rsoption (Aspirant), Jul 17, 2020
Orbi RBK50 - Noob question --> Am I being hacked?
Hello there
First up, apologies for this long post. I am trying to describe this as best I can, within my limited technical ability, without putting any assumptions onto the issue.
I own the below Netgear Orbi products:
A day or two ago, I started getting intermittent drop-outs. Tried rebooting the router numerous times to no avail. I decided to check the logs and noticed the entries below. My technical knowledge is as good as my three year old trying to learn his alphabet, hence I purchased the Orbi for ease of setup and usage. Please bear with my noobish and long winded questions, thanks!
Key questions:
- Am I being hacked or compromised? Or is it just the router doing its thing?
- The CCTV firmware is not updated (tl;dr purchased from China, unfortunately the units' firmware can't be updated. Mistake made 6 years ago ...). Is it a possibility the firmware could be over-written with malicious firmware that allows a backdoor?
- I have blocked the wired Hikvision CCTV cameras and blocked the wired CCTVs on the Orbi dashboard (for peace of mind). The logs are still showing LAN access from remote and ARP Attack from random sources. What do these mean?
- I have a habit of having my PC running 24/7 for ease of access, but running Malwarebytes and Windows Defender didn't find any virus or malware. Should I try turning off each PC/laptop in the house to see if it would stop the ARP Attacks?
- This Netgear forum post had a similar ARP attack but it was solved simply by unplugging some switches and connecting the satellites. Is it as simple as that?
- On Wikipedia, ARP Spoofing mentioned something like "ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.". No, (hopefully) I don't have a stranger connecting their machine physically to my network, so could it be that one of my connected devices may have been hacked? I have several iOS, Android, laptops, networked printers, streaming media players such as Apple TV and Chromecasts, networked TVs etc. all connected to the network. Could it be one of them? Another possibility could be that the CCTV system and the NVR might not be the culprit, since the IP addresses could have been spoofed. And since I have physically powered down the NVR, still seeing remote LAN access to the NVR confuses me even more!
- Before I go about finding another CCTV system solution (which easily costs several thousand dollars that I don't have spare lying around at the moment), who is the probable culprit?
A few background notes to complement the below log:
- 192.168.1.10 is a wired connection to a Hikvision NVR (security camera recorder)
- The NVR is configured to the NOIP free DDNS service (but it's been about a year since I was able to log in remotely from outside my home network. I still regularly log into NOIP in order to maintain the free DNS)
- The moment I saw the remote login to the NVR (earlier), I changed the password of the NVR. It didn't stop the remote login (based on the log entries) so I powered it off. After the NVR is turned off, the log still shows "LAN access from remote" entries, and I have no idea why
- The security CCTVs are all PoE but as they are all spread around the property, even though they are technically physically linked by RJ45 cables back to the NVR, most are still powered and connected to my network
As of posting, the logs are still showing random remote access entries and DoS Attack / ARP Attack entries. Thanks in advance for any help that comes along, much appreciated. Stay safe =)
-------- Logs --------
[DoS Attack: ARP Attack] from source: 192.168.1.26, Friday, July 17, 2020 19:35:53
[DoS Attack: ARP Attack] from source: 192.168.1.1, Friday, July 17, 2020 19:32:02
[DoS Attack: ARP Attack] from source: 192.168.1.86, Friday, July 17, 2020 19:31:54
[LAN access from remote] from 195.54.160.21:60446 to 192.168.1.10:80, Friday, July 17, 2020 19:30:01
[DoS Attack: ARP Attack] from source: 192.168.1.26, Friday, July 17, 2020 19:24:49
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.1, Friday, July 17, 2020 19:12:13
[Access Control] Device Unknown with MAC address 64:DB:**:**:**:** is blocked to access the netw, Friday, July 17, 2020 19:11:55
[Access Control] Device Unknown with MAC address 18:68:**: **:**:** is blocked to access the netw, Friday, July 17, 2020 19:11:54
[DoS Attack: ARP Attack] from source: 192.168.1.26, Friday, July 17, 2020 19:11:00
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 19:04:49
[admin login] from source 192.168.1.37, Friday, July 17, 2020 19:03:54
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 19:01:57
[LAN access from remote] from 167.172.214.196:57216 to 192.168.1.10:80, Friday, July 17, 2020 19:01:52
[LAN access from remote] from 167.172.214.196:56472 to 192.168.1.10:80, Friday, July 17, 2020 19:01:51
[LAN access from remote] from 167.172.214.196:55832 to 192.168.1.10:80, Friday, July 17, 2020 19:01:49
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 19:00:30
[LAN access from remote] from 51.254.59.113:35282 to 192.168.1.10:80, Friday, July 17, 2020 18:59:57
[LAN access from remote] from 51.254.59.113:35281 to 192.168.1.10:80, Friday, July 17, 2020 18:59:56
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:57:11
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:56:06
[LAN access from remote] from 220.133.56.93:33811 to 192.168.1.10:80, Friday, July 17, 2020 18:55:09
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:52:49
[DoS Attack: ARP Attack] from source: 192.168.1.23, Friday, July 17, 2020 18:52:00
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 18:45:52
[LAN access from remote] from 195.54.160.21:51702 to 192.168.1.10:80, Friday, July 17, 2020 18:44:58
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 18:43:40
[DoS Attack: ARP Attack] from source: 192.168.1.37, Friday, July 17, 2020 18:43:34
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:35:08
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 18:35:01
[admin login] from source 192.168.1.37, Friday, July 17, 2020 18:34:52
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:33:42
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 18:30:22
[DoS Attack: SYN/ACK Scan] from source: 47.75.19.48, port 80, Friday, July 17, 2020 18:30:18
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 18:30:14
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:26:30
[admin login] from source 192.168.1.37, Friday, July 17, 2020 18:25:32
[LAN access from remote] from 51.254.59.112:34070 to 192.168.1.10:80, Friday, July 17, 2020 18:25:16
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:24:53
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 18:24:44
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:23:26
[LAN access from remote] from 218.161.112.58:54860 to 192.168.1.10:80, Friday, July 17, 2020 18:22:41
[LAN access from remote] from 218.161.112.58:43480 to 192.168.1.10:80, Friday, July 17, 2020 18:22:40
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:22:22
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 18:20:27
[LAN access from remote] from 93.62.253.231:47323 to 192.168.1.10:80, Friday, July 17, 2020 18:19:01
[admin login] from source 192.168.1.22, Friday, July 17, 2020 18:18:55
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:18:52
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 18:03:57
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:02:31
[LAN access from remote] from 83.97.20.21:31242 to 192.168.1.10:80, Friday, July 17, 2020 18:01:38
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:01:28
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 18:01:10
[DoS Attack: SYN/ACK Scan] from source: 51.178.182.22, port 443, Friday, July 17, 2020 18:00:35
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:59:24
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 17:58:49
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:57:45
[DoS Attack: ACK Scan] from source: 69.171.250.61, port 5222, Friday, July 17, 2020 17:57:45
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:57:44
[DoS Attack: ARP Attack] from source: 192.168.1.23, Friday, July 17, 2020 17:57:36
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:55:51
[DoS Attack: ACK Scan] from source: 69.171.250.61, port 5222, Friday, July 17, 2020 17:55:42
[DoS Attack: ARP Attack] from source: 192.168.1.17, Friday, July 17, 2020 17:55:11
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 17:55:01
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:54:33
[DoS Attack: ARP Attack] from source: 192.168.1.23, Friday, July 17, 2020 17:54:13
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 17:53:43
[LAN access from remote] from 83.97.20.31:43048 to 192.168.1.10:80, Friday, July 17, 2020 17:53:42
[DoS Attack: ACK Scan] from source: 69.171.250.61, port 5222, Friday, July 17, 2020 17:53:39
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 17:52:42
[DoS Attack: ARP Attack] from source: 192.168.1.17, Friday, July 17, 2020 17:52:37
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:52:30
[DoS Attack: ACK Scan] from source: 69.171.250.61, port 5222, Friday, July 17, 2020 17:51:36
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:49:36
[DoS Attack: ACK Scan] from source: 69.171.250.61, port 5222, Friday, July 17, 2020 17:49:33
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:47:30
[DoS Attack: ACK Scan] from source: 69.171.250.61, port 5222, Friday, July 17, 2020 17:47:30
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:46:09
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:42:37
[LAN access from remote] from 89.248.162.247:51493 to 192.168.1.10:80, Friday, July 17, 2020 17:42:32
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:41:51
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:36:52
[LAN access from remote] from 114.35.32.78:45836 to 192.168.1.10:80, Friday, July 17, 2020 17:36:48
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:36:48
[LAN access from remote] from 114.35.32.78:4282 to 192.168.1.10:80, Friday, July 17, 2020 17:36:47
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:35:34
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:32:08
[DoS Attack: ACK Scan] from source: 69.171.250.15, port 443, Friday, July 17, 2020 17:31:44
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:31:09
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:30:54
[DoS Attack: ARP Attack] from source: 192.168.1.17, Friday, July 17, 2020 17:30:47
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 17:30:28
[LAN access from remote] from 185.202.2.147:1268 to 192.168.1.10:80, Friday, July 17, 2020 17:30:19
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:30:12
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.17, Friday, July 17, 2020 17:22:29
[DoS Attack: ACK Scan] from source: 69.171.250.20, port 443, Friday, July 17, 2020 17:22:26
[DoS Attack: ARP Attack] from source: 192.168.1.17, Friday, July 17, 2020 17:21:59
[DoS Attack: ACK Scan] from source: 52.9.108.157, port 8245, Friday, July 17, 2020 17:21:56
[DoS Attack: ARP Attack] from source: 192.168.1.17, Friday, July 17, 2020 17:21:01
--truncated time stamp to keep within the 20K word limit--
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 17:16:59
[DoS Attack: ACK Scan] from source: 54.70.156.78, port 443, Friday, July 17, 2020 17:16:54
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:16:43
[LAN access from remote] from 110.172.141.221:37447 to 192.168.1.10:80, Friday, July 17, 2020 17:16:29
[LAN access from remote] from 110.172.141.221:7495 to 192.168.1.10:80, Friday, July 17, 2020 17:16:28
[DoS Attack: ARP Attack] from source: 192.168.1.10, Friday, July 17, 2020 17:15:22
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 17:15:13
Oh, my. What a mess! The root problem (dropouts) is one that I have no experience with, and can offer no advice. My Orbi runs for months and (as far as I can determine) never drops WiFi or loses internet. Sorry.
As for the log entries:
- All those DoS entries of various kinds are completely normal. There are people who constantly scan every IP address on the internet looking for open ports. The Orbi firmware has routines which count certain attempts to connect to certain ports as "attacks" and logs them. There is an option to stop the logging process.
- The Orbi firewall does not respond to any of these attempts, whether they are logged or not. As a primitive analogy, robots call my telephone dozens of times a day. I look at the caller ID, see that I do not recognize the caller, and do not answer. I COULD record each of these numbers and report them as "attacks".
- The "LAN access from remote" is a puzzle. Since the NVR has an entry at NoIP, this indicates (to me) that at one time the NVR was set up to be accessed from the internet, almost certainly to a web server (port 80). How was that done? Was a port "opened" to the NVR 192.168.1.10 for port 80? Unless you did something, it should be impossible to reach the NVR from the internet.
Once again, I am not convinced that the issues reported in the Orbi log are responsible for the problem.
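As an added example (not code from the thread, from NETGEAR or from the NVR vendor), here is a small Python script that parses log lines in the format pasted above and sorts them the way the reply does: DoS entries whose source is a private LAN address are LAN-side ARP chatter, DoS entries from public addresses are background internet scanning that the firewall drops, and "LAN access from remote" is the one category that only occurs when the router forwards a port to a LAN host. Admin logins and blocked devices are counted separately. The sample entries are a subset copied verbatim from the post; the category names and the `triage` and `findings` functions are this example's own.

```python
"""Triage of NETGEAR router log entries (added example; not NETGEAR code)."""
import re
from collections import Counter
from ipaddress import ip_address

# Representative entries copied verbatim from the log pasted in the post above.
SAMPLE_LOG = """\
[DoS Attack: ARP Attack] from source: 192.168.1.26, Friday, July 17, 2020 19:35:53
[LAN access from remote] from 195.54.160.21:60446 to 192.168.1.10:80, Friday, July 17, 2020 19:30:01
[Access Control] Device Unknown with MAC address 64:DB:**:**:**:** is blocked to access the netw, Friday, July 17, 2020 19:11:55
[admin login] from source 192.168.1.37, Friday, July 17, 2020 19:03:54
[LAN access from remote] from 167.172.214.196:57216 to 192.168.1.10:80, Friday, July 17, 2020 19:01:52
[DoS Attack: ARP Attack] from source: 192.168.1.28, Friday, July 17, 2020 18:57:11
[DoS Attack: SYN/ACK Scan] from source: 47.75.19.48, port 80, Friday, July 17, 2020 18:30:18
[DoS Attack: ACK Scan] from source: 69.171.250.61, port 5222, Friday, July 17, 2020 17:57:45
[LAN access from remote] from 195.54.160.21:51702 to 192.168.1.10:80, Friday, July 17, 2020 18:44:58
"""

# Line shape: "[kind] body, Weekday, Month D, YYYY HH:MM:SS"
ENTRY_RE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s+(?P<body>.*?),\s+"
    r"(?P<ts>[A-Z][a-z]+day, [A-Z][a-z]+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
REMOTE_RE = re.compile(r"from (?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_entry(line):
    """Split one log line into kind, body, timestamp and the addresses it names."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"kind": m["kind"], "body": m["body"], "timestamp": m["ts"],
             "src": None, "dst": None}
    r = REMOTE_RE.search(entry["body"])
    if r:
        entry["src"] = r["src"]
        entry["dst"] = f"{r['dst']}:{r['dport']}"
    else:
        ips = IPV4_RE.findall(entry["body"])   # MAC-only lines yield no address
        entry["src"] = ips[0] if ips else None
    return entry


def classify(entry):
    """Category names are this example's own, following the reply's reading of the log."""
    kind, src = entry["kind"], entry["src"]
    if kind == "LAN access from remote":
        return "inbound_forwarded"   # only possible when the router forwards that port
    if kind == "admin login":
        return "admin_login"
    if kind == "Access Control":
        return "blocked_device"
    if kind.startswith("DoS Attack"):
        if src and ip_address(src).is_private:
            return "lan_noise"       # ARP activity tagged on a LAN host
        return "internet_scan"       # background scanning, dropped by the firewall
    return "other"


def triage(text):
    s = {
        "counts": Counter(),
        "exposed_services": Counter(),  # LAN ip:port actually reached from the internet
        "remote_sources": Counter(),    # internet addresses that reached them
        "lan_arp_sources": Counter(),   # LAN hosts the router tagged for ARP activity
        "unparsed": [],
    }
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if e is None:
            s["unparsed"].append(line)
            continue
        cat = classify(e)
        s["counts"][cat] += 1
        if cat == "inbound_forwarded":
            s["exposed_services"][e["dst"]] += 1
            s["remote_sources"][e["src"]] += 1
        elif cat == "lan_noise" and "ARP" in e["kind"]:
            s["lan_arp_sources"][e["src"]] += 1
    return s


def findings(s):
    """Turn the summary into the short list a reader would act on."""
    out = []
    for dst, n in s["exposed_services"].most_common():
        out.append(f"{dst} was reached from the internet ({n} entries): "
                   f"check the port forwarding / UPnP rules for that host")
    if s["remote_sources"]:
        out.append(f"{len(s['remote_sources'])} distinct internet addresses reached forwarded ports")
    if s["counts"]["internet_scan"]:
        out.append(f"{s['counts']['internet_scan']} scan entries from public addresses: informational")
    if s["lan_arp_sources"]:
        out.append("ARP entries tagged on LAN hosts " + ", ".join(sorted(s["lan_arp_sources"])) +
                   ": LAN-side traffic, not internet access")
    return out


if __name__ == "__main__":
    for note in findings(triage(SAMPLE_LOG)):
        print(note)
```

Run it against a full log export and the first line of `findings` immediately answers the question the reply raises: which LAN host and port is reachable from the internet, and therefore which forwarding rule to look for in the router.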
rsoption (Aspirant)
Hello there
Thanks for replying.
Yes, it's a mess. Your reply somehow eased my concerns that I was being hacked (even though I'm a nobody lol).
Thanks for your analogy, I have a better understanding now that the log entries are pretty normal or harmless in any sense to be concerned with.
I was continuing my shallow research and installed XArp and noted that it was my main PC that raised an ARP attack alert showing "IpFilter: ip addresss lies in the multicast range". A few searches on Google and I can't seem to grasp a basic understanding of what that alert meant.
Anyways, I also went ahead to activate Netgear Armor and it didn't prompt me on anything hairy on the security front, so I assume it's just me panicking when I first saw the log entries.
Yep, I believe the security guy who installed the NVR did open the port to NOIP when the system was first installed. It was done to allow me to access the CCTV cameras when I am outside of my home network. Unfortunately ever since I changed to Orbi, I have not been able to access my CCTV cameras from outside anymore.
Yea I do not understand why the log entries contain LAN access from remote via the NVR even when the NVR is physically powered off. I assume the NVR IP address is spoofed, hence the ARP Attacks are showing a spoofed IP address such as the NVR's. <-- this is my understanding which I hope is correct. I might just pay for an NVR upgrade instead of changing the NVR + CCTV camera system altogether just for peace of mind then.
For closure; can I take it as the log entries are indeed normal and my home network was not compromised?
Thanks!
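For the ARP side of the question, here is an added example (not from the thread, from XArp or from NETGEAR) of the check a defender would actually run from the PC: parse a Windows `arp -a` snapshot, flag any two LAN addresses that resolve to the same MAC, and flag the gateway's MAC changing between two snapshots. Multicast (224.0.0.0/4) and broadcast rows are skipped on purpose, because they always map to fixed group MACs and would otherwise show up as "shared" MACs and as addresses outside the normal host range. The `arp -a` sample, the host numbers and the MACs are constructed placeholders, not the poster's real devices.

```python
"""Consistency checks over a Windows `arp -a` snapshot (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the shape `arp -a` prints on Windows; MACs are placeholders
# (locally administered 02-... addresses), not real vendor OUIs.
SAMPLE_ARP = """\
Interface: 192.168.1.37 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-00-00-01     dynamic
  192.168.1.50          02-00-00-00-00-50     dynamic
  192.168.1.51          02-00-00-00-00-50     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp(text):
    """Return (ip, mac, type) tuples for unicast hosts only."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # interface banner and column header
        ip, mac, typ = m.group(1), m.group(2).lower(), m.group(3).lower()
        # Multicast groups and the broadcast address use fixed group MACs
        # (01-00-5e-... / ff-...); they are expected, not a sign of anything.
        if ip_address(ip).is_multicast or mac == "ff-ff-ff-ff-ff-ff":
            continue
        rows.append((ip, mac, typ))
    return rows


def shared_macs(rows):
    """MACs claimed by more than one IP: worth a look (spoofing, or one box holding two IPs)."""
    by_mac = defaultdict(list)
    for ip, mac, _ in rows:
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(before, after, gateway_ip):
    """True if the gateway's MAC differs between two snapshots or disappeared."""
    def mac_of(rows):
        return next((mac for ip, mac, _ in rows if ip == gateway_ip), None)
    return mac_of(before) != mac_of(after)


if __name__ == "__main__":
    rows = parse_arp(SAMPLE_ARP)
    for mac, ips in shared_macs(rows).items():
        print(f"{mac} is claimed by {', '.join(ips)}")
    print("gateway changed:", gateway_changed(rows, rows, "192.168.1.1"))
```

Take one snapshot while the network is behaving, another when the drop-outs hit, and compare: a gateway MAC that changes, or a MAC suddenly claimed by several addresses, is the pattern that tools like XArp alert on; rows in the multicast range on their own are not.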
rsoption (Aspirant)
I did another test earlier today.
On my PC which is LAN'ed directly to the Orbi router, I used an Internet Connectivity Monitor to monitor drop-outs.
Over the course of 4-5 hours (usually evenings my time since the dropouts started a few days ago), the LAN connected PC only had a quick dropout, whilst on wireless devices (3 iPads, 1 Android and 2 iPhones - yep don't judge, got a big fam) I am experiencing dropout mania every few minutes to <30 minutes. The dropout period is around 1-2 mins. At times, the dropouts are every few minutes. Sometimes the kids managed a couple of Peppa Pig episodes before the dreaded endless circle "buffering icon".
Tomorrow I am going to try and see if I can get more info on dropouts during the day. Maybe also proceed to resetting the router + the two other satellites. Been reading other posts on the Orbi wifi dropping off and it seems to be a persistent problem. My warranty is nearing its end (Dec this year) so hopefully I can get it sorted one way or another before the warranty runs out and they turn into very expensive bricks.
PS: Netgear doesn't provide tech support and relies on the community forum for "charitable" support from volunteers (from what I understand). How does one actually go about raising a ticket and perhaps an RMA?
rsoption (Aspirant)
FURRYe38 Hey buddy, saw in a lot of posts you were helping troubleshoot RBK50 dropouts. What do you make of my issue?
Does the RBK50 degrade over time? I have had the setup for over a year with no issue and the dropouts only occurred like 3-4 days ago. I have not added any hardware onto the network. I saw your troubleshooting steps and might probably run through them tomorrow when I get a chance, but to be honest, if my setup has worked for over a year, I can't seem to think of any other reason that might have caused the dropouts other than a degradation of some form in either the FW or the HW.
My ISP (NBN in Australia) connection is rock solid as I tried doing speed and ping tests repeatedly to isolate the issue from the connection part.
Thoughts?