Review of my home broadband router logs (suspicious activity)

On Wed, 23 Dec 2015 10:58:58 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

To send myself the log it asks for SMTP Server / IP Address .

I saw the send-log command, but I just copy-and-pasted my
router log into a text file on the computer.

1. While looking at the router log file from within your browser:
Control-A to select all

I tried that but it highlighted the whole page, not just the data.

So it was easier to use the cursor to choose what to highlight.

My firmware is almost 11 years old. Maybe D-Link has refined it by
now.

Plus there are 20 pages of data, each requiring separate copying, so I
was hoping to get all 20 pages in one email.

And that includes only System Activity, Attacks, and Notice, not Debug
Information and Dropped Packets.

Later I will check those to see what shows up.


Control-C to copy

2. Then paste that into any open text file:
Control-V to paste
 
M. Stradbury wrote:
On Wed, 23 Dec 2015 10:17:10 -0500, Mayayana wrote:

First, do you have a good, long password for
your router? You should. Maybe 20 characters

Which router password are you talking about?

1. The Admin password?
2. The SSID WPA2/PSK passphrase?

PSK? How about AES?
 
On Wed, 23 Dec 2015 10:06:04 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

On Wed, 23 Dec 2015 07:58:33 -0700, Tony Hwang wrote:

Playing on-line game? Kids do most of time.

Maybe. But is *that* what the error message says?

I guess I need to *experiment*, by asking the kid to play a few
games and then watch the router log file.

What is worrisome is that some of the entries don't come from
what I'd expect an online game to come from, e.g., Brazil,
Mexico, Japan, France, etc.

Personally, I would turn off DHCP and manually give each machine a
static IP number. Any outside machine connecting to your network is
being issued an IP number.

"...DHCP is a good option for easy home networking. But if you
are truly serious about network security—if you have sensitive data
residing on your network or just want to make data or identity theft
much less likely—you're probably better off sticking with disabling
DHCP and maintaining full manual control of your home network."

Two Cents.
 
On Wed, 23 Dec 2015 11:02:44 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/20/2015 05:20:06 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

So who is Dennis? 5 in the morning?
That's my time, right? or GMT?

I just logged into my Netgear WNDR3400v2 router, and went to the
advanced tab of Administration > Logs

It says on top of the window what time it "thinks" it is:
Current Time: Wednesday, Dec 23,2015 08:03:08

Mine doesn't show the time anywhere, but if yours shows the current
time, that's good enough for me.

I noticed that because some families have so many wireless devices,
they've redesigned routers and now many are 100 to 200 dollars. That
means I should be able to get a 2-year old one cheap. Actually I
bought cheap at a hamfest what I thought was identical, and only
noticed a year later that it was a router like mine but without the
wireless part. Now is a bad time to try it because every day I may
wish to print the crossword.
Looking at the clock, that's the local time in my time zone.
 
On Wed, 23 Dec 2015 11:07:42 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

Dec/19/2015 21:48:06 DHCP Request success 192.168.1.46
Dec/19/2015 21:48:06 DHCP Request 192.168.1.46
Dec/19/2015 15:16:58 DHCP lease IP 192.168.0.100 to EPSONE309E4
A4-EE-57-E3-09-E4
Dec/19/2015 10:13:04 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94
Dec/19/2015 10:13:02 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2
70-3E-AC-DE-14-94

The Epson is my printer. I was probably printing the crossword
puzzle. But more Dennis!

There is what appears to be an iPhone connecting to your router.

You can look up the first half of the MAC address (the OUI) to see
what kind of device it appears to be from:
https://www.adminsub.net/mac-address-finder

Good to know. Thanks.

Dennis' MAC address is the following:
(70-3E-AC) (DE-14-94)

The organizationally unique part is the first half:
(70-3E-AC)

That indeed is an Apple device OUI:
703EAC indeed resolves to "Apple, Inc."

So that means it's an Apple device, like an iphone.

Not that it's someone working at Apple, inc.!
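
The OUI check above, done over the D-Link lease lines quoted in this thread, as an added example (not code from the original poster). The sample log is constructed from the lines shown above; the OUI table is a two-entry stand-in for the IEEE registry, with 70-3E-AC -> Apple taken from the thread and the Epson prefix an assumption. It also catches the case an OUI lookup cannot answer: a locally administered (randomised) MAC, which has no vendor at all.

```python
import re

# Constructed sample in the D-Link format shown in the thread. The lease
# lines are the ones quoted above; the "DHCP Request" line is included to
# show that non-lease lines are skipped.
SAMPLE_LOG = """\
Dec/20/2015 05:20:07 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94
Dec/19/2015 21:48:06 DHCP Request success 192.168.1.46
Dec/19/2015 15:16:58 DHCP lease IP 192.168.0.100 to EPSONE309E4 A4-EE-57-E3-09-E4
Dec/19/2015 10:13:04 DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94
"""

# Stand-in for the IEEE OUI registry (the real one is a large text file).
# 70-3E-AC -> Apple is what the thread reports; the Epson entry is an
# assumption added for this example.
OUI_TABLE = {
    "703EAC": "Apple, Inc.",
    "A4EE57": "Seiko Epson Corporation",  # assumption
}

LEASE_RE = re.compile(
    r"^(?P<when>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) DHCP lease IP "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<host>\S+) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s*$"
)


def normalize_mac(mac):
    """'70-3E-AC-DE-14-94' -> '703EACDE1494' (strip separators, upper-case)."""
    return re.sub(r"[-:]", "", mac).upper()


def oui_vendor(mac, table=OUI_TABLE):
    """Vendor registered for the first 24 bits of the MAC.

    Returns None for an unknown prefix. If the locally-administered bit
    (bit 1 of the first octet) is set, the address was software-assigned or
    randomised, so the prefix is not an OUI at all and is reported as such.
    """
    norm = normalize_mac(mac)
    if int(norm[:2], 16) & 0x02:
        return "locally administered (no vendor)"
    return table.get(norm[:6])


def inventory(text, table=OUI_TABLE):
    """One record per distinct MAC: hostname(s), IP(s), lease count, vendor.

    Lines that are not 'DHCP lease IP <ip> to <host> <mac>' are ignored.
    """
    devices = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue
        key = normalize_mac(m["mac"])
        rec = devices.setdefault(
            key, {"mac": m["mac"], "hosts": set(), "ips": set(),
                  "leases": 0, "vendor": oui_vendor(m["mac"], table)})
        rec["hosts"].add(m["host"])
        rec["ips"].add(m["ip"])
        rec["leases"] += 1
    return devices


if __name__ == "__main__":
    for rec in inventory(SAMPLE_LOG).values():
        print(rec["mac"], sorted(rec["hosts"]), sorted(rec["ips"]),
              rec["leases"], rec["vendor"])
```

Two caveats when reading the result: the vendor tells you who made the radio, not who owns the device, and a phone that randomises its Wi-Fi address (a feature later iOS and Android releases added) shows up with the locally administered bit set and no vendor at all, so an "unknown" device is not automatically a stranger's.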
 
On Wed, 23 Dec 2015 10:17:10 -0500, "Mayayana"
<mayayana@invalid.nospam> wrote:

That's interesting. I didn't know routers kept logs. Did
you find that by logging in to the "control panel"?

No, the control panel is on the computer.

You have to go to the router. The address is in the manual. In
D-link and I think maybe all of them it's http://192.168.0.1
I used to get a lot of attempts to get into my computer
when I had dialup. That mostly stopped with cable, though
I have caught my cable company, RCN, trying to get

I had RCN too, dialup, but after years of their promising high-speed,
I decided they were kidding, so I had to go to Verizon.

They said I could have email only, with no access to the net, for 3 a
month, but then 4 months later, with no warning, they took away my
ability to send email, and because of the way Eudora is set up, it's
not totally obvious how to change the settings to send only via
Verizon. (They also did 3 other bad things to me. And currently,
if my credit card number changes and the automatic payment doesn't
work, they told me I had told them not to send either an email or a
postal mail. I never said that. So 3 times over several years
they disconnected me with no warning, and one time they threw away all
my email, including any I hadn't downloaded yet.

Later they raised it from 3 to 4 a month.

Now if they won't notify me both ways, I asked to be notified by
email, but they said they won't do that. It's an email company but
they won't notify me by email.

How has your customer service been?

>in. I have no idea why.

That's what I said in another post. I was referring to Erols/RCN.

Apparently they just go around
snooping on customers, perhaps tracking how many
machines are at each address, or some such.

First, do you have a good, long password for
your router? You should. Maybe 20 characters.

You didn't mention what computers you have.
Assuming Windows...

It's important to understand that most
Windows computers are full of holes. The default
configuration has numerous unsafe services running.
Many people now also enable remote Desktop
functionality for tech support. You should have a
firewall that blocks all incoming and asks permission
for all outgoing processes. (In many cases it's also
possible to block svchost from going out, which takes
care of most or all Microsoft spyware.)

Some may remember there was a problem with XP
in the early days. A service called Messenger (not
Windows Messenger) was running by default. It was
intended for sys admin people in corporations to be
able to pop up notices to employees on the network.
(Like "Don't forget: Company picnic on Saturday.")
It was being used to show people ads. The problem is
that Windows NT (2000/XP/Vista/7/8/10) is designed
to be a corporate workstation. It's a sieve, set up
with the assumption that the network is safe while
the users can't be trusted. If you want to set up
reasonable security see here:

http://www.blackviper.com/

You can use that site to adjust services. And get a
firewall.

I don't know much about Playstation, but that's
a good example of increasing intrusion online. Online
services and spyware operating systems are changing
the norm. Most software is now designed to call home
without asking. A few years ago that was known as
spyware. Windows 10 is a new level of spyware. It
now has a privacy policy and TOS that claim Microsoft
has a legal right to spy on virtually everything you do.
(I suspect Playstation is probably worse in that regard.)

At the same time, more people want more of those
services. Without selling out to Apple you can't get
all those nifty apps. Without selling out to Adobe you
can no longer use Photoshop without it spying on you.
The latest version is still installed on your computer,
but it's officially marketed as an online service. The
difference is not so much in the software but in the
fact that you have to accept it as spyware. MS Office
and many other programs are going the same way.
They want to steal your car and rent you a taxi.

So there may be different, conflicting concerns
for you. One concern is preventing malware/spyware
intrusion by strengthening your security. But then
there's also the issue of whether you're actually willing
and able to do that in the context of how you want
to use your connected devices. If you want to accept
and use online services then you must accept that
you're now in a shopping mall. The mall cameras,
marketing data collectors and security guards will be
watching. You're on their property, not your own.
 
| > First, do you have a good, long password for
| > your router? You should. Maybe 20 characters.
|
| The thing is that most routers don't allow a password greater
| than 8 characters (from my experience). Sure, they'll *let*
| you type a long password - but they'll take anything (or nothing)
| after the first 8 characters.
|
| Try it. That's how "my" router works.
|

I tried it. I entered the first 13 characters. It didn't
let me in. I've never heard of an 8-char limit.

| > You didn't mention what computers you have.
| > Assuming Windows...
|
| Oh, I have everything. Windows. Linux. OS/X. iOS, Android.
| Printers. And other devices (like the playstation).
|

I don't see any scanning or contact in my logs,
but I also only use computers, with no networking,
and get informed by my firewall about unrequested
incoming. You may not have much option with
Playstation. I assume it's not under your control.
But you should have firewalls on your computers
that will drop incoming requests. (Though that's
one of the many shortcomings of Linux in my book.
Last I checked, Linux firewalls could stop incoming
but didn't monitor outgoing.)
 
On Wed, 23 Dec 2015 09:54:05 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

Once the attacker is on the router, they can potentially get to any
computer or monitor anything or watch or whatever the reason they
got in for.

....and run a packet sniffer that captures passwords, network traffic,
etc. into a log file.

<http://netsecurity.about.com/od/informationresources/a/What-Is-A-Packet-Sniffer.htm>
 
On 23/12/15 03:55, Paul M. Cook wrote:
Does this activity found accidentally in my home broadband
wireless router log seem suspicious to you?

Here is a screenshot of the suspicious log entries:
https://i.imgur.com/iZm1CCq.jpg

When "I" log into my router, I see a line like this:
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15

But, I see the following (suspicious?) activity in my log file:
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
....

Informational logs, not a warning or critical error.

from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
*****************************************************************
Can you advise me whether I should be worried that there are many
LAN accesses from a remote IP address to a kid's Sony Playstation?
*****************************************************************

It's how the games can only work. Your UPnP enabled router is port
forwarding that incoming traffic to a specific machine on your LAN, your
kid's playstation. It would take a flaw, or a hack, in your router for
this traffic to go anywhere else.

Personally, I wouldn't have a problem with it.

Try playing about with anything that uses peer-to-peer services like
Skype, Spotify or torrent programs and you'll see much the same logs.

Have your kid take a break from that game and you both have a read of
the following Microsoft ebook on

https://www.microsoft.com/en-gb/download/details.aspx?id=1522
or http://www.ownyourspace.net/

--
Adrian C
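
To turn the advice above into a check you can run over the whole log rather than eyeballing twenty pages, here is an added example (not code from any poster) that parses the Netgear-style lines quoted in this thread. It assumes the PlayStation is 192.168.1.5 and that its port 9000 is the only inbound mapping the owner knowingly allows; the sample log reuses the poster's own lines and adds constructed ones (documentation addresses) for an unexpected forward and an admin login from outside the LAN.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the Netgear format quoted in the thread. The first
# three lines are the poster's own; the remaining two are made up (using
# documentation addresses) to exercise the checks.
SAMPLE_LOG = """\
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 203.0.113.77:51234 to 192.168.1.16:3389, Saturday, Dec 19,2015 07:10:02
[Admin login] from source 198.51.100.9, Saturday, Dec 19,2015 07:12:30
"""

REMOTE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<when>.+)$"
)
ADMIN_RE = re.compile(
    r"^\[Admin login\] from source (?P<src>[\d.]+), (?P<when>.+)$"
)

# Assumption for this example: the PlayStation is 192.168.1.5 and its port
# 9000 is the only inbound mapping the owner knowingly allows.
EXPECTED_FORWARDS = {("192.168.1.5", 9000)}
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_remote_access(text):
    """All '[LAN access from remote]' lines as dicts (ports as ints)."""
    events = []
    for line in text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            events.append({"src": m["src"], "sport": int(m["sport"]),
                           "dst": m["dst"], "dport": int(m["dport"]),
                           "when": m["when"]})
    return events


def summarize(events):
    """Per internal host:port, how many hits and which remote IPs."""
    summary = defaultdict(lambda: {"count": 0, "sources": set()})
    for e in events:
        s = summary[(e["dst"], e["dport"])]
        s["count"] += 1
        s["sources"].add(e["src"])
    return dict(summary)


def find_unexpected(events, expected=EXPECTED_FORWARDS):
    """Inbound hits on a host:port the owner did not intend to expose.

    Game peers reaching the console on its own port are expected; a hit on
    another machine, or on a management port such as 3389, is not.
    """
    return [e for e in events if (e["dst"], e["dport"]) not in expected]


def admin_logins_from_outside(text, lan=LAN):
    """Admin-panel logins whose source is not a LAN address: the entry that
    would actually indicate someone on the router, rather than game traffic."""
    hits = []
    for line in text.splitlines():
        m = ADMIN_RE.match(line)
        if m and ipaddress.ip_address(m["src"]) not in lan:
            hits.append({"src": m["src"], "when": m["when"]})
    return hits


if __name__ == "__main__":
    evs = parse_remote_access(SAMPLE_LOG)
    for (dst, port), s in summarize(evs).items():
        print(f"{dst}:{port}  hits={s['count']}  remotes={sorted(s['sources'])}")
    print("unexpected:", find_unexpected(evs))
    print("admin from outside:", admin_logins_from_outside(SAMPLE_LOG))
```

The split the code makes is the one that matters: many remote IPs hitting one pre-arranged host:port is what a UPnP port mapping for a game looks like, while a hit on any other internal host, or an admin login from a non-LAN source, is the line to chase. Resolving who owns 93.38.179.187 needs a whois query, which is a network call and is left out here; the grouping alone already tells you whether the traffic is confined to the console.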
 
| > That's interesting. I didn't know routers kept logs. Did
| >you find that by logging in to the "control panel"?
|
| No, the control panel is on the computer.
|
| You have to go to the router. The address is in the manual. In
| D-link and I think maybe all of them it's http://192.168.0.1

Yes. That's what I was referring to. I think of it
as a control panel. I'm not sure whether it's called
that. My web host, too, calls it a control panel when
I log in.

| >
| > I used to get a lot of attempts to get into my computer
| >when I had dialup. That mostly stopped with cable, though
| >I have caught my cable company, RCN, trying to get
|
| I had RCN too, dialup, but after years of their promising high-speed,
| I decided they were kidding, so I had to go to Verizon.
|
| They said I could have email only, with no access to the net, for 3 a
| month, but then 4 months later, with no warning, they took away my
| ability to send email, and because of the way Eudora is set up, it's
| not totally obvious how to change the settings to send only via
| Verizon. (They also did 3 other bad things to me. And currently,
| if my credit card number changes and the automatic payment doesn't
| work, they told me I had told them not to send either an email or a
| postal mail. I never said that. So 3 times over several years
| they disconnected me with no warning, and one time they threw away all
| my email, including any I hadn't downloaded yet.
|
| Later they raised it from 3 to 4 a month.
|
| Now if they won't notify me both ways, I asked to be notified by
| email, but they said they won't do that. it's an email company but
| they won't notify me by email.
|
| How has your customer service been?
|

I've found the service to be very good.
Customer service is 24/7, and seems to be American.
Recently we got an upgraded modem because speeds
were slow, and that seems to have fixed it. In the
process they accidentally disconnected my separate
RCN phone wire. But then they came the next morning
and upgraded that as well, for free.

My only complaint is that they periodically raise the price
for no reason. But then if we call up they agree to lower it
again. ?? It seems to be the new strategy: Fleece the
customer base and then be nice to anyone who complains.
I suppose a lot of people are now on auto-payment
and don't notice.
Considering complaints I hear from customers of other
companies, I feel very content with RCN. But I never
had dialup with them.

I get ads about every two weeks for Verizon FIOS.
They have several inches of tiny fine print, in light gray,
that I can't even read with glasses on. There's no way
to find out the actual cost of the service. It's like an ad
out of a cartoon. I have no need for FIOS, anyway.
Recently a salesman came to the door. He wanted to tell
me that Verizon had some spiffy new wiring and that I
should switch. I told him how Verizon keeps sending ads
but won't even tell me what the product costs. He smiled
and said, "That's why I'm here." Then I said goodbye to
him and closed the door. They must be making very big
profits to justify sending out salesmen.

But that problem is not just with Verizon. A couple of
years ago I went around to cellphone providers to find
out what a basic plan costs. ATT/Verizon/Sprint/T-Mobile.
All of them had plans starting at $40. Not one could/would
tell me what the actual bill would be after the various scam
fees and taxes were added on.
 
On Wed, 23 Dec 2015 08:22:08 -0800, Oren wrote:

Personally, I would turn off DHCP and manually give each machine a
static IP number.

I have never not used DHCP.

How do we assign permanent IP addresses when devices come on and
off the network all the time?

Do we attach the IP address to the MAC address of the device?

For example, if the Android phone is MAC address DE:AD:BE:EF:CA:FE,
do we attach the IP address 192.168.1.10 to *that* MAC address from
the router?

Or, is there some other way of doing it from the device itself?
 
On Wed, 23 Dec 2015 09:07:46 -0800, Oren wrote:

...and run a packet sniffer that captures passwords, network traffic,
etc. into a log file.

I have run wifi-radar, kismet, and iwscanner, but the output is
horrendously cryptic.

I hear there is Wireshark, AirShark, netstumbler, & netcrumbler,
so, maybe one of those has easier to read output?
 
On Wed, 23 Dec 2015 11:19:48 -0500, Micky wrote:

I tried that but it highlighted the whole page, not just the data.

So it was easier to use the cursor to choose what to highlight.

In any browser session, you can also use "control F" and then type
in what you're looking for.

Then select just that which you found.

F3 moves to the next find.
Shift F3 moves backward to the previous find.
 
On Wed, 23 Dec 2015 11:19:48 -0500, Micky wrote:

Plus there are 20 pages of data, each requiring separate copying, so I
was hoping to get all 20 pages in one email.

Makes sense.

Let me know if you figure out the email because I didn't figure it
out myself on mine, and my firmware is fully up to date.
 
On Wed, 23 Dec 2015 11:24:52 -0500, Micky wrote:

So that means it's an Apple device, like an iphone.

Not that it's someone working at Apple, inc.!

If you can get an IP address like I did on my router logs,
you can run a "whois" command which will reverse IP check.

https://duckduckgo.com/?q=reverse+ip+address+lookup

If it's coming from Apple, whois will tell you that.

Of course, most of the time "I" run it, the IP address
is coming from China, but even that can be spoofed with
VPN or some other means.
 
On Wed, 23 Dec 2015 12:03:34 -0500, Mayayana wrote:

I tried it. I entered the first 13 characters. It didn't
let me in. I've never heard of an 8-char limit.

Are we talking about the ROUTER "admin" password?
Or are we talking about the ESSID encryption passcode?

They're different things.
"I" was talking about the router admin password.
 
On Wed, 23 Dec 2015 12:39:11 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

On Wed, 23 Dec 2015 08:22:08 -0800, Oren wrote:

Personally, I would turn off DHCP and manually give each machine a
static IP number.

I have never not used DHCP.

How do we assign permanent IP addresses when devices come on and
off the network all the time?

Do we attach the IP address to the MAC address of the device?

<https://tinyurl.com/hkqsa3t> The first link includes computers and
gaming consoles.

For example, if the Android phone is MAC address DE:AD:BE:EF:CA:FE,
do we attach the IP address 192.168.1.10 to *that* MAC address from
the router?

Or, is there some other way of doing it from the device itself?

Can't speak for the phone, sorry.
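
The question asked twice above (tie an IP to a MAC from the router, rather than on the device) is what routers call a DHCP reservation. As an added example (not from any poster), here is the check a reservation table needs, written in Python and rendered in dnsmasq syntax, since dnsmasq is the DHCP server inside OpenWrt and many consumer routers; the subnet, pool and the two deliberately wrong entries are constructed, and the DE:AD:BE:EF:CA:FE phone comes from the post.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed example: the Android phone from the post plus two deliberate
# mistakes (an address inside the dynamic pool, and a duplicate address).
LAN = "192.168.1.0/24"
POOL = ("192.168.1.100", "192.168.1.200")   # what the router still hands out
DEVICES = {
    "DE:AD:BE:EF:CA:FE": "192.168.1.10",   # Android phone (from the post)
    "A4:EE:57:E3:09:E4": "192.168.1.150",  # printer MAC from the thread; IP wrongly inside the pool
    "70:3E:AC:DE:14:94": "192.168.1.10",   # iPhone MAC from the thread; duplicate IP
}


def build_reservations(lan, pool, devices):
    """Check a MAC -> IP reservation map and render dnsmasq config lines.

    Rules: valid MAC syntax; IP inside the subnet but outside the dynamic
    pool (otherwise the router may hand the same address to another client);
    no two MACs on one IP. Returns (config_lines, error_messages).
    """
    net = ipaddress.ip_network(lan)
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    lines = [f"dhcp-range={pool[0]},{pool[1]},12h"]
    errors, used = [], {}
    for mac, ip in devices.items():
        if not MAC_RE.match(mac):
            errors.append(f"{mac}: not a MAC address")
            continue
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            errors.append(f"{mac}: {ip} is outside {net}")
            continue
        if lo <= addr <= hi:
            errors.append(f"{mac}: {ip} is inside the dynamic pool {lo}-{hi}")
            continue
        if ip in used:
            errors.append(f"{mac}: {ip} already reserved for {used[ip]}")
            continue
        used[ip] = mac
        lines.append(f"dhcp-host={mac.upper()},{ip}")
    return lines, errors


if __name__ == "__main__":
    cfg, errs = build_reservations(LAN, POOL, DEVICES)
    print("\n".join(cfg))
    for e in errs:
        print("ERROR:", e)
```

The same two rules apply whichever router UI you use: keep reserved addresses out of the range the router still hands out dynamically, and never reserve one address for two devices. A reservation is about predictability (the phone is always 192.168.1.10, so its log lines are recognisable), not access control: the lease is keyed on a MAC that any client can set, so neither a reservation nor switching DHCP off stops someone who already knows the subnet from configuring an address by hand.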
 
On Wed, 23 Dec 2015 09:20:13 -0700, Tony Hwang wrote:

1. The Admin password?
2. The SSID WPA2/PSK passphrase?

PSK? How about AES?

I think you're talking about different things that have nothing
to do with each other.

AFAIK, WPA2 is the strongest "we" can generally get (being normal
homeowners and not corporations) on our routers.

For us, the PSK (pre-shared key) is the way "we" homeowners do
WPA2. It just is.

However, if we were a corporation, we could do more with WPA2
than pre-shared keys, which, I don't remember what it's called,
but it's some kind of rotating or assigned key that the IT
department of the company can manage (instead of the router).

What you seem to be talking about is the difference between
various security options, such as:
* WPA-PSK [TKIP]
* WPA-PSK [AES]
* WPA-PSK [TKIP] + WPA-PSK [AES]

All of those above are WPA2/PSK.
 
On Wed, 23 Dec 2015 12:41:36 -0500, "Paul M. Cook" <pmcook@gte.net>
wrote:

On Wed, 23 Dec 2015 09:07:46 -0800, Oren wrote:

...and run a packet sniffer that captures passwords, network traffic,
etc. into a log file.

I have run wifi-radar, kismet, and iwscanner, but the output is
horrendously cryptic.

I hear there is Wireshark, AirShark, netstumbler, & netcrumbler,
so, maybe one of those has easier to read output?

Encrypted packets will be scrambled, so it is even more secure...

"...Another way to protect your network traffic from being
sniffed is to use encryption such as Secure Sockets Layer (SSL) or
Transport Layer Security (TLS). Encryption doesn't prevent packet
sniffers from seeing source and destination information, but it does
encrypt the data packet's payload so that all the sniffer sees is
encrypted gibberish. Any attempt to modify or inject data into the
packets would likely fail since messing with the encrypted data would
cause errors that would be evident when the encrypted information was
decrypted at the other end."
 
| Are we talking about the ROUTER "admin" password?
| Or are we talking about the ESSID encryption passcode?
|
| They're different things.
| "I" was talking about the router admin password.
|

Yes. I don't know why people are making this
so complicated. There have been cases of
routers being hacked, sometimes because they're
set with default passwords that don't get
changed. Not a big issue. Just one thing to
make sure you have covered.
 

Welcome to EDABoard.com
