# my router got hacked



## zombine210

yesterday my laptop started losing connection to the router, constantly reconnecting. i restarted the router and laptop and the problem persisted.

i also noted my android phone dropping connection. this morning i decided to troubleshoot and found this in the log:

```
[DHCP IP: 192.168.1.102] to MAC address c4:17:fe:21:15:41, Saturday, July 14,2012 12:02:36
[DHCP IP: 192.168.1.104] to MAC address 14:7d:c5:b6:8a:ef, Saturday, July 14,2012 12:00:28
[DHCP IP: 192.168.1.102] to MAC address c4:17:fe:21:15:41, Saturday, July 14,2012 11:50:08
[admin login] from source 192.168.1.105, Saturday, July 14,2012 11:46:53
[DHCP IP: 192.168.1.104] to MAC address 14:7d:c5:b6:8a:ef, Saturday, July 14,2012 11:09:38
[WLAN access rejected: incorrect security] from MAC address 14:7d:c5:b6:8a:ef, Saturday, July 14,2012 11:05:11
[DHCP IP: 192.168.1.104] to MAC address 14:7d:c5:b6:8a:ef, Saturday, July 14,2012 10:16:27
[DHCP IP: 192.168.1.106] to MAC address 00:12:7b:42:a3:14, Saturday, July 14,2012 10:14:51
[DHCP IP: 192.168.1.105] to MAC address 00:01:29:a3:cb:9b, Saturday, July 14,2012 10:14:08
[DHCP IP: 192.168.1.104] to MAC address 14:7d:c5:b6:8a:ef, Saturday, July 14,2012 06:11:03
[DHCP IP: 192.168.1.103] to MAC address 70:5a:b6:27:06:01, Saturday, July 14,2012 05:59:56
[DHCP IP: 192.168.1.104] to MAC address 14:7d:c5:b6:8a:ef, Saturday, July 14,2012 00:02:09
[DHCP IP: 192.168.1.102] to MAC address c4:17:fe:21:15:41, Friday, July 13,2012 23:53:50
[DHCP IP: 192.168.1.103] to MAC address 70:5a:b6:27:06:01, Friday, July 13,2012 23:53:45
[DHCP IP: 192.168.1.102] to MAC address c4:17:fe:21:15:41, Friday, July 13,2012 23:49:50
[DoS Attack: ACK Scan] from source: 68.142.122.70, port 80, Friday, July 13,2012 23:45:24
[Time synchronized with NTP server] Friday, July 13,2012 23:40:16
[Initialized, firmware version: V1.0.0.8] Friday, July 13,2012 23:40:14
```


i've since disabled the wireless radios and am working on wired mode only.

any ideas what to do??


----------



## zombine210

i filtered out my devices by MAC address and am left with this:

```
[admin login] from source 192.168.1.105, Saturday, July 14,2012 11:46:53
[WLAN access rejected: incorrect security] from MAC address 14:7d:c5:b6:8a:ef, Saturday, July 14,2012 11:05:11
[DHCP IP: 192.168.1.106] to MAC address 00:12:7b:42:a3:14, Saturday, July 14,2012 10:14:51
[DHCP IP: 192.168.1.103] to MAC address 70:5a:b6:27:06:01, Saturday, July 14,2012 05:59:56
[DHCP IP: 192.168.1.103] to MAC address 70:5a:b6:27:06:01, Friday, July 13,2012 23:53:45
[DoS Attack: ACK Scan] from source: 68.142.122.70, port 80, Friday, July 13,2012 23:45:24
[Time synchronized with NTP server] Friday, July 13,2012 23:40:16
[Initialized, firmware version: V1.0.0.8] Friday, July 13,2012 23:40:14
```


my guess is that WLAN access rejected entry is somebody trying to spoof one of my devices, since that belongs to my phone. don't know what the other two are.


----------
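The MAC filtering zombine210 describes above, extended with one step (resolving the admin login's source IP to the DHCP lease that held it), as an added example that is not part of the original thread. `KNOWN_MACS` is an assumption inferred from which lines disappeared between the two log listings, and `SAMPLE_LOG` is a constructed subset of the quoted log.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the log lines quoted in the thread (newest first).
SAMPLE_LOG = """\
[admin login] from source 192.168.1.105, Saturday, July 14,2012 11:46:53
[WLAN access rejected: incorrect security] from MAC address 14:7d:c5:b6:8a:ef, Saturday, July 14,2012 11:05:11
[DHCP IP: 192.168.1.106] to MAC address 00:12:7b:42:a3:14, Saturday, July 14,2012 10:14:51
[DHCP IP: 192.168.1.105] to MAC address 00:01:29:a3:cb:9b, Saturday, July 14,2012 10:14:08
[DHCP IP: 192.168.1.103] to MAC address 70:5a:b6:27:06:01, Saturday, July 14,2012 05:59:56
[DoS Attack: ACK Scan] from source: 68.142.122.70, port 80, Friday, July 13,2012 23:45:24
"""
# Assumption: the poster's own devices, inferred from the lines he filtered out.
KNOWN_MACS = {"c4:17:fe:21:15:41", "14:7d:c5:b6:8a:ef", "00:01:29:a3:cb:9b"}

LINE = re.compile(r"^\[(?P<event>[^\]]+)\]\s*(?P<detail>.*?),?\s*\w+day, "
                  r"(?P<ts>\w+ \d{1,2},\d{4} \d{2}:\d{2}:\d{2})\s*$")
MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse(log):
    """Return (timestamp, event, ip, mac) tuples, oldest first."""
    rows = []
    # Lines that do not match the router's log format are skipped.
    for m in filter(None, (LINE.match(l.strip()) for l in log.splitlines())):
        text = m["event"] + " " + m["detail"]
        ip, mac = IP.search(text), MAC.search(text)
        rows.append((datetime.strptime(m["ts"], "%B %d,%Y %H:%M:%S"),
                     m["event"], ip and ip.group(), mac and mac.group().lower()))
    return sorted(rows, key=lambda r: r[0])

def triage(log, known_macs):
    """Replay the log in time order and return (timestamp, message) findings."""
    known = {m.lower() for m in known_macs}
    tag = lambda mac: "known" if mac in known else "unknown"
    lease, findings = {}, []          # lease: IP -> MAC that last received it
    for ts, event, ip, mac in parse(log):
        if event.startswith("DHCP IP"):
            lease[ip] = mac
            if mac not in known:
                findings.append((ts, f"lease {ip} to unknown MAC {mac}"))
        elif event == "admin login":
            holder = lease.get(ip)    # None if no lease for that IP is in the log
            findings.append((ts, f"admin login from {ip}, lease held by {tag(holder)} MAC {holder}"))
        elif event.startswith("WLAN access rejected"):
            findings.append((ts, f"failed association from {tag(mac)} MAC {mac}"))
        elif event.startswith("DoS Attack"):
            findings.append((ts, f"router-flagged {event} from {ip}"))
    return findings
```

A MAC address in these log lines is whatever the client reported, so `known` only means the address matches a listed device.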



## johnb35

You're being DOS attacked.  Do you know if you are assigned a static IP address from your internet provider?  If not, unplug your modem and router for 10 minutes and then plug it back in and see if you can get a different IP assigned.  Then increase the security on your router.  What level of security are you using?


----------



## NyxCharon

Problem is, if he's using WPA/WPA2, the second that network drops and comes back up, the handshake can be captured and they're in.  They're probably using a wifikiller to cause the drop, and then capturing the handshake.
(This is assuming it's in the local area, the DOS attack would thus be the wifi killer i mention) 

Just my .02


----------



## johnb35

Well, if he's being attacked through wireless then change the wireless password to something stronger maybe.  Change the SSID and don't broadcast the network name.


----------



## NyxCharon

johnb35 said:


> Well, if he's being attacked through wireless then change the wireless password to something stronger maybe.  Change the SSID and don't broadcast the network name.



Hiding the name is his best bet. Everything else doesn't matter. You don't need the password to capture the handshake,  so changing it won't do much.


----------



## zombine210

i updated the router to the latest firmware from netgear.
my passwords are very strong, imo, but i'll change them anyways.

my laptop was able to connect right away, but not my phone, it says it's not in range.
also, disabling ssid broadcast drops my laptop's connection.

right now i'm scanning my machines for malware and viruses.


----------



## iMacG3

Have you recently been to any odd websites which may steal your wireless info?
You could have gone to a site that steals IP addresses and hacks them to get password data, bank info and such.


----------

