Review of my home broadband router logs (suspicious activity?)

Page 2 of 6  
On 12/23/2015 9:09 AM, Ed Pawlowski wrote:

[snip]

LOL!
Aw, c'mon, Ed, don't be a spoilsport. Won't you share her response to that "perfect squelch" with us?
Unquestionably Confused wrote:

Probably similar to my mother's response when she found out Dad's last bit of advice as I was leaving for boot camp - "If you dip the wick don't dribble any wax." - which I made even worse by laughing at her ...
--
Snag



wrote:

My father died when I was little** but one of the last things my mother said before I went off to college was, The girl has more to lose than the boy does by getting pregnant so it's at least half her responsibility not to get pregnant.
But a couple years later when it came up that I had had sex with girls, she sounded disapproving. Huh? So what did your advice mean? I don't remember if I reminded her of what she's said.
**And my uncle had a total of one conversation more than 2 sentences with me from the time I was 10, when we moved to his city, until 18, and that was by accident. Even less in other years.
On 12/22/2015 8:55 PM, Paul M. Cook wrote:

Have you edited your log, here? Are there other activities not shown? Do you see just these sporadic accesses?

(your) LAN (is being) access(ed) from a remote device. The first address listed in each of these lines (the one that is NOT 192.168.1.5) represents the "remote" device. The device on *your* LAN is the second address listed (192.168.1.5).

Chances are, it's a DHCP assigned IP address. If <whatever> doesn't reconnect to the router within the lease time, the IP address may get reallocated to some other device. 192.168/16 (i.e., 192.168.xxx.yyy) is a private network address -- damn near everyone here is using the same address (but *behind* a router/NATd of some sort). So, the IP addresses of all of your "computers" will be in that same general range.
Most routers will provide a (DHCP?) page that show where the current IP addresses that *it* has doled out are being used. (I suspect "Attached Devices" in your router).

This is the DHCP request *from* the F8:D0:AC:B1:D4:A3 device being satisfied by the router with the issuance/renewal of a lease (usually good for 24 hours; longer if the device renews the request) on the IP address 192.168.1.5

You want to look at the IP's in question. As 9000 is not a privileged port, it's possible any application can be using it, friend or foe:
<http://www.speedguide.net/port.php?port 00> If you feel ambitious, you can install a rule to block inbound/outbound connections to/from that port and see if <something> that you WANT suddenly stops working. Probably under "Security"?
On Wed, 23 Dec 2015 00:22:59 -0700, Don Y wrote:

That's an excerpt only but those were the only messages listed with the prefix of "[LAN access from remote]".

At the moment, there are no "attached devices" with the DHCP IP address of 192.168.1.5, and the log file doesn't say which device in the house was 192.168.1.5 on that day.
But, looking at the log file, at some point thereafter, the IP address of 192.168.1.5 was the MAC address which is the Sony Playstation.
I can't tell, from the log, what device had the DHCP given address of 192.168.1.5 on the day of the attack.
The router shows "attached devices" but it doesn't show a history.
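The lease-to-access correlation Don describes above (the remote address is listed first, the LAN device second, and a DHCP lease is normally good for 24 hours) answers exactly the question in this post: which MAC held 192.168.1.5 at the moment of each remote access. The script below is an added example, not code from the thread or from any router vendor. Its log lines are constructed for the example and their wording is an assumption about the log format; apart from 192.168.1.5 and F8:D0:AC:B1:D4:A3, every address in it is made up, and the remote addresses come from documentation ranges.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed excerpt for this example. The layout follows the thread's description
# (remote address first, LAN device second; DHCP lease lines name the MAC that got
# 192.168.1.5). The wording is an assumption, not any real router's output.
SAMPLE_LOG = """\
[DHCP IP: (192.168.1.5)] to MAC address 00:11:22:33:44:55, Monday, Dec 21,2015 08:02:10
[LAN access from remote] from 203.0.113.7:41822 to 192.168.1.5:9000, Monday, Dec 21,2015 20:41:13
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015 09:15:44
[LAN access from remote] from 203.0.113.7:41903 to 192.168.1.5:9000, Tuesday, Dec 22,2015 22:03:51
[LAN access from remote] from 198.51.100.23:50110 to 192.168.1.5:9000, Wednesday, Dec 23,2015 01:12:07
[LAN access from remote] from 198.51.100.23:50344 to 192.168.1.5:9000, Thursday, Dec 24,2015 11:30:00
"""

# Trailing "<weekday>, <Mon> <day>,<year> <hh:mm:ss>" on every line.
_TS = r"\w+, (?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
LEASE_RE = re.compile(
    r"\[DHCP IP: \((?P<ip>[\d.]+)\)\] to MAC address (?P<mac>[0-9A-Fa-f:]{17}), " + _TS)
ACCESS_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), " + _TS)


def _when(match):
    return datetime.strptime(match.group("ts"), "%b %d,%Y %H:%M:%S")


def parse_log(text):
    """Split the log into DHCP leases and remote-access events, leases in time order."""
    leases, accesses = [], []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append((_when(m), m.group("ip"), m.group("mac").upper()))
            continue
        m = ACCESS_RE.search(line)
        if m:
            accesses.append((_when(m), m.group("src"), int(m.group("sport")),
                             m.group("dst"), int(m.group("dport"))))
    leases.sort()
    return leases, accesses


def holder_at(leases, ip, when, lease_hours=24):
    """MAC that most recently leased `ip` at or before `when`, provided that lease
    is still inside the lease window; None when the log cannot say."""
    holder = None
    for ts, lease_ip, mac in leases:  # ascending, so the last match is the newest
        if lease_ip == ip and ts <= when and when - ts <= timedelta(hours=lease_hours):
            holder = mac
    return holder


def correlate(text, lease_hours=24):
    """One record per remote access, annotated with the MAC holding the LAN address."""
    leases, accesses = parse_log(text)
    return [
        {"when": ts, "remote": f"{src}:{sport}", "lan": f"{dst}:{dport}",
         "dport": dport, "holder": holder_at(leases, dst, ts, lease_hours)}
        for ts, src, sport, dst, dport in accesses
    ]


def remote_summary(text):
    """Accesses per (remote address, LAN port). Ports from 1024 up are unprivileged,
    so, as the thread notes for 9000, any application could be listening there."""
    return Counter((r["remote"].split(":")[0], r["dport"]) for r in correlate(text))


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r["when"], r["remote"], "->", r["lan"], "held by", r["holder"] or "unknown")
    for (src, port), n in remote_summary(SAMPLE_LOG).items():
        print(f"{src} reached port {port} {n} time(s)")
```

The last constructed access falls more than 24 hours after the newest lease, so it reports "unknown" rather than guessing; a longer lease time on the router is passed as `lease_hours`.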
wrote:

I thought I'd look at my log, for the first time in 8 years. The only wireless device I use is a printer.
Dec/21/2015 18:59:18     DHCP lease IP 192.168.0.106 to android-fce7fa4f93da6881            64-89-9A-6E-9C-85
Dec/21/2015 18:59:09     DHCP lease IP 192.168.0.106 to android-fce7fa4f93da6881            64-89-9A-6E-9C-85
Dec/21/2015 18:59:04     DHCP lease IP 192.168.0.106 to android-fce7fa4f93da6881            64-89-9A-6E-9C-85
Dec/20/2015 05:20:07     DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94
Dec/20/2015 05:20:06     DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94
So who is Dennis? 5 in the morning? That's my time, right? or GMT?
Dec/20/2015 05:20:05     Wireless PC connected 70-3E-AC-DE-14-94
Dec/19/2015 23:51:38     Wireless PC connected A4-EE-57-E3-09-E4
Whose is this wireless PC? I have one, but haven't used it in weeks.
Dec/19/2015 21:48:06     DHCP Request success 192.168.1.46
Dec/19/2015 21:48:06     DHCP Request            192.168.1.46
Dec/19/2015 15:16:58     DHCP lease IP 192.168.0.100 to EPSONE309E4 A4-EE-57-E3-09-E4
Dec/19/2015 10:13:04     DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94
Dec/19/2015 10:13:02     DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94
The Epson is my printer. I was probably printing the crossword puzzle. But more Dennis!
Dec/19/2015 10:13:02     Wireless PC connected 70-3E-AC-DE-14-94
Dec/19/2015 07:51:01     DHCP lease IP 192.168.0.105 to android_a1d17253796b3c9c            14-7D-C5-A7-E9-5C
I have a cell phone that runs android, but I don't think I've had it on in the house on the 19th. I haven't tried to connect to wifi with it for a year or more.
Could something like this cause interruptions in my internet, which I get sometimes? The router light for the jack I use flickers all the time, but sometimes no data gets dl'd. I have DSL.
Dec/16/2015 15:12:23     DHCP lease IP 192.168.0.103 to Tiyes-Iphone-2 20-A2-E4-E7-81-36
Dec/16/2015 08:49:25     Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 06:25:38     Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 05:27:09     Wireless PC connected A4-EE-57-E3-09-E4
Dec/16/2015 05:26:17     Wireless PC connected A4-EE-57-E3-09-E4
Dec/13/2015 20:22:09     Wireless PC connected A4-EE-57-E3-09-E4
Dec/13/2015 20:21:49     Wireless PC connected A4-EE-57-E3-09-E4
Dec/13/2015 12:27:17     DHCP lease IP 192.168.0.103 to Tiyes-Iphone-2 20-A2-E4-E7-81-36
Dec/13/2015 12:27:16     Wireless PC connected 20-A2-E4-E7-81-36
Dec/09/2015 08:06:17     DHCP lease IP 192.168.0.106 to Sharlenes-iPad 34-C0-59-19-F9-46
Hmmm..
To send myself the log it asks for SMTP Server / IP Address .
Does that mean the smtp server is enough, or do I need its IP address too, which I don't know?
Help says "SMTP Server - The address of the SMTP (Simple Mail Transfer Protocol) server that will be used to send the logs." but I haven't gotten the email I sent yet, and I should have by now.
On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

I saw the send-log command, but I just copy-and-pasted my router log into a text file on the computer.
1. While looking at the router log file from within your browser: Control-A to select all Control-C to copy
2. Then paste that into any open text file: Control-V to paste
wrote:

I tried that but it highlighted the whole page, not just the data.
So it was easier to use the cursor to choose what to highlight.
My firmware is almost 11 years old. Maybe D-Link has refined it by now.
Plus there are 20 pages of data, each requiring separate copying, so I was hoping to get all 20 pages in one email.
And that includes only System Activity, Attacks, and Notice, not Debug Information and Dropped Packets.
Later I will check those to see what shows up.

On Wed, 23 Dec 2015 11:19:48 -0500, Micky wrote:

In any browser session, you can also use "control F" and then type in what you're looking for.
Then select just that which you found.
F3 moves to the next find. Shift F3 moves backward to the previous find.
On Wed, 23 Dec 2015 11:19:48 -0500, Micky wrote:

Makes sense.
Let me know if you figure out the email because I didn't figure it out myself on mine, and my firmware is fully up to date.
wrote:

Well, I just googled and there is something called SMTP Server / IP Address
How to Find My SMTP Server IP Address http://www.ehow.com/how_5810894_smtp-server-ip-address.html Click "Start," then "Run" and type "cmd" in the box that appears.
Press enter. A command window will appear.
Type "ping," a space and then the name of your SMTP Server. For example, type "ping smtp.server.com" and press "Enter." The window will then try to contact the SMTP server by the IP address. It will say, "Pinging x.x.x.x with 32 bytes of data." The "x.x.x.x" will be the SMTP server's IP address.
So I'm debating whether I should put [ ] around the number and then it turns out, even without the [ ] there isn't enough room for the entire number!! Even though it's the standard length 3,2,3,3 = 11 plus 3 dots. So I removed the smtp value and put only the IP address, and sent it, and that didn't work either.
On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

I just logged into my Netgear WNDR3400v2 router, and went to the advanced tab of Administration > Logs
It says on top of the window what time it "thinks" it is: Current Time: Wednesday, Dec 23,2015 08:03:08
Looking at the clock, that's the local time in my time zone.
wrote:

Mine doesn't show the time anywhere, but if yours shows the current time, that's good enough for me.
I noticed that because some families have so many wireless devices, they've redesigned routers and now many are 100 to 200 dollars. That means I should be able to get a 2-year old one cheap. Actually I bought cheap at a hamfest what I thought was identical, and only noticed a year later that it was a router like mine but without the wireless part. Now is a bad time to try it because every day I may wish to print the crossword.

Micky wrote, on Wed, 23 Dec 2015 11:24:16 -0500:

You can't go wrong with almost any "ac" router nowadays. An "ac1200" router will be just fine for almost any household.
wrote:

I figured out a way to verify the time zone, and that's to watch the log for a new event, or to create a new event, like by trying to send an email (since I have all 5 kinds of events checked now).
So I did that a couple hours ago and the time that showed in the log was 7 minutes later than the current time!
I went out for a couple hours and when I tried it just now, the time the log showed was 11 minutes later than the current time.
Put that in your pipe and smoke it.

On Wed, 23 Dec 2015 18:19:36 -0500, Micky wrote:

How do you know which one was right?
This is the current time...
http://www.time.gov/
wrote:

The current time was my computer which has maybe never been wrong, but I checked it with my atomic clock, satellite clock whatever it is.
So, how was it 7 minutes later in the log than in reality? Later meaning it had not yet reached that time.
And why did that change to 11 minutes?

wrote:

I found the answer to this, where the computer boys play.
The router has its own clock, which can be wrong, like anything else.
To keep it correct, it has two possibilities. Automatic (Automatic time update with pre-defined NTP servers or enter customized NTP) Manual is the alternative, but I have Automatic checked.
I don't have anything in the customized NTP field and I have the interval for Automatic as 24 hours, the default, so that lets it get wronger and wronger for 24 hours until it gets corrected.
If the log were important, I could set the interval at as little as one hour. (it goes up to 72.) But I'll let it stay at 24. I'm glad to know how it can be wrong, when other times are a lot closer.
It's a shame I can't use this to peer into the future.

On Wed, 23 Dec 2015 10:51:25 -0500, Micky wrote:

There is what appears to be an iPhone connecting to your router.
You can look up the first half of the MAC address (the OUI) to see what kind of device it appears to be from: https://www.adminsub.net/mac-address-finder
Dennis' MAC address is the following: (70-3E-AC) (DE-14-94)
The organizationally unique part is the first half: (70-3E-AC)
That indeed is an Apple device OUI: 703EAC indeed resolves to "Apple, Inc."
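The OUI check in this post, combined with the D-Link log Micky posted earlier in the thread (the "DHCP lease IP ... to <hostname> <MAC>" and "Wireless PC connected <MAC>" lines), as an added example that is not from the thread, from D-Link or from any OUI lookup site: it parses those lines, normalises each MAC, takes the first three bytes as the OUI, and builds a per-device inventory so that anything outside a homeowner's allow-list stands out. The log excerpt is copied from the thread; the OUI table holds only the Apple prefix the post confirms (a real check would consult the IEEE registry), and the allow-list containing the Epson printer is constructed for the example.

```python
import re
from datetime import datetime

# Excerpt copied from the D-Link log posted in the thread, one entry per line.
SAMPLE_LOG = """\
Dec/21/2015 18:59:18     DHCP lease IP 192.168.0.106 to android-fce7fa4f93da6881            64-89-9A-6E-9C-85
Dec/20/2015 05:20:06     DHCP lease IP 192.168.0.102 to Dennis-Iphone-2 70-3E-AC-DE-14-94
Dec/20/2015 05:20:05     Wireless PC connected 70-3E-AC-DE-14-94
Dec/19/2015 23:51:38     Wireless PC connected A4-EE-57-E3-09-E4
Dec/19/2015 15:16:58     DHCP lease IP 192.168.0.100 to EPSONE309E4 A4-EE-57-E3-09-E4
Dec/19/2015 07:51:01     DHCP lease IP 192.168.0.105 to android_a1d17253796b3c9c            14-7D-C5-A7-E9-5C
Dec/16/2015 15:12:23     DHCP lease IP 192.168.0.103 to Tiyes-Iphone-2 20-A2-E4-E7-81-36
Dec/09/2015 08:06:17     DHCP lease IP 192.168.0.106 to Sharlenes-iPad 34-C0-59-19-F9-46
"""

# Tiny OUI table: only the prefix confirmed in the thread. A real check would use
# the IEEE OUI registry; any prefix missing here reports as "unknown vendor".
OUI_TABLE = {"703EAC": "Apple, Inc."}

# Constructed allow-list of devices the homeowner recognises (the Epson printer).
KNOWN_DEVICES = {"A4EE57E309E4": "Epson printer"}

MAC_PATTERN = r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}|[0-9A-Fa-f]{12}"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<event>.*?)\s+"
    r"(?P<mac>" + MAC_PATTERN + r")\s*$")
LEASE_RE = re.compile(r"DHCP lease IP (?P<ip>[\d.]+) to (?P<host>\S+)")


def normalize_mac(mac):
    """Canonical form: 12 upper-case hex digits, separators removed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def oui(mac):
    """The organisationally unique identifier is the first three bytes."""
    return normalize_mac(mac)[:6]


def vendor(mac):
    return OUI_TABLE.get(oui(mac), "unknown vendor")


def parse_line(line):
    """One log line -> record with timestamp, MAC, event kind, and lease details."""
    m = LINE_RE.match(line)
    if not m:
        return None
    lease = LEASE_RE.match(m.group("event"))
    return {
        "when": datetime.strptime(m.group("ts"), "%b/%d/%Y %H:%M:%S"),
        "mac": normalize_mac(m.group("mac")),
        "event": "lease" if lease else m.group("event"),
        "host": lease.group("host") if lease else None,
        "ip": lease.group("ip") if lease else None,
    }


def inventory(text):
    """Per-MAC summary: vendor from OUI, hostnames seen, first/last seen, allow-listed or not."""
    devices = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        d = devices.setdefault(rec["mac"], {
            "vendor": vendor(rec["mac"]), "hosts": set(),
            "first": rec["when"], "last": rec["when"],
            "known": rec["mac"] in KNOWN_DEVICES})
        d["first"] = min(d["first"], rec["when"])
        d["last"] = max(d["last"], rec["when"])
        if rec["host"]:
            d["hosts"].add(rec["host"])
    return devices


def unknown_devices(text):
    """MACs absent from the allow-list, most recently seen first."""
    inv = inventory(text)
    return sorted((mac for mac, d in inv.items() if not d["known"]),
                  key=lambda m: inv[m]["last"], reverse=True)


if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG)
    for mac in unknown_devices(SAMPLE_LOG):
        d = inv[mac]
        print(mac, d["vendor"], sorted(d["hosts"]), "last seen", d["last"])
```

The hostnames a device announces in its DHCP request are self-reported and can be set to anything, so the OUI, which comes from the hardware address, is the more useful of the two hints; a neighbour's phone that has your Wi-Fi password shows up exactly like the Apple device in this thread.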
wrote:

Good to know. Thanks.

So that means it's an Apple device, like an iphone.
Not that it's someone working at Apple, inc.!
    HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.