
Possible network security issue


25 replies to this topic

#1 Tacomind

Posted 07 July 2018 - 01:29 AM

I'm not entirely sure which forum to post to, but I checked my router logs (I usually do, to make sure everything is secure) and lately I've been seeing some suspicious logs. I've tried finding help to solve the issue and I've run out of options, and I've never heard back from my ISP, so I was wondering if I can get a solution here. Again, I'm not sure if BleepingComputer deals with these sorts of issues, but I've heard a lot of good things about this site and I'm practically out of options. I have the logs copied, but I didn't want to post any of that info until I hear back.



#2 midimusicman79


Posted 07 July 2018 - 08:10 PM

Hi, Tacomind, and welcome to BC!

Sorry for the late reply, but anyway:

Suspicious incoming connections showing up in the router logs are normally nothing to worry about, as long as your router's network firewall is blocking them by default.

Blocking them is actually one of the router firewall's most important tasks. It does this silently in the background, without informing you visually at the time; instead, it logs its activity in log files for you to read afterward.

Normally, such connections should stop after a while, too.

However, instead of posting any router logs, please read this article on How to see who is connected to your wi-fi network:

https://www.howtogeek.com/204057/how-to-see-who%E2%80%99s-connected-to-your-wi-fi-network/

Good luck! :)

Regards,
midimusicman79

Edited by midimusicman79, 08 July 2018 - 07:42 PM.

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#3 Tacomind


Posted 09 July 2018 - 12:56 AM

I've looked into it. I'm still slightly unsettled. Just to give you an idea without actually posting the logs: I'm seeing stuff I've never seen before, such as "priv tcp packet" with source IP and destination IP, "unpriv tcp packet dropped", "unpriv udp packet", and "request for ICMP packets". I couldn't find much on the source IPs, but the destination is the external IP. I usually check the logs regularly, for as long as I've had internet (years), because I want to understand better, and in all those years this is the first time I've seen this. It's been going on for a couple of months.

#4 midimusicman79


Posted 09 July 2018 - 06:31 AM

Hi again, Tacomind!

That sounds more like normal, namely that someone is performing network scanning and port scanning against your router. There is more information available about it here:

https://www.extrahop.com/company/blog/2016/how-to-recognize-malicious-network-scanning-port-scanning/

However, you may now post the router logs for my review, and I will try to interpret them and subsequently refer you to further professional assistance if need be.

Regards,
midimusicman79



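The log entries Tacomind describes and the port scanning midimusicman79 refers to can be checked with a few lines of code rather than by eye. The following is an added example, not code from the thread or from any router vendor: it parses a constructed, simplified firewall log and flags a source address that probes many distinct destination ports within a short window, which is the classic port-scan signature. The "priv"/"unpriv" wording is assumed to mean a destination port below or at/above 1024; the line format and every address in it are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified router-firewall log format (not a real
# vendor's format). "priv"/"unpriv" is assumed to mean the destination port is
# below / at-or-above 1024; src and dst are ip:port, or a bare ip for ICMP.
SAMPLE_LOG = """\
2018-07-08 02:14:01 unpriv tcp packet dropped src=203.0.113.7:44123 dst=198.51.100.20:8080
2018-07-08 02:14:01 priv tcp packet dropped src=203.0.113.7:44124 dst=198.51.100.20:22
2018-07-08 02:14:02 priv tcp packet dropped src=203.0.113.7:44125 dst=198.51.100.20:23
2018-07-08 02:14:02 priv tcp packet dropped src=203.0.113.7:44126 dst=198.51.100.20:80
2018-07-08 02:14:03 priv tcp packet dropped src=203.0.113.7:44127 dst=198.51.100.20:443
2018-07-08 02:14:03 unpriv tcp packet dropped src=203.0.113.7:44128 dst=198.51.100.20:3389
2018-07-08 02:14:04 unpriv tcp packet dropped src=203.0.113.7:44129 dst=198.51.100.20:8443
2018-07-08 02:20:10 unpriv udp packet dropped src=192.0.2.55:5353 dst=198.51.100.20:5060
2018-07-08 02:31:45 request for icmp packet dropped src=198.18.0.9 dst=198.51.100.20
2018-07-08 03:05:00 unpriv tcp packet dropped src=192.0.2.55:51000 dst=198.51.100.20:1900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.+?) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def _split_endpoint(endpoint):
    """'ip:port' -> (ip, port); a bare 'ip' (ICMP) -> (ip, None)."""
    if ":" in endpoint:
        ip, port = endpoint.rsplit(":", 1)
        return ip, int(port)
    return endpoint, None


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg").lower()
    proto = "icmp" if "icmp" in msg else "udp" if "udp" in msg else "tcp"
    src_ip, src_port = _split_endpoint(m.group("src"))
    dst_ip, dst_port = _split_endpoint(m.group("dst"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "proto": proto, "msg": msg,
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def summarize(text):
    """Per-source counts: protocol mix, and privileged (<1024) vs unprivileged destination ports."""
    summary = defaultdict(lambda: {"tcp": 0, "udp": 0, "icmp": 0,
                                   "privileged_dst": 0, "unprivileged_dst": 0})
    for e in parse_log(text):
        s = summary[e["src_ip"]]
        s[e["proto"]] += 1
        if e["dst_port"] is not None:
            s["privileged_dst" if e["dst_port"] < 1024 else "unprivileged_dst"] += 1
    return dict(summary)


def detect_scans(text, window=timedelta(seconds=60), min_ports=5):
    """Flag a source that hits >= min_ports distinct (proto, port) pairs within `window`.

    One dropped packet is background noise; many ports from one source in
    seconds is a port scan. Sliding window over each source's events."""
    by_src = defaultdict(list)
    for e in parse_log(text):
        by_src[e["src_ip"]].append(e)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            ports = set()
            for e in events[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["dst_port"] is not None:
                    ports.add((e["proto"], e["dst_port"]))
            if len(ports) >= min_ports:
                findings.append({"src": src, "kind": "port_scan",
                                 "distinct_ports": len(ports),
                                 "first_seen": start["ts"].isoformat(sep=" ")})
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG).items():
        print(src, counts)
    for f in detect_scans(SAMPLE_LOG):
        print("SCAN:", f)
```

On the sample, 203.0.113.7 is flagged (seven ports in four seconds) while the single UDP probe and the ICMP echo request are not. Two caveats: the source address of a dropped UDP or ICMP packet can be spoofed, so it is a weak indicator on its own, and a dropped packet is by definition one the firewall did not let through; what matters is that no port forwards or remote-administration features are exposed for the scanner to find.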
#5 Tacomind


Posted 09 July 2018 - 07:19 AM

So it's OK to post? Or should I email them to you?

#6 midimusicman79


Posted 09 July 2018 - 08:24 AM

Hi again, Tacomind!

Yes, it is OK to post them, but do not email them, as the latter is not allowed according to the Forum Rules.

BTW, did you find any unknown devices on your network?

Regards,
midimusicman79



#7 Tacomind


Posted 09 July 2018 - 08:44 AM

I saw one MAC address once that seemed odd, because at the time we had only 2 devices connected, and in the section in the router settings I saw 3 MAC addresses: our devices and 1 extra MAC address. But I'm still working to better understand this, so I didn't want to jump to conclusions before I found out for sure what was going on.

#8 midimusicman79


Posted 09 July 2018 - 09:20 AM

Hi again, Tacomind!

Would you like to expand on what was going on?

MAC addresses are unique to each and every device on your network.

If you have 1 extra MAC address on your network, you should try looking at your devices' labels and comparing the MAC addresses listed by Wireless Network Watcher by NirSoft with the MAC addresses on your devices, and see whether they match or not.

Please note that all the devices connected to your network share the same first three number sections of the router's IP address, but not the fourth, so only if these are vastly different from each other may you have an intruder on your network.

And what about the router logs?

Regards,
midimusicman79

Edited by midimusicman79, 10 July 2018 - 01:34 AM.


#9 Tacomind


Posted 09 July 2018 - 10:17 AM

The extra address was just a bunch of Fs. I don't recall how many, kind of like ffffff. That was the only time I saw it.

Attached Files



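midimusicman79's advice in post #8 (compare the MAC addresses the router lists with the labels on the devices, and check that every listed IP sits in the router's subnet) and the all-F address from post #9, as an added example that is not part of the thread: the script normalizes MAC addresses whatever separator style the label or the router uses, checks each one against an allowlist typed in from the labels, recognizes ff:ff:ff:ff:ff:ff as the Ethernet broadcast address (a group address that never belongs to a device of its own), and reads the locally-administered bit that marks randomized Wi-Fi MACs, which are a common reason an "unknown" entry belongs to a phone you already own. The subnet check assumes a /24 network, which is what "same first three number sections" amounts to; a router configured with a different prefix length needs a different value. The table, device names and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample of what a router's attached-devices / ARP list might
# show, as "ip mac name" with "?" when the router has no name. Not a real
# vendor's format.
SAMPLE_TABLE = """\
192.168.1.1    3c:84:6a:11:22:33   router
192.168.1.20   A4-5E-60-AA-BB-CC   laptop
192.168.1.21   f0:18:98:dd:ee:ff   phone
192.168.1.255  ff:ff:ff:ff:ff:ff   ?
192.168.1.42   3e:91:2a:00:11:22   ?
192.168.2.9    00:1a:2b:3c:4d:5e   ?
"""

# Constructed allowlist, as read off the device labels (any separator style).
KNOWN_DEVICES = {
    "router": "3C:84:6A:11:22:33",
    "laptop": "a4:5e:60:aa:bb:cc",
    "phone": "F0-18-98-DD-EE-FF",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonical lowercase colon form; ValueError for anything that is not 48 bits of hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(mac):
    """broadcast / multicast / locally_administered / universal, from the first octet's I/G and U/L bits."""
    mac = normalize_mac(mac)
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    first = int(mac[:2], 16)
    if first & 0x01:
        return "multicast"           # I/G bit: a group address, not a station
    if first & 0x02:
        return "locally_administered"  # U/L bit: randomized Wi-Fi MACs, VMs
    return "universal"               # vendor-assigned (OUI) address


def audit(table_text, known_devices, router_ip, prefix_len=24):
    """Compare each listed MAC with the allowlist and check the IP is inside the router's subnet."""
    known = {normalize_mac(m): name for name, m in known_devices.items()}
    subnet = ipaddress.ip_network(f"{router_ip}/{prefix_len}", strict=False)
    rows = []
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, mac = parts[0], normalize_mac(parts[1])
        mac_type = classify_mac(mac)
        if mac_type in ("broadcast", "multicast"):
            status = "not_a_host"     # group addresses are never a device
        elif mac in known:
            status = "known"
        else:
            status = "unknown"
        rows.append({
            "ip": ip, "mac": mac, "mac_type": mac_type, "status": status,
            "name": known.get(mac, parts[2] if len(parts) > 2 else "?"),
            "on_subnet": ipaddress.ip_address(ip) in subnet,
        })
    return rows


if __name__ == "__main__":
    for r in audit(SAMPLE_TABLE, KNOWN_DEVICES, "192.168.1.1"):
        flag = "" if r["status"] in ("known", "not_a_host") else "  <-- investigate"
        print(f'{r["ip"]:<15} {r["mac"]} {r["mac_type"]:<20} {r["status"]:<10} {r["name"]}{flag}')
```

On the sample, the broadcast row is dismissed, 192.168.1.42 is flagged as unknown with a locally-administered (likely randomized) address, and 192.168.2.9 is flagged both as unknown and as outside the /24. An unknown entry with a universal address is the one worth chasing: it has a real vendor prefix you can look up, and it is not explained by a phone's MAC randomization.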
#10 midimusicman79


Posted 09 July 2018 - 11:21 AM

Hi again, Tacomind!

The IP address 184.189.93.33 seems to be located in Louisiana, USA.

Are you using a VPN?

Regards,
midimusicman79


#11 Tacomind


Posted 09 July 2018 - 05:07 PM

I am not.

#12 midimusicman79


Posted 10 July 2018 - 01:44 AM

Hi again, Tacomind!

I would like to apologize for that wrong assertion, as you did mention that the destination IP address is external to your router.

And with that said, you are now good to go! :)

Regards,
midimusicman79


#13 Tacomind


Posted 10 July 2018 - 03:14 AM

No apology necessary, I appreciate your time, thank you!!! So that's it?

#14 midimusicman79


Posted 10 July 2018 - 03:24 AM

Hi again, Tacomind!

Yes, that is it.

You are welcome! :)

Regards,
midimusicman79


#15 Tacomind


Posted 10 July 2018 - 03:49 AM

So if the network is secure, why did these logs continue to show up? It started a few months ago and has not stopped. Even some of the downloads of programs don't seem legit; the image icons look like knock-offs of the actual programs' images. For example, I just reformatted my PC, secure-erased the hard drive and installed the OS. I downloaded Chrome, Malwarebytes and a few other programs, and I noticed that for every download, when I would right-click and go to Properties, every one said something along the lines of "this download is blocked because it came from another computer" (I don't remember the exact words, but that's the gist of it), and it would have a check box next to the statement; next to the check box it said "Unblock". I never messed with the check box. The program image icons didn't look legit for just about every download. All programs, such as Chrome, Malwarebytes etc., came straight from the site, no 3rd-party software. This started happening around the time the logs started. I'm just wondering if the legitimate downloads are being tampered with before they reach me, if that's even possible.

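The Properties notice Tacomind describes is the Windows "Mark of the Web": when a browser saves a file, Windows attaches an NTFS alternate data stream named Zone.Identifier to it, and Explorer shows the "came from another computer" text with an Unblock box when that stream's ZoneId is 3 (the Internet zone). Every downloaded file gets it, so the mark itself says nothing about tampering. The check a practitioner would do instead is to compare the file's SHA-256 with the value the vendor publishes and confirm the recorded download host is the vendor's. The following added example, not part of the thread, does both; the stream content, file bytes, hash and host names are constructed, and the stream can only actually be read on an NTFS volume under Windows.

```python
import hashlib
from urllib.parse import urlparse

# Constructed content of a Zone.Identifier stream as Windows writes it for a
# file saved by a browser. ZoneId 3 is the "Internet" zone, which is what
# produces the "came from another computer" notice and the Unblock box.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://www.example.com/downloads/\r\n"
    "HostUrl=https://dl.example.com/installer.exe\r\n"
)

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text):
    """Parse the INI-style [ZoneTransfer] section into a dict (ZoneId as int)."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def read_zone_identifier(path):
    """Read the NTFS alternate data stream; None if absent (or not NTFS/Windows)."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def check_download(data, expected_sha256, zone_text=None, expected_host=None):
    """Verify the bytes against the vendor-published SHA-256 and, if a
    Zone.Identifier stream is given, report which zone and host Windows recorded."""
    actual = hashlib.sha256(data).hexdigest()
    result = {"sha256": actual, "hash_ok": actual.lower() == expected_sha256.lower(),
              "zone": None, "host": None, "host_ok": None}
    if zone_text:
        motw = parse_zone_identifier(zone_text)
        result["zone"] = ZONE_NAMES.get(motw.get("ZoneId"), motw.get("ZoneId"))
        host = urlparse(motw.get("HostUrl", "")).hostname  # already lowercased
        result["host"] = host
        if expected_host is not None:
            result["host_ok"] = host == expected_host.lower()
    return result


def check_file(path, expected_sha256, expected_host=None):
    """Same check against a file on disk, reading its stream if one exists."""
    with open(path, "rb") as f:
        data = f.read()
    return check_download(data, expected_sha256, read_zone_identifier(path), expected_host)


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:
        # usage: <script> <file> <expected sha256> [expected download host]
        print(check_file(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None))
    else:
        # Offline demo on constructed bytes and the constructed stream above.
        print(check_download(
            b"hello", "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
            SAMPLE_ZONE_IDENTIFIER, "dl.example.com"))
```

A hash mismatch, or a HostUrl that is not the vendor's download host, is the evidence of a substituted file; a wrong-looking icon is not. For signed installers the stronger check on Windows is PowerShell's Get-AuthenticodeSignature, which validates the publisher's certificate chain rather than a hash obtained out of band.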


