RE: Multiple Connection Attempts to Home Wireless Network

["Corey Watts-Jones" <cwattsjones () rogers com>]

Sometimes these things are even more innocuous than you've theorized too. My
former employer used to get a *large* number of entries in the log regarding
connection attempts and what we eventually boiled it down to was that users
with wireless enabled PDAs (we were in the financial district of a major
city) were almost always around and a lot of their devices were set up to
make connection attempts to any available wireless, encrypted or otherwise.

Thanks,

Corey Watts-Jones
Systems Support Specialist
BIT Incorporated

-----Original Message-----
From: Guru4u Support [mailto:support () guru4u co uk] 
Sent: Thursday, January 05, 2006 5:33 PM
To: Joe George
Cc: security-basics () securityfocus com
Subject: Re: Multiple Connection Attempts to Home Wireless Network

Thanks for your reply,

The 'attempts' seem to happen during the afternoon more often than not 
and now seem to have settled down to occurring around 1.00pm and 5.00pm, 
although the odd individual occurrence does appear.

Each time in the logs it shows 5 sets of repeated attempts (repeated 
usually 20 times) all around 5 minutes apart as below. I think you're 
quite right that if it was a war-driving attempt or an attempt to 
piggyback my Internet connection that they would have hit the unsecured 
network nearby.

I cannot report this to an ISP as all I have is the MAC address that is 
being blocked by my router (D-Link).

I dont think it is malicious but it is nice to hear others thoughts on 
the matter as I havent seen this behaviour before on my network.

[INFO] Sat Dec 31 20:38:38 2005 Access denied to wireless system with MAC
address 000C76C94BC4   
[INFO] Sat Dec 31 20:38:38 2005 Previous message repeated 20 times   
[INFO] Sat Dec 31 20:24:31 2005 Access denied to wireless system with MAC
address 000C76C94BC4   
[INFO] Sat Dec 31 20:24:31 2005 Previous message repeated 20 times   
[INFO] Sat Dec 31 20:22:11 2005 Access denied to wireless system with MAC
address 000C76C94BC4   
[INFO] Sat Dec 31 20:22:11 2005 Previous message repeated 20 times   
[INFO] Sat Dec 31 20:20:59 2005 Access denied to wireless system with MAC
address 000C76C94BC4   
[INFO] Sat Dec 31 20:20:59 2005 Previous message repeated 20 times   
[INFO] Sat Dec 31 20:18:38 2005 Access denied to wireless system with MAC
address 000C76C94BC4   

Many thanks,

Ed


Joe George wrote:

> If malicious, my best guess is that someone is making some attempts to
> connect while war-driving or a neighbor with the intent of giving you a
> headache. Keep an eye out, but if there were something serious going on,
> I think a hacker would enter through the easiest hole (i.e. your
> neighbor w/ the unsecured network). 
>
> If it is anything benign, my best guess is that one of your neighbors
> wi-fi node is trying to make a connection, thinking it's their own only
> to later realize whats going on and ceases. In other words, a user with
> limited understanding of wireless (if the case, most likely the neighbor
> with the unsecured network).
>
> In the logs, do these attacks take place at similar times one the days
> they occur? Do you have anything in the log about the device trying to
> gain access?  I couldn't find the manufacturer based on what you
> provided. Port scanning isn't really illegal (at least here in the USA),
> but if consistently happening, from the same IP, I'd report the user for
> abuse with the attached log for proof. 
>
> Best,
>
> Joe
>
> -----Original Message-----
> From: Guru4u Support [mailto:support () guru4u co uk] 
> Sent: Thursday, January 05, 2006 4:19 PM
> To: security-basics () securityfocus com
> Subject: Multiple Connection Attempts to Home Wireless Network
>
>
> Hi folks,
>
> I would appreciate some thoughts on this.
>
> I am running a small  home network with a D-Link DGL-4300 router. I have
> MAC Address filtering enabled (both for wireless and wired clients) and
> I  have two clients that connect wirelessly, one being a PSP and the
> other an XBOX 360. As a side note for more information I have changed
> the SSID name, enabled SPI and use WPA security, the network is also set
> to visible.
>
> My question is this, over the last few days i have noted in my router's
> logs that a wireless client with an unauthorized MAC address is trying
> to connect but being blocked. OK no so big a deal if it was a one off or
> maybe occasionally but it is becoming more frequent and over the past
> couple of days its been happening for the best part of each day and
> stopping in the evening.
>
> example of my log below:
>
> [INFO] Mon Jan 02 15:50:07 2006 Previous message repeated 12 times
> [INFO] Mon Jan 02 15:50:04 2006 Access denied to wireless system with
> MAC address 000C76C94*** [INFO] Mon Jan 02 15:50:04 2006 Previous
> message repeated 20 times [INFO] Mon Jan 02 15:46:34 2006 Access denied
> to wireless system with MAC address 000C76C94*** [INFO] Mon Jan 02
> 15:46:34 2006 Previous message repeated 20 times [INFO] Mon Jan 02
> 15:43:02 2006 Access denied to wireless system with MAC address
> 000C76C94*** [INFO] Mon Jan 02 15:43:02 2006 Previous message repeated
> 20 times [INFO] Mon Jan 02 15:37:11 2006 Access denied to wireless
> system with MAC address 000C76C94*** [INFO] Mon Jan 02 15:37:11 2006
> Previous message repeated 20 times [INFO] Mon Jan 02 15:32:28 2006
> Access denied to wireless system with MAC address 000C76C94***
>
> These attempts seem to come mostly in the afternoon and recently seem to
> hit in 5 minute bursts.
>
> I can only detect two other wireless networks in range. One is
> completely unsecured (i didnt connect but  my PSP showed it as having no
> security) now that network has been secured and the other is secured
> with WEP. I have no other wireless kit so it isnt something im my house.
>
> I have also seen a few access denied to my LAN with various IP MAC
> addresses, don't think this is related though.
>
> [INFO] Sun Jan 01 14:38:34 2006 Access denied to LAN system with MAC
> address EA1C1F677*** 
>
> Does this sound like a hacking attempt or just another network or
> wireless client been setup incorrectly or left on scanning for available
> connection points? It seems like something scanning for another network
> repeatedly?
>
> Thanks in advance,
>
> Ed
>
> ------------------------------------------------------------------------
> ---
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
> University program offers unparalleled Infosec management education and
> the case study affords you unmatched consulting experience. 
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity
> Planning, Computer Emergency Response Teams, and Digital Investigations.
>
>
> http://www.msia.norwich.edu/secfocus
> ------------------------------------------------------------------------
> ----
>
>
>
> __________ NOD32 1.1354 (20060105) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com
>
>
>
>  


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning,

Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------