
Hack Attempt? Stealth Mode & unrecognized attached device on router

2732 Views 8 Replies Latest reply: Apr 12, 2012 3:42 PM by fane_j
jameso1111 Level 1 (0 points)
Apr 11, 2012 2:56 AM

Hi Everyone.

I am connecting to the internet via a shared Netgear router of my landlord, who lives next door. I am on an MBP and running 10.6.3.

I was actually able to sign into the router and see a list of attached devices. I was also able to see the router stats. On this list of devices, I was able to look up and verify the MAC address of my computer and my landlord's computer, which I cross-referenced by using arp -a and http://www.coffer.com/mac_find/.

When I ran arp -a, I noticed this IP address: 192.168.1.6. So, I looked up the MAC address, which was NOT confirmed. I got an error that the MAC address associated with this IP is not valid when using http://www.coffer.com/mac_find/. Because of this I am thinking this is a "spoofed" MAC address, used to connect to the router.

A few days ago, I received an error on my computer: 192.168.1.X - this IP is associated with my landlord's computer.

So, tonight I also opened Console and I have received "stealth mode connection attempt to UDP 192.168.X.X: 161 (my ip)  from 192.168.1.6:65168" - and the list goes on for DAYS. The X is to hide my IP. Hope you can still help.

So, the first thing is - good news, my firewall is working and any connection is not being made. Is this correct?

I'm wondering if this is the scenario:

MacBook Pro, Mac OS X (10.6.8), hack, arp -a, stealth mode
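The poster's "MAC address not valid" result from the vendor lookup is worth automating, because one common reason a lookup fails is that the address has the locally administered (U/L) bit set, which means it was never burned in by a vendor at all. The script below is an added example written for this thread, not code from any poster: it parses the shape of macOS `arp -a` output, normalises the MACs (macOS drops leading zeros in each octet), reads the U/L and multicast bits from the first octet, and flags entries that are either not on your own list of known devices or cannot be vendor-assigned. The ARP table and the list of known IPs are constructed sample data, not real hosts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample in the shape of macOS `arp -a` output. Addresses are made up.
SAMPLE_ARP = """\
? (192.168.1.1) at 0:1e:2a:3b:4c:5d on en1 ifscope [ethernet]
? (192.168.1.2) at 3c:7:54:aa:bb:cc on en1 ifscope [ethernet]
? (192.168.1.6) at 2:11:22:33:44:55 on en1 ifscope [ethernet]
? (192.168.1.9) at (incomplete) on en1 ifscope [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\))"
)


@dataclass
class ArpEntry:
    ip: str
    mac: Optional[str]          # normalised "aa:bb:cc:dd:ee:ff", None if incomplete
    oui: Optional[str]          # first three octets, the part a vendor lookup keys on
    locally_administered: bool  # U/L bit (0x02 of first octet): not a vendor-burned address
    multicast: bool             # I/G bit (0x01 of first octet): never a real host address


def normalise_mac(raw: str) -> str:
    """Pad each octet to two hex digits and lower-case it ("0:1e" -> "00:1e")."""
    return ":".join(f"{int(octet, 16):02x}" for octet in raw.split(":"))


def parse_arp(text: str) -> List[ArpEntry]:
    """Turn `arp -a` text into ArpEntry records; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        if m.group("mac") == "(incomplete)":
            # The kernel asked for this IP but never got a reply: no MAC to judge.
            entries.append(ArpEntry(m.group("ip"), None, None, False, False))
            continue
        mac = normalise_mac(m.group("mac"))
        first_octet = int(mac[:2], 16)
        entries.append(ArpEntry(
            ip=m.group("ip"),
            mac=mac,
            oui=mac[:8],
            locally_administered=bool(first_octet & 0x02),
            multicast=bool(first_octet & 0x01),
        ))
    return entries


def unexpected_hosts(entries: List[ArpEntry], known_ips: Set[str]) -> List[Tuple[str, Optional[str], List[str]]]:
    """Entries worth a closer look: IPs you cannot account for, or MACs that cannot
    be vendor-assigned. Neither proves intrusion; both justify asking the router's
    owner which device it is."""
    flagged = []
    for e in entries:
        reasons = []
        if e.ip not in known_ips:
            reasons.append("not in your list of known devices")
        if e.locally_administered:
            reasons.append("locally administered MAC (no vendor OUI to look up)")
        if e.multicast:
            reasons.append("multicast bit set (not a host address)")
        if reasons:
            flagged.append((e.ip, e.mac, reasons))
    return flagged


if __name__ == "__main__":
    # Constructed: the two devices the poster could verify.
    known = {"192.168.1.1", "192.168.1.2"}
    for ip, mac, reasons in unexpected_hosts(parse_arp(SAMPLE_ARP), known):
        print(f"{ip:15} {mac or '(incomplete)':18} {'; '.join(reasons)}")
```

To use it on a real table, pipe `arp -a` into the script instead of `SAMPLE_ARP`. A set U/L bit only tells you the address is not a factory one; virtual machines and MAC-randomising clients set it too, and a deliberately spoofed MAC can just as easily copy a real vendor prefix, so an address that passes the vendor lookup is not evidence of a legitimate device either.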
  • R C-R Level 6 (13,835 points)

    The IP address range 192.168.0.0 through 192.168.255.255 is one of three private address spaces reserved for local networks. These IP addresses cannot be reached from outside the local network so if there are any attempts to access your computer they must be coming from someone connecting to your landlord's router from inside its network, not from the Internet.

    The "another device on the network is trying to use your computer's ip address" message is likely because the router is not using DHCP to assign private IP addresses dynamically, or a device on the local network is set up to use a static IP address, so that the IP address already in use by your Mac is also being used by another device when it tries to make a network connection.

    Make sure your Mac is set to DHCP in System Preferences > Network to avoid this IP address conflict & talk to your landlord about how the router is set up.

  • fane_j Level 4 (3,655 points)

    jameso1111 wrote:

    Someone has gained access to the router and they are trying to access my computer but the firewall is stopping it. The password is WEP and not WPA so I understand this can be a problem. The hacker has accessed the router with ip 192.168.1.6 and has a spoofed mac address. I read that port 161, which is what Console says they are trying to connect to, is a port hackers like. The sender PID is Firewall 61 on Console.

    That's a definite possibility.

    The whole setup seems very insecure to me. There should be a password to access the router; w/less clients should not be allowed to administer the router; and, of course, breaking WEP is easy and requires next to no expertise (and so does spoofing the MAC address).

    Stealth connection attempts reported by the Mac OS X firewall do not, in and of themselves, indicate the LAN was penetrated; but port 161 is suspicious, because I don't see a good reason for another machine on the LAN to connect to yours on that port.

    Based on your description (and assuming 192.168.1.6 is not someone who connects with the landlord's permission), I'd say that the LAN has been penetrated, but not your computer. It's difficult to say what the intruder might have done. Getting through WEP is easy, almost anyone can do it, but the rest is not that simple. The likeliest scenario is that it's someone who's simply stealing bandwidth.

    You need to talk to the landlord, explain the problem, and change without delay the encryption protocol to WPA2 on all devices, with new passwords. Until then, act as if you were connected to a public WiFi hotspot (eg, public library, airport). Not much else you can do if you're not in charge of the router.

  • fane_j Level 4 (3,655 points)

    jameso1111 wrote:

    I understand that there are private address spaces

    Private IP address means that these addresses are used only on the LAN and not exposed to the Internet. (Because the router does NAT.) So there's no need to hide it by writing "192.168.X.X"—this address identifies your machine only on your LAN, and nowhere else.

    if someone has access to the router, then can they use these private numbers to gain access, internally, within the network, in order to connect to my computer?

    There are two different things. First, gaining access to the LAN. All one needs for that is to break WEP, which is very easy. Once WEP is broken, the intruder connects to the router. If the router is set to do DHCP, it will automatically assign one of these private IP addresses, and thenceforwards the intruder is treated like a legitimate node on the network.

    Second, gaining access to your computer. This is much more difficult to do, the difficulty depending on your configuration. If your firewall is on, the difficulty is great; if you haven't opened any of the sharing services, it's even more difficult.

    Apr 12 03:11:14 This-Computer Firewall[66]: Stealth Mode connection attempt to UDP 192.168.X.X:64090 (my ip) from 192.168.X.X:53

    That's DNS traffic. If 192.168.X.X:53 is your router (eg, 192.168.1.1:53), then it's normal. If it's not the router, then it may be suspect.

    running netstat I'm getting connections to ports ranging from 49198 - 49210 from foreign address a23-15-29-88.dep.https

    That's not a complete address, so it's not possible to tell what it is. By the name of the host, I'd say it's probably from Akamai, which would be perfectly legitimate, but that's a wild guess. Can't tell without the full address.

    You can use lsof -i or Sloth to see what process uses what socket. But dealing with the router mess, as I said in my previous message, is more urgent.
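fane_j's triage rule in the two replies above (a UDP packet from the router's port 53 to a high port on your Mac is ordinary DNS; anything aimed at port 161 from a host you cannot account for is not) is simple enough to apply mechanically to the Console output the poster described as going on "for DAYS". The script below is an added example for this thread, not code from any poster or from Apple: it parses the `Firewall[…]: Stealth Mode connection attempt` line format quoted in the thread (tolerating the poster's "(my ip)" annotation), labels each event against a list of hosts you know, and collapses repeats into per-source counts. The log lines, the router address and the list of known hosts are all constructed sample data. The port-to-service names (161 SNMP, 22 SSH, 5900 VNC/Screen Sharing, 548 AFP, 445 SMB) are standard assignments, not something the thread states.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the format of the Snow Leopard Firewall log lines quoted
# in the thread. Hosts: 192.168.1.1 router, 192.168.1.2 landlord, 192.168.1.5
# this Mac; 192.168.1.3 and 192.168.1.6 are not accounted for.
SAMPLE_LOG = """\
Apr 12 03:11:14 This-Computer Firewall[66]: Stealth Mode connection attempt to UDP 192.168.1.5:64090 from 192.168.1.1:53
Apr 12 03:11:15 This-Computer Firewall[66]: Stealth Mode connection attempt to UDP 192.168.1.5: 161 (my ip) from 192.168.1.6:65168
Apr 12 03:11:18 This-Computer Firewall[66]: Stealth Mode connection attempt to UDP 192.168.1.5:161 from 192.168.1.6:65169
Apr 12 03:12:02 This-Computer Firewall[66]: Stealth Mode connection attempt to TCP 192.168.1.5:22 from 192.168.1.3:50122
Apr 12 03:12:40 This-Computer Firewall[66]: Stealth Mode connection attempt to UDP 192.168.1.5:5353 from 192.168.1.2:5353
"""

ROUTER = "192.168.1.1"                                   # constructed
KNOWN_HOSTS = {"192.168.1.1", "192.168.1.2", "192.168.1.5"}  # constructed

# Destination ports that, on a home LAN, nobody but the owner should be touching.
WATCHED_SERVICES = {161: "SNMP", 22: "SSH", 5900: "VNC/Screen Sharing", 548: "AFP", 445: "SMB"}

STEALTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?Firewall\[\d+\]: "
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):\s*(?P<dport>\d+)(?:\s*\(my ip\))? "   # "(my ip)" is the poster's annotation
    r"from (?P<src>[\d.]+):(?P<sport>\d+)",
    re.IGNORECASE,
)


@dataclass
class StealthEvent:
    ts: str
    proto: str
    dst: str
    dport: int
    src: str
    sport: int


def parse_firewall_log(text: str) -> List[StealthEvent]:
    """Extract Stealth Mode events; unrelated Console lines are ignored."""
    events = []
    for line in text.splitlines():
        m = STEALTH_LINE.match(line)
        if m:
            events.append(StealthEvent(m["ts"], m["proto"].upper(), m["dst"],
                                       int(m["dport"]), m["src"], int(m["sport"])))
    return events


def classify(ev: StealthEvent, router_ip: str, known_hosts: Set[str]) -> str:
    """Apply the rule of thumb from the thread: router:53 -> ephemeral port is DNS and
    expected; otherwise note unknown sources and probes of sensitive services."""
    if ev.src == router_ip and ev.proto == "UDP" and ev.sport == 53 and ev.dport >= 1024:
        return "expected: DNS reply from router"
    reasons = []
    if ev.src not in known_hosts:
        reasons.append("unknown source")
    if ev.dport in WATCHED_SERVICES:
        reasons.append(f"probe of {WATCHED_SERVICES[ev.dport]} ({ev.proto} {ev.dport})")
    return "; ".join(reasons) if reasons else "known host, unremarkable"


def summarise(events: List[StealthEvent]) -> Dict[Tuple[str, str, int], int]:
    """Collapse a days-long log into counts per (source, protocol, destination port)."""
    return dict(Counter((ev.src, ev.proto, ev.dport) for ev in events))


if __name__ == "__main__":
    events = parse_firewall_log(SAMPLE_LOG)
    for ev in events:
        print(f"{ev.ts}  {ev.src}:{ev.sport} -> {ev.proto} {ev.dport}  {classify(ev, ROUTER, KNOWN_HOSTS)}")
    print()
    for (src, proto, dport), n in sorted(summarise(events).items(), key=lambda kv: -kv[1]):
        print(f"{n:5d}  {src} -> {proto} {dport}")
```

The summary is the part that scales: a few thousand lines of the same source hitting the same port become one row, which is also the form in which to show the landlord what is happening on the router. The classification only narrows down what to look at; as fane_j says, a logged stealth-mode attempt means the firewall dropped the packet, so a high count is evidence of scanning, not of access.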

  • fane_j Level 4 (3,655 points)

    Btw, if you're using Little Snitch, you can also use it to monitor local traffic (set it in preferences).
