I feel like we should have OP run an nmap scan on them for lels. OP, will you let me teamviewer into your box later?
Sure if I'm available.
I almost asked that. Feels odd to ask a random guy on the internet to trust a random guy from the internet though.
I trust most people on this forum. They all seem okay for the time being.
wife is being mad at me for keeping roku and "file server" offline, so am gonna just let them connect for now. All the "file server" is is a computer with all of our movies on it.
I mean maybe you should. I have only personal experience to go on. You actually have a job in the biz. WIFI hacking is just a hobby for me.
I'm not sure I have a whitelist.. so if you find something... please let me know.
I think I do, but I don't know shit bout this router. haha.
My skills are an entirely different realm than wifi penetration. I know of theories to defend against it really, but we don't even have wifi at work here so I don't actually have to apply any of that.
ADVANCED > Advanced Setup > Wireless Settings
Click the Set Up Access List button
Full instructions are pg 126 of the manual
I'll be leaving to go home here in a few, should be about a half hour. If you're still around op I'll PM you and we can try to teamviewer so I can get a closer look at this.
@Smerrills @Adubs
You should document this as best you can (screenshots/capture) and post here. This is the most exciting thread I've seen, I gotta know the outcome.
/popcorn
also don't let it be something lame...if it is, you should make up something good lol
Notice the logon times. They are always the same 4 instances every hour. This is a script, a bot, not a person.
You have Android phones.
It is persistent across SSID changes.
It is persistent over frequency bands.
It is persistent across PC reformatting attempts.
Whitelisting has no effect.
It is on your local network.
It does not activate when your phones are off.
In other words, maybe a bad Android app. Are any of them rooted? Check the WiFi usage on each phone.
I think the source IP address might be hardcoded in the app. In addition to trying to isolate which phone and which App is causing it, I would suggest disabling DHCP and assigning addresses manually. Make sure you know how to do this before disabling DHCP.
After that does not work, then change your router's LAN IP to another subnet. So like 192.168.100.1 /24. Changing subnets constantly with DHCP off will forcibly remove every device from your network, both wired and wireless, until you manually add them back in.
Then you can check your traffic usage for any suspicious use and also your router for suspicious login attempts once per hour (the script repeats 4 times every hour). That should forcefully isolate the device causing the problems.
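One way to check the "same 4 instances every hour" claim against the router log instead of eyeballing it. This is an added example, not code from the thread; the log lines are constructed in the style of a consumer router's log, and the 15-minute cadence, the tolerance and the addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample (not a real capture): 192.168.0.176 fails the admin login
# on a fixed 15-minute cadence, while 192.168.0.20 tries a few times at
# irregular moments, the way a person at a keyboard would.
SAMPLE_LOG = """\
[admin login failure] from source 192.168.0.176, Tuesday, Mar 01,2016 01:00:07
[admin login failure] from source 192.168.0.176, Tuesday, Mar 01,2016 01:15:07
[admin login failure] from source 192.168.0.20, Tuesday, Mar 01,2016 01:22:05
[admin login failure] from source 192.168.0.176, Tuesday, Mar 01,2016 01:30:07
[admin login failure] from source 192.168.0.176, Tuesday, Mar 01,2016 01:45:07
[admin login failure] from source 192.168.0.176, Tuesday, Mar 01,2016 02:00:07
[admin login failure] from source 192.168.0.20, Tuesday, Mar 01,2016 02:03:41
[admin login failure] from source 192.168.0.176, Tuesday, Mar 01,2016 02:15:07
[admin login failure] from source 192.168.0.176, Tuesday, Mar 01,2016 02:30:07
[admin login failure] from source 192.168.0.20, Tuesday, Mar 01,2016 02:38:19
[admin login failure] from source 192.168.0.176, Tuesday, Mar 01,2016 02:45:07
"""

# Assumed line layout: "[admin login failure] from source <ip>, <weekday>, <Mon DD,YYYY HH:MM:SS>"
LINE_RE = re.compile(r"\[admin login failure\] from source (?P<ip>[\d.]+), \w+, (?P<ts>\w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})")

def parse_failures(log_text):
    """Group admin login failures by source address: {ip: [datetime, ...]}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_ip[m["ip"]].append(datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S"))
    return by_ip

def classify(times, tolerance_s=5):
    """Return ('scripted' | 'irregular', attempts per hour) for one source.
    Scripted = same count in every hour seen and near-constant gaps."""
    times = sorted(times)
    per_hour = defaultdict(int)
    for t in times:
        per_hour[t.replace(minute=0, second=0)] += 1
    if len(times) < 3:
        return "irregular", max(per_hour.values(), default=0)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    regular = len(set(per_hour.values())) == 1 and pstdev(gaps) <= tolerance_s
    return ("scripted" if regular else "irregular"), max(per_hour.values())

def summarize(log_text):
    """Map every source seen failing the admin login to its classification."""
    return {ip: classify(ts) for ip, ts in parse_failures(log_text).items()}
```

A source that comes back as "scripted" with a fixed hourly count is the one to isolate when re-adding devices one by one after the addressing change.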
The phone idea is great, but the IP is still sitting on the network, with the phones physically off. I took the batteries out.
It's on the network now, but isn't doing anything. No traffic to it. I shut off the router twice while waiting. It's just sitting there.
He did say he just recently did this but we have no idea if it's persistent because they were re-infected after doing so or because they have another device infected OP hasn't considered. I don't think we should jump to this conclusion just yet.
Whitelisting is generally easy to get around but OP isn't sure he has a whitelist on this router currently.
He did show the device in a screenshot with all other devices disconnected that he claims is not his.
I'm not saying you're entirely wrong to think what you're thinking but OP needs to do all of the things suggested simultaneously for it to be effective because doing any one of them individually isn't enough.
I really feel like an nmap scan might divulge more information here about what kind of device it is. If it is indeed one of his phones or another computer it could be easy to track down what...or we might come up with nothing at all.
A RADIUS setup would be ideal in this situation but could be a pain in the ass for OP to set up if he never has before.
So there are several things here.
- Unauthorized/unidentified device
- Suspicious log in attempts
- Massive bandwidth usage
These are not all the same problems. Pick ONE problem to solve at a time. So to confirm, are #2 and 3 not occurring with the phones off? Try changing networks and disabling DHCP and seeing if the unknown device follows. I am assuming your wife will yell at you because her phone will stop working once you do that so be sure you know how to enter in addresses manually first.
@Adubs Thanks for pointing out the stuff I missed, esp the lack of an attempt to whitelist.
You don't have any wireless range extenders do you?
But I guess that doesn't explain the random login attempts.
If the attacker has persistence disabling dhcp isn't going to get him anywhere really. I did almost suggest that myself as well.
There was no lack of attempt. I'm not sure I whitelisted right.
#2 and #3 stopped BEFORE the phones went off.
This happened with my old router too. It literally followed me.
The IP address is STILL on my network, but now it doesn't look like it's doing jack squat. Logging in remotely from my phone at work and looking at the logs, I don't see any more login attempts. Still seeing stuff from what the router is calling a DoS attack from several sources, but they're few and far between.
The point of disabling DHCP is to prepare a network addressing change and to make sure the OP knows how to enter addresses in manually. Changing the addressing scheme should be able to kick the unauthorized user off the LAN for good, or at least let the OP know when the "attacker" is back on by allowing the OP to add devices back into the network 1 by 1 starting from a clean slate.
o.o...
If the bot's login attempts and data usage have stopped with the phones still on the WiFi, and with the phones off the WiFi still have the suspicious device, then it is probably not the phones that are responsible for anything unless the data usage and login attempts are intermittent. Are they?
#2 and #3 seem fixed-ish maybe? So just #1 now. So... please update after changing the addressing scheme and adding all the phones back.
@Peanut253 Not sure I understand what you're saying, but I'll try my best here.
The login attempts seemed to stop whenever I logged into the router before. Which is why I suspected someone actively trying to get into my router/network or whatever. It didn't seem like a script to me. If you look back through those logs, the admin login failure seemed to stop when I logged in, and simply waited till I logged off to start again.
Now looking at the logs, nothing is happening. There's just an IP sitting on the 5GHz band all by itself doing nothing on 192.168.0.176. It's still not any of my devices. I've checked the IPs on all my devices. Every phone, every tablet, every console, every PC. Simply does not match at all.
So you're thinking changing my IP scheme should stop them? So, simply changing it to something like 10.10.0.1 or something like that?
Edit: Sorry, but this seems so damned simple that I am having a hard time believing this will work. I mean, I will do it. But seems too simple.
Can you get a hostname when you ping -a the suspicious address?