Please see image.

Does anyone have any idea of what's going on?

They come and go as attached devices in my attached devices list.

I also attached my router's log for you all to see. http://pastie.org/8997306

Rory Alsop
JerryA
    Congratulations! You are part of a Chinese botnet. :D (Kidding, that's probably not true.) – asteri Apr 06 '14 at 15:04

2 Answers

Looking at the OUI, it appears you have 3 Apple MACs connected, 1 Netgear MAC, and 3 unknown MACs.

The Apple and Netgear MACs may be spoofed; please compare them against your own devices. Then, if you can, compare their traffic against the legitimate device's traffic to see if those MACs are being spoofed.

The unknown MACs are almost certainly spoofed. Note that I don't see 120.91 in the log snippet at all, which is interesting.

  BC-3B-AF   (hex)      Apple
  BC3BAF     (base 16)      Apple
                1 Infinite Loop
                Cupertino CA 95014
                UNITED STATES


  30-F7-C5   (hex)      Apple
  30F7C5     (base 16)      Apple
                1 Infinite Loop
                Cupertino CA 95014
                UNITED STATES


  C4-3D-C7   (hex)      NETGEAR
  C43DC7     (base 16)      NETGEAR
                350 EAST PLUMERIA DRIVE
                SAN JOSE CALIFORNIA 95134
                UNITED STATES

Sorry!

The public MA-L listing contains no match for the query 63-20-3D 
Please back up to the search page and try again.

Sorry!

The public MA-L listing contains no match for the query 20-62-3C 
Please back up to the search page and try again.

Sorry!

The public MA-L listing contains no match for the query 42-40-3A 
Please back up to the search page and try again.

If you're concerned (I would be, but I'm overly concerned about security), I would:

  • Tell everyone the Internet will be down for a while.
  • Make note of all your custom settings
    • Not passwords or SSIDs; those are all going to change.
    • Yes, SSIDs - those are the salt for WPA/WPA2, and precomputed tables can be made using those salts, as Pyrit does.
  • Download the newest firmware for your router
  • Factory reset your router (probably a tiny button you have to hit with a pin)
  • Update the firmware on your router
  • Factory reset your router again (probably excessive, but you don't lose anything but 90 seconds of your time)
  • DISABLE WPS to prevent Reaver attacks.
    • If you can't disable WPS, buy a new router that can, or use a non-router access point like a Ubiquiti.
  • Set a new SSID, something unique.
    • Add some randomness if you can handle it - the purpose is to get out of the range of SSIDs an attacker may have precomputed tables of.
  • Verify your wifi is set to WPA2-AES
  • Set a new Wifi password, something 100% random and at least 20 characters long.
    • You can use something like "openssl rand 20 -base64" and add in some more symbols; especially symbols NOT above numbers.
    • Personally, I recommend putting it into all your devices now, and then destroying any other records. When you add a new device, make a new password and reset everything; this is a primitive password change schedule.
  • Disable access to the router's web interface from the WAN.
  • Disable access to the router's web interface from Wifi - you can afford to plug in a cable when you need to get into the router's interface.
  • Set a new admin password, just like the wifi password.
  • Watch your logs and device list for a while.
  • Run Rescue CDs or other antimalware products on all your devices, just in case.
Anti-weakpasswords
  • Wow, Ok I'll try these things. Thank you. – JerryA Apr 06 '14 at 13:21
  • I would also take note of all MACs that will connect to the router, and reject any device that doesn't match. This can certainly be spoofed, but attacker needs to know the MAC first. – code ninja Apr 06 '14 at 15:35
  • Thanks, I've done most of the steps. It is not clear how to disable the web interface from WAN and wireless on the wnr2000v2. I'm looking into Ubiquiti products. – JerryA Apr 06 '14 at 17:47
  • So far my main pc is the only one connected and the cryptic devices have not showed up. I'll add one at a time and watch. – JerryA Apr 06 '14 at 17:53
  • @matejkramny MAC filtering is more or less pointless - see [this answer to Are MAC Address Filtering and SSID Hiding still worthwhile?](http://security.stackexchange.com/a/15188/39623) – Anti-weakpasswords Apr 06 '14 at 19:18
  • @JerryA I'm glad the answer was useful. There are other good access points out there; Ubiquiti happens to be the ones I use, and they're fairly low cost for what they provide. For your wife's iPhone, definitely update it and run at least two antimalware apps; if you can manage to get her to agree to a factory reset as well, that would be even better. – Anti-weakpasswords Apr 06 '14 at 19:43
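An added example, not code from the answer above, of the key derivation behind the "SSID is the salt" point: WPA/WPA2-Personal runs PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so the same passphrase yields a different PMK on every differently named network, and a table precomputed for a common SSID does not carry over to a unique one. The passphrase generator mirrors the answer's openssl one-liner with extra symbols mixed in; the SSIDs used in the demo are made up.

```python
import hashlib
import secrets
import string

# WPA/WPA2-Personal (IEEE 802.11i) derives the 256-bit PMK from the passphrase
# with PBKDF2-HMAC-SHA1, 4096 iterations, using the SSID as the salt.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for a passphrase on a network with the given SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN,
    )

def ssid_changes_pmk(passphrase: str, common_ssid: str, unique_ssid: str) -> bool:
    """True when the same passphrase yields different PMKs under the two SSIDs,
    i.e. a table precomputed for common_ssid is useless against unique_ssid."""
    return wpa2_pmk(passphrase, common_ssid) != wpa2_pmk(passphrase, unique_ssid)

# Symbols that are not on the number row, per the answer's advice.
EXTRA_SYMBOLS = "[]{}<>?;:,./~"
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + EXTRA_SYMBOLS

def random_passphrase(length: int = 20) -> str:
    """Random WPA2 passphrase, the equivalent of the answer's openssl one-liner
    with extra symbols mixed in (20 characters is the answer's minimum)."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))

if __name__ == "__main__":
    # IEEE 802.11i published test vector: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    # Made-up SSIDs: a common default name versus a unique one.
    print(ssid_changes_pmk("correct horse battery", "linksys", "pine-marten-7f3a9c"))
    print(random_passphrase())
```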
These are not real devices. Your network device has some sort of memory fault and is displaying memory as "addresses". You can see that the device names contain sections of some JavaScript-like code. The IP and MAC addresses, when ASCII-decoded, show similar data:

120.91.105.43 = 'x[i+'
32.97.44.32 = ' a, '
34.99.101.110 = '"cen'

63:20:3d:20:69:69 = 'c = ii'
20:62:3c:74:64:20 = ' b<td '
42:43:3a:33:42:3a = 'BC:3B:'

Not coincidentally, the "BC:3B:" in the last address is the same as the beginning of your first MAC address listed, which @Anti-weakpasswords notes belongs to an Apple device.

I would recommend rebooting your device, and checking for any available firmware updates from NETGEAR.

bonsaiviking
  • This may be true, couldn't it be caused by an exploit? – JerryA Sep 09 '14 at 20:40
  • @JerryA Not very likely. It would be a messy exploit that would mess things up like that. Did it go away when you rebooted the router? – bonsaiviking Sep 10 '14 at 03:15
  • No I thought the problem was resolved, but the same issue occurred again the other day. Haven't tested the cause because I'm getting new hardware soon. – JerryA Sep 11 '14 at 17:26
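As an added example (not part of the answer above), the byte-wise ASCII decoding the answer applies to the listed IP and MAC addresses, run over a small constructed device list: the three entries from the question plus one made-up legitimate Apple device for contrast. Entries whose IP and MAC both decode to printable text are flagged as likely leaked memory rather than real hosts.

```python
import string
from typing import List, Optional, Tuple

# Printable ASCII (letters, digits, punctuation, space and common whitespace).
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}

def ip_to_bytes(ip: str) -> bytes:
    """Dotted-quad IPv4 string to its four raw bytes."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError(f"not a dotted quad: {ip!r}")
    return bytes(parts)

def mac_to_bytes(mac: str) -> bytes:
    """Colon- or hyphen-separated MAC string to its six raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)

def as_text(raw: bytes) -> Optional[str]:
    """The bytes as ASCII if every byte is printable text, else None."""
    text = raw.decode("ascii", errors="replace")
    return text if all(ch in PRINTABLE for ch in text) else None

def suspicious_entries(devices: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Entries whose IP and MAC both decode to printable text, i.e. look like
    leaked memory rather than a real device. A real address can by chance be
    printable too, so treat a hit as a prompt to investigate, not proof."""
    hits = []
    for ip, mac in devices:
        ip_text, mac_text = as_text(ip_to_bytes(ip)), as_text(mac_to_bytes(mac))
        if ip_text is not None and mac_text is not None:
            hits.append((ip, mac, ip_text + mac_text))
    return hits

# Constructed sample list: the three entries the answer decodes, plus one
# made-up legitimate Apple device (OUI BC-3B-AF from the first answer).
DEVICE_LIST = [
    ("120.91.105.43", "63:20:3d:20:69:69"),
    ("32.97.44.32", "20:62:3c:74:64:20"),
    ("34.99.101.110", "42:43:3a:33:42:3a"),
    ("192.168.1.23", "bc:3b:af:12:34:56"),  # constructed, not from the page
]

if __name__ == "__main__":
    for ip, mac, text in suspicious_entries(DEVICE_LIST):
        print(f"{ip:<15} {mac}  -> {text!r}")
```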