
Router being accessed by PC



#1 nizzy

nizzy

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:09:58 PM

Posted 20 September 2010 - 07:59 PM

For the past few weeks my logs in the router have shown an attempted login by the PC for no reason every 25 minutes to the second.
I have checked the PC on MBAM forum and it's clean, no infections at all. And no one there seems to be able to explain this.
Here is an example.

Mon, 2010-09-20 23:14:30 - Administrator login failure - IP:192.168.0.2
Mon, 2010-09-20 23:39:30 - Administrator login failure - IP:192.168.0.2
Tue, 2010-09-21 00:04:30 - Administrator login failure - IP:192.168.0.2
Tue, 2010-09-21 00:29:30 - Administrator login failure - IP:192.168.0.2
Tue, 2010-09-21 00:53:27 - Administrator login failure - IP:192.168.0.2 < that last one was me, the others are not.

Not sure if this is the right part of the forum for this, but can anyone help?



#2 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:05:58 PM

Posted 21 September 2010 - 02:53 PM

First question I have to ask you is do you have a short-cut linked to the router's login page saved on your computer?

Does anyone besides yourself have access to your computer?

The IP you showed above is that of your computer, the one the router has assigned to it.

So that means your computer was the one that attempted this login.

Being that the proper Administrator password was not used, the login attempt failed.

If your computer is only being used by you and there is no one else using this computer or has had access to it, there is a chance there is a hidden back door Trojan running on your computer.

Before I get you alarmed here I still need to know if you are this computer's only user, or if others also have access to it.

Bruce.
Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:

#3 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:09:58 PM

Posted 21 September 2010 - 06:48 PM

Hi, Yes I am the only one on the PC and no one has access to it. There is no shortcut to it on my PC either.
http://forums.malwarebytes.org/index.php?s...mp;#entry310610 This is a thread from MBAM forum where it was confirmed my PC was clean.
I took a netstat log a week or so ago.


This is the netstat /b log

Microsoft Windows [Version 6.0.6002]
Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netstat /b

Active Connections

Proto Local Address Foreign Address State
TCP 127.0.0.1:49160 myname-pc:49161 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49161 myname-pc:49160 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49162 myname-pc:49163 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49163 myname-pc:49162 ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51587 02:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51695 02:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51699 lhr14s02-in-f104:http TIME_WAIT
TCP 192.168.0.2:51700 lhr14s02-in-f104:http TIME_WAIT
TCP 192.168.0.2:51703 surfcanyon:http TIME_WAIT
TCP 192.168.0.2:51736 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51741 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51742 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51744 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51745 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51746 jupiter:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:51751 www:http TIME_WAIT
TCP 192.168.0.2:51752 www:http TIME_WAIT
TCP 192.168.0.2:51753 www:http TIME_WAIT
TCP 192.168.0.2:51754 www:http TIME_WAIT
TCP 192.168.0.2:51755 www:http TIME_WAIT
TCP 192.168.0.2:51756 www:http TIME_WAIT
TCP 192.168.0.2:51758 www:http TIME_WAIT

C:\Windows\system32>

And this is one I took today if it's of any help.

Microsoft Windows [Version 6.0.6002]
Copyright © 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netstat /b

Active Connections

Proto Local Address Foreign Address State
TCP 127.0.0.1:49161 myname:49162 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49162 myname:49161 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49163 myname:49164 ESTABLISHED
[firefox.exe]
TCP 127.0.0.1:49164 myname:49163 ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49285 81.23.243.153:http CLOSE_WAIT
[jusched.exe]
TCP 192.168.0.2:49821 02:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49905 02:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49963 login-10-04-snc4:https ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49964 www-12-02-ash2:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49965 www-12-02-ash2:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49966 80.15.233.41:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49967 channel6-02-07-snc1:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49968 5adfd858:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49969 5adfd858:http ESTABLISHED
[firefox.exe]
TCP 192.168.0.2:49970 5adfd858:http ESTABLISHED
[firefox.exe]

C:\Windows\system32>

Thank you for your help.

Edited by nizzy, 21 September 2010 - 07:29 PM.


#4 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:05:58 PM

Posted 22 September 2010 - 12:54 PM

Can you please post your router's full make and model number?

Thanks in advance.

Bruce.

#5 RainbowSix

RainbowSix

  • Members
  • 604 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:58 PM

Posted 22 September 2010 - 01:01 PM

It looks to me like there is some kind of trojan or spyware trying to brute-force its way into the router, but not so often that it alerts anyone.
Try using Emsisoft Anti-Malware. One time it detected a trojan that was missed by Malwarebytes. Do a full scan and wait until it finishes.
[ Antec 1200 v3 | Gigabyte GA-890FXA-UD5 rev. 3.1 | AMD Phenom II x6 1090T (overclocked to 4GHz) | Corsair XMS3 4x4GB DDR3 1600 | COOLER MASTER Silent Pro 600W & Visiontek Juice Box 450W | SAMSUNG 470 Series 64GB SSD | WD Caviar Black 640GB & Samsung Spinpoint 2TB HDD | 2x XFX Radeon HD 5770 in Crossfire | SAMSUNG 22X DVD±RW | Microsoft Windows 7 Professional 64-bit]

CompTIA A+ certified
Stringfellow Electronics

#6 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:09:58 PM

Posted 22 September 2010 - 01:38 PM

It's a black Netgear DG934
Thank you for the link RainbowSix but I will hold off scanning with that for now (I scanned with SAS/MBAM/Esetonline and Combofix, plus Spybot which only found false positives due to my use of hostman, and that was the only thing found). I use sandboxie 95% of the time (the only time I don't is when I need to update things like FF).

Edited by nizzy, 22 September 2010 - 01:54 PM.


#7 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:05:58 PM

Posted 22 September 2010 - 03:38 PM

Most NetGear routers start with the H, M, R or W prefix.

Wireless routers.

http://kb.netgear.com/app/products/list/p3/164

Wired routers.

http://kb.netgear.com/app/products/list/p3/163/eol/1

The model number DG934 does not come up as a valid NetGear product.

It is my belief that your router is a sky NetGear DG934G wireless router, is this correct?

Bruce.

#8 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:09:58 PM

Posted 22 September 2010 - 07:07 PM

I believe that is right, sorry about that.

#9 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:05:58 PM

Posted 22 September 2010 - 09:03 PM

I believe that is right, sorry about that.

Thank you for your quick reply.

Let me put some support pages up here for the sake of convenience.

http://www.skyuser.co.uk/tag/dg934g

Not sure if you have wireless or not.

http://www.skyuser.co.uk/forum/view-wireless.html

Also a warning that these routers have been cracked for their user names and passwords.

http://www.skyuser.co.uk/skyinfo/783.html

I can not seem to find a user's manual online for this router.


Bruce.

#10 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:09:58 PM

Posted 23 September 2010 - 05:13 AM

Thank you, but I have already asked on that forum and they are at a loss to explain what is happening also.

#11 nizzy

nizzy
  • Topic Starter

  • Members
  • 93 posts
  • OFFLINE
  •  
  • Local time:09:58 PM

Posted 25 September 2010 - 01:08 PM

It seems the culprit is NoScript http://www.skyuser.co.uk/forum/sky-broadba...outer-logs.html . :thumbsup:

#12 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:05:58 PM

Posted 26 September 2010 - 12:05 AM

It seems the culprit is NoScript http://www.skyuser.co.uk/forum/sky-broadba...outer-logs.html . :thumbsup:

I am glad you solved your problem.

I read the posts to which you linked us to and I see where the problem was related to having no script set.

I hope your post here helps other users of SKY NetGear equipment, when they run into the same problem.

Bruce.



