
How to get an IP from a device trying to log in my router?

Someone has been trying to log into my router for about a week now. A few days ago I changed my external IP, and this stopped whoever this is for around a day, but he's back at my IP getting rejected logins all day long as of this morning. All attempts are from one MAC address. Is there any way I can do some trickery to get his IP and figure out who it is (the only people who could get my IP go on my servers, and I have everyone's IP)? I'm being DDoS'd in between his series of login attempts, which is the main cause of my annoyance. His/her MAC address has already been blacklisted from logging in. I could change my IP again, but it's annoying and not a permanent fix.

My password is complex and unique enough that I'm not at all worried about them getting in.

Gaming - Ryzen 5800X3D | 64GB 3200mhz  MSI 6900 XT Mini-ITX SFF Build

Home Server (Unraid OS) - Ryzen 2700x | 48GB 3200mhz |  EVGA 1060 6GB | 6TB SSD Cache [3x2TB] 66TB HDD [11x6TB]


9 minutes ago, suchamoneypit said:

Someone has been trying to log into my router for about a week now. A few days ago I changed my external IP, and this stopped whoever this is for around a day, but he's back at my IP getting rejected logins all day long as of this morning. All attempts are from one MAC address. Is there any way I can do some trickery to get his IP and figure out who it is (the only people who could get my IP go on my servers, and I have everyone's IP)? I'm being DDoS'd in between his series of login attempts, which is the main cause of my annoyance. His/her MAC address has already been blacklisted from logging in. I could change my IP again, but it's annoying and not a permanent fix.

MAC addresses aren't used on the internet. If the login attempt is coming from the internet, the only MAC your router would see would either be your modem or the first router in your ISP's network that you connect to (whatever device is the default gateway for your router). If the device is within your private network, then the MAC is all you need.

 

To find the IP that your router knows for a given MAC, you have to be able to check its ARP table. Many routers don't have a way for you to view that, but we can help you check if you tell us the model.

The other thing you can check is the router's DHCP leases, but that can only give you the IP of devices that got their IP from the router.

 

The final thought I have is that maybe the device is actually trying to join your wifi, not log into the router itself. Can you give us the full message from the log?

Looking to buy GTX690, other multi-GPU cards, or single-slot graphics cards: 


10 minutes ago, brwainer said:

MAC addresses aren't used on the internet. If the login attempt is coming from the internet, the only MAC your router would see would either be your modem or the first router in your ISP's network that you connect to (whatever device is the default gateway for your router). If the device is within your private network, then the MAC is all you need.

 

To find the IP that your router knows for a given MAC, you have to be able to check its ARP table. Many routers don't have a way for you to view that, but we can help you check if you tell us the model.

The other thing you can check is the router's DHCP leases, but that can only give you the IP of devices that got their IP from the router.

 

The final thought I have is that maybe the device is actually trying to join your wifi, not log into the router itself. Can you give us the full message from the log?

[WLAN access rejected: incorrect security] from MAC address a4:08:ea:19:d1:e0, Tuesday, June 14, 2016

also occasionally getting a lot of

 

[LAN access from remote] from 112.118.185.192:58544 to 192.168.1.8:80, Tuesday, June 14, 2016 15:23:24

(the IP changes all the time)

I'm aware that the MAC address alone won't help me as it doesn't really matter on the internet. I was thinking more of getting whatever is trying to connect to actually connect, grabbing the IP then, and then kicking it off. So it appears from the message it is a wireless access attempt. I did check my ARP table using arp -a (Windows) as well as looking at every device ever connected to my network via my router, and this MAC address has never connected.


WLAN means wireless. So some device is trying to log onto your wifi and is getting bounced. Incorrect security either means it doesn't have the right password, or either doesn't support or isn't set up for the right protocol (e.g. WEP, WPA, etc.). MAC addresses are assigned by blocks to manufacturers; the block a4:08:ea was assigned to "Murata Manufacturing Co., Ltd. JP" in January 2015, so you are looking for some device that was made in Japan in the last year and a half.

EDIT: I missed the second error code you had when I first looked at it. That error is very interesting. It tells me that your ISP is actually routing traffic bound for an internal IP across their network to you - that is never supposed to happen, first off because ISPs are supposed to block that type of traffic, and second because of all their thousands or millions of users, why are they routing it to you? That is truly bizarre, and something you might want to talk to your ISP about.


49 minutes ago, brwainer said:

EDIT: I missed the second error code you had when I first looked at it. That error is very interesting. It tells me that your ISP is actually routing traffic bound for an internal IP across their network to you - that is never supposed to happen, first off because ISPs are supposed to block that type of traffic, and second because of all their thousands or millions of users, why are they routing it to you? That is truly bizarre, and something you might want to talk to your ISP about. 

What specifically tells you this? I always had trouble googling what exactly this message means. I get it a lot. I would really like to know the specifics of what's happening networking-wise that this message means. How do I even bring this up to my ISP if I'm not sure about it?

EDIT: this is an example from just now of how many there are and how often it occurs

EDIT 2: Could I use Wireshark to capture and analyze these packets to figure out what they are? How would I do that?


I won't go into details about my previous response, because it turns out my interpretation of the message was wrong. I looked it up and found this:

Quote

[LAN access from remote] is triggered anytime an external connection is routed into the internal network via a forwarded port. This can be either an explicit (i.e. a specific port or range of ports set with port forwarding/port triggering) or automatic (i.e. UPnP) route. Most of the time, this message indicates success, but if you have invalid port forwarding rules, this message will still appear even though the connection was not successful.

Source: http://superuser.com/questions/335728/interpreting-netgear-wireless-router-security-logs

 

So what this means, is that in your router you have a port forwarded to 192.168.1.8:80, and the router is logging every time this gets used. Botnets and other rogue agents constantly scan HTTP servers and other open ports on a wide range of IP addresses, looking for vulnerabilities in the web server that might allow them to take it over and use it for future attacks.


Little question.

Do you maybe use Avast antivirus?

Because Avast does similar wonky things.


13 minutes ago, brwainer said:

I won't go into details about my previous response, because it turns out my interpretation of the message was wrong. I looked it up and found this:

Source: http://superuser.com/questions/335728/interpreting-netgear-wireless-router-security-logs

 

So what this means, is that in your router you have a port forwarded to 192.168.1.8:80, and the router is logging every time this gets used. Botnets and other rogue agents constantly scan HTTP servers and other open ports on a wide range of IP addresses, looking for vulnerabilities in the web server that might allow them to take it over and use it for future attacks.

Hmm, that 192.168.1.8 address (the remote access using port 80 was being done on it) used to be my old internal IP address on which I ran a website I messed around with (it was port forwarded on port 443) that only me and 2 other close friends ever accessed. That is the only time that internal IP would be accepting external connections. I'm not sure why any connections are being made to that IP anymore. That port isn't even forwarded.


3 minutes ago, Sintezza said:

Little question.

Do you maybe use Avast antivirus?

Because Avast does similar wonky things.

no, I do not.


4 minutes ago, suchamoneypit said:

no, I do not.

Ah okay, because Avast antivirus has a new feature built in.

To check for vulnerabilities on your network / router.

But never mind. :)


5 minutes ago, suchamoneypit said:

Hmm, that 192.168.1.8 address (the remote access using port 80 was being done on it) used to be my old internal IP address on which I ran a website I messed around with (it was port forwarded on port 443). I'm not sure why any connections are being made to that IP anymore. That port isn't even forwarded.

Your logs suggest otherwise. I would make sure you don't have that IP set up anywhere anymore, like port forwarding, port range forwarding, and DMZ.


9 minutes ago, brwainer said:

Your logs suggest otherwise. I would make sure you don't have that IP set up anywhere anymore, like port forwarding, port range forwarding, and DMZ.

Yeah, interestingly enough, I checked. 192.168.1.8 is not currently used by any device (which means it hasn't been for weeks). I'm now confused about how and why connections are showing up in my logs to it; nothing is set up to direct traffic to it, and the address doesn't exist anymore on my network.


As I said in my PM to you, but repeating here so anyone else can find it - it doesn't matter if the IP isn't present on your local network, your router is still trying to forward traffic to that specific IP. There isn't any way for outside devices to force your router to send traffic to that IP. Therefore there is some setting on your router that has that IP specified to forward traffic to it. If you can't find that setting, the best suggestion I can make is to factory reset your router.

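A small parser for the two router log formats discussed in this thread (the [WLAN access rejected] line with its MAC/OUI lookup, and the [LAN access from remote] line that reveals a still-active forwarding rule). This is an added illustration, not code from anyone in the thread: the sample log lines, the one-entry OUI table and the two extra remote IPs are constructed; only the MAC, the 112.118.185.192 source, the 192.168.1.8:80 target and the a4:08:ea -> Murata mapping come from the posts above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in the Netgear-style format quoted in the thread. The MAC,
# the first remote IP and the 192.168.1.8:80 target come from the thread; the other
# two remote IPs are documentation-range placeholders.
SAMPLE_LOG = """\
[WLAN access rejected: incorrect security] from MAC address a4:08:ea:19:d1:e0, Tuesday, June 14, 2016 15:20:11
[LAN access from remote] from 112.118.185.192:58544 to 192.168.1.8:80, Tuesday, June 14, 2016 15:23:24
[LAN access from remote] from 203.0.113.7:41002 to 192.168.1.8:80, Tuesday, June 14, 2016 15:24:01
[WLAN access rejected: incorrect security] from MAC address A4:08:EA:19:D1:E0, Tuesday, June 14, 2016 15:25:40
[LAN access from remote] from 198.51.100.23:5110 to 192.168.1.8:80, Tuesday, June 14, 2016 15:26:37
"""

# Minimal OUI table holding only the prefix looked up in the thread; a real lookup
# needs the full IEEE OUI list.
OUI = {"a4:08:ea": "Murata Manufacturing Co., Ltd. (JP)"}

WLAN_RE = re.compile(r"^\[WLAN access rejected: (?P<reason>[^\]]+)\] from MAC address "
                     r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)
LAN_RE = re.compile(r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
                    r"to (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_line(line):
    """Return a dict describing one log line, or None if it is neither format."""
    m = WLAN_RE.match(line)
    if m:
        mac = m["mac"].lower()  # normalise case so one radio is counted once
        return {"kind": "wlan_reject", "mac": mac, "reason": m["reason"],
                "vendor": OUI.get(mac[:8], "unknown")}
    m = LAN_RE.match(line)
    if m:  # dst:dport is the internal target the router's forwarding rule points at
        return {"kind": "lan_from_remote", "src": m["src"],
                "dst": f"{m['dst']}:{m['dport']}"}
    return None

def summarize(log):
    """Count wifi rejects per MAC and list distinct remote sources per forwarded target."""
    events = [e for e in map(parse_line, log.splitlines()) if e]
    rejects = Counter(e["mac"] for e in events if e["kind"] == "wlan_reject")
    targets = defaultdict(set)
    for e in events:
        if e["kind"] == "lan_from_remote":
            targets[e["dst"]].add(e["src"])
    # Many distinct sources hitting one forwarded target is the scanning pattern
    # described in the thread; the target itself is the forwarding rule to hunt down.
    return {"wlan_rejects": dict(rejects),
            "vendors": {mac: OUI.get(mac[:8], "unknown") for mac in rejects},
            "forwarded_targets": {d: sorted(s) for d, s in targets.items()}}
```

Feeding the router's exported log to summarize() lists every internal IP:port the router is still forwarding to, which is the setting the last reply says must exist somewhere in the router's configuration.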