Router being accessed by PC Independently of me
#1
Posted 20 September 2010 - 07:59 PM
I have checked the PC on MBAM forum and it's clean, no infections at all. And no one there seems to be able to explain this.
Here is an example.
Mon, 2010-09-20 23:14:30 - Administrator login failure - IP:192.168.0.2
Mon, 2010-09-20 23:39:30 - Administrator login failure - IP:192.168.0.2
Tue, 2010-09-21 00:04:30 - Administrator login failure - IP:192.168.0.2
Tue, 2010-09-21 00:29:30 - Administrator login failure - IP:192.168.0.2
Tue, 2010-09-21 00:53:27 - Administrator login failure - IP:192.168.0.2 < that last one was me, the others are not.
Not sure if this is the right part of the forum for this, but can anyone help?
#2
Posted 21 September 2010 - 02:53 PM
Does anyone besides yourself have access to your computer?
The IP you showed above is that of your computer, the one the router has assigned to it.
So that means your computer was the one that attempted this login.
Being that the proper Administrator password was not used, the login attempt failed.
If your computer is only being used by you and there is no one else using this computer or has had access to it, there is a chance there is a hidden back door Trojan running on your computer.
Before I get you alarmed here I still need to know if you are this computer's only user, or if others also have access to it.
Bruce.
Thank you for understanding my absence, it is job and college related, so all is good. If I do not answer your PMs this is the reason why. See you all soon!
Bruce.
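An added example (not part of the original posts): a small Python parser for the router log format quoted in post #1, which separates login failures that arrive at a fixed interval, as something automated on the PC would produce, from irregular ones such as a manual attempt. The tolerance and minimum run length are assumed values, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines as posted in #1, including the poster's trailing remark on the last one.
SAMPLE_LOG = """\
Mon, 2010-09-20 23:14:30 - Administrator login failure - IP:192.168.0.2
Mon, 2010-09-20 23:39:30 - Administrator login failure - IP:192.168.0.2
Tue, 2010-09-21 00:04:30 - Administrator login failure - IP:192.168.0.2
Tue, 2010-09-21 00:29:30 - Administrator login failure - IP:192.168.0.2
Tue, 2010-09-21 00:53:27 - Administrator login failure - IP:192.168.0.2 < that last one was me
"""
LINE_RE = re.compile(
    r"^\w{3}, (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"Administrator login failure - IP:(\d{1,3}(?:\.\d{1,3}){3})")

def parse_failures(text):
    """Return {source_ip: sorted list of datetimes} for login-failure lines."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            by_ip[m.group(2)].append(
                datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return {ip: sorted(ts) for ip, ts in by_ip.items()}

def split_periodic(times, tolerance_s=2, min_run=3):
    """Split sorted timestamps into (periodic, irregular) lists.

    An event is periodic if it sits in a run of >= min_run events whose
    gaps all match the run's first gap within tolerance_s seconds.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    periodic, start = set(), 0  # start = index of first gap in current run
    for i in range(1, len(gaps) + 1):
        if i == len(gaps) or abs(gaps[i] - gaps[start]) > tolerance_s:
            if i - start + 1 >= min_run:  # gaps[start:i] span events start..i
                periodic.update(range(start, i + 1))
            start = i
    return ([t for k, t in enumerate(times) if k in periodic],
            [t for k, t in enumerate(times) if k not in periodic])

def report(text):
    """Return {ip: (period_seconds or None, periodic_count, irregular_times)}."""
    out = {}
    for ip, times in parse_failures(text).items():
        periodic, irregular = split_periodic(times)
        period = (periodic[1] - periodic[0]).total_seconds() if periodic else None
        out[ip] = (period, len(periodic), irregular)
    return out

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the posted log this reports a 1500-second (25-minute) period for the first four failures and leaves only the 00:53:27 entry as irregular.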
#3
Posted 21 September 2010 - 06:48 PM
http://forums.malwarebytes.org/index.php?s...mp;#entry310610 This is a thread from MBAM forum where it was confirmed my PC was clean.
I took a netstat log a week or so ago.
This is the netstat /b log
Microsoft Windows [Version 6.0.6002]
Copyright © 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>netstat /b
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:49160 myname-pc:49161 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49161 myname-pc:49160 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49162 myname-pc:49163 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49163 myname-pc:49162 ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51587 02:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51695 02:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51699 lhr14s02-in-f104:http TIME_WAIT
TCP 192.168.0.2:51700 lhr14s02-in-f104:http TIME_WAIT
TCP 192.168.0.2:51703 surfcanyon:http TIME_WAIT
TCP 192.168.0.2:51736 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51741 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51742 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51744 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51745 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51746 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51751 www:http TIME_WAIT
TCP 192.168.0.2:51752 www:http TIME_WAIT
TCP 192.168.0.2:51753 www:http TIME_WAIT
TCP 192.168.0.2:51754 www:http TIME_WAIT
TCP 192.168.0.2:51755 www:http TIME_WAIT
TCP 192.168.0.2:51756 www:http TIME_WAIT
TCP 192.168.0.2:51758 www:http TIME_WAIT
C:\Windows\system32>
And this is one I took today if it's of any help.
Microsoft Windows [Version 6.0.6002]
Copyright © 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>netstat /b
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:49161 myname:49162 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49162 myname:49161 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49163 myname:49164 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49164 myname:49163 ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49285 81.23.243.153:http CLOSE_WAIT
[jusched.exe]
TCP 192.168.0.2:49821 02:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49905 02:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49963 login-10-04-snc4:https ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49964 www-12-02-ash2:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49965 www-12-02-ash2:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49966 80.15.233.41:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49967 channel6-02-07-snc1:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49968 5adfd858:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49969 5adfd858:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49970 5adfd858:http ESTABLISHED
[firefox.exe]
C:\Windows\system32>
Thank you for your help.
This post has been edited by nizzy: 21 September 2010 - 07:29 PM
#4
Posted 22 September 2010 - 12:54 PM
Thanks in advance.
Bruce.
#5
Posted 22 September 2010 - 01:01 PM
Try using Emsisoft Anti-Malware. One time it detected a trojan that was missed by Malwarebytes. Do a full scan and wait until it finishes.
CompTIA A+ certified
#6
Posted 22 September 2010 - 01:38 PM
Thank you for the link RainbowSix but I will hold off scanning with that for now (I scanned with SAS/MBAM/Esetonline and Combofix, plus Spybot which only found false positives due to my use of hostman, and that was the only thing found). I use sandboxie 95% of the time (the only time I don't is when I need to update things like FF).
This post has been edited by nizzy: 22 September 2010 - 01:54 PM
#7
Posted 22 September 2010 - 03:38 PM
Wireless routers.
http://kb.netgear.com/app/products/list/p3/164
Wired routers.
http://kb.netgear.com/app/products/list/p3/163/eol/1
The model number DG934 does not come up as a valid NetGear product.
It is my belief that your router is a sky NetGear DG934G wireless router, is this correct?
Bruce.
#9
Posted 22 September 2010 - 09:03 PM
nizzy, on Sep 22 2010, 08:07 PM, said:
Thank you for your quick reply.
Let me put some support pages up here for the sake of convenience.
http://www.skyuser.co.uk/tag/dg934g
Not sure if you have wireless or not.
http://www.skyuser.co.uk/forum/view-wireless.html
Also a warning that these routers have been cracked for their user names and passwords.
http://www.skyuser.co.uk/skyinfo/783.html
I cannot seem to find a user's manual online for this router.
Bruce.
#10
Posted 23 September 2010 - 05:13 AM
#11
Posted 25 September 2010 - 01:08 PM
#12
Posted 26 September 2010 - 12:05 AM
nizzy, on Sep 25 2010, 02:08 PM, said:
I am glad you solved your problem.
I read the posts to which you linked us and I see where the problem was related to having no script set.
I hope your post here helps other users of SKY NetGear equipment, when they run into the same problem.
Bruce.
