Ggogo2368 (Aspirant)
Dec 19, 2019
Home network security issues
Need help with a lot of issues on my home network. Using the Orbi RBR50 with one satellite and the Orbi outdoor extender. I have contacted Gearhead support numerous times without resolution (do not believe they understand what it is I’m trying to explain is happening - I’m not a techie person); however, I believe my home network is compromised or being controlled by someone inside my network through a computer on the network. Not sure of the correct terms so I apologize if this is worded incorrectly, but 4 other computers are unable to connect to any websites without getting certificate errors, unable to do any updates saying we do not have permission or authorization, and based on the router logs, when any of these devices connect to the Wi-Fi, it immediately shows site allowed status.rapidssl.com followed by a bunch of ocsp.xxxx.com websites. I realize these are for certificates, but I have not purchased or authorized any wildcard subscription services. I was able to briefly access the suspected controller computer and run a shell command of Get-NetIPAddress and several IPv6 addresses appeared (which I have IPv6 off at the router) and a ::1 address showed, which I assume is a localhost. I did some digging and found that my iPhone is the ::1 localhost. How can this be shut down so I can reclaim control of my router, network, and the devices connected to it? Lastly, this address showed up today in the log as being accessed from that device. Does anyone know what it means? [site allowed: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16,
Sorry for the lengthy message but this is very frustrating and I’m at my wit's end here!
40 Replies
- Jetdrive (Luminary)
If you really believe all your computers are infected and being controlled, you should shut all of them down and disconnect them from the network. Then take one of them and wipe the hard drive and re-install your Operating System (Windows or Mac). If that computer now behaves normally then you know that it was some sort of malware or virus. If the computer still has problems as you described, it is not compromised.
What Firmware is currently loaded?
What is the Mfr and model# of the ISP modem the NG router is connected to?
What browser are you using? Does this happen with other browsers like IE11, Firefox or Opera?
Is Remote Management enabled on the RBR? I would disable this if it's enabled and you don't need any remote access.
Be sure you have setup a new PW for the RBRs log in page. Don't give it out to anyone.
Be sure you have set up a custom SSID name and PW for the wifi.
Ggogo2368 wrote:
Need help with a lot of issues on my home network. Using the Orbi RBR50 with one satellite and the Orbi outdoor extender. I have contacted Gearhead support numerous times without resolution (do not believe they understand what it is I’m trying to explain is happening - I’m not a techie person); however, I believe my home network is compromised or being controlled by someone inside my network through a computer on the network. Not sure of the correct terms so I apologize if this is worded incorrectly, but 4 other computers are unable to connect to any websites without getting certificate errors, unable to do any updates saying we do not have permission or authorization, and based on the router logs, when any of these devices connect to the Wi-Fi, it immediately shows site allowed status.rapidssl.com followed by a bunch of ocsp.xxxx.com websites. I realize these are for certificates, but I have not purchased or authorized any wildcard subscription services. I was able to briefly access the suspected controller computer and run a shell command of Get-NetIPAddress and several IPv6 addresses appeared (which I have IPv6 off at the router) and a ::1 address showed, which I assume is a localhost. I did some digging and found that my iPhone is the ::1 localhost. How can this be shut down so I can reclaim control of my router, network, and the devices connected to it? Lastly, this address showed up today in the log as being accessed from that device. Does anyone know what it means? [site allowed: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16,
Sorry for the lengthy message but this is very frustrating and I’m at my wit's end here!
- Jetdrive (Luminary)
Once a computer is compromised and payload delivered, there is no sure way to remove all traces of the infection other than a total reformat and re-install. You can try downloading and installing anti-malware programs like Malwarebytes, but there is no sure way to know if everything was removed.
This would be a last resort kind of thing. Even if the PCs are infected. Need to scan for infections first. Most of the time, malwarebytes can remove fully most infections. It works pretty good.
- Ggogo2368 (Aspirant)
Using an Arris SB8200 - not one provided by the ISP.
I’ve tried Chrome, Edge, and IE11. Do not use Firefox, Mozilla or Opera.
Remote mgmt is not enabled and the login password for the admin page of the router has been changed numerous times. Guest network and home network have custom IDs and separate passwords. As much as I’d love to boot the suspected device off of the network and not allow reconnect - that isn’t an option at this point and I need to confirm 100% that my suspicions are in fact true before I take further action in that regard.
As to Jetdrive’s recommendation about shutting down everything and disconnecting them and wiping the hard drive, that was done to some extent on one of the devices; however it returned to its prior state after reconnecting. Another thing I’d like to mention is that I recently connected my iMac which hadn’t been on the network in this house yet. It started behaving just as the other PCs do the minute I opened Safari. I immediately disconnected this device from the network and unplugged it without ever opening a webpage. Just opening the Safari browser triggered the router log trail of site allowed: status.rapidssl.com....followed by all the other ocsp ones I mentioned earlier.
And since sending my earlier message today. I’ve been gone from the house - no one is there, yet I’m getting this notification:
[site blocked: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45

Can you find out which device has this IP address?
192.168.1.16
If you disconnect the RBR from the ISP modem, does problem still happen?
What happens if you completely disconnect ALL lan devices from the RBR and change the SSID name and PW on the RBR to something different? Save connecting just 1 wired PC to the RBR.
Seems like if it returned to its prior state after connecting things back up, there is one device that seems to be causing this.
Ggogo2368 wrote:
Using an Arris SB8200 - not one provided by the ISP.
I’ve tried Chrome, Edge, and IE11. Do not use Firefox, Mozilla or Opera.
Remote mgmt is not enabled and the login password for the admin page of the router has been changed numerous times. Guest network and home network have custom IDs and separate passwords. As much as I’d love to boot the suspected device off of the network and not allow reconnect - that isn’t an option at this point and I need to confirm 100% that my suspicions are in fact true before I take further action in that regard.
As to Jetdrive’s recommendation about shutting down everything and disconnecting them and wiping the hard drive, that was done to some extent on one of the devices; however it returned to its prior state after reconnecting. Another thing I’d like to mention is that I recently connected my iMac which hadn’t been on the network in this house yet. It started behaving just as the other PCs do the minute I opened Safari. I immediately disconnected this device from the network and unplugged it without ever opening a webpage. Just opening the Safari browser triggered the router log trail of site allowed: status.rapidssl.com....followed by all the other ocsp ones I mentioned earlier.
And since sending my earlier message today. I’ve been gone from the house - no one is there, yet I’m getting this notification:
[site blocked: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45
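As an added example (not code from this thread or from NETGEAR), a small parser for Orbi site-log lines in the format quoted above that tallies, per source IP, how many allowed hosts are certificate revocation checkers (OCSP/CRL/status responders that a browser contacts on its own when it validates a site's certificate, which is why they appear the moment a browser opens) versus other sites, and lists the hosts that were blocked. The sample log lines and the GUID-style hostname are constructed; the OCSP hostnames are real, well-known responders used only as sample data.

```python
import re
from collections import defaultdict

# Constructed sample of Orbi "site allowed/blocked" log lines in the format quoted in
# this thread (the netgear-...-GUID hostname is a placeholder, not a real value).
SAMPLE_LOG = """\
[site allowed: status.rapidssl.com] from source 192.168.1.16, Thursday, December 19, 2019 13:58:02
[site allowed: ocsp.digicert.com] from source 192.168.1.16, Thursday, December 19, 2019 13:58:03
[site allowed: ocsp.pki.goog] from source 192.168.1.22, Thursday, December 19, 2019 13:59:10
[site blocked: netgear-PLACEHOLDER-GUID.2d7d] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45
[site allowed: www.example.com] from source 192.168.1.22, Thursday, December 19, 2019 14:02:00
"""

LINE_RE = re.compile(
    r"\[site (?P<action>allowed|blocked): (?P<host>[^\]]+)\] from source "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}), (?P<when>.+)$"
)

# Hostnames a browser or OS contacts to check whether a server certificate was revoked
# (OCSP responders, CRL and status hosts). These are normal TLS validation traffic.
CERT_CHECK_RE = re.compile(r"(^|\.)(ocsp|crl|status)\.", re.IGNORECASE)

def parse_log(text):
    """Return one dict (action, host, src, when) per line matching the Orbi site-log format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def classify_host(host):
    if CERT_CHECK_RE.search(host):
        return "cert-revocation-check"
    return "other"

def summarize_by_source(entries):
    """Per source IP: count of cert checks, count of other allowed sites, list of blocked hosts."""
    summary = defaultdict(lambda: {"cert_checks": 0, "other": 0, "blocked": []})
    for e in entries:
        s = summary[e["src"]]
        if e["action"] == "blocked":
            s["blocked"].append(e["host"])
        elif classify_host(e["host"]) == "cert-revocation-check":
            s["cert_checks"] += 1
        else:
            s["other"] += 1
    return dict(summary)
```

Running `summarize_by_source(parse_log(SAMPLE_LOG))` on a saved Orbi log shows which source IP generated the certificate-check traffic, so the owner can match that IP against the router's attached-devices list rather than guessing from the hostnames alone.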
- Ggogo2368 (Aspirant)
I hope Jetdrive didn’t give up on this. I’m hopeful someone in this community can offer some insight and helpful solutions as the Arlo Gearhead Support (NETGEAR support) had no idea about what I was trying to explain to them. I tried to tell them I thought it was either an administrator-controlled issue with unauthorized certificates, or something fishy going on where all the PCs have the same certificates from the same issuing authorities yet they are not all Windows 10 OS systems. Also, the system restore points on all of these devices were removed back to the same date, yet I am certain there were restore points in them prior to the dates now showing.
Ggogo2368 wrote:
based on the router logs, when any of these devices connect to the Wi-Fi, it immediately shows site allowed status.rapidssl.com followed by a bunch of ocsp.xxxx.com websites.
Which router log shows these messages? I thought that I have my Orbi logging "everything", but I do not see messages about sites being allowed.
- Ggogo2368 (Aspirant)
It is the logs from the Orbi.
Ggogo2368 wrote:
It is the logs from the Orbi.
Well, damn. I have collected the entire Orbi log starting last March, and I have collected no records like these. I thought that my log was set to record everything possible. What must be set to get these items in the log? Here's what my log setup looks like now:
Ggogo2368 wrote:
several IPv6 addresses appeared (which I have IPv6 off at the router)
My impression may be incorrect; however, I believe that Orbi support for IPv6 has no effect on other devices inside the LAN, i.e. if a device in the LAN is set up to support IPv6, it will merrily blast away with IPv6 packets, especially broadcast packets. When I put Wireshark in promiscuous mode and capture only IPv6 packets, there are devices on my network generating packets. I believe the default for a lot of devices is to support both IPv4 and IPv6 (it certainly is for Windows).