Home network security issues
Home network security issues
Sorry for the lengthy message but this is very frustrating and I’m at my wits end here!
Re: Home network security issues
If you really believe all your computers are infected and being controlled, you should shut all of them down and disconnect them from the network. Then take one of them and wipe the hard drive and re-install your Operating System (Windows or Mac). If that computer now behaves normally then you know that it was some sort of malware or virus. If the computer still has problems as you described, it is not compromised.
Re: Home network security issues
What Firmware is currently loaded?
What is the Mfr and model# of the ISP modem the NG router is connected to?
What browser are you using? Does this happen with other browsers like IE11, Firefox or Opera?
Is Remote Management enabled on the RBR? I would disable this if it's enabled and you don't need any remote access.
Be sure you have setup a new PW for the RBRs log in page. Don't give it out to anyone.
Be sure you have setup a custom SSID name and PW for the wifi.
@Ggogo2368 wrote:
Need help with a lot of issues on my home network. Using the Orbi RBR50 with one satellite and the Orbi outdoor extender. I have contacted Gearhead support numerous times without resolution (do not believe they understand what it is I’m trying to explain is happening - I’m not a techie person); however, I believe my home network is compromised or being controlled by someone inside my network through a computer on the network. Not sure of the correct terms so I apologize if this is worded incorrectly, but 4 other computers are unable to connect to any websites without getting certificate errors, unable to do any updates saying we do not have permission or authorization, and based on the router logs, when any of these devices connect to the Wi-Fi; it immediately shows site allowed status.rapidssl.com followed by a bunch of ocsp.xxxx.com websites. I realize these are for certificates, but I have not purchased or authorized any wildcard subscription services. I was able to briefly access the suspected controller computer and run a shell command of Get-NetIPAddress and several ipv6 addresses appeared (which I have ipv6 off at the router) and a ::1 address showed, which I assume is a localhost. I did some digging and found that my iPhone is the ::1 localhost. How can this be shut down so I can reclaim control of my router, network, and the devices connected to it? Lastly, this address showed up today in the log as being accessed from that device. Does anyone know what it means? [site allowed: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16,
Sorry for the lengthy message but this is very frustrating and I’m at my wits end here!
Re: Home network security issues
Once a computer is compromised and payload delivered, there is no sure way to remove all traces of the infection other than a total reformat and re-install. You can try downloading and installing anti-malware programs like Malwarebytes, but there is no sure way to know if everything was removed.
Re: Home network security issues
This would be a last resort kind of thing. Even if the PCs are infected. Need to scan for infections first. Most of the time, Malwarebytes can fully remove most infections. It works pretty well.
Re: Home network security issues
He has already sought the services of a professional service and yes Malwarebytes is pretty good but doesn't guarantee all malware is removed. Like I said, the only sure way is a reformat and re-install. Yes, anti-malware programs may get him going again, but was that key logger released yesterday removed, or is it just waiting for him to log into his bank and steal his credentials? Yes you can take shortcuts, but at your own risk.
Re: Home network security issues
Let's see if he's got a problem first. I presume this may be a browser or cookie issue. Let's see what they return with before taking drastic measures. Will be up to them as well.
Re: Home network security issues
I’ve tried Chrome, Edge, and IE11. Do not use Firefox, Mozilla or Opera.
Remote mgmt is not enabled and the login password for the admin page of the router has been changed numerous times. Guest network and home network have custom id’s and separate passwords. As much as I’d love to boot the suspected device off of the network and not allow reconnect - that isn’t an option at this point and I need to confirm 100% that my suspicions are in fact true before I take further action in that regard.
As to Jetdrive’s recommendation about shutting down everything and disconnecting them and wiping the hard drive, that was done to some extent on one of the devices; however it returned to its prior state after reconnecting. Another thing I’d like to mention is that I recently connected my iMac which hadn’t been on the network in this house yet. It started behaving just as the other PCs do the minute I opened Safari. I immediately disconnected this device from the network and unplugged it without ever opening a webpage. Just opening the Safari browser triggered the router log trail of site allowed: status.rapidssl.com....followed by all the other ocsp ones I mentioned earlier.
And since sending my earlier message today, I’ve been gone from the house - no one is there, yet I’m getting this notification:
[site blocked: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45
Re: Home network security issues
You would think that the professional service that he paid for to help him with this issue would have done the troubleshooting with him already. I'm just saying taking the easy way out is not always the best way to go. He has several computers that all exhibit the same issues so it's hard to believe they all developed the same cookie issue at the same time and with different browsers.
I'll drop out of this discussion now.
Re: Home network security issues
@Ggogo2368 wrote:
based on the router logs, when any of these devices connect to the Wi-Fi; it immediately shows site allowed status.rapidssl.com followed by a bunch of ocsp.xxxx.com websites.
Which router log shows these messages? I thought that I have my Orbi logging "everything", but I do not see messages about sites being allowed.
Re: Home network security issues
@Ggogo2368 wrote:
several ipv6 addresses appeared (which I have ipv6 off at the router)
My impression may be incorrect, however I believe that Orbi support for IPv6 has no effect on other devices inside the LAN, i.e. if a device in the LAN is set up to support IPv6, it will merrily blast away with IPv6 packets, especially broadcast packets. When I put Wireshark in promiscuous mode and capture only IPv6 packets, there are devices on my network generating packets. I believe the default for a lot of devices is to support both IPv4 and IPv6 (it certainly is for Windows).
Re: Home network security issues
@Ggogo2368 wrote:
It is the logs from the Orbi.
Well, damn. I have collected the entire Orbi log starting last March, and I have collected no records like these. I thought that my log was set to record everything possible. What must be set to get these items in the log? Here's what my log setup looks like now:
Re: Home network security issues
OK. I have it now. When the advanced feature "Block Sites" is enabled, URLs get recorded in the Orbi log. I had not used that feature because I didn't want a log full of every URL every computer on my network went to.
So, how about putting "status.rapidssl.com" in the site block list?
(and see which computer complains)
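As an added example (not from this thread and not Netgear's code), here is a small Python parser for the Orbi "site allowed/blocked" entries quoted above, in the format the "Block Sites" feature writes; it tallies which hosts each source IP contacted and separates the certificate-status (OCSP) hosts, which the original poster already notes are certificate related, from everything else, so you can see whether such traffic comes from one device or from all of them. The sample log lines are constructed in the thread's format, and the host-prefix list used to spot certificate-status hosts is an assumption.

```python
import re
from collections import defaultdict

# Pattern for Orbi "Block Sites" log entries as quoted in the thread, e.g.
# "[site blocked: some.host] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45"
ENTRY_RE = re.compile(
    r"\[site (?P<action>allowed|blocked): (?P<host>[^\]]+)\]"
    r" from source (?P<src>\d{1,3}(?:\.\d{1,3}){3}),?\s*(?P<when>.*)$"
)

# Assumed prefixes of hostnames used for certificate revocation checks (OCSP/CRL).
CERT_STATUS_HINTS = ("ocsp.", "status.", "crl.")


def parse_entry(line):
    """Return a dict for one 'site allowed/blocked' line, or None for any other line."""
    m = ENTRY_RE.search(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["when"] = entry["when"].strip()
    entry["cert_status"] = entry["host"].lower().startswith(CERT_STATUS_HINTS)
    return entry


def summarize(lines):
    """Per source IP, list certificate-status hosts separately from other hosts."""
    per_src = defaultdict(lambda: {"cert_status": set(), "other": set()})
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        bucket = "cert_status" if entry["cert_status"] else "other"
        per_src[entry["src"]][bucket].add(entry["host"])
    return {src: {k: sorted(v) for k, v in d.items()} for src, d in per_src.items()}


# Constructed sample lines in the thread's log format (not real log data; the
# netgear-... identifier and the ocsp host are placeholders).
SAMPLE_LOG = """\
[site allowed: status.rapidssl.com] from source 192.168.1.16, Thursday, December 19, 2019 13:58:02
[site allowed: ocsp.example.com] from source 192.168.1.16, Thursday, December 19, 2019 13:58:03
[site blocked: netgear-00000000-0000-0000-0000-000000000000.0000] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45
[site allowed: status.rapidssl.com] from source 192.168.1.22, Thursday, December 19, 2019 14:05:10
[DHCP IP: 192.168.1.22] to MAC address 00:00:00:00:00:00, Thursday, December 19, 2019 14:05:00
""".splitlines()

if __name__ == "__main__":
    for src, hosts in summarize(SAMPLE_LOG).items():
        print(src, hosts)
```

A device whose only entries are certificate-status hosts is doing what every browser does on first connect; a host that appears under "other" for a single source IP is the one worth tracking down on that device.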
Re: Home network security issues
I’m not a techie person at all - so trying to figure this whole thing out is a nightmare and very upsetting from my side.
Re: Home network security issues
Can you find out which device has this IP address?
192.168.1.16
If you disconnect the RBR from the ISP modem, does problem still happen?
What happens if you completely disconnect ALL lan devices from the RBR and change the SSID name and PW on the RBR to something different? Save connecting just 1 wired PC to the RBR.
Seems like if it returned to its prior state after connecting things back up, there is one device that seems to be causing this.
@Ggogo2368 wrote:
Using an Arris SB8200 - not one provided by the ISP.
I’ve tried Chrome, Edge, and IE11. Do not use Firefox, Mozilla or Opera.
Remote mgmt is not enabled and the login password for the admin page of the router has been changed numerous times. Guest network and home network have custom id’s and separate passwords. As much as I’d love to boot the suspected device off of the network and not allow reconnect - that isn’t an option at this point and I need to confirm 100% that my suspicions are in fact true before I take further action in that regard.
As to Jetdrive’s recommendation about shutting down everything and disconnecting them and wiping the hard drive, that was done to some extent on one of the devices; however it returned to its prior state after reconnecting. Another thing I’d like to mention is that I recently connected my iMac which hadn’t been on the network in this house yet. It started behaving just as the other PCs do the minute I opened Safari. I immediately disconnected this device from the network and unplugged it without ever opening a webpage. Just opening the Safari browser triggered the router log trail of site allowed: status.rapidssl.com....followed by all the other ocsp ones I mentioned earlier.
And since sending my earlier message today, I’ve been gone from the house - no one is there, yet I’m getting this notification:
[site blocked: netgear-07a2d5b3-0d1e-49d4-9038-f3e9ce19f9ce.2d7d] from source 192.168.1.16, Thursday, December 19, 2019 14:01:45
Re: Home network security issues
@Ggogo2368 wrote:
The device with 192.168.1.16 is the suspected device that has created the chaos on the network.
This device could be the bot on your network, which controls/affects your GW/Orbi behavior. Do a hard reset, using a paper clip and stick to the back of both SB8200/Orbi for a good 60 secs. Leave 192.168.1.16 offline, then power SB8200/Orbi back on and start testing with a Mac client. Let us know if the problem persists. Trying to test with a known bad client (192.168.1.16) will always give the same expected bad result.
Re: Home network security issues
I see that people have asked, "what device IS this?", but do not see a response. No one is trying to pry. Depending on what it is, there are diagnostics to determine which process within the device is trying to connect. For example, on a Windows computer, the netstat command will show all active TCP and UDP connections by process. https://www.cyberciti.biz/faq/windows-server-display-current-tcp-connections/
There could be some piece of software that was installed by accident, and deleting that software could cause this problem to go away.
There are similar tools available on other platforms.
Re: Home network security issues
Actually, for Windows TCPView is even better. https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
It actually shows the name of the program which has opened the connection(s).