
Home network security issues

Ggogo2368
Aspirant

Home network security issues

Need help with a lot of issues on my home network. Using the Orbi RBR50 with one satellite and the Orbi outdoor extender. I have contacted Gearhead support numerous times without resolution (do not believe they understand what it is I’m trying to explain is happening - I’m not a techie person); however, I believe my home network is compromised or being controlled by someone inside my network through a computer on the network. Not sure of the correct terms so I apologize if this is worded incorrectly, but 4 other computers are unable to connect to any websites without getting certificate errors, unable to do any updates saying we do not have permission or authorization, and based on the router logs, when any of these devices connect to the Wi-Fi, it immediately shows site allowed status.rapidssl.com followed by a bunch of ocsp.xxxx.com websites. I realize these are for certificates, but I have not purchased or authorized any wildcard subscription services. I was able to briefly access the suspected controller computer and run a shell command of Get-NetIPAddress and several IPv6 addresses appeared (and I have IPv6 off at the router) and a ::1 address showed, which I assume is a localhost. I did some digging and found that my iPhone is the ::1 localhost. How can this be shut down so I can reclaim control of my router, network, and the devices connected to it? Lastly, this address showed up today in the log as being accessed from that device. Does anyone know what it means? [site allowed: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16,

Sorry for the lengthy message but this is very frustrating and I’m at my wits end here!
Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 41
Jetdrive
Luminary

Re: Home network security issues

If you really believe all your computers are infected and being controlled, you should shut all of them down and disconnect them from the network. Then take one of them and wipe the hard drive and re-install your operating system (Windows or Mac). If that computer now behaves normally then you know that it was some sort of malware or virus. If the computer still has problems as you described, it is not compromised.


Message 2 of 41
FURRYe38
Guru

Re: Home network security issues

What Firmware is currently loaded?
What is the Mfr and model# of the ISP modem the NG router is connected to?


What browser are you using? Does this happen with other browsers like IE11, Firefox or Opera?


Is Remote Management enabled on the RBR? I would disable this if it's enabled and you don't need any remote access. 


Be sure you have set up a new PW for the RBR's login page. Don't give it out to anyone.

Be sure you have set up a custom SSID name and PW for the wifi.



@Ggogo2368 wrote:
Need help with a lot of issues on my home network. Using the Orbi RBR50 with one satellite and the Orbi outdoor extender. I have contacted Gearhead support numerous times without resolution (do not believe they understand what it is I’m trying to explain is happening - I’m not a techie person); however, I believe my home network is compromised or being controlled by someone inside my network through a computer on the network. Not sure of the correct terms so I apologize if this is worded incorrectly, but 4 other computers are unable to connect to any websites without getting certificate errors, unable to do any updates saying we do not have permission or authorization, and based on the router logs, when any of these devices connect to the Wi-Fi, it immediately shows site allowed status.rapidssl.com followed by a bunch of ocsp.xxxx.com websites. I realize these are for certificates, but I have not purchased or authorized any wildcard subscription services. I was able to briefly access the suspected controller computer and run a shell command of Get-NetIPAddress and several IPv6 addresses appeared (and I have IPv6 off at the router) and a ::1 address showed, which I assume is a localhost. I did some digging and found that my iPhone is the ::1 localhost. How can this be shut down so I can reclaim control of my router, network, and the devices connected to it? Lastly, this address showed up today in the log as being accessed from that device. Does anyone know what it means? [site allowed: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16,

Sorry for the lengthy message but this is very frustrating and I’m at my wits end here!


Message 3 of 41
Jetdrive
Luminary

Re: Home network security issues

Once a computer is compromised and payload delivered, there is no sure way to remove all traces of the infection other than a total reformat and re-install. You can try downloading and installing anti-malware programs like Malwarebytes, but there is no sure way to know if everything was removed. 


Message 4 of 41
FURRYe38
Guru

Re: Home network security issues

This would be a last resort kind of thing, even if the PCs are infected. Need to scan for infections first. Most of the time, Malwarebytes can fully remove most infections. It works pretty well.

Message 5 of 41
Jetdrive
Luminary

Re: Home network security issues

He has already sought the services of a professional service and yes Malwarebytes is pretty good but doesn't guarantee all malware is removed. Like I said the only sure way is a reformat and re-install. Yes, anti-malware programs may get him going again but was that key logger released yesterday removed or is it just waiting for him to log into his bank and steal his credentials? Yes you can take shortcuts, but at your own risk.


Message 6 of 41
FURRYe38
Guru

Re: Home network security issues

Let's see if he's got a problem first. I presume this may be a browser or cookie issue. Let's see what they return with before taking drastic measures. Will be up to them as well.

Message 7 of 41
Ggogo2368
Aspirant

Re: Home network security issues

Using an Arris SB8200 - not one provided by the ISP.

I’ve tried Chrome, Edge, and IE11. Do not use Firefox, Mozilla or Opera.

Remote mgmt is not enabled and the login password for the admin page of the router has been changed numerous times. Guest network and home network have custom IDs and separate passwords. As much as I’d love to boot the suspected device off of the network and not allow it to reconnect - that isn’t an option at this point and I need to confirm 100% that my suspicions are in fact true before I take further action in that regard.

As to Jetdrive’s recommendation about shutting down everything and disconnecting them and wiping the hard drive, that was done to some extent on one of the devices; however it returned to its prior state after reconnecting. Another thing I’d like to mention is that I recently connected my iMac, which hadn’t been on the network in this house yet. It started behaving just as the other PCs do the minute I opened Safari. I immediately disconnected this device from the network and unplugged it without ever opening a webpage. Just opening the Safari browser triggered the router log trail of site allowed: status.rapidssl.com....followed by all the other ocsp ones I mentioned earlier.

And since sending my earlier message today, I’ve been gone from the house - no one is there, yet I’m getting this notification:

[site blocked: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45
Message 8 of 41
Ggogo2368
Aspirant

Re: Home network security issues

Malwarebytes is installed but certainly isn’t doing its job. I have BitDefender installed as well but the exceptions keep getting changed, namely regarding certain certificates.
Message 9 of 41
Jetdrive
Luminary

Re: Home network security issues

You would think that the professional service that he paid for to help him with this issue would have done the troubleshooting with him already. I'm just saying taking the easy way out is not always the best way to go. He has several computers that all exhibit the same issues so it's hard to believe they all developed the same cookie issue at the same time and with different browsers. 


I'll drop out of this discussion now.


Message 10 of 41
Ggogo2368
Aspirant

Re: Home network security issues

I hope Jetdrive didn’t give up on this. I’m hopeful someone in this community can offer some insight and helpful solutions as the Arlo Gearhead Support (NETGEAR support) had no idea about what I was trying to explain to them. I tried to tell them I thought it was either an administrator-controlled issue with unauthorized certificates, or something fishy going on where all the PCs have the same certificates from the same issuing authorities yet they are not all Windows 10 OS systems. Also, the system restore points on all of these devices were removed back to the same date, yet I am certain there were restore points in them prior to the dates now showing.
Message 11 of 41
CrimpOn
Guru

Re: Home network security issues


@Ggogo2368 wrote:
 based on the router logs, when any of these devices connect to the Wi-Fi; it immediately shows site allowed status.rapidssl.com followed by a bunch of ocsp.xxxx.com websites.

Which router log shows these messages? I thought that I had my Orbi logging "everything", but I do not see messages about sites being allowed.

Message 12 of 41
CrimpOn
Guru

Re: Home network security issues


@Ggogo2368 wrote:
several ipv6 addresses appeared (which I have ipv6 off at the router)

My impression may be incorrect, however I believe that Orbi support for IPv6 has no effect on other devices inside the LAN, i.e. if a device in the LAN is set up to support IPv6, it will merrily blast away with IPv6 packets, especially broadcast packets. When I put Wireshark in promiscuous mode and capture only IPv6 packets, there are devices on my network generating packets. I believe the default for a lot of devices is to support both IPv4 and IPv6 (it certainly is for Windows).

Message 13 of 41
Ggogo2368
Aspirant

Re: Home network security issues

It is the logs from the Orbi.
Message 14 of 41
CrimpOn
Guru

Re: Home network security issues


@Ggogo2368 wrote:
It is the logs from the Orbi.

Well, damn. I have collected the entire Orbi log starting last March, and I have collected no records like these. I thought that my log was set to record everything possible. What must be set to get these items in the log? Here's what my log setup looks like now:

[Screenshot: LogSetup.PNG]

Message 15 of 41
CrimpOn
Guru

Re: Home network security issues

OK. I have it now. When the advanced feature "Block Sites" is enabled, URLs get recorded in the Orbi log. I had not used that feature because I didn't want a log full of every URL every computer on my network went to.


So, how about putting "status.rapidssl.com" in the site block list?

(and see which computer complains)

Message 16 of 41
Ggogo2368
Aspirant

Re: Home network security issues

status.rapidssl.com is on that list now. It seems there is always another wildcard ssl company in the wings waiting, or the name of the site changes slightly as was the case here, status.rapidssl changed to cdp.rapidssl, then crl.rapidssl before it started using a different site entirely.
I’m not a techie person at all - so trying to figure this whole thing out is a nightmare and very upsetting from my side.
Message 17 of 41
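As an added example (not code from this thread or from NETGEAR), here is a small Python script that parses Orbi "Block Sites" log lines in the format quoted above and, per source IP, separates the routine certificate-status lookups (the status./cdp./crl.rapidssl.com and ocsp.* hosts that browsers contact to check for revoked certificates) from every other host the device contacted. The sample log is constructed; the netgear-...2d7d host is copied from the thread and left unclassified because the thread does not establish what it is.

```python
import re
from collections import defaultdict

# Format of the Orbi "Block Sites" log lines quoted in this thread; the date
# is kept as free text because the router writes it in prose form.
LINE_RE = re.compile(
    r"^\[site (?P<action>allowed|blocked): (?P<host>[^\]]+)\]"
    r" from source (?P<src>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<when>.*)$"
)

# Hostname prefixes of certificate-revocation services that browsers contact
# routinely: OCSP responders and CRL distribution points (cdp., crl.). The
# "status." entry is a heuristic taken from status.rapidssl.com above.
CERT_STATUS_PREFIXES = ("ocsp.", "crl.", "cdp.", "status.")

# Constructed sample: lines 1 and 3 reproduce entries quoted in the thread;
# the rest use the same format with example.com hosts and a malformed line.
SAMPLE_LOG = """\
[site allowed: status.rapidssl.com] from source 192.168.1.16, Thursday, December 19, 2019 14:01:40
[site allowed: ocsp.example.com] from source 192.168.1.16, Thursday, December 19, 2019 14:01:41
[site blocked: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45
[site allowed: cdp.rapidssl.com] from source 192.168.1.20, Thursday, December 19, 2019 14:02:03
[site allowed: crl.rapidssl.com] from source 192.168.1.20, Thursday, December 19, 2019 14:02:04
[site allowed: www.example.com] from source 192.168.1.20, Thursday, December 19, 2019 14:02:10
not a log line at all
"""

def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def is_cert_status_host(host):
    return host.lower().startswith(CERT_STATUS_PREFIXES)

def summarize(entries):
    """Per source IP: count routine certificate-status lookups and blocked
    hits, and list the other hosts, which are the ones worth investigating."""
    summary = defaultdict(lambda: {"cert_status": 0, "blocked": 0, "other": []})
    for e in entries:
        row = summary[e["src"]]
        if e["action"] == "blocked":
            row["blocked"] += 1
        if is_cert_status_host(e["host"]):
            row["cert_status"] += 1
        elif e["host"] not in row["other"]:
            row["other"].append(e["host"])
    return dict(summary)
```

Run `summarize(parse_log(open("orbi.log").read()))` on an exported log to see, for each device, how much of its activity is ordinary revocation checking and which hosts remain to be explained.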
FURRYe38
Guru

Re: Home network security issues

Can you find out which device has this IP address?

192.168.1.16


If you disconnect the RBR from the ISP modem, does problem still happen? 


What happens if you completely disconnect ALL lan devices from the RBR and change the SSID name and PW on the RBR to something different? Save connecting just 1 wired PC to the RBR. 


Seems like if it returned to its prior state after connecting things back up, there is one device that seems to be causing this.



@Ggogo2368 wrote:
Using an Arris SB8200 - not one provided by the ISP.

I’ve tried Chrome, Edge, and IE11. Do not use Firefox, Mozilla or Opera.

Remote mgmt is not enabled and the login password for the admin page of the router has been changed numerous times. Guest network and home network have custom IDs and separate passwords. As much as I’d love to boot the suspected device off of the network and not allow it to reconnect - that isn’t an option at this point and I need to confirm 100% that my suspicions are in fact true before I take further action in that regard.

As to Jetdrive’s recommendation about shutting down everything and disconnecting them and wiping the hard drive, that was done to some extent on one of the devices; however it returned to its prior state after reconnecting. Another thing I’d like to mention is that I recently connected my iMac, which hadn’t been on the network in this house yet. It started behaving just as the other PCs do the minute I opened Safari. I immediately disconnected this device from the network and unplugged it without ever opening a webpage. Just opening the Safari browser triggered the router log trail of site allowed: status.rapidssl.com....followed by all the other ocsp ones I mentioned earlier.

And since sending my earlier message today, I’ve been gone from the house - no one is there, yet I’m getting this notification:

[site blocked: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45


Message 18 of 41
Ggogo2368
Aspirant

Re: Home network security issues

The device with 192.168.1.16 is the suspected device that has created the chaos on the network. The reason it says site blocked now is because I put the address it was accessing previously into the blocked site list in the Orbi under advanced settings. I can find no information anywhere as to what that site is though. That’s the frustrating part of this. Why would that device be accessing a NETGEAR site when there is only one admin user to its interface and that device is not one that ever accesses it - if that’s what the site is? I have reset the router many times, and the modem, rebooted the entire system - and nothing stops the activity I initially described. 😞
Message 19 of 41
FURRYe38
Guru

Re: Home network security issues

So what was this device? 


Message 20 of 41
SW_
Prodigy

Re: Home network security issues


@Ggogo2368 wrote:
The device with 192.168.1.16 is the suspected device that has created the chaos on the network.

This device could be the bot on your network, which controls/affects your GW/Orbi behavior. Do a hard reset, using a paper clip, and stick it in the back of both the SB8200 and the Orbi for a good 60 secs. Leave 192.168.1.16 offline, then power the SB8200/Orbi back on and start testing with a Mac client. Let us know if the problem persists. Trying to test with a known bad client (192.168.1.16) will always give the same expected bad result.

Message 21 of 41
CrimpOn
Guru

Re: Home network security issues

I see that people have asked, "what device IS this?", but do not see a response. No one is trying to pry. Depending on what it is, there are diagnostics to determine which process within the device is trying to connect. For example, on a Windows computer, the netstat command will show all active TCP and UDP connections by process. https://www.cyberciti.biz/faq/windows-server-display-current-tcp-connections/

There could be some piece of software that was installed by accident, and deleting that software could cause this problem to go away.

There are similar tools available on other platforms.

Message 22 of 41
CrimpOn
Guru

Re: Home network security issues

Actually, for Windows TCPView is even better. https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview 

It actually shows the name of the program which has opened the connection(s).

Message 23 of 41
Ggogo2368
Aspirant

Re: Home network security issues

Sorry for the slow response - been fighting the network cutting in and out all day long. The “device” I refer to that I believe has created the issues is a Windows 10 PC. I have done the paper clip reset that was mentioned and unfortunately it did not resolve the issue. Like I have said, I’m not a computer person at all. My background is research...which I have tried to do and understand to no avail. What I think (and it’s a stretch at best) is that someone on the “device” has created some type of admin privileges and is controlling the network, the attached devices and their traffic. I don’t know the terminology for it, but I do not believe the certificates are authentic; in other words they are wildcard certificates from this RapidSSL. There are many instances of devices being on a captive portal on my home network (mine and my daughter’s iPhone devices), which makes zero sense on my own home network? I’m baffled???
Message 24 of 41
Ggogo2368
Aspirant

Re: Home network security issues

I forgot to mention that I’ve contacted four system and computer management companies locally (I do work from home running two small businesses), and none of them are willing to assist since I’m not a multi-million-dollar company.
Message 25 of 41