]".

Most routers will provide a (DHCP?) page that show where the current
IP addresses that *it* has doled out are being used. (I suspect
"Attached Devices" in your router).

At the moment, there are no "attached devices" with the DHCP IP
address of 192.168.1.5, and the log file doesn't say which device
in the house was 192.168.1.5 on that day.

But, looking at the log file, at some point thereafter, the
IP address of 192.168.1.5 was the MAC address which is the
Sony Playstation.

I can't tell, from the log, what device had the DHCP given
address of 192.168.1.5 on the day of the attack.

The router shows "attached devices" but it doesn't show
a history.

 

[Paul M. Cook]

On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:

> Playing on-line game? Kids do most of time.

Maybe. But is *that* what the error message says?

I guess I need to *experiment*, by asking the kid to play a few
games and then watch the router log file.

What is worrisome is that some of the entries don't come from
what I'd expect an online game to come from, e.g., Brazil,
Mexico, Japan, France, etc.

 

[Danny D.]

Don Y wrote, on Wed, 23 Dec 2015 12:57:02 -0700:

First, the SSID is effectively public. Even if you turn off SSID
broadcasts, it's trivial to detect your SSID. So, any sort of
access control you expect to gain from *hiding* it is laughable!
Likewise, making it "obscure" -- "sdsf0gl9k2345s0d" -- won't
buy you anything.

Jeff Liebermann knows this stuff much better than I do, but here
is what he taught me.

WORSE THAN YOU SAID:

1. If you hide your SSID, then your laptop has to look for it on
purpose, which it dutifully does (that's how it finds it).
However, that also means that when you boot your laptop at
Starbucks, it *still* looks *first* for your hidden IP (because
your laptop has no idea you're at Starbucks yet). Only after
your laptop can no longer find the SSID it wanted first, does
the laptop look for *other* broadcast SSIDs.

Hence, you have *worse* privacy at a hotspot when you decide
to not broadcast your SSID at home.

MOSTLY TRUE WHAT YOU SAID:
2. Making your SSID obscure is critical if you want to stay out
of rainbow hash tables. Anyone who knows YOUR SSID already
can download a hash table that allows them to log into your
router using the SSID as a "salt".

So you really really really want to have a UNIQUE ESSID!
https://security.stackexchange.com/questions/92903/rainbow-tables-hash-tables-versus-wpa-wpa2

MORE CONSIDERATIONS:
3. In addition, you don't want your unique ESSID to pinpoint
you, so don't name it after your last name or your address.

4. One more thing, the BSSID (i.e., the MAC address) of your
router is what Google puts into its database when that
spycar drives down your road. Short of putting up a sign
saying "private road", you can't stop them from driving
past your home and gathering your BSSID and those of your
neighbors.

One thing you can do is change your ESSID to have "_nomap"
on the end of it, which Google says they won't keep. Yes,
I know, they expect the entire world to opt out manually
that way, which is silly, but that's what they do.

Otherwise, you'll need to change *both* your ESSID and
your BSSID (MAC address) periodically, so that Google
databases no longer have accurate records. (You can't
do anything about your stupid neighbors though, so,
you're already doomed.)

 

[Micky]

On Wed, 23 Dec 2015 10:06:04 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:

Playing on-line game? Kids do most of time.

Maybe. But is *that* what the error message says?

I guess I need to *experiment*, by asking the kid to play a few
games and then watch the router log file.

Good idea.

What is worrisome is that some of the entries don't come from
what I'd expect an online game to come from, e.g., Brazil,
Mexico, Japan, France, etc.

When I went to France in 1974, I thought I could impress girls with
hershey bars and nylon stockings, but instead I couldnt' afford to eat
in a real restaurant.

(though I did eat in an expensive restaurant in Amsterdam before the
flight home, rijstafel, and it was only meal I shared with a girl I
met the previous day, and we were on the same plane the day after the
meal and we were both sick. From the expensive meal)

IOW, despite the impression we're oftren given, they have civilization
in those places, and even infra-civilization like games. I'm sure
there are gamers in all those countries, but there may also be hackers
..

 

[Mayayana]

That's interesting. I didn't know routers kept logs. Did
you find that by logging in to the "control panel"?

I used to get a lot of attempts to get into my computer
when I had dialup. That mostly stopped with cable, though
I have caught my cable company, RCN, trying to get
in. I have no idea why. Apparently they just go around
snooping on customers, perhaps tracking how many
machines are at each address, or some such.

First, do you have a good, long password for
your router? You should. Maybe 20 characters.

You didn't mention what computers you have.
Assuming Windows...

It's important to understand that most
Windows computers are full of holes. The default
configuration has numerous unsafe services running.
Many people now also enable remote Desktop
functionality for tech support. You should have a
firewall that blocks all incoming and asks permission
for all outgoing processes. (In many cases it's also
possible to block svchost from going out, which takes
care of most or all Microsoft spyware.)

Some may remember there was a problem with XP
in the early days. A service called Messenger (not
Windows Messenger) was running by default. It was
intended for sys admin people in corporations to be
able to pop up notices to employees on the network.
(Like "Don't forget: Company picnic on Saturday.")
It was being used to show people ads. The problem is
that Windows NT (2000/XP/Vista/7/8/10) is designed
to be a corporate workstation. It's a sieve, set up
with the assumption that the network is safe while
the users can't be trusted. If you want to set up
reasonable security see here:

http://www.blackviper.com/

You can use that site to adjust services. And get a
firewall.

I don't know much about Playstation, but that's
a good example of increasing intrusion online. Online
services and spyware operating systems are changing
the norm. Most software is now designed to call home
without asking. A few years ago that was known as
spyware. Windows 10 is a new level of spyware. It
now has a privacy policy and TOS that claim Microsoft
has a legal right to spy on virtually everything you do.
(I suspect Playstation is probably worse in that regard.)

At the same time, more people want more of those
services. Without selling out to Apple you can't get
all those nifty apps. Without selling out to Adobe you
can no longer use Photoshop without it spying on you.
The latest version is still installed on your computer,
but it's officially marketed as an online service. The
difference is not so much in the software but in the
fact that you have to accept it as spyware. MS Office
and many other programs are going the same way.
They want to steal your car and rent you a taxi.

So there may be different, conflicting concerns
for you. One concern is preventing malware/spyware
intrusion by strengthening your security. But then
there's also the issue of whether you're actually willing
and able to do that in the context of how you want
to use your connected devices. If you want to accept
and use online services then you must accept that
you're now in a shopping mall. The mall cameras,
marketing data collectors and security guards will be
watching. You're on their property, not your own.

 

[Micky]

On Wed, 23 Dec 2015 09:58:45 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

On Wed, 23 Dec 2015 00:22:59 -0700, Don Y wrote:

Have you edited your log, here? Are there other activities not shown?
Do you see just these sporadic accesses?

That's an excerpt only but those were the only messages listed with the
prefix of "[LAN access from remote]".

I thought I'd look at my log, for the first time in 8 years. The
only wireless device I use is a printer.

Dec/21/2015 18:59:18 DHCP lease IP 192.168.0.106 to
android-fce7fa4f93da6881 64-89-9A-6E-9C-85
Dec/21/2015 18:59:09 DHCP lease IP 192.168.0.106 to
android-fce7fa4f93da6881 64-89-9A-6E-9C-85
Dec/21/2015 18:59:04 DHCP lease IP 192.168.0.106 to
android-fce7fa4f93da6881 64-89-9A-6E-9C-85

Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

So who is Dennis? 5 in the morning? That's my time, right? or GMT?

Dec/20/2015 05:20:05 Wireless PC connected 70-3E-AC-DE-14-94
Dec/19/2015 23:51:38 Wireless PC connected A4-EE-57-E3-09-E4

Whose is this wireless PC? I have one, but haven't used it in weeks.

Dec/19/2015 21:48:06 DHCP Request success 192.168.1.46
Dec/19/2015 21:48:06 DHCP Request 192.168.1.46
Dec/19/2015 15:16:58 DHCP lease IP 192.168.0.100 to EPSONE309E4
A4-EE-57-E3-09-E4
Dec/19/2015 10:13:04 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/19/2015 10:13:02 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

The Epson is my printer. I was probably printing the crossword
puzzle. But more Dennis!

Dec/19/2015 10:13:02 Wireless PC connected 70-3E-AC-DE-14-94
Dec/19/2015 07:51:01 DHCP lease IP 192.168.0.105 to
android_a1d17253796b3c9c 14-7D-C5-A7-E9-5C

I have a cell phone that runs android, but I don't think I've had it
on in the house on the 19th. I haven't tried to connect to wifi with
it for a year or more.

Could something like this cause interruptions in my internet, which I
get sometimes? The router light for the jack I use flickers all the
time, but sometimes no data gets dl'd. I have DSL.

Dec/16/2015 15:12:23 DHCP lease IP 192.168.0.103 to Tiyes-Iphone-2
20-A2-E4-E7-81-36

Dec/16/2015 08:49:25 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 06:25:38 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 05:27:09 Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 05:26:17 Wireless PC connected A4-EE-57-E3-09-E4

Dec/13/2015 20:22:09 Wireless PC connected A4-EE-57-E3-09-E4
Dec/13/2015 20:21:49 Wireless PC connected A4-EE-57-E3-09-E4
Dec/13/2015 12:27:17 DHCP lease IP 192.168.0.103 to Tiyes-Iphone-2
20-A2-E4-E7-81-36
Dec/13/2015 12:27:16 Wireless PC connected 20-A2-E4-E7-81-36

Dec/09/2015 08:06:17 DHCP lease IP 192.168.0.106 to Sharlenes-iPad
34-C0-59-19-F9-46

Hmmm..

To send myself the log it asks for SMTP Server / IP Address .

Does that mean the smtp server is enough, or do I need its IP address
too, which I don't know?

Help says "SMTP Server - The address of the SMTP (Simple Mail Transfer
Protocol) server that will be used to send the logs." but I haven't
gotten the email I sent yet, and I should have by now.

 

[Paul M. Cook]

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

> To send myself the log it asks for SMTP Server / IP Address .

I saw the send-log command, but I just copy-and-pasted my
router log into a text file on the computer.

1. While looking at the router log file from within your browser:
Control-A to select all
Control-C to copy

2. Then paste that into any open text file:
Control-V to paste

 

[Paul M. Cook]

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

So who is Dennis? 5 in the morning?
That's my time, right? or GMT?

I just logged into my Netgear WNDR3400v2 router, and went to the
advanced tab of Administration > Logs

It says on top of the window what time it "thinks" it is:
Current Time: Wednesday, Dec 23,2015 08:03:08

Looking at the clock, that's the local time in my time zone.

 

[Paul M. Cook]

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

Dec/19/2015 21:48:06 DHCP Request success 192.168.1.46
Dec/19/2015 21:48:06 DHCP Request 192.168.1.46
Dec/19/2015 15:16:58 DHCP lease IP 192.168.0.100 to EPSONE309E4
A4-EE-57-E3-09-E4
Dec/19/2015 10:13:04 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/19/2015 10:13:02 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

The Epson is my printer. I was probably printing the crossword
puzzle. But more Dennis!

There is what appears to be an iPhone connecting to your router.

You can look up the first half of the MAC address (the OUI) to see
what kind of device it appears to be from:
https://www.adminsub.net/mac-address-finder

Denis' MAC address is the following:
(70-3E-AC) (DE-14-94)

The organizationally unique part is the first half:
(70-3E-AC)

That indeed is an Apple device OUI:
703EAC indeed resolves to "Apple, Inc."

 

[Paul M. Cook]

On Wed, 23 Dec 2015 10:17:10 -0500, Mayayana wrote:

That's interesting. I didn't know routers kept logs. Did
you find that by logging in to the "control panel"?

I don't know of *any* router that does *not* keep logs.
Usually they start at reboot time, and go on forever from there.
For my Netgear router, I log in and then go to:
Advanced > Administration > Logs

I used to get a lot of attempts to get into my computer
when I had dialup. That mostly stopped with cable, though
I have caught my cable company, RCN, trying to get
in. I have no idea why. Apparently they just go around
snooping on customers, perhaps tracking how many
machines are at each address, or some such.

Cable should be the worst, as I understand it, since anyone
in your neighborhood on the same cable is essentially connected
to you as I understand it.

So, I'd be sure to have a router, but, as we all know, anyone
who knows what they're doing can get past our cheap routers.

First, do you have a good, long password for
your router? You should. Maybe 20 characters.

The thing is that most routers don't allow a password greater
than 8 characters (from my experience). Sure, they'll *let*
you type a long password - but they'll take anything (or nothing)
after the first 8 characters.

Try it. That's how "my" router works.

You didn't mention what computers you have.
Assuming Windows...

Oh, I have everything. Windows. Linux. OS/X. iOS, Android.
Printers. And other devices (like the playstation).