TechSpot

Wireless hacker - part 2

By Kimsan
Apr 27, 2012
  1. Wrote last week about problems with someone hacking my wireless router. Quick recap is that I have done everything to block access....including WPA2 and very long, random computer generated SSID and passwords (30 character/60 character respectively)...and still getting the messages from Comcast that stuff was downloaded illegally. So, I shut off the radio. Today, I looked at the router admin log and with the wireless turned off noticed log entries showing someone accessing the internet. I entered several of the sites (common sites) into the "block entries" file for the router but below is an example I copied just a few minutes ago:

    [site blocked: /minitri.flg] from source 192.168.1.93, Friday, April 27,2012 18:03:22
    [site blocked: gadgets.live.com] from source 192.168.1.93, Friday, April 27,2012 18:02:52
    [site blocked: websearch.ask.com] from source 192.168.1.93, Friday, April 27,2012 18:02:22
    [site blocked: asktoolbar.weather.com] from source 192.168.1.93, Friday, April 27,2012 18:01:56
    [site blocked: money.service.msn.com] from source 192.168.1.93, Friday, April 27,2012 18:01:05
    [site blocked: /minitri.flg] from source 192.168.1.93, Friday, April 27,2012 17:58:22
    [Log Cleared] Friday, April 27,2012 17:57:36

    Can anyone explain what is going on? I would think that with the radio off there should be no activity showing up on the router log. Thanks for any insight.
     
  2. Kimsan

    Kimsan TS Rookie Topic Starter

    Wow....this is getting stranger by the minute. Another notice from Comcast just arrived in my email...for a copyright violation (porn download) that was 3 days after I turned off the wireless radio! Appreciate feedback/comment very much but please assume 1) nobody in my household is doing this and 2) there is only one computer connected via cable through this router/modem combination (I am typing on it now) and this computer was not used to download this material or to try and access the websites listed in the router log I mentioned in previous post. Previous comment was made that Comcast might have my IP address confused with someone else but then how does that explain the router log? Could some ahole be accessing the internet through my wired up computer without sitting at the keyboard?

    Notice of Action under the Digital Millennium Copyright Act

    Abuse Incident Number: Not Applicable
    Report Date/Time: 26 Apr 2012 09:16:58 -04:00


    KIM WAGNER
    [address removed]
    [removed], TN [zip removed]


    Dear Comcast High-Speed Internet Subscriber:

    Comcast has received a notification by a copyright owner, or its authorized agent, reporting an alleged infringement of one or more copyrighted works made on or over Comcast's High-Speed Internet service (the 'Service'). The copyright owner has identified the Internet Protocol ('IP') address associated with your Service account at the time as the source of the infringing works. The works identified by the copyright owner in its notification are listed below. Comcast reminds you that use of the Service (or any part of the Service) in any manner that constitutes an infringement of any copyrighted work is a violation of Comcast's Acceptable Use Policy and may result in the suspension or termination of your Service account.

    If you have any questions regarding this notice, you may direct them to Comcast in writing by sending a letter or e-mail to:

    Comcast Customer Security Assurance
    Comcast Cable Communications, LLC
    1800 Bishops Gate Blvd., 3rd Floor East Wing
    Mount Laurel, NJ 08054 U.S.A.
    Phone: (888) 565-4329
    Fax: (856) 324-2940

    For more information regarding Comcast's copyright infringement policy, procedures, and contact information, please read our Acceptable Use Policy by clicking on the Terms of Service link at http://www.comcast.net.

    Sincerely,
    Comcast Customer Security Assurance

    Copyright work(s) identified in the notification of claimed infringement:

    Evidence:
    Infringement Title: Big *** White Girls
    Infringement File Name: Big.***.White.Girls.XXX.DVDRip.XviD-NYMPHO
    Infringement Hash: e1e4d31d2a7b653bea75268ada24f02ff42e3242
    Infringement File Size: 1468723225 bytes
    Infringement Protocol: BitTorrent
    Infringement Timestamp: 2012-04-25 23:38:01 North American Eastern Time
    Infringers IP Address: 75.64.189.181
    Infringers Port: 11387
    The following files were included in the download:
    File 1: Big.***.White.Girls.XXX.DVDRip.XviD-NYMPHO/CD1/nympho-bawg1.avi
    File 2: Big.***.White.Girls.XXX.DVDRip.XviD-NYMPHO/CD2/nympho-bawg2.avi
     
  3. jdillman1502

    jdillman1502 TS Enthusiast Posts: 232

    I see in your router log that the source accessing the sites you blocked was 192.168.1.93. Is that the IP address assigned to your PC?
     
  4. Leeky

    Leeky TS Evangelist Posts: 4,378   +99

    Right, keep wireless disabled.

    1. Log in to the router, and bring up the IP addresses connected to your router (e.g. the IPs leased by the router's DHCP server) -- sometimes it shows the computer's hostname in the list. If it's just the IP and device MAC, print the list.

    2. Connect to every computer, and open a command prompt (Start > All Programs > Accessories > Command Prompt).

    3. Type ipconfig /all to reveal the IP address. Take mine for example:

    Underlined red in code above is my network IP address.

    Tell us whose computer is 192.168.1.93 please.
     
  5. Kimsan

    Kimsan TS Rookie Topic Starter

    IP 192.168.1.193 is not any of my computers. I talked to a tech guy from Comcast on Saturday (had to pay an extra fee). He did not seem concerned about the router log files but never did really explain why I got the notices with the router wireless turned off. We rebooted the router, set up the tight security settings again, turned on the wireless and I haven't received any more emails. But I just checked the router log and it is assigning an IP address to a MAC address that doesn't belong to my devices (I have a list from setting up MAC filter before):
     
  6. jdillman1502

    jdillman1502 TS Enthusiast Posts: 232

    I assume you meant 93, not 193. Are you able to ping the IP address that you don't recognize? If so, turn off your wireless (assuming you're not connected to it) and see if you are still able to ping that IP address.
     
  7. Leeky

    Leeky TS Evangelist Posts: 4,378   +99

    If Wireless is disabled, it has to be a physically connected device, connected by ethernet -- there is no other option, period.

    So either one of your computers is downloading this material, or it has been compromised and is being used remotely to do it.

    Go to your DHCP IP list, and copy the MAC address of IP 192.168.1.193, then go to MAC filtering and add that MAC address to the denied MAC addresses list. Or alternatively, you could take the MAC addresses of your known devices (your physically connected computers) and add them to an allowed list, and block absolutely everything else.

    The last option will prevent any other device from connecting to your network regardless of whether Wireless is enabled or not. Also check that remote login is disabled.

    If you don't mind, please take a screenshot of your IP address pool and post it here.
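
The check the replies above walk through (take the source IP from the router log, look it up in the DHCP lease list, then compare the MAC against the list of known devices), as an added example that is not part of the original thread. The log lines are the ones quoted in the first post; the lease table and MAC inventory are constructed sample data, since the thread never shows them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines in the format quoted in the first post of the thread.
ROUTER_LOG = """\
[site blocked: /minitri.flg] from source 192.168.1.93, Friday, April 27,2012 18:03:22
[site blocked: gadgets.live.com] from source 192.168.1.93, Friday, April 27,2012 18:02:52
[site blocked: /minitri.flg] from source 192.168.1.93, Friday, April 27,2012 17:58:22
[Log Cleared] Friday, April 27,2012 17:57:36
"""

# Constructed sample data (assumption): router DHCP leases and the owner's MAC list.
DHCP_LEASES = {"192.168.1.2": "02:00:00:aa:bb:01", "192.168.1.93": "02:00:00:aa:bb:5d"}
KNOWN_DEVICES = {"02:00:00:aa:bb:01": "wired desktop"}

LINE_RE = re.compile(
    r"^\[site blocked: (?P<site>[^\]]+)\] from source (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"\w+, (?P<ts>\w+ \d{1,2}, ?\d{4} \d{2}:\d{2}:\d{2})$"
)

def parse_log(text):
    """Yield (ip, site, datetime) per 'site blocked' entry; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"].replace(", ", ","), "%B %d,%Y %H:%M:%S")
            yield m["ip"], m["site"], ts

def audit(text, leases, known):
    """Group entries by source IP and label each source via its leased MAC."""
    by_ip = defaultdict(list)
    for ip, site, ts in parse_log(text):
        by_ip[ip].append((ts, site))
    report = {}
    for ip, events in by_ip.items():
        mac = leases.get(ip)
        report[ip] = {
            "mac": mac,
            "device": known.get(mac, "UNKNOWN") if mac else "NO LEASE (static IP?)",
            "count": len(events),
            "first": min(events)[0],
            "last": max(events)[0],
            "sites": sorted({site for _, site in events}),
        }
    return report

if __name__ == "__main__":
    print(audit(ROUTER_LOG, DHCP_LEASES, KNOWN_DEVICES))
```

A source reported as having no lease is using an address the DHCP list will not show, so the lease list alone is not a complete inventory of what is attached.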
     

