Unknown Connections on My Network

chetansha

Innovator
I am seeing unknown Person(s) / Names on my router
Nov 3 09:14:21 dnsmasq-dhcp[14448]: DHCPACK(br0) 192.168.1.63 e0:5f:45:de:c9:7d Ronaldo
Nov 3 08:52:14 dnsmasq-dhcp[14448]: DHCPACK(br0) 192.168.1.113 a4:f1:e8:e4:01:8f Aksheys-iPhone
Nov 2 20:36:47 dnsmasq-dhcp[428]: DHCPACK(br0) 192.168.1.63 e0:5f:45:de:c9:7d Sathyans-iPhone


Running a Netgear R7000 with XWRT-VORTEX (ASUSWRT-MERLIN firmware for various routers), firmware 380.62_1.

Any idea what's happening?
 
Note how the Ronaldo and Sathyan connections have the same MAC IDs. Maybe you have guest network enabled or something? And not just changing the WiFi password, probably avoid running non-standard firmware from who-knows-where you downloaded which might have known backdoors pre-installed :D
 
Having the same MAC ID but different hostnames means either someone is spoofing the MAC or has changed their hostname.

Check the authenticity of the firmware, and change the WiFi password. Also check if there could be a rogue AP on your network.
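A small detector for the pattern the replies above point out (one MAC presenting two different hostnames), written as an added example rather than code from the thread or from the router firmware. Its input is the three DHCPACK lines quoted in the opening post; the allowlist of known MACs is a constructed assumption.

```python
import re
from collections import defaultdict

# One dnsmasq-dhcp DHCPACK line: syslog timestamp, pid, interface, IP, MAC, optional hostname.
DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\((?P<iface>\w+)\) (?P<ip>[\d.]+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?$"
)

# Sample input: the DHCPACK lines quoted in the opening post.
SAMPLE_LOG = """\
Nov 3 09:14:21 dnsmasq-dhcp[14448]: DHCPACK(br0) 192.168.1.63 e0:5f:45:de:c9:7d Ronaldo
Nov 3 08:52:14 dnsmasq-dhcp[14448]: DHCPACK(br0) 192.168.1.113 a4:f1:e8:e4:01:8f Aksheys-iPhone
Nov 2 20:36:47 dnsmasq-dhcp[428]: DHCPACK(br0) 192.168.1.63 e0:5f:45:de:c9:7d Sathyans-iPhone
"""


def parse_dhcpack(text):
    """Yield one dict per DHCPACK line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            yield m.groupdict()


def find_hostname_changes(text):
    """Return {mac: [hostnames]} for every MAC that presented more than one hostname."""
    hosts_by_mac = defaultdict(set)
    for lease in parse_dhcpack(text):
        if lease["host"]:
            hosts_by_mac[lease["mac"]].add(lease["host"])
    return {mac: sorted(h) for mac, h in hosts_by_mac.items() if len(h) > 1}


def unknown_macs(text, known_macs):
    """Return the set of MACs that took a lease but are not on the caller's allowlist."""
    return {lease["mac"] for lease in parse_dhcpack(text)} - set(known_macs)


if __name__ == "__main__":
    # Constructed allowlist: only the iPhone from the second line is 'known'.
    print("hostname changes:", find_hostname_changes(SAMPLE_LOG))
    print("unknown MACs:", unknown_macs(SAMPLE_LOG, {"a4:f1:e8:e4:01:8f"}))
```

Feed it the router's syslog (the DHCPACK lines come from dnsmasq on the Merlin/XWRT build) and compare the flagged MACs against the devices you actually own.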
 
Firmware is authentic from merlin.
Have changed the user name and password for the router now. Don't see suspicious entries. Let me monitor for a few more days.
 
Change the WiFi password OR check for a rogue AP on the wired network.

DNS and DHCP entries mean that someone is on the network.
 
14 characters :astonished:

I was using a 25-character password once. Got fed up when having to give the password to friends and family when they came for get-togethers/parties. Now it's a simple mobile number :p
 
Why not hide the SSID first, and as an additional step restrict wireless access to specified MACs? Most places have a fixed number of clients, and if a guest does come over, well then add that device!
 
Google for why it's not a good idea please.

Hidden SSID or MAC restrictions?

OK, I googled, and I fail to see how this makes anything worse. Using it as a substitute for WPA2 is obviously a bad idea, but I didn't say use an open SSID and hide it and MAC filter...
 
Use WPA2-PSK with AES encryption alone and disable WPS/WEP if enabled. I would also change the password to something uncommon, as WPA2-PSK can only be hacked using a wordlist.
 
14 characters :astonished:

I was using a 25-character password once. Got fed up when having to give the password to friends and family when they came for get-togethers/parties. Now it's a simple mobile number :p

Use the "guest" option for those situations. Length is more important than complexity. For your 10-character password, add a small something at the end; it can be as simple as +vikr.
 
Looks like it's my PC that's infected. Will report back after scanning and cleaning.

Nope, even after "cleaning" my PC, and even when my PC was shut down, I could see "ronaldo" on my network. Is it possible that the trojan is in the router itself?

I have switched routers now, using the same model R7000 borrowed from a friend, and I do not see any ronaldo or such entries.
 
"Cleaned" the R7000 by going back to Netgear stock firmware and resetting it. Then flashed the latest Asus XWrt-Vortex FW. Changed the router SSID/name, and changed the login and WiFi passwords too.
No intrusions detected yet. Fingers crossed.
 