Security Basics mailing list archives

RE: Multiple Connection Attempts to Home Wireless Network

From: "Burton Strauss" <Burton () FelisCatus org>
Date: Thu, 5 Jan 2006 16:37:51 -0600

That block of MAC addresses is registered to

00-0C-76   (hex)                MICRO-STAR INTERNATIONAL CO., LTD.
000C76     (base 16)            MICRO-STAR INTERNATIONAL CO., LTD.
                                No 69, Li-De Street, Jung-He City, Taipe
                                Taipei  
                                TAIWAN, REPUBLIC OF CHINA 

They're one of the inexpensive OEM manufacturers of computer gear (MSI -
http://www.msi.com.tw/).  So I'd GUESS it's somebody with a misconfigured
network card searching for you.  It could be somebody bringing his/her
laptop home and forgetting to turn off the wireless they use @ work.

There isn't much you can do, as most OSes can (and usually are) configured
to be aggressive about connecting to any available network.  I wouldn't
worry ... with WPA, you aren't 'available'.

-----Burton



-----Original Message-----
From: Guru4u Support [mailto:support () guru4u co uk] 
Sent: Thursday, January 05, 2006 3:18 PM
To: security-basics () securityfocus com
Subject: Multiple Connection Attempts to Home Wireless Network


Hi folks,

I would appreciate some thoughts on this.

I am running a small  home network with a D-Link DGL-4300 router. I have MAC
Address filtering enabled (both for wireless and wired clients) and I  have
two clients that connect wirelessly, one being a PSP and the other an XBOX
360. As a side note for more information I have changed the SSID name,
enabled SPI and use WPA security, the network is also set to visible.

My question is this, over the last few days i have noted in my router's logs
that a wireless client with an unauthorized MAC address is trying to connect
but being blocked. OK no so big a deal if it was a one off or maybe
occasionally but it is becoming more frequent and over the past couple of
days its been happening for the best part of each day and stopping in the
evening.

example of my log below:

[INFO] Mon Jan 02 15:50:07 2006 Previous message repeated 12 times [INFO]
Mon Jan 02 15:50:04 2006 Access denied to wireless system with MAC address
000C76C94*** [INFO] Mon Jan 02 15:50:04 2006 Previous message repeated 20
times [INFO] Mon Jan 02 15:46:34 2006 Access denied to wireless system with
MAC address 000C76C94*** [INFO] Mon Jan 02 15:46:34 2006 Previous message
repeated 20 times [INFO] Mon Jan 02 15:43:02 2006 Access denied to wireless
system with MAC address 000C76C94*** [INFO] Mon Jan 02 15:43:02 2006
Previous message repeated 20 times [INFO] Mon Jan 02 15:37:11 2006 Access
denied to wireless system with MAC address 000C76C94*** [INFO] Mon Jan 02
15:37:11 2006 Previous message repeated 20 times [INFO] Mon Jan 02 15:32:28
2006 Access denied to wireless system with MAC address 000C76C94***

These attempts seem to come mostly in the afternoon and recently seem to hit
in 5 minute bursts.

I can only detect two other wireless networks in range. One is completely
unsecured (i didnt connect but  my PSP showed it as having no
security) now that network has been secured and the other is secured with
WEP. I have no other wireless kit so it isnt something im my house.

I have also seen a few access denied to my LAN with various IP MAC
addresses, don't think this is related though.

[INFO] Sun Jan 01 14:38:34 2006 Access denied to LAN system with MAC address
EA1C1F677*** 

Does this sound like a hacking attempt or just another network or wireless
client been setup incorrectly or left on scanning for available connection
points? It seems like something scanning for another network repeatedly?

Thanks in advance,

Ed

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and the
case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------

Current thread:

Multiple Connection Attempts to Home Wireless Network Guru4u Support (Jan 05)
- RE: Multiple Connection Attempts to Home Wireless Network Burton Strauss (Jan 05)
- <Possible follow-ups>
- Re: Multiple Connection Attempts to Home Wireless Network Guru4u Support (Jan 05)
  - RE: Multiple Connection Attempts to Home Wireless Network Corey Watts-Jones (Jan 06)
- RE: Multiple Connection Attempts to Home Wireless Network Huang, John, GCM (Jan 13)
  - Re: Multiple Connection Attempts to Home Wireless Network Guru4u Support (Jan 15)