Re: Double admin login entries in router log

MagikEraser
Aspirant

Double admin login entries in router log

I have a R6400V2 Router, updated it to V1.0.2.66_10.0.48. I fixed issues with "LAN access from remote" after I enabled a wireless camera. I have since disabled UPnP, changed passwords, rebooted and generally tightened up the router for access. I now dump the logs to my PC and review.

My problem is: When I log in, I see a double entry for Admin. The only reference I found in the community was about two years ago referring the user to update the firmware. I believe this is the most current version and do not see any current entries in the user community regarding this issue. This may have been happening prior to the firmware update, but I am now taking a serious look at the logs.

Immediately after a reboot...

[Admin login] from source 192.168.1.2, Sunday, Jan 27,2019 16:00:08
[Admin login] from source 192.168.1.2, Sunday, Jan 27,2019 15:59:00
[Time synchronized with NTP server] Sunday, Jan 27,2019 15:57:54
[Internet connected] IP address: (my provider IP), Sunday, Jan 27,2019 15:57:54
[Internet disconnected] Sunday, Jan 27,2019 15:57:53

Has this router been hacked? Help!!

V/R
Bill
Message 1 of 15
DarrenM
NETGEAR Moderator

Re: Double admin login entries in router log

If you look under your attached devices what device is given the ip address of 192.168.1.2?

 

DarrenM

Message 2 of 15
MagikEraser
Aspirant

Re: Double admin login entries in router log

Looking at the access control list, advanced tab, (access control is on, and block all new devices from connecting is selected) 192.168.1.2 is one of two wireless cameras.  The second wireless camera is 192.168.1.5

 

When I look in the Basic Tab, attached devices, it shows the same.  However last week I printed out  the connected devices and there was no .2 IP address... 

Is it usual for the wireless devices to change IPs?  If so, should I set them at a static address?

 

The reason for the 'sudden' concern was I happened to check the log and noticed (in addition to DOS and attempts) buried in the list was LAN access from remote with two different addresses each time the router was rebooted.  When I checked the IPs, one was Russian and the other was Chinese, with 23172 and 24177 port #s.  Panic mode...

I don't have any state secrets on my PC but I do occasional work in addition to my personal and financial info.

 

V/R

Bill

 

Message 3 of 15
DarrenM
NETGEAR Moderator

Re: Double admin login entries in router log

I think it is just a false issue that is being caused by your cameras. And yes, if devices go offline and something else comes online, they can change IP address unless you reserve that IP address for a certain device.

 

DarrenM

Message 4 of 15
MagikEraser
Aspirant

Re: Double admin login entries in router log

Unsure why this is a 'false' event?  In any event, I disabled (blocked) cameras, rebooted PC, rebooted router (same time) and waited...  I got one login, great!  While I was looking at the logs, my login timed out (seemed rather quickly). I logged back in and the second login appears again even with cameras blocked.  Does anyone have an idea, before I start looking for another router?

 

Another irritating NETGEAR problem is on reboot it fails to send the log file to my email and flushes the previous log file entries.  All I end up with is below! Is this normal operation for NETGEAR?

 

V/R

Bill

 

 

[Admin login] from source 192.168.1.6, Thursday, Jan 31,2019 12:52:49
[Admin login] from source 192.168.1.6, Thursday, Jan 31,2019 12:52:22
[Admin login] from source 192.168.1.6, Thursday, Jan 31,2019 12:44:20
[DHCP IP: (192.168.1.7)] to MAC address 60:F1:89:6E:15Smiley Very Happy1, Thursday, Jan 31,2019 12:35:04
[DHCP IP: (192.168.1.6)] to MAC address 00:27:0E:09:8D:EB, Thursday, Jan 31,2019 12:34:30
[Time synchronized with NTP server] Thursday, Jan 31,2019 12:33:17
[Internet connected] IP address: (Provider IP), Thursday, Jan 31,2019 12:33:17
[Internet disconnected] Thursday, Jan 31,2019 12:33:16
[DHCP IP: (192.168.1.5)] to MAC address 9C:B6:54:57Smiley Very HappyA:73, Thursday, Jan 31,2019 12:33:14
[DHCP IP: (192.168.1.4)] to MAC address A4:4C:C8:76:BE:9A, Thursday, Jan 31,2019 12:33:12
[DHCP IP: (192.168.1.3)] to MAC address 08:EA:40:C6:76:50, Thursday, Jan 31,2019 12:33:10
[DHCP IP: (192.168.1.2)] to MAC address 08:EA:40:BC:16:AF, Thursday, Jan 31,2019 12:33:10
[OPENVPN] NTP sync time failed. Get correct system time then reconnect. Thursday, Jan 31,2019 12:33:09
[Initialized, firmware version: V1.0.2.66_10.0.48] Thursday, Jan 31,2019 12:33:08

Message 5 of 15
MagikEraser
Aspirant

Re: Double admin login entries in router log

For some reason a couple characters turned into smiley faces.. sigh...

[Admin login] from source 192.168.1.6, Thursday, Jan 31,2019 12:52:49
[Admin login] from source 192.168.1.6, Thursday, Jan 31,2019 12:52:22
[Admin login] from source 192.168.1.6, Thursday, Jan 31,2019 12:44:20
[DHCP IP: (192.168.1.7)] to MAC address 60:F1:89:6E:15:D1, Thursday, Jan 31,2019 12:35:04
[DHCP IP: (192.168.1.6)] to MAC address 00:27:0E:09:8D:EB, Thursday, Jan 31,2019 12:34:30
[Time synchronized with NTP server] Thursday, Jan 31,2019 12:33:17
[Internet connected] IP address: (Provider IP), Thursday, Jan 31,2019 12:33:17
[Internet disconnected] Thursday, Jan 31,2019 12:33:16
[DHCP IP: (192.168.1.5)] to MAC address 9C:B6:54:57:DA:73, Thursday, Jan 31,2019 12:33:14
[DHCP IP: (192.168.1.4)] to MAC address A4:4C:C8:76:BE:9A, Thursday, Jan 31,2019 12:33:12
[DHCP IP: (192.168.1.3)] to MAC address 08:EA:40:C6:76:50, Thursday, Jan 31,2019 12:33:10
[DHCP IP: (192.168.1.2)] to MAC address 08:EA:40:BC:16:AF, Thursday, Jan 31,2019 12:33:10
[OPENVPN] NTP sync time failed. Get correct system time then reconnect. Thursday, Jan 31,2019 12:33:09
[Initialized, firmware version: V1.0.2.66_10.0.48] Thursday, Jan 31,2019 12:33:08

 

Message 6 of 15
MagikEraser
Aspirant

Re: Double admin login entries in router log

Why does the logfile get cleared on reboot?

 

I changed passwords again and now get Admin login plus a failed login?  Does anyone have any idea what is going on?

 

[Admin login] from source 192.168.1.6, Monday, Feb 04,2019 10:03:56

[Admin login failure] from source 192.168.1.6, Monday, Feb 04,2019 10:03:37

 

V/R

Bill

Message 7 of 15
IrvSp
Master

Re: Double admin login entries in router log


@MagikEraser wrote:

Why does the logfile get cleared on reboot?

 

I changed passwords again and now get Admin login plus a failed login?  Does anyone have any idea what is going on?

 

[Admin login] from source 192.168.1.6, Monday, Feb 04,2019 10:03:56

[Admin login failure] from source 192.168.1.6, Monday, Feb 04,2019 10:03:37

 

V/R

Bill


Because a REBOOT clears NVRAM area that holds the temporary storage.

 

I suspect the first (by timestamp) login is from whatever is on 192.168.1.6 using the OLD P/W, and then the real one. Task Manager might show something running, or even in the STARTUP tab. Wondering if you have the NETGEAR GENIE app on Windows running?

Message 8 of 15
MagikEraser
Aspirant

Re: Double admin login entries in router log

I waited awhile and logged back in and the double login is back...

 

[Admin login] from source 192.168.1.6, Monday, Feb 04,2019 11:24:47
[Admin login] from source 192.168.1.6, Monday, Feb 04,2019 11:24:30

 

HELP...

Message 9 of 15
MagikEraser
Aspirant

Re: Double admin login entries in router log

Thank you for the clarification on log file clearing; I kind of figured something like that.  I have the log emailed every two weeks, but before I manually reboot I will email the log.

 

The double login is back as mentioned previously.

I had a couple web pages open, and was checking entries in the control panel for 'unusual' entries.  Newest are IP Camera 3.1 (for IP cameras I just installed), PIE Free (drawing/picture editing), No-IP DUC (dynamic DNS service), and AL open (audio support, but I don't recall adding any games...)

 

 

 

Message 10 of 15
MagikEraser
Aspirant

Re: Double admin login entries in router log

No NETGEAR Genie running

Message 11 of 15
IrvSp
Master

Re: Double admin login entries in router log

How is 192.168.1.6 connected? Wireless? USB AC Adapter? Running on W10 Pro?

 

Just curious. I get a lot of entries like these for IP address requests, such as this group of sequential log entries:

 

[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Sunday, Feb 03,2019 20:17:46
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Sunday, Feb 03,2019 20:17:36
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Sunday, Feb 03,2019 20:15:48
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Sunday, Feb 03,2019 20:14:27
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Sunday, Feb 03,2019 20:14:04
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Sunday, Feb 03,2019 20:13:52
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Sunday, Feb 03,2019 20:13:37
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Sunday, Feb 03,2019 20:13:26
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Sunday, Feb 03,2019 20:12:37
[DHCP IP: (192.168.1.45)] to MAC address 24:05:0F:F6:D3:44, Sunday, Feb 03,2019 20:11:24

These are all a USB Wireless AC adapter coming back from Sleep on a W10 Pro PC. The same adapter moved to a W10 HOME PC would only give one entry when coming out of sleep.

 

Wondering if this is the same? I never use that PC to go to the router though?

Message 12 of 15
IrvSp
Master

Re: Double admin login entries in router log

@MagikEraser,

 

I can CONFIRM this is a W10 PRO problem. See below, 2 PCs logged into ADMIN. 192.168.1.45 is the W10 PRO PC, 192.168.1.50 is the W10 HOME PC.

 

[Admin login] from source 192.168.1.50, Monday, Feb 04,2019 16:49:19
[Admin login] from source 192.168.1.45, Monday, Feb 04,2019 16:48:17
[Admin login] from source 192.168.1.45, Monday, Feb 04,2019 16:47:52

 

Look familiar?

Message 13 of 15
MagikEraser
Aspirant

Re: Double admin login entries in router log

Looks familiar, except... I only have one PC logged in.  My PC is hardwired (ethernet cable directly to the router).  The other devices are two IP cameras (which I disabled) one laptop (powered on but not logged in), and a cell phone.

V/R
Bill

Message 14 of 15
IrvSp
Master

Re: Double admin login entries in router log

Is the PC a W10 Pro version? I can't run that desktop wired, but 2 USB devices on it seem to do it, but not when on a W10 Home PC?

Message 15 of 15
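
For anyone reviewing dumped logs as in this thread, the following is an added example (not posted by any participant, and not NETGEAR code) that parses the log format shown above, flags back-to-back admin events from one source, and resolves each source IP to the MAC that held its DHCP lease at that moment. The 90-second window and all function names are assumptions.

```python
import re
from datetime import datetime

# Lines copied from the posts above, stitched into one sample (newest first).
SAMPLE = """\
[Admin login] from source 192.168.1.6, Monday, Feb 04,2019 10:03:56
[Admin login failure] from source 192.168.1.6, Monday, Feb 04,2019 10:03:37
[Admin login] from source 192.168.1.6, Thursday, Jan 31,2019 12:52:49
[Admin login] from source 192.168.1.6, Thursday, Jan 31,2019 12:52:22
[Admin login] from source 192.168.1.6, Thursday, Jan 31,2019 12:44:20
[DHCP IP: (192.168.1.6)] to MAC address 00:27:0E:09:8D:EB, Thursday, Jan 31,2019 12:34:30
[DHCP IP: (192.168.1.2)] to MAC address 08:EA:40:BC:16:AF, Thursday, Jan 31,2019 12:33:10
[Admin login] from source 192.168.1.2, Sunday, Jan 27,2019 16:00:08
[Admin login] from source 192.168.1.2, Sunday, Jan 27,2019 15:59:00
"""

TS = r"(\w+, \w{3} \d{2},\d{4} \d{2}:\d{2}:\d{2})$"
ADMIN = re.compile(r"^\[Admin login( failure)?\] from source ([\d.]+), " + TS)
DHCP = re.compile(r"^\[DHCP IP: \(([\d.]+)\)\] to MAC address ([0-9A-F:]{17}), " + TS)
FMT = "%A, %b %d,%Y %H:%M:%S"  # timestamp layout used in the router log

def parse(text):
    """Return (admin events, DHCP leases), each sorted oldest first."""
    events, leases = [], []
    for line in map(str.strip, text.splitlines()):
        if m := ADMIN.match(line):
            events.append((datetime.strptime(m[3], FMT), m[2], "fail" if m[1] else "ok"))
        elif m := DHCP.match(line):
            leases.append((datetime.strptime(m[3], FMT), m[1], m[2]))
    return sorted(events), sorted(leases)

def mac_at(leases, ip, ts):
    """MAC holding `ip` at time `ts`, or None if the log has no earlier lease."""
    held = [mac for t, lip, mac in leases if lip == ip and t <= ts]
    return held[-1] if held else None

def paired_admin_events(text, window=90):
    """Flag back-to-back admin events from one source within `window` seconds."""
    events, leases = parse(text)
    last, findings = {}, []
    for ts, ip, status in events:
        prev = last.get(ip)
        if prev and (gap := int((ts - prev[0]).total_seconds())) <= window:
            findings.append((ip, mac_at(leases, ip, ts), f"{prev[1]}->{status}", gap))
        last[ip] = (ts, status)
    return findings

if __name__ == "__main__":
    for ip, mac, kind, gap in paired_admin_events(SAMPLE):
        print(f"{ip} ({mac or 'no lease in log'}): {kind}, {gap}s apart")
```

A result with no MAC means the log holds no lease for that address before the login, which is what happens once a reboot has cleared the earlier entries; emailing the log before rebooting keeps that attribution available.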