1000v2-Log explanation please

GoGuard
Luminary

1000v2-Log explanation please

I apologize if I am posting in the wrong forum. Searched around a little and since I didn't find a forum for my model #, figured this one looked like the best choice.

Installed the router in the last week. Have had no problems whatsoever and prior to this using an older router, we were having to reboot the modem and router every two days and haven't at all since I installed this WNR1000v2 which is what is written on the box.

I am posting tonight for two issues, one hasn't seemed to affect me but I see people posting so I wonder if I should anticipate any problems. I had a firmware update available notice in the last day or two, think it was yesterday and I updated it. I can't see where to tell you what version I have and might not be an issue but wanted to mention it.

I am on Windows 7 - 32 bit. Don't know that it matters.

The reason I am posting is I have a friend of mine who thinks my computer is connected to his and I noticed he emailed a log from my router today to himself, which I AM NOT connected to him in any way unless a ghost did it as I haven't the foggiest idea nor inclination to connect to his network. And if I wanted to try, I would tell him then have to go to forums for help. BUT, I noticed the log looked different than it did the first day I installed it and just wondering if anyone can explain it in more detail.

AND because I don't care if he looks at anything on my router at any time but I don't want him changing anything so I would like to be sitting here when he's looking at it so I would like to change the router login password. Can you please tell me where I do that at?

But below is the log I just copied. Any help explaining it would be greatly appreciated.

[WLAN access rejected: incorrect security] from MAC address 00:23:4e:35:cc:c6, Friday, November 09,2012 19:18:18
[WLAN access rejected: incorrect security] from MAC address 00:17:c4:fd:34:b4, Friday, November 09,2012 19:12:57
[UPnP set event: del_nat_rule] from source 10.0.0.43 Friday, November 09,2012 19:12:07
[WLAN access rejected: incorrect security] from MAC address 00:17:c4:fd:34:b4, Friday, November 09,2012 19:10:31
[DHCP IP: 10.0.0.43] to MAC address 00:23:4e:35:cc:c6, Friday, November 09,2012 19:10:30
[WLAN access rejected: incorrect security] from MAC address 00:17:c4:fd:34:b4, Friday, November 09,2012 19:07:59
[admin login] from source 10.0.0.42, Friday, November 09,2012 19:07:58
[WLAN access rejected: incorrect security] from MAC address 00:17:c4:fd:34:b4, Friday, November 09,2012 19:02:32
[admin login] from source 10.0.0.42, Friday, November 09,2012 19:02:31
[WLAN access rejected: incorrect security] from MAC address 00:17:c4:fd:34:b4, Friday, November 09,2012 18:56:04
[DoS Attack: RST Scan] from source: 65.200.212.211, port 80, Friday, November 09,2012 18:55:32
[DoS Attack: ACK Scan] from source: 65.200.212.211, port 80, Friday, November 09,2012 18:55:32
[WLAN access rejected: incorrect security] from MAC address 00:17:c4:fd:34:b4, Friday, November 09,2012 18:50:54
[DoS Attack: RST Scan] from source: 65.200.212.211, port 80, Friday, November 09,2012 18:50:42
[DoS Attack: ACK Scan] from source: 65.200.212.211, port 80, Friday, November 09,2012 18:50:42
[WLAN access rejected: incorrect security] from MAC address 00:17:c4:fd:34:b4, Friday, November 09,2012 18:47:01
[UPnP set event: add_nat_rule] from source 10.0.0.42 Friday, November 09,2012 18:45:24
[DHCP IP: 10.0.0.42] to MAC address c8:0a:a9:44:b6:25, Friday, November 09,2012 18:40:59
[DHCP IP: 10.0.0.2] to MAC address 5c:0a:5b:98:98:0b, Friday, November 09,2012 18:37:12
[Time synchronized with NTP server] Friday, November 09,2012 17:38:15
[admin login] from source 10.0.0.42, Friday, November 09,2012 17:16:18
[DoS Attack: RST Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 17:09:25
[DoS Attack: ACK Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 17:09:25
[DoS Attack: RST Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 15:55:59
[DoS Attack: ACK Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 15:55:59
[DoS Attack: RST Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 15:54:19
[DoS Attack: ACK Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 15:54:19
[DoS Attack: RST Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 15:54:04
[DoS Attack: ACK Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 15:54:04
[Internet connected] IP address: 68.184.169.99, Friday, November 09,2012 15:49:32
[UPnP set event: add_nat_rule] from source 10.0.0.42 Friday, November 09,2012 15:48:28
[UPnP set event: del_nat_rule] from source 10.0.0.42 Friday, November 09,2012 15:48:28
[UPnP set event: add_nat_rule] from source 10.0.0.42 Friday, November 09,2012 15:48:22
[DHCP IP: 10.0.0.42] to MAC address c8:0a:a9:44:b6:25, Friday, November 09,2012 15:48:17
[DHCP IP: 10.0.0.2] to MAC address 5c:0a:5b:98:98:0b, Friday, November 09,2012 15:22:57
[DHCP IP: 10.0.0.43] to MAC address 00:23:4e:35:cc:c6, Friday, November 09,2012 14:10:47
[Internet connected] IP address: 68.184.169.99, Friday, November 09,2012 11:49:31
[admin login] from source 10.0.0.42, Friday, November 09,2012 10:35:51
[Internet connected] IP address: 68.184.169.99, Friday, November 09,2012 07:49:30
[DoS Attack: RST Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 05:26:49
[DoS Attack: ACK Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 05:26:49
[WLAN access rejected: incorrect security] from MAC address 5c:0a:5b:98:98:0b, Friday, November 09,2012 05:18:05
[DoS Attack: RST Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 04:28:06
[DoS Attack: ACK Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 04:28:06
[DoS Attack: RST Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 04:16:49
[DoS Attack: ACK Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 04:16:49
[DoS Attack: RST Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 04:16:44
[DoS Attack: ACK Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 04:16:44
[UPnP set event: add_nat_rule] from source 10.0.0.42 Friday, November 09,2012 04:11:56
[Internet connected] IP address: 68.184.169.99, Friday, November 09,2012 03:49:30
[LAN access from remote] from 90.56.166.186:8650 to 10.0.0.43:62994, Friday, November 09,2012 01:49:44
[Internet connected] IP address: 68.184.169.99, Thursday, November 08,2012 23:49:30
[DoS Attack: RST Scan] from source: 24.187.238.243, port 59518, Thursday, November 08,2012 23:37:33
[LAN access from remote] from 78.240.59.177:51413 to 10.0.0.43:62994, Thursday, November 08,2012 20:54:29
[LAN access from remote] from 79.205.98.103:6881 to 10.0.0.43:62994, Thursday, November 08,2012 20:38:09
[LAN access from remote] from 184.97.200.212:38466 to 10.0.0.43:62994, Thursday, November 08,2012 20:38:06
[LAN access from remote] from 211.97.167.122:11935 to 10.0.0.43:62994, Thursday, November 08,2012 20:38:06
[LAN access from remote] from 66.61.81.175:43383 to 10.0.0.43:62994, Thursday, November 08,2012 20:38:02
[LAN access from remote] from 80.26.82.251:6881 to 10.0.0.43:62994, Thursday, November 08,2012 20:37:59
[LAN access from remote] from 187.14.40.224:23353 to 10.0.0.43:62994, Thursday, November 08,2012 20:37:50
[LAN access from remote] from 111.74.31.222:54695 to 10.0.0.43:62994, Thursday, November 08,2012 20:37:49
[LAN access from remote] from 122.151.177.12:11961 to 10.0.0.43:62994, Thursday, November 08,2012 20:37:41
[LAN access from remote] from 188.25.151.213:46135 to 10.0.0.43:62994, Thursday, November 08,2012 20:37:40
[LAN access from remote] from 189.12.44.81:32743 to 10.0.0.43:62994, Thursday, November 08,2012 20:37:38
[LAN access from remote] from 180.194.144.76:6809 to 10.0.0.43:62994, Thursday, November 08,2012 20:37:30
[LAN access from remote] from 60.29.24.20:22537 to 10.0.0.43:62994, Thursday, November 08,2012 20:37:20
[LAN access from remote] from 217.78.224.9:11967 to 10.0.0.43:62994, Thursday, November 08,2012 20:37:18
[LAN access from remote] from 187.146.105.11:23684 to 10.0.0.43:62994, Thursday, November 08,2012 20:37:08
[LAN access from remote] from 41.182.37.189:56665 to 10.0.0.43:62994, Thursday, November 08,2012 20:36:59
[LAN access from remote] from 186.212.228.25:24165 to 10.0.0.43:62994, Thursday, November 08,2012 20:36:49
[LAN access from remote] from 123.238.232.254:30002 to 10.0.0.43:62994, Thursday, November 08,2012 20:36:45
[LAN access from remote] from 201.13.49.132:59696 to 10.0.0.43:62994, Thursday, November 08,2012 20:36:44
[LAN access from remote] from 120.61.163.177:10028 to 10.0.0.43:62994, Thursday, November 08,2012 20:36:30
[LAN access from remote] from 68.98.17.13:26071 to 10.0.0.43:62994, Thursday, November 08,2012 20:36:25
[LAN access from remote] from 77.109.244.131:55475 to 10.0.0.43:62994, Thursday, November 08,2012 20:36:25
[LAN access from remote] from 86.62.94.210:57858 to 10.0.0.43:62994, Thursday, November 08,2012 20:36:07
[LAN access from remote] from 77.44.188.245:55251 to 10.0.0.43:62994, Thursday, November 08,2012 20:35:35
[LAN access from remote] from 189.144.197.209:22780 to 10.0.0.43:62994, Thursday, November 08,2012 20:35:31
Message 1 of 6
Joe_
Luminary

Re: 1000v2-Log explanation please

1. The correct forum for the WNR1000v2 is the one labeled RangeMax Routers. It wasn't set up too intuitively for older models.

2. Whenever you do a firmware update, it is always recommended that you reset the router via the pinhole. After that, re-enter all your settings.

3. Get the manuals for your router and read up to learn about your equipment. Click on Downloads at the top of this page and enter your router's model number and you will see the manuals that are available for your router.

4. One of the manuals should be able to tell you how to find out your firmware's version number. Otherwise, with a little snooping around in your router's admin functions you should find it. (Just don't make any changes unless you know what they are for).

5. It would be a bit much to explain everything on the log, however I would say the following:
a. Those entries with: WLAN access rejected: incorrect security; DoS Attack: RST Scan; DoS Attack: ACK Scan; LAN access from remote ...are among the disturbing ones. Mind you, some of the other log entries may be connected in some way to form a pattern. You could search the Internet with these terms to learn more.

b. I see IP addresses from different subnets, e.g. 10.0.0.42 and 68.184.169.99. Do you know which subnet your network is using? The reason is if it's 10.0.0.xx then your router is plugged up behind another device that uses the default subnet of 192.168.1.xx. Exactly how your router is hooked up could be significant in determining what your issue is. From Start on your PC type command prompt, hit Enter, then type ipconfig/all and hit Enter again. You should see what IP addresses you have. Exit the Command Prompt when you are done.

c. How, in the first place, did you get or intercept an email of the log since (even though it is purportedly from your router) he sent it to himself? Can you confirm all these MAC addresses on the log are yours? Did you look at the logs in your router to see if you could confirm that something is amiss?


The best advice would be to read up the manuals and learn about your router. After, you should reset your router and start afresh. Choose a different SSID and passphrase. Ensure you change the Admin Password so no one can hijack your network.

If you still aren't able to grasp what needs to be done to secure your network, then you will have to enlist the help of someone who can help you.
Message 2 of 6
GoGuard
Luminary

Re: 1000v2-Log explanation please

I found my firmware version: Firmware Version V1.0.0.12NA and I have the download page open on another tab and will figure out which one I need and download.

I did notice one of those IP addresses that is recurring is my security suite domain so that makes me feel better.

What I don't understand is when you say my router looks like it's behind something. I don't know how to check that but I did check my wiring. I have the cable wire into the modem and a Ethernet (?) cable going from the modem to the router and then another cable connecting the router to the back of the computer and everything else is wireless.

And I just changed to this router a week or so ago but when I do the ipconfig I see several references to my older Belkin router but they say "media disconnected" and I see references to "tunnels" connected to the old Belkin. Is there a way I can get rid of any references to the Belkin?

And what I meant by him emailing a log, is he just got on my computer and copied the log and pasted it into an email and emailed it to himself, so it wasn't anything automatic or done from elsewhere.

I do want to understand why he says his computer is showing my computer is connect"ING" to his and he feels like his network has been compromised. So hopefully I can learn a lot about this quickly. Don't know if we just don't know what we are looking at or if someone is really messing with us, but I wouldn't have the first clue how to do that, nor would I want to.

I do have some experience in IT, just kind of a jack of all trades, master of none, meaning I think I know more than many average users out there but in a lot of areas, even after sitting a week in the network certification classes (never taking the test tho) among others, I just have a general understanding how things work, but couldn't do them myself at all.

Thank you for your reply and guidance(!) and I do want to understand this about my router behind something so I'm wanting to get that straight first.
Message 3 of 6
Joe_
Luminary

Re: 1000v2-Log explanation please

The log you posted (if, according to you it is from your router,) shows, for example, an IP address of 10.0.0.43 among others. Netgear routers normally use a network with IP addresses 192.168.1.xx. If the modem you are hooking up the router to is using the 192.168.1.xx range, it changes the router's own to use 10.0.0.xx to avoid conflicts. This isn't too much of an issue to be concerned about, but sometimes it's indicative that a user may have set up his router incorrectly by connecting it to a combination modem/router without putting the latter into "bridged" mode. Putting a unit into bridged mode means disabling the router functions so that it only acts as a modem.

If you are uncertain about whether your "modem" is in fact a "combination modem/router", you could look up the manual or other associated documentation. For some of this, you may have to search on the Internet. If it is a combo unit, then look up the instructions on how to put it into bridged mode. As I said before, this may not be something to be too concerned about since you "seemed" to not have any problems connecting to the internet, etc. (At least, you didn't mention any such issues in your posts.)

What I would be more concerned about in the log are all those entries that say "LAN access from remote". These entries mean that someone has been accessing your network from a remote location. For example:
[LAN access from remote] from 180.194.144.76:6809 to 10.0.0.43:62994, Thursday, November 08,2012 20:37:30
means...
Someone from 180.194.144.76:6809 was accessing IP address 10.0.0.43:62994 on so and so date at so and so time.
The numbers after the colon [:] are the port numbers that were used.
Therefore, is IP address 10.0.0.43 one that is assigned to a device on your network?


Now, some people do access their network from a remote location when doing so serves some useful function. BUT, if you are sure it isn't you and you have never done that, then I would say you have a problem. Those "remote access" entries, in conjunction with the other type of entries which I mentioned in my previous post hint at something suspicious.

The reason why I said:
Can you confirm all these MAC addresses on the log are yours?

... is only MAC addresses that belong to devices that are yours, should be shown on the log as connecting successfully. All other MACs that you don't know should be rejected (as shown in the first 2 entries in the log).

Now, did you really read what I said in my previous post?
The best advice would be to read up the manuals and learn about your router. After, you should reset your router and start afresh. Choose a different SSID and passphrase. Ensure you change the Admin Password so no one can hijack your network.

If you still aren't able to grasp what needs to be done to secure your network, then you will have to enlist the help of someone who can help you.

'Nuff said.
Message 4 of 6
jmizoguchi
Virtuoso

Re: 1000v2-Log explanation please

[DoS Attack: RST Scan] from source: 65.200.212.212, port 80, Friday, November 09,2012 17:09:25


This log means the source IP 65.x has tried to use port 80 and has been "Denied" access.

[LAN access from remote] from 184.97.200.212:38466 to 10.0.0.43:62994, Thursday, November 08,2012 20:38:06


Usually these types of logs mean that something, including malware or any application that you may run and/or run in the background, has been accessing your network.

First, find the device with IP 10.0.0.43; you want to put a software firewall on this PC, if it is a computer, then watch more logs and find out which application may be associated.


[UPnP set event: add_nat_rule] from source 10.0.0.42 Friday, November 09,2012 04:11:56


This log shows the device at IP 10.0.0.42 requested ports via an application communicating over the UPnP protocol, which many applications nowadays do to request that the router open a port when needed. UPnP also has a timeout value in the router settings.

[WLAN access rejected: incorrect security] from MAC address 5c:0a:5b:98:98:0b, Friday, November 09,2012 05:18:05


You will probably see this with any wifi devices around you that try to access intentionally, or when someone just happens to try by mistake, etc.

As long as you have a WPA2 encryption key you should be "okay", since WPA2 is the most secure at this time and takes week(s) to hack.

If you are getting these logs then you may want to hide the SSID if "all" your wifi devices can connect that way. Hiding the SSID can be useful for normal users, but others who are more advanced still can; the key is WPA2.
June Mizoguchi-
Message 5 of 6
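Added example, not part of any post in this thread: a small Python parser for the router log format discussed in the replies above. It maps internal IPs to MACs from the DHCP lines, groups "LAN access from remote" entries by the internal IP and port they reached, and counts UPnP requests, rejected Wi-Fi MACs and scan sources. The sample lines are copied from the log in the first post; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Lines copied from the log in the first post (newest first, as the router lists them).
SAMPLE = """\
[WLAN access rejected: incorrect security] from MAC address 00:23:4e:35:cc:c6, Friday, November 09,2012 19:18:18
[WLAN access rejected: incorrect security] from MAC address 00:17:c4:fd:34:b4, Friday, November 09,2012 19:10:31
[DHCP IP: 10.0.0.43] to MAC address 00:23:4e:35:cc:c6, Friday, November 09,2012 19:10:30
[admin login] from source 10.0.0.42, Friday, November 09,2012 19:07:58
[DoS Attack: RST Scan] from source: 65.200.212.211, port 80, Friday, November 09,2012 18:55:32
[UPnP set event: add_nat_rule] from source 10.0.0.42 Friday, November 09,2012 18:45:24
[DHCP IP: 10.0.0.42] to MAC address c8:0a:a9:44:b6:25, Friday, November 09,2012 18:40:59
[LAN access from remote] from 90.56.166.186:8650 to 10.0.0.43:62994, Friday, November 09,2012 01:49:44
[LAN access from remote] from 78.240.59.177:51413 to 10.0.0.43:62994, Thursday, November 08,2012 20:54:29
[LAN access from remote] from 79.205.98.103:6881 to 10.0.0.43:62994, Thursday, November 08,2012 20:38:09
"""

# Shape: [event] detail, Weekday, Month DD,YYYY HH:MM:SS (comma before the weekday is optional)
LINE = re.compile(r"^\[(?P<event>[^\]]+)\]\s*(?P<detail>.*?),?\s*"
                  r"(?P<ts>\w+day, \w+ \d{2},\d{4} \d{2}:\d{2}:\d{2})$")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"

def parse(text):
    """Return one dict per recognisable log line; other lines are skipped."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%A, %B %d,%Y %H:%M:%S")
            out.append({"event": m["event"], "detail": m["detail"], "time": ts})
    return out

def summarize(events):
    """Group the entries by the questions asked in the thread."""
    leases, inbound = {}, defaultdict(set)   # IP -> MAC; (IP, port) -> remote IPs
    upnp, rejected, scans = Counter(), Counter(), Counter()
    for e in events:
        ev, d = e["event"], e["detail"]
        if ev.startswith("DHCP IP:"):
            leases[ev.split(": ")[1]] = re.search(MAC, d).group(1)
        elif ev == "LAN access from remote":
            src, dst, port = re.search(rf"from {IP}:\d+ to {IP}:(\d+)", d).groups()
            inbound[(dst, int(port))].add(src)
        elif ev.startswith("UPnP set event:"):
            upnp[(re.search(IP, d).group(1), ev.split(": ")[1])] += 1
        elif ev.startswith("WLAN access rejected"):
            rejected[re.search(MAC, d).group(1)] += 1
        elif ev.startswith("DoS Attack"):
            scans[re.search(IP, d).group(1)] += 1
    return {"leases": leases, "inbound": dict(inbound), "upnp": dict(upnp),
            "rejected": dict(rejected), "scans": dict(scans)}

def inbound_report(summary):
    """(internal IP, port, leased MAC or 'unknown', distinct remote IPs) per target."""
    return [(ip, port, summary["leases"].get(ip, "unknown"), len(srcs))
            for (ip, port), srcs in sorted(summary["inbound"].items())]
```

Running `inbound_report(summarize(parse(SAMPLE)))` names the MAC that holds the lease for each internal address reached from outside, which is the device to identify before deciding whether the traffic is expected.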
GoGuard
Luminary

Re: 1000v2-Log explanation please

Thank you both! Haven't had much online access and just now reading your replies and do have my manual downloaded to my computer now. Will do some intense studying over next couple of days and then will come back and hopefully understand every reply better!
Message 6 of 6