
IED
Tutor
Nov 19, 2017
Solved

Rogue network device getting past R6400?

Router: R6400 (Firmware v1.0.1.26_1.0.19).  

PCs:  Windows 7 & Windows 10.

 

I have an odd problem.  I'm seeing a rogue network device intermittently appear.  It shows as an iControl RC8025 Camera, serial number 12345678.   No IP address.   However I own nothing like it.

 

Using netstat when the "camera" is visible, shows a line similar to:

   Proto   Local Address                Foreign Address       State

   TCP    192.168.1.103:2869     192.168.1.1:33824    TIME_WAIT

 

The local address is my computer (not specific to one -- they all see it) on a UPNP port.   The foreign address is my R6400, but the port changes every time.

 

The R6400 has UPNP disabled, remote management disabled, VPN service disabled, DDNS disabled, WPS disabled, etc...

 

Did the virus scan, etc...  Nothing.    Even reinstalled a machine with a clean install & saw it happening there.

 

My guess is something is sneaking past the R6400 somehow.   Anyone have suggestions on how to fix this?   It's a little unsettling to think someone is worming through.

 

Thanks!

-- Ian

 

  • What you are seeing is probably due to the Windows implementation of WPS. The feature is called Windows Connect Now and it's designed to facilitate quick and easy connection with Wi-Fi devices. Just because Windows can see the device does NOT mean that it has infiltrated your network. Many people have encountered this. Usually, the rogue device is a nearby smart phone.

    You can fix this by stopping and disabling the Windows Connect Now service.
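
A way to check the explanation above and apply its fix, as an added example that is not part of the original thread: it lists TCP connections from the router to local port 2869 (the pattern in the question's netstat line) and reports the state of the Windows Connect Now service, whose service name is wcncsvc. The script name, the router address default and the `-DisableWcn` switch are assumptions of this example.

```powershell
# Added example, not from the thread. Save as Check-Wcn.ps1 (hypothetical name)
# and run from an elevated PowerShell prompt.
param(
    [string]$RouterIp = '192.168.1.1',  # assumption: router LAN address from the question
    [int]$Port = 2869,                  # local port seen in the question's netstat line
    [switch]$DisableWcn                 # hypothetical switch: apply the accepted answer's fix
)

# Return netstat rows where the router is the remote end of a connection to $Port.
function Get-RouterConnection {
    param([string[]]$NetstatLines, [string]$RouterIp, [int]$Port)
    foreach ($line in $NetstatLines) {
        $f = @(-split $line)            # Proto, Local Address, Foreign Address, State
        if ($f.Count -lt 4 -or $f[0] -ne 'TCP') { continue }
        $localPort = $f[1].Substring($f[1].LastIndexOf(':') + 1)
        $remoteIp  = $f[2].Substring(0, $f[2].LastIndexOf(':'))
        if ($localPort -eq "$Port" -and $remoteIp -eq $RouterIp) {
            New-Object PSObject -Property @{ Local = $f[1]; Remote = $f[2]; State = $f[3] }
        }
    }
}

$hits = @(Get-RouterConnection -NetstatLines (netstat -an -p TCP) -RouterIp $RouterIp -Port $Port)
if ($hits.Count -gt 0) {
    Write-Output "Connections from $RouterIp to local port ${Port}:"
    $hits | Format-Table Local, Remote, State -AutoSize
} else {
    Write-Output "No connections from $RouterIp to local port $Port right now."
}

# wcncsvc is the service name of "Windows Connect Now - Config Registrar".
$svc = Get-Service -Name wcncsvc -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'Windows Connect Now service (wcncsvc) not found on this machine.'
} else {
    Write-Output "wcncsvc status: $($svc.Status)"
    if ($DisableWcn) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name wcncsvc -Force }
        Set-Service -Name wcncsvc -StartupType Disabled
        Write-Output 'wcncsvc stopped and set to Disabled.'
    }
}
```

Run it without `-DisableWcn` while the camera is visible to record the current state before changing the service.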

7 Replies

    • IED
      Tutor

      I changed the wifi password, twice (forgot to mention that).  Within minutes the bogus camera reappeared.   Thus my original post.

      You got me thinking again though, so I disabled wifi entirely.   No more camera!   Aha!

      Sounds like someone found my router WPS pin.   However "Enable Router PIN" is definitely unchecked.   Oddly "Wifi Protected Setup" still showed as Configured on the router status page though.

      So I cleared the WPS "Keep Existing Wireless Settings" checkboxes (WPS now "Not Configured"),  changed my wifi password a third time, changed the router password, and rebooted the R6400.

      I've re-enabled wifi & so far so good.  A netstat polling script hasn't spotted anything yet.

      Does beg the question how someone reacquired my wifi password though.   Maybe the WPS isn't actually disabled when "Enable Router Pin" is unchecked?

      -- Ian

       

    • IED
      Tutor

      The RC8025 rogue camera is back.   It shows up for a couple minutes, disappears, appears again...    Argh.

       

      I've set access control to block all new connections.   Added an access block for the reported mac address.   No help.   See attached device properties capture (assuming that provides any insight).

       

      How in the heck is this thing getting in??  

       

      Maybe it's time to invest in a different brand of router...

      -- Ian

       

      • Where are you seeing this rogue device? In the router's Attached Devices screen? On a Windows machine's Network window? Something else?