Security Basics mailing list archives
RE: Multiple Connection Attempts to Home Wireless Network
From: "Corey Watts-Jones" <cwattsjones () rogers com>
Date: Fri, 6 Jan 2006 08:22:26 -0500
Sometimes these things are even more innocuous than you've theorized too. My former employer used to get a *large* number of entries in the log regarding connection attempts and what we eventually boiled it down to was that users with wireless-enabled PDAs (we were in the financial district of a major city) were almost always around and a lot of their devices were set up to make connection attempts to any available wireless, encrypted or otherwise.

Thanks,
Corey Watts-Jones
Systems Support Specialist
BIT Incorporated

-----Original Message-----
From: Guru4u Support [mailto:support () guru4u co uk]
Sent: Thursday, January 05, 2006 5:33 PM
To: Joe George
Cc: security-basics () securityfocus com
Subject: Re: Multiple Connection Attempts to Home Wireless Network

Thanks for your reply,

The 'attempts' seem to happen during the afternoon more often than not and now seem to have settled down to occurring around 1.00pm and 5.00pm, although the odd individual occurrence does appear. Each time in the logs it shows 5 sets of repeated attempts (repeated usually 20 times) all around 5 minutes apart as below.

I think you're quite right that if it was a war-driving attempt or an attempt to piggyback my Internet connection that they would have hit the unsecured network nearby. I cannot report this to an ISP as all I have is the MAC address that is being blocked by my router (D-Link). I don't think it is malicious but it is nice to hear others' thoughts on the matter as I haven't seen this behaviour before on my network.

[INFO] Sat Dec 31 20:38:38 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:38:38 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:24:31 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:24:31 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:22:11 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:22:11 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:20:59 2005 Access denied to wireless system with MAC address 000C76C94BC4
[INFO] Sat Dec 31 20:20:59 2005 Previous message repeated 20 times
[INFO] Sat Dec 31 20:18:38 2005 Access denied to wireless system with MAC address 000C76C94BC4

Many thanks,
Ed

Joe George wrote:

If malicious, my best guess is that someone is making some attempts to connect while war-driving or a neighbor with the intent of giving you a headache. Keep an eye out, but if there were something serious going on, I think a hacker would enter through the easiest hole (i.e. your neighbor w/ the unsecured network).

If it is anything benign, my best guess is that one of your neighbor's wi-fi nodes is trying to make a connection, thinking it's their own only to later realize what's going on and ceases. In other words, a user with limited understanding of wireless (if the case, most likely the neighbor with the unsecured network).

In the logs, do these attacks take place at similar times on the days they occur? Do you have anything in the log about the device trying to gain access? I couldn't find the manufacturer based on what you provided.

Port scanning isn't really illegal (at least here in the USA), but if consistently happening, from the same IP, I'd report the user for abuse with the attached log for proof.

Best,
Joe

-----Original Message-----
From: Guru4u Support [mailto:support () guru4u co uk]
Sent: Thursday, January 05, 2006 4:19 PM
To: security-basics () securityfocus com
Subject: Multiple Connection Attempts to Home Wireless Network

Hi folks,

I would appreciate some thoughts on this. I am running a small home network with a D-Link DGL-4300 router. I have MAC Address filtering enabled (both for wireless and wired clients) and I have two clients that connect wirelessly, one being a PSP and the other an XBOX 360. As a side note for more information I have changed the SSID name, enabled SPI and use WPA security, the network is also set to visible.

My question is this, over the last few days I have noted in my router's logs that a wireless client with an unauthorized MAC address is trying to connect but being blocked.
OK, not so big a deal if it was a one off or maybe occasionally but it is becoming more frequent and over the past couple of days it's been happening for the best part of each day and stopping in the evening.

Example of my log below:

[INFO] Mon Jan 02 15:50:07 2006 Previous message repeated 12 times
[INFO] Mon Jan 02 15:50:04 2006 Access denied to wireless system with MAC address 000C76C94***
[INFO] Mon Jan 02 15:50:04 2006 Previous message repeated 20 times
[INFO] Mon Jan 02 15:46:34 2006 Access denied to wireless system with MAC address 000C76C94***
[INFO] Mon Jan 02 15:46:34 2006 Previous message repeated 20 times
[INFO] Mon Jan 02 15:43:02 2006 Access denied to wireless system with MAC address 000C76C94***
[INFO] Mon Jan 02 15:43:02 2006 Previous message repeated 20 times
[INFO] Mon Jan 02 15:37:11 2006 Access denied to wireless system with MAC address 000C76C94***
[INFO] Mon Jan 02 15:37:11 2006 Previous message repeated 20 times
[INFO] Mon Jan 02 15:32:28 2006 Access denied to wireless system with MAC address 000C76C94***

These attempts seem to come mostly in the afternoon and recently seem to hit in 5 minute bursts. I can only detect two other wireless networks in range. One is completely unsecured (I didn't connect but my PSP showed it as having no security) now that network has been secured and the other is secured with WEP. I have no other wireless kit so it isn't something in my house.

I have also seen a few access denied to my LAN with various IP MAC addresses, don't think this is related though.

[INFO] Sun Jan 01 14:38:34 2006 Access denied to LAN system with MAC address EA1C1F677***

Does this sound like a hacking attempt or just another network or wireless client being set up incorrectly or left on scanning for available connection points? It seems like something scanning for another network repeatedly?

Thanks in advance,
Ed
Current thread:
- Multiple Connection Attempts to Home Wireless Network Guru4u Support (Jan 05)
- RE: Multiple Connection Attempts to Home Wireless Network Burton Strauss (Jan 05)
- <Possible follow-ups>
- Re: Multiple Connection Attempts to Home Wireless Network Guru4u Support (Jan 05)
- RE: Multiple Connection Attempts to Home Wireless Network Corey Watts-Jones (Jan 06)
- RE: Multiple Connection Attempts to Home Wireless Network Huang, John, GCM (Jan 13)
- Re: Multiple Connection Attempts to Home Wireless Network Guru4u Support (Jan 15)