[CONTINUED IN OTHER POST] Computer on my home network tries to log into router

Hi folks. I see strange behaviour in my router log and Google doesn't seem to give any constructive results.

I administer a small LAN with the guys and girls I live with. This one guy has a computer that tries to log into the router. He says it is not something he does on purpose, and I trust him. I think his computer might be infected. BTW it's a Windows 7 machine.

The router log says:
[admin login failure] from source 192.168.1.32, Saturday, March 05,2016 01:18:21

This happens a couple of times a day, where there will be between 50 and 80+ failed login attempts happening within 2-3 seconds.

Is there any legitimate reason why a program would do this, either as a bug or a feature, or is it suspicious behaviour?

Looking forward to your thoughts - Zumps


UPDATE for anyone looking in the future.

  • So, he did a virus scan on his OS (with Avast, which he had the whole time) with all external HDDs and USB sticks attached. That didn't result in anything.
  • We made a live disc (DVD) with an Avira live image and scanned his PC, again no hits.
  • Enabled UPnP, just to see if it could have anything to do with it, even though it was unlikely.

Well, it happened again. Unlike yesterday with 88 failed attempts, this time it was 79 failed attempts preceded by:
UPnP set event:AddPortMapping 192.168.1.xx
UPnP set event:DeletePortMapping 192.168.1.xx

Both within the same second. Funny thing is this happened within 5 minutes of the time it happened yesterday.

Another thing is, ever since enabling UPnP, the router has started excessively handing the same IP to the same device, numerous times per second, effectively flooding the log... sigh

Next step is trying another live anti-virus disc and setting up Wireshark on his device.


Update II

We managed to capture his traffic with Wireshark, as we noticed it happened around the same time each night (and many other times for that matter). Let's just say we are 99% sure this is something malicious. The log is very interesting. However, neither of us is qualified to know exactly what we are looking at, or how to mend the problem.

I will probably make a new thread tomorrow and link it here.
AFK BRB


Link to the continuation of this post

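As an added illustration (not from the original thread), the burst pattern described above can be picked out of a router log automatically: consecutive "[admin login failure]" entries from one source no more than a few seconds apart are clustered, and clusters far too large for a human typing a password are reported. The log line format is the one quoted in the post; the sample log is constructed here, not a real capture.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the Netgear-style line quoted in the thread, e.g.
# "[admin login failure] from source 192.168.1.32, Saturday, March 05,2016 01:18:21"
FAIL_RE = re.compile(
    r"\[admin login failure\] from source (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"\w+, (?P<ts>\w+ \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)
TS_FMT = "%B %d,%Y %H:%M:%S"


def parse_failures(log_text):
    """Return {source_ip: [datetime, ...]} for every admin login failure line."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FMT))
    return failures


def find_bursts(log_text, min_count=20, max_gap=timedelta(seconds=3)):
    """Cluster failures per source IP: attempts no more than max_gap apart join
    one cluster. Clusters of min_count or more are far too fast for a person
    mistyping a password and are reported as automated bursts."""
    bursts = []
    for ip, times in parse_failures(log_text).items():
        times.sort()
        clusters, cur = [], [times[0]]
        for t in times[1:]:
            if t - cur[-1] <= max_gap:
                cur.append(t)
            else:
                clusters.append(cur)
                cur = [t]
        clusters.append(cur)
        for c in clusters:
            if len(c) >= min_count:
                bursts.append({"ip": ip, "start": c[0], "end": c[-1], "count": len(c)})
    return bursts


def constructed_sample_log():
    """Constructed sample: 60 failures from one host within two seconds (30 per
    second), plus two isolated typos from another host hours apart."""
    base = datetime(2016, 3, 5, 1, 18, 20)
    lines = ["[admin login failure] from source 192.168.1.32, Saturday, "
             + (base + timedelta(seconds=i // 30)).strftime(TS_FMT) for i in range(60)]
    for hour in (9, 13):
        lines.append("[admin login failure] from source 192.168.1.40, Saturday, "
                     + datetime(2016, 3, 5, hour, 0, 0).strftime(TS_FMT))
    return "\n".join(lines)


if __name__ == "__main__":
    for b in find_bursts(constructed_sample_log()):
        print(f"{b['ip']}: {b['count']} failures between {b['start']} and {b['end']}")
```

Run it against the router's exported log instead of the constructed sample; the lone failures from 192.168.1.40 are not reported, only the 60-attempt burst.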

On SSH, HTTP or HTTPS? UPnP (not SNMP)? What protocol? UPnP (not SNMP) could be some game trying to drill a hole into the firewall; SSH, HTTP/S is fishy as that most likely is a brute force attempt by some malware;

If you administer it, you could man-in-the-middle his connection and check it with Wireshark.

Thanks for the reply. I do need some more info though.

How do I check whether it's from SSH, HTTP/S or SNMP? The router log has no such information. It only shows the port number on DoS from the outside. (To clarify, we're not actually being DoS'ed, it's just from Dropbox and the like over ports 80, 443 and 445.)

Protocol, do you mean IPv4 or IPv6? I think it's IPv4 since the IP is short, right?

Regarding SNMP trying to drill a hole, I think the firewall is allowing all outgoing and blocking all incoming by default? (I am not at home right now so can't check.) Thus meaning outgoing (since it comes from a local IP) would be allowed if it needed to connect to some server?

Man in the middle, I will look into this, thanks!

Edit: It's a crappy Netgear consumer grade router. I could make a pfSense box to put in temporarily if I need better logs or something.

Ok, so if it's a crappy Netgear one... the log only shows failed attempts against the web interface, ergo someone/thing is trying to log in as admin (default user name for Netgear).

Nope - SSH, HTTP, HTTPS, SNMP, those are protocols =) And yes, your router 99.99% uses IPv4 (192.168.1.X is the default for Netgear I think).

Never said anything about DoS; brute force means that someone/thing is guessing through passwords, thus so many attempts in a row.

NAT usually does exactly that; lan->wan=OK; wan->lan=only related; But games often need an inbound connection, and thus often use UPnP (not SNMP) to open a port and forward that to the machine the game is running on;

Why not run pfSense in general?

So we're pretty sure it's something nefarious? Running a dictionary attack or something?

Got it, thanks :)

You're right. I just mentioned DoS because that's the only entry in the log that shows a port number, thinking the port number correlated to the protocol, because for instance 443 is HTTPS on UDP. But I'm stupid because that doesn't make sense, I got things mixed up. An SSH session would be able to use any port, right? And the same with HTTP/S?

I did disable UPnP, thought that's what that was for. Can this have anything to do with it? Sorry if my questions do not make much sense. Am noob.

Totally good point! Problem is the only spare machine I've got uses 90 watts at idle. I do look around and am ready to jump at a good hardware deal if it comes my way.

Well, it looks like fish, and smells like fish... I would really check your pal's PC for malware;

Any protocol could use any port; but there are the well-known ports, because how should your browser otherwise know where the HTTP server is listening. https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports

Taking into account that you have a consumer grade router, the log entry 99% means someone/thing trying to log into the web GUI -> ergo sum - nothing to do with UPnP (I am sorry, I actually meant UPnP, facepalm)

Yeah, good reason not to run that 24/7.


Edited my previous posts to correct SNMP to UPnP!

Alright, will do. Thanks a lot for your time!

I actually think another machine has also begun doing the same, as the IP doing it today has a new computer name compared to the last few times I've checked. I know what you think, check the MAC, but this shitty router only keeps logs from the last 12 hours... pfSense box appeal intensifies..

Again, thanks a lot. I will take appropriate steps and have a grown-ups talk with the guy.

Some bootable AV CD/DVD should help a lot in that case.


I'll make a thumb drive with some stand-alone anti-virus and clean-up programs. Has been on the to-do list for a while now anyway.

When you use a USB stick, you have to be careful to mount the host PC's drives read-only!
Not that the nefarious malware gets onto the stick... quite theoretical but possible;

An SD card reader with a physical write-protect switch is what I use; as fast as a USB stick but read-only when it needs protection.

Ah, great info. So what you're saying is I should make a Linux live USB to be sure I have control over the mounting process? TBH, the thing I had in mind was just putting the programs on a FAT32 stick and booting up the infected OS.

Yeah, use a Linux live system; actually most AV companies have live systems available;
When you install the AV after the infection, a) it will never get to work, b) the malware is hidden, c) it is actively fighting the detection / or removal of itself.

The best chance of finding and removing it is with a live system.


I read your other post OP. If it's something serious, always Malwarebytes Chameleon.


Just checking in; @Zumps, were you able to run Malwarebytes Chameleon on the suspected computer(s)?

Not a network expert, but software firewall / logs?

I did download it, but the guy who owns the computer in question is not home at the moment. Will report back if we are going further with this.
