Security Basics mailing list archives
Re: Multiple Connection Attempts to Home Wireless Network
From: Guru4u Support <support () guru4u co uk>
Date: Thu, 05 Jan 2006 22:32:58 +0000
Thanks for your reply,The 'attempts' seem to happen during the afternoon more often than not and now seem to have settled down to occurring around 1.00pm and 5.00pm, although the odd individual occurrence does appear.
Each time in the logs it shows 5 sets of repeated attempts (repeated usually 20 times) all around 5 minutes apart as below. I think you're quite right that if it was a war-driving attempt or an attempt to piggyback my Internet connection that they would have hit the unsecured network nearby.
I cannot report this to an ISP as all I have is the MAC address that is being blocked by my router (D-Link).
I dont think it is malicious but it is nice to hear others thoughts on the matter as I havent seen this behaviour before on my network.
[INFO] Sat Dec 31 20:38:38 2005 Access denied to wireless system with MAC address 000C76C94BC4 [INFO] Sat Dec 31 20:38:38 2005 Previous message repeated 20 times [INFO] Sat Dec 31 20:24:31 2005 Access denied to wireless system with MAC address 000C76C94BC4 [INFO] Sat Dec 31 20:24:31 2005 Previous message repeated 20 times [INFO] Sat Dec 31 20:22:11 2005 Access denied to wireless system with MAC address 000C76C94BC4 [INFO] Sat Dec 31 20:22:11 2005 Previous message repeated 20 times [INFO] Sat Dec 31 20:20:59 2005 Access denied to wireless system with MAC address 000C76C94BC4 [INFO] Sat Dec 31 20:20:59 2005 Previous message repeated 20 times [INFO] Sat Dec 31 20:18:38 2005 Access denied to wireless system with MAC address 000C76C94BC4
Many thanks, Ed Joe George wrote:
If malicious, my best guess is that someone is making some attempts to connect while war-driving or a neighbor with the intent of giving you a headache. Keep an eye out, but if there were something serious going on, I think a hacker would enter through the easiest hole (i.e. yourneighbor w/ the unsecured network).If it is anything benign, my best guess is that one of your neighbors wi-fi node is trying to make a connection, thinking it's their own only to later realize whats going on and ceases. In other words, a user with limited understanding of wireless (if the case, most likely the neighbor with the unsecured network). In the logs, do these attacks take place at similar times one the days they occur? Do you have anything in the log about the device trying to gain access? I couldn't find the manufacturer based on what you provided. Port scanning isn't really illegal (at least here in the USA), but if consistently happening, from the same IP, I'd report the user forabuse with the attached log for proof.Best, Joe -----Original Message-----From: Guru4u Support [mailto:support () guru4u co uk] Sent: Thursday, January 05, 2006 4:19 PMTo: security-basics () securityfocus com Subject: Multiple Connection Attempts to Home Wireless Network Hi folks, I would appreciate some thoughts on this. I am running a small home network with a D-Link DGL-4300 router. I have MAC Address filtering enabled (both for wireless and wired clients) and I have two clients that connect wirelessly, one being a PSP and the other an XBOX 360. As a side note for more information I have changed the SSID name, enabled SPI and use WPA security, the network is also set to visible. My question is this, over the last few days i have noted in my router's logs that a wireless client with an unauthorized MAC address is trying to connect but being blocked. OK no so big a deal if it was a one off or maybe occasionally but it is becoming more frequent and over the past couple of days its been happening for the best part of each day and stopping in the evening. example of my log below: [INFO] Mon Jan 02 15:50:07 2006 Previous message repeated 12 times [INFO] Mon Jan 02 15:50:04 2006 Access denied to wireless system with MAC address 000C76C94*** [INFO] Mon Jan 02 15:50:04 2006 Previous message repeated 20 times [INFO] Mon Jan 02 15:46:34 2006 Access denied to wireless system with MAC address 000C76C94*** [INFO] Mon Jan 02 15:46:34 2006 Previous message repeated 20 times [INFO] Mon Jan 02 15:43:02 2006 Access denied to wireless system with MAC address 000C76C94*** [INFO] Mon Jan 02 15:43:02 2006 Previous message repeated 20 times [INFO] Mon Jan 02 15:37:11 2006 Access denied to wireless system with MAC address 000C76C94*** [INFO] Mon Jan 02 15:37:11 2006 Previous message repeated 20 times [INFO] Mon Jan 02 15:32:28 2006 Access denied to wireless system with MAC address 000C76C94*** These attempts seem to come mostly in the afternoon and recently seem to hit in 5 minute bursts. I can only detect two other wireless networks in range. One is completely unsecured (i didnt connect but my PSP showed it as having no security) now that network has been secured and the other is secured with WEP. I have no other wireless kit so it isnt something im my house. I have also seen a few access denied to my LAN with various IP MAC addresses, don't think this is related though. [INFO] Sun Jan 01 14:38:34 2006 Access denied to LAN system with MACaddress EA1C1F677***Does this sound like a hacking attempt or just another network or wireless client been setup incorrectly or left on scanning for available connection points? It seems like something scanning for another network repeatedly? Thanks in advance, Ed ------------------------------------------------------------------------ --- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education andthe case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degreecustomizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ ---- __________ NOD32 1.1354 (20060105) Information __________ This message was checked by NOD32 antivirus system. http://www.eset.com
--------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus ----------------------------------------------------------------------------
Current thread:
- Multiple Connection Attempts to Home Wireless Network Guru4u Support (Jan 05)
- RE: Multiple Connection Attempts to Home Wireless Network Burton Strauss (Jan 05)
- <Possible follow-ups>
- Re: Multiple Connection Attempts to Home Wireless Network Guru4u Support (Jan 05)
- RE: Multiple Connection Attempts to Home Wireless Network Corey Watts-Jones (Jan 06)
- RE: Multiple Connection Attempts to Home Wireless Network Huang, John, GCM (Jan 13)
- Re: Multiple Connection Attempts to Home Wireless Network Guru4u Support (Jan 15)