Wireless hacker - part 2

Wrote last week about problems with someone hacking my wireless router. Quick recap is that I have done everything to block access....including WPA2 and very long, random, computer-generated SSID and passwords (30 characters/60 characters respectively)...and still getting the messages from Comcast that stuff was downloaded illegally. So, I shut off the radio. Today, I looked at the router admin log and, with the wireless turned off, noticed log entries showing someone accessing the internet. I entered several of the sites (common sites) into the "block entries" file for the router, but below is an example I copied just a few minutes ago:

[site blocked: /minitri.flg] from source 192.168.1.93, Friday, April 27,2012 18:03:22
[site blocked: gadgets.live.com] from source 192.168.1.93, Friday, April 27,2012 18:02:52
[site blocked: websearch.ask.com] from source 192.168.1.93, Friday, April 27,2012 18:02:22
[site blocked: asktoolbar.weather.com] from source 192.168.1.93, Friday, April 27,2012 18:01:56
[site blocked: money.service.msn.com] from source 192.168.1.93, Friday, April 27,2012 18:01:05
[site blocked: /minitri.flg] from source 192.168.1.93, Friday, April 27,2012 17:58:22
[Log Cleared] Friday, April 27,2012 17:57:36

Can anyone explain what is going on? I would think that with the radio off there should be no activity showing up on the router log. Thanks for any insight.
 
Wow....this is getting stranger by the minute. Another notice from Comcast just arrived in my email...for a copyright violation (porn download) that was 3 days after I turned off the wireless radio! Appreciate feedback/comment very much but please assume 1) nobody in my household is doing this and 2) there is only one computer connected via cable through this router/modem combination (I am typing on it now) and this computer was not used to download this material or to try and access the websites listed in the router log I mentioned in my previous post. A previous comment was made that Comcast might have my IP address confused with someone else, but then how does that explain the router log? Could some ahole be accessing the internet through my wired-up computer without sitting at the keyboard?

Notice of Action under the Digital Millennium Copyright Act

Abuse Incident Number: Not Applicable
Report Date/Time: 26 Apr 2012 09:16:58 -04:00


KIM WAGNER
[address removed]
[removed], TN [zip removed]


Dear Comcast High-Speed Internet Subscriber:

Comcast has received a notification by a copyright owner, or its authorized agent, reporting an alleged infringement of one or more copyrighted works made on or over Comcast's High-Speed Internet service (the 'Service'). The copyright owner has identified the Internet Protocol ('IP') address associated with your Service account at the time as the source of the infringing works. The works identified by the copyright owner in its notification are listed below. Comcast reminds you that use of the Service (or any part of the Service) in any manner that constitutes an infringement of any copyrighted work is a violation of Comcast's Acceptable Use Policy and may result in the suspension or termination of your Service account.

If you have any questions regarding this notice, you may direct them to Comcast in writing by sending a letter or e-mail to:

Comcast Customer Security Assurance
Comcast Cable Communications, LLC
1800 Bishops Gate Blvd., 3rd Floor East Wing
Mount Laurel, NJ 08054 U.S.A.
Phone: (888) 565-4329
Fax: (856) 324-2940

For more information regarding Comcast's copyright infringement policy, procedures, and contact information, please read our Acceptable Use Policy by clicking on the Terms of Service link at www.comcast.net

Sincerely,
Comcast Customer Security Assurance

Copyright work(s) identified in the notification of claimed infringement:

Evidence:
Infringement Title: Big *** White Girls
Infringement File Name: Big.***.White.Girls.XXX.DVDRip.XviD-NYMPHO
Infringement Hash: e1e4d31d2a7b653bea75268ada24f02ff42e3242
Infringement File Size: 1468723225 bytes
Infringement Protocol: BitTorrent
Infringement Timestamp: 2012-04-25 23:38:01 North American Eastern Time
Infringers IP Address: 75.64.189.181
Infringers Port: 11387
The following files were included in the download:
File 1: Big.***.White.Girls.XXX.DVDRip.XviD-NYMPHO/CD1/nympho-bawg1.avi
File 2: Big.***.White.Girls.XXX.DVDRip.XviD-NYMPHO/CD2/nympho-bawg2.avi
 
I see in your router log that the source accessing the sites you blocked was 192.168.1.93. Is that the IP address assigned to your PC?
 
Right, keep wireless disabled.

1. Log in to the router, and bring up the IP addresses connected to your router (e.g. the IPs leased by the router's DHCP server) -- sometimes it shows the computer's hostname in the list. If it's just the IP and device MAC, print the list.

2. Connect to every computer, and open a command prompt (Start > All Programs > Accessories > Command Prompt).

3. Type ipconfig /all to reveal the IP address. Take mine for example:

Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Leeky>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Leeky-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller #2
Physical Address. . . . . . . . . : REMOVED
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : REMOVED
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : REMOVED
IPv4 Address. . . . . . . . . . . : 192.168.0.5(Preferred)
Subnet Mask . . . . . . . . . . . : REMOVED
Lease Obtained. . . . . . . . . . : 01 May 2012 09:57:47
Lease Expires . . . . . . . . . . : 01 May 2012 22:28:09
Default Gateway . . . . . . . . . : REMOVED
DHCP Server . . . . . . . . . . . : REMOVED
DHCPv6 IAID . . . . . . . . . . . : REMOVED
DHCPv6 Client DUID. . . . . . . . : REMOVED

DNS Servers . . . . . . . . . . . : REMOVED
REMOVED
NetBIOS over Tcpip. . . . . . . . : REMOVED

REMOVED == I removed the details to avoid them being displayed for security reasons.
Underlined in red in the code above is my network IP address.

Tell us whose computer is 192.168.1.93 please
 
IP 192.168.1.193 is not any of my computers. I talked to a tech guy from Comcast on Saturday (had to pay an extra fee). He did not seem concerned about the router log files but never did really explain why I got the notices with the router wireless turned off. We rebooted the router, set up the tight security settings again, turned on the wireless, and I haven't received any more emails. But I just checked the router log and it shows an IP address being assigned to a MAC address that doesn't belong to my devices (I have a list from setting up the MAC filter before):
 
I assume you meant 93, not 193. Are you able to ping the IP address that you don't recognize? If so, turn off your wireless (assuming you're not connected to it) and see if you are still able to ping that IP address.
 
If Wireless is disabled, it has to be a physically connected device, connected by Ethernet -- there is no other option, period.

So either one of your computers is downloading this material, or it has been compromised and is being used remotely to do it.

Go to your DHCP IP list, and copy the MAC address of IP 192.168.1.193, then go to MAC filtering and add that MAC address to the denied MAC addresses list. Or alternatively, you could take the MAC addresses of your known devices (your physically connected computers) and add them to an allowed list, and block absolutely everything else.

The last option will prevent any other device from connecting to your network regardless of whether Wireless is enabled or not. Also check that remote login is disabled.

If you don't mind, please take a screenshot of your IP address pool and post it here.
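Added example, not written by anyone in this thread: a small Python script that does the cross-check the replies above describe by hand. It parses `[site blocked: ...]` lines in the router's log format, joins each source IP to a DHCP lease table (IP to MAC) and to an allowlist of the owner's known MAC addresses, and reports the sources that are not yours. The lease table, allowlist and the extra log lines for 192.168.1.2 and 192.168.1.150 are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's router-log format; the 192.168.1.2 and
# 192.168.1.150 lines are made up so the report has known/unknown contrast.
ROUTER_LOG = """\
[site blocked: /minitri.flg] from source 192.168.1.93, Friday, April 27,2012 18:03:22
[site blocked: gadgets.live.com] from source 192.168.1.93, Friday, April 27,2012 18:02:52
[site blocked: websearch.ask.com] from source 192.168.1.93, Friday, April 27,2012 18:02:22
[site blocked: example.test] from source 192.168.1.2, Friday, April 27,2012 18:00:10
[site blocked: example.test] from source 192.168.1.150, Friday, April 27,2012 17:59:40
[Log Cleared] Friday, April 27,2012 17:57:36
"""

# Constructed DHCP lease table (IP -> MAC) as a router status page would list it.
DHCP_LEASES = {
    "192.168.1.2": "00:11:22:33:44:55",
    "192.168.1.93": "66:77:88:99:aa:bb",
}

# Constructed allowlist: MACs of the devices the owner set up in the MAC filter.
KNOWN_MACS = {"00:11:22:33:44:55"}

BLOCK_RE = re.compile(
    r"^\[site blocked: (?P<site>[^\]]+)\] from source "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<when>.+)$"
)

def parse_blocked(log_text):
    """Return {source_ip: [(site, timestamp), ...]} for 'site blocked' lines.
    Other lines, such as '[Log Cleared]', are skipped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:
            hits[m["ip"]].append((m["site"], m["when"]))
    return dict(hits)

def unknown_sources(log_text, leases, known_macs):
    """Source IPs whose MAC is not on the allowlist, or that have no lease
    at all: these are the hosts to physically locate or deny in MAC filtering."""
    known = {k.lower() for k in known_macs}
    report = {}
    for ip, entries in parse_blocked(log_text).items():
        mac = leases.get(ip)
        if mac is None or mac.lower() not in known:
            report[ip] = {"mac": mac, "requests": len(entries),
                          "sites": sorted({site for site, _ in entries})}
    return report
```

A source that appears in the log but has no DHCP lease (reported with `mac` of `None`) is worth as much attention as an unknown MAC, since it is talking on the LAN with a statically assigned address.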
 