Ggogo2368
Dec 19, 2019, Aspirant
Home network security issues
Need help with a lot of issues on my home network. Using the Orbi RBR50 with one satellite and the Orbi outdoor extender. I have contacted Gearhead support numerous times without resolution (do not be...
FURRYe38
Dec 19, 2019, Guru - Experienced User
What Firmware is currently loaded?
What is the Mfr and model# of the ISP modem the NG router is connected to?
What browser are you using? Does this happen with other browsers like IE11, Firefox or Opera?
Is Remote Management enabled on the RBR? I would disable this if it's enabled and you don't need any remote access.
Be sure you have set up a new PW for the RBR's login page. Don't give it out to anyone.
Be sure you have set up a custom SSID name and PW for the wifi.
Ggogo2368 wrote:
Need help with a lot of issues on my home network. Using the Orbi RBR50 with one satellite and the Orbi outdoor extender. I have contacted Gearhead support numerous times without resolution (do not believe they understand what it is I’m trying to explain is happening - I’m not a techie person); however, I believe my home network is compromised or being controlled by someone inside my network through a computer on the network. Not sure of the correct terms, so I apologize if this is worded incorrectly, but 4 other computers are unable to connect to any websites without getting certificate errors, unable to do any updates, saying we do not have permission or authorization, and based on the router logs, when any of these devices connect to the Wi-Fi, it immediately shows site allowed status.rapidssl.com followed by a bunch of ocsp.xxxx.com websites. I realize these are for certificates, but I have not purchased or authorized any wildcard subscription services. I was able to briefly access the suspected controller computer and run a shell command of Get-NetIPAddress and several IPv6 addresses appeared (which I have IPv6 off at the router) and a ::1 address showed, which I assume is a localhost. I did some digging and found that my iPhone is the ::1 localhost. How can this be shut down so I can reclaim control of my router, network, and the devices connected to it? Lastly, this address showed up today in the log as being accessed from that device. Does anyone know what it means? [site allowed: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16,
Sorry for the lengthy message but this is very frustrating and I’m at my wits end here!
- Jetdrive, Dec 19, 2019, Luminary
Once a computer is compromised and a payload delivered, there is no sure way to remove all traces of the infection other than a total reformat and re-install. You can try downloading and installing anti-malware programs like Malwarebytes, but there is no sure way to know if everything was removed.
- FURRYe38, Dec 19, 2019, Guru - Experienced User
This would be a last-resort kind of thing, even if the PCs are infected. Need to scan for infections first. Most of the time, Malwarebytes can fully remove most infections. It works pretty well.
- Jetdrive, Dec 19, 2019, Luminary
He has already sought the services of a professional service, and yes, Malwarebytes is pretty good, but it doesn't guarantee all malware is removed. Like I said, the only sure way is a reformat and re-install. Yes, anti-malware programs may get him going again, but was that key logger released yesterday removed, or is it just waiting for him to log into his bank and steal his credentials? Yes, you can take shortcuts, but at your own risk.
- Ggogo2368, Dec 19, 2019, Aspirant
Malwarebytes is installed but certainly isn’t doing its job. I have BitDefender installed as well, but the exceptions keep getting changed, namely regarding certain certificates.
- Ggogo2368, Dec 19, 2019, Aspirant
Using an Arris SB8200 - not one provided by the ISP.
I’ve tried Chrome, Edge, and IE11. Do not use Firefox, Mozilla or Opera.
Remote mgmt is not enabled and the login password for the admin page of the router has been changed numerous times. Guest network and home network have custom IDs and separate passwords. As much as I’d love to boot the suspected device off of the network and not allow it to reconnect - that isn’t an option at this point, and I need to confirm 100% that my suspicions are in fact true before I take further action in that regard.
As to Jetdrive’s recommendation about shutting down everything and disconnecting them and wiping the hard drive, that was done to some extent on one of the devices; however, it returned to its prior state after reconnecting. Another thing I’d like to mention is that I recently connected my iMac, which hadn’t been on the network in this house yet. It started behaving just as the other PCs do the minute I opened Safari. I immediately disconnected this device from the network and unplugged it without ever opening a webpage. Just opening the Safari browser triggered the router log trail of site allowed: status.rapidssl.com.... followed by all the other ocsp ones I mentioned earlier.
And since sending my earlier message today, I’ve been gone from the house - no one is there, yet I’m getting this notification:
[site blocked: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45
- FURRYe38, Dec 20, 2019, Guru - Experienced User
Can you find out which device has this IP address?
192.168.1.16
If you disconnect the RBR from the ISP modem, does problem still happen?
What happens if you completely disconnect ALL lan devices from the RBR and change the SSID name and PW on the RBR to something different? Save connecting just 1 wired PC to the RBR.
Seems like if it returned to its prior state after connecting things back up, there is one device that seems to be causing this.
- Ggogo2368, Dec 20, 2019, Aspirant
The device with 192.168.1.16 is the suspected device that has created the chaos on the network. The reason it says site blocked now is because I put the address it was accessing previously into the blocked site list in the Orbi under advanced settings. I can find no information anywhere on what that site is, though. That’s the frustrating part of this. Why would that device be accessing a NETGEAR site when there is only one admin user to its interface and that device is not one that ever accesses it - if that’s what the site is? I have reset the router many times, and the modem, rebooted the entire system - and nothing stops the activity I initially described. :(
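As an added triage aid (not from the thread and not NETGEAR's code), the script below parses Orbi log lines in the format quoted in this thread, groups them by source IP, and separates routine certificate-status lookups (OCSP/CRL hosts such as status.rapidssl.com, which a browser contacts on its own during a TLS handshake) from hosts that deserve a closer look. The sample lines are constructed from the format shown above; ocsp.digicert.com is assumed as a second well-known status endpoint.

```python
import re
from collections import defaultdict

# Orbi log line format as quoted in the thread:
#   [site allowed: HOST] from source IP, Day, Month DD, YYYY HH:MM:SS
LOG_RE = re.compile(
    r"\[site (?P<action>allowed|blocked): (?P<host>[^\]]+)\] "
    r"from source (?P<src>[\d.]+)(?:, (?P<when>.*))?"
)

# Certificate-status endpoints. status.rapidssl.com is from the thread;
# ocsp.digicert.com is an assumed, well-known OCSP responder. Browsers
# contact such hosts automatically; it does not imply any certificate
# purchase by the user.
CERT_STATUS_HOSTS = {"status.rapidssl.com", "ocsp.digicert.com"}


def classify(host):
    """Label a destination host as a cert-status check or 'other'."""
    h = host.lower()
    if h in CERT_STATUS_HOSTS or h.startswith(("ocsp.", "crl.")):
        return "cert-status"
    return "other"


def parse(lines):
    """Return one dict per recognised log line (unparseable lines are skipped)."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["kind"] = classify(d["host"])
            events.append(d)
    return events


def triage(lines):
    """Per source IP: count of cert-status lookups and the set of other hosts."""
    report = defaultdict(lambda: {"cert-status": 0, "other": set()})
    for e in parse(lines):
        if e["kind"] == "cert-status":
            report[e["src"]]["cert-status"] += 1
        else:
            report[e["src"]]["other"].add(e["host"])
    return dict(report)


# Constructed sample lines in the thread's log format (not real captures).
SAMPLE = [
    "[site allowed: status.rapidssl.com] from source 192.168.1.16, Thursday, December 19, 2019 14:01:40",
    "[site allowed: ocsp.digicert.com] from source 192.168.1.16, Thursday, December 19, 2019 14:01:41",
    "[site allowed: ocsp.example-ca.test] from source 192.168.1.23, Thursday, December 19, 2019 14:01:42",
    "[site blocked: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45",
]
```

Running `triage(SAMPLE)` shows 192.168.1.16 with two routine cert-status lookups and one non-status host to investigate, which is the kind of split that helps answer "which device has this IP, and is its traffic actually unusual".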