
Something sharing WiFi with an IP "0.0.0.0"; An intruder or...?



#1 Itchy01


Posted 15 August 2016 - 12:02 AM

Hi all

I’m in a quandary and need some expert help.

We’re in Brisbane, Australia. This query is about whether an unknown device that connected to our WiFi hotspot is (1) a genuine intruder who’s discovered our password or (2) some virtual device of ours to do with, say, Win 10 updates.

My family has a Netgear, BigPond Wi-Fi 4G Advanced II AirCard 790S hotspot. A day or so ago, an unknown device was shown on the online manager page. Being alone, and knowing no other devices were on, I panicked and, without noting the device details, just got off the internet. Later, when I’d thought more about it and got back on to see if it re-joined and snare its details, it didn't re-appear.

Today (15/8/2016), it reappeared - my wife was also online this time. I checked with her what devices she knew were on and the suspect one seemed definitely an "extra". So, this time, I logged in to the WiFi manager, got the “stranger’s” details and blocked it.

Devices connected to our hotspot are shown, I gather, by their “device name” which in my case is the name I gave my laptop when setting it up. My wife’s devices seem to have default names which I imagine devices take if you don’t give them a custom name. In the connected devices panel, the “stranger’s” showed as a 12-digit MAC identifier (i.e., paired numbers and/or letters separated by hyphens).

The online WiFi manager page, if you log into it, will also show connected devices’ IP identifiers. In the “stranger’s” case, it was “IP: 0.0.0.0”. I looked up the MAC identifier on a site called "Arul's Utilities" and it told me the manufacturer (Western Digital, 1599 North Broadway, Rochester Mn 55906, United States) which doesn't mean anything to me.

I next googled "IP: 0.0.0.0" and I have to admit not really understanding a damn thing I read. “Hosts” and "all IPv4 addresses on the local machine" just left my head swimming. (Yes, I’m an old person and I’m just not computer-literate to that extent). But, it put a suspicion in my mind that I might have blocked something that's part of our home network to do with Win 10 updating. And if so, what? But, I’m inclined to doubt this scenario since after the “stranger” was blocked, Security Update for Windows 10 Version 1511 for x64-based Systems (KB3172729) successfully downloaded.

Anyhow, my gratitude for any patient and kind soul who can throw any light on the situation.

Yours

Itchy01




 


#2 technonymous


Posted 15 August 2016 - 02:54 AM

What you're seeing is a normal process. It's part of DHCP (Dynamic Host Configuration Protocol).

The connecting client sends out a DHCP discover packet over the network with mask 255.255.255.255 and IP 0.0.0.0.

A running DHCP server on the network will see the DHCP discover packet and the DHCP server will send a return offer packet. The client sends out a request packet. The server responds with an acknowledgment packet.

 

That's the basic process of how a client requests an IP address from the DHCP server, in this case your router.

 

However, if you suspect a hacker, check the router logs and access control lists (if available) and record the MAC address. Verify that with your machines on the network. If your router doesn't have good software to check all that, you can use Advanced IP Scanner. Just google it. If it is a hacker, it's likely the WiFi that is compromised because the router might have a WPS flaw and someone is actively cracking it and stole the WPA keys. Another thing it could be: if you're running VM software, they too can request IPs. It really depends on what you got connected to the network: Internet-ready TVs, cell phones, VoIP etc. Some may say unknown in the router. It really boils down to checking the network devices' MAC addresses.
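
Added example, not part of technonymous's post: a sketch of the check described above, parsing a DHCP discover payload to show the client address of 0.0.0.0 and the requesting MAC, then matching that MAC against a list of devices you own. The packet is constructed sample input, and the MAC, hostname and inventory entry are hypothetical values.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def build_discover(mac: bytes, hostname: str) -> bytes:
    """Constructed DHCPDISCOVER payload (sample input, not a real capture)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,   # op..flags
                        bytes(4), bytes(4), bytes(4), bytes(4),  # all 0.0.0.0
                        mac, b"", b"")
    name = hostname.encode()
    options = b"\x35\x01\x01" + bytes([12, len(name)]) + name + b"\xff"
    return fixed + MAGIC_COOKIE + options

def parse_dhcp(payload: bytes) -> dict:
    """Extract client IP, MAC, message type and hostname from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    hlen = min(payload[2], 16)
    info = {"ciaddr": socket.inet_ntoa(payload[12:16]),
            "mac": payload[28:28 + hlen].hex(":"),
            "type": None, "hostname": None}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        code, length = payload[i], payload[i + 1]
        if code == 0:                                   # pad option, one byte
            i += 1
            continue
        value = payload[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:              # DHCP message type
            info["type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 12:                                # client hostname
            info["hostname"] = value.decode(errors="replace")
        i += 2 + length
    return info

def classify(info: dict, inventory: dict) -> str:
    """Match the requesting MAC against a list of devices you own."""
    owner = inventory.get(info["mac"])
    return f"known: {owner}" if owner else "unknown: check device labels"

if __name__ == "__main__":
    # Hypothetical household inventory; the MAC is a constructed value.
    inventory = {"02:00:5e:10:20:30": "media player on the TV"}
    info = parse_dhcp(build_discover(bytes.fromhex("02005e102030"), "mediabox"))
    print(info, "->", classify(info, inventory))
```
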



#3 Itchy01


Posted 15 August 2016 - 07:26 AM

Hi technonymous

 

Thanks for responding. I don't want to seem ungrateful but I'm afraid a lot of what you've said is a bit over my head. I really am low in IT knowledge and terminology - even what must seem basic to many. Sorry. :( .  But I can read a bit on DHCP and match it with what you've said.

 

The AC790s manager screen (once you've logged in) shows the IP addresses as well as device names. For the devices we know are on the network, the IP addresses are the usual four groups of numerals separated by full-stops. Only the "stranger" had an IP address of 0.0.0.0.

 

Not sure where to find router logs and access control lists but I gather they'd be in one of the Programs folders. What is "VM software"? That might be something to follow up. Also I'll look at Advanced IP Scanner.

 

Again my thanks,

 

Itchy01



#4 technonymous


Posted 15 August 2016 - 11:39 PM

I wouldn't worry too much about it. You just saw at that instant that one of your devices was connecting with IP 0.0.0.0 and asking the AC790s for a new lease IP address. I am not familiar with the AC790s and DHCP lease times. On some routers that setting cannot be changed and it's only 24hrs. Some can be changed 24hrs to 7 days. Some can be set indefinite. If your AC790s has a short lease period then you will probably encounter this 0.0.0.0 often. VM (Virtual Machine) software: like VMware, you can run a virtual operating system on top of your operating system.



#5 Itchy01


Posted 17 August 2016 - 11:34 PM

Thanks technonymous

 

The AC790S is a small mobile "hotspot" (? "router" - my knowledge of terminology is low as said) about the dimensions of a playing card and the thickness of a finger. (Link to its manual = http://www.telstra.com.au/content/dam/tcom/personal/support/pdf/broadband/4g-advanced-ac790s-guide.pdf).

 

I read a bit on Virtual Machine software - no, none of us is running anything like that as far as I know. But now for a painful admission - my wife put me onto a little device sitting on the TV set. Could it be that? she asked. Today, late in the piece, I checked it out. The device is a WD TV Live Streaming Media Player. On the back is a details sheet - with the MAC number listed on it. The same number as the "intruder". (See also your first post).

 

One BIG red face. I do apologize for wasting your time here. It's a learning curve. :blush:

 

Thanks

 

Itchy01 (Perhaps more "a gumby")


Edited by Itchy01, 18 August 2016 - 12:43 AM.


#6 Condobloke


Posted 17 August 2016 - 11:42 PM

No red faces here Itchy....and no apologies necessary....I have been following this topic, and will add that little gem to my store of knowledge......thanks to technonymous !  :thumbup2:


Condobloke ...Outback Australian  

 

fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

 

Microsoft gives you Windows, Linux gives you the whole house...

 

 

 

 

 


#7 Itchy01


Posted 18 August 2016 - 12:49 AM

Thanks Condobloke!

 

You make me feel better! Although some embarrassment lingers as I noted I signed off "ausgumbie", my nickname from a different forum. I've edited that to avoid confusion by other readers. And, yes indeed, thanks also to technonymous - it really does boil down to checking what network devices you have and their MAC addresses.

 

Cheers

:)

Itchy01





