Router Log my network got hacked! :(

Joined
Feb 6, 2003
Messages
5,788
Reaction score
4
Hi everyone had a little problem here.

Some people came over and used my laptop for which I thought was for accessing the internet.


This was last night, I woke up in the morning my sister was telling me that the wireless signal strength was very low and she kept on getting disconnected from the wireless network.

I had a look and realised that my network was "unsecured."
Then I looked in the router settings and see that the secuirity was disabled.
It was originally wep I think, it was disabled but my password was written there.

I didn't have my mac addresses assigned to the router and my admin page was easy to access because of a saved password. (But it wasn't the default password)

Is there any way to work out who accessed my files overnight?
Ot when my security was disabled? Any type of log before I point fingers at some people?

I was sharing some personal files over the network and am worried someone has copied them. right now I feel upset and very hurt more like a breach of privacy.

What have I learnt?
Don't save your password on the admin page
don't share personal files.


I am on sky broadband using a netgear dg384
is there anyway someone could have changed the settings so that they could access my shared files from their home pc
as oppposed to sitting outsiede my house using a laptop?
 
Joined
Feb 6, 2003
Messages
5,788
Reaction score
4
HEre is something I just saw:


Sat, 2000-01-01 00:00:57 - Administrator login successful - IP:192.168.0.2
Sat, 2000-01-01 00:01:17 - Initialize LCP.
Sat, 2000-01-01 00:01:17 - LCP is allowed to come up.
Sat, 2000-01-01 00:01:18 - LCP down.
Sat, 2000-01-01 00:01:25 - Initialize LCP.
Sat, 2000-01-01 00:01:25 - LCP is allowed to come up.
Sat, 2000-01-01 00:01:32 - CHAP authentication success
Sat, 2000-01-01 00:01:43 - Send out NTP request to time-g.netgear.com
Tue, 2007-07-31 09:27:03 - Receive NTP Reply from time-g.netgear.com
Tue, 2007-07-31 10:06:29 - Administrator login successful - IP:192.168.0.4
Tue, 2007-07-31 09:25:20 - Router start up
Tue, 2007-07-31 10:53:13 - Administrator login successful - IP:192.168.0.4
Tue, 2007-07-31 11:34:08 - Administrator login successful - IP:192.168.0.4
 

Me__2001

Internet Junkie
Joined
Apr 5, 2004
Messages
4,354
Reaction score
1
that to me looks like your router has rebooted, set the time then someone has logged in

what PC's do those IP's refer to ?
 
Last edited:
Joined
Feb 6, 2003
Messages
5,788
Reaction score
4
Me__2001 said:
that to me looks like your router has rebooted, set the time then someone has logged in

what PC's do those IP's refer to ?

Hi itsme

that ip address I think is my laptop
but I will check

what alarms me is this and I dont get it:

Sat, 2000-01-01 00:01:43 - Send out NTP request to time-g.netgear.com
Tue, 2007-07-31 09:27:03 - Receive NTP Reply from time-g.netgear.com
Tue, 2007-07-31 10:06:29 - Administrator login successful - IP:192.168.0.4


see the date in the top line what the heck is that?

also that 10:06am was definetly not me logging on because I got up at very late at 1030am today.


these two bottomon ones were me though:

Tue, 2007-07-31 10:53:13 - Administrator login successful - IP:192.168.0.4
Tue, 2007-07-31 11:34:08 - Administrator login successful - IP:192.168.0.4

(If that is the ip address for my laptop)

I don't get why the router does not show what happened if nething yesterday?

also if it did reboot my network name stayed the same and my password for both the admin page and the access to the wireless network did not change either.
I would assume both of these would become default if somehow my router had reset itself.

p.s perhaps my router time settings are from a different part of the world maybe that could explain something I will check this when I can.

Damn I still feel upset and hurt
 

Ian

Administrator
Joined
Feb 23, 2002
Messages
19,873
Reaction score
1,499
psd99 said:
what alarms me is this and I dont get it:

Sat, 2000-01-01 00:01:43 - Send out NTP request to time-g.netgear.com
Tue, 2007-07-31 09:27:03 - Receive NTP Reply from time-g.netgear.com
Tue, 2007-07-31 10:06:29 - Administrator login successful - IP:192.168.0.4


see the date in the top line what the heck is that?

I don't think that the top line is anything to worry about - it seems as though your router was reset (and it didn't know the time). It did a NTP request to the netgear timeservers to get the current timestamp, and sync'd your router to use the current time.

It does look like an admin has logged in, but you may be able to find out more by using your browsers history and the system event logs. I'd ask whoever it was using your laptop what they were up to?
 

Me__2001

Internet Junkie
Joined
Apr 5, 2004
Messages
4,354
Reaction score
1
the router sync's with a netgear server periodically to set the time and date, it's nothing to worry about as ian said, mine does exactly the same
 
Joined
Feb 6, 2003
Messages
5,788
Reaction score
4
Ian Cunningham said:
I don't think that the top line is anything to worry about - it seems as though your router was reset (and it didn't know the time). It did a NTP request to the netgear timeservers to get the current timestamp, and sync'd your router to use the current time.

It does look like an admin has logged in, but you may be able to find out more by using your browsers history and the system event logs. I'd ask whoever it was using your laptop what they were up to?

Hi admin could u expand on what you mean by the router looks like it was reset?

How do I access the system even logs?

I just seen on the internet explorer history that someone did log onto my router admin page and I am very sure I didnt access that yesterday!


Damn it looks like they did do this
:(


if the router was reset would it normally reset the network name and the passowrd I had in admin page and wireless network?
 

Ian

Administrator
Joined
Feb 23, 2002
Messages
19,873
Reaction score
1,499
No the network name and password wouldn't normally reset - unless they did a hard reset (actually on the router, by holding the reset button).

Everything you need to know on event viewer is here, and it explains how to view and understand them :) :

http://support.microsoft.com/kb/308427
 
Joined
Feb 6, 2003
Messages
5,788
Reaction score
4
My friends did

I heard them talking about doing this to our other mate a while back.
but I rang them today they both seem like they didn't do anything to it. Well so that is what they said to me. I think I should not accuse someone without proof too.

I don't get why it went from secure to unsecured overnight
has this ever happend to anyone before?

I do now remember logging onto the router page to check my internet connection but NOT disable the security! :(
 
Joined
Feb 6, 2003
Messages
5,788
Reaction score
4
Me__2001 said:
the router sync's with a netgear server periodically to set the time and date, it's nothing to worry about as ian said, mine does exactly the same


yes but would that be a legitimate explanation for my network being unsecure?
 

Ian

Administrator
Joined
Feb 23, 2002
Messages
19,873
Reaction score
1,499
psd99 said:
My friends did

I heard them talking about doing this to our other mate a while back.
but I rang them today they both seem like they didn't do anything to it.

If they've done it before then why not again? Perhaps I'm being cynical, but if they are good friends then I'd be inclined to believe them - if they can be idiots I'd disbelieve them and find new mates :confused:

Try looking at your event logs and see if the PC was on and active at the times the router was logged in to. If it was, it must have been done from there (as changing the security settings like that would force the laptop to reconnect).
 

Ian

Administrator
Joined
Feb 23, 2002
Messages
19,873
Reaction score
1,499
psd99 said:
yes but would that be a legitimate explanation for my network being unsecure?

I really can't see how - it's a bit daft if the security turns off automatically? I think it was probably done on purpose.
 
Joined
Feb 6, 2003
Messages
5,788
Reaction score
4
Hi I am in the page right now
the laptop was definetly on


they are good friends, but perhaps they didn't think it would hurt me so much.
they were planning on doing this do someone else but don't think they did it..


right i see this:

Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: 30/07/2007
Time: 20:42:24
User: N/A
Computer: LAPPY
Description:
The time service is now synchronizing the system time with the time source time.windows.com (ntp.m|0x1|192.168.0.3:123->207.46.130.100:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4201
Date: 30/07/2007
Time: 20:42:06
User: N/A
Computer: LAPPY
Description:
The system detected that network adapter Broadcom 802.11a/b/g WLAN - Packet Scheduler Miniport was connected to the network, and has initiated normal operation over the network adapter.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 69 10 00 40 ....i..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........


then this

Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4202
Date: 30/07/2007
Time: 20:41:11
User: N/A
Computer: LAPPY
Description:
The system detected that network adapter Broadcom 802.11a/b/g WLAN - Packet Scheduler Miniport was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 6a 10 00 40 ....j..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........


this was all at the time I think my laptop was used


but this looks like it has happened more than these two times after looking at the log
 
Joined
Sep 17, 2005
Messages
1,934
Reaction score
0
The in built wireless security like WEP or WAP or whatever its called is easily hacked if the person knows what they are doing.

They could have sat outside you house and done it, or it could even have been somebody a few houses away.
 
Joined
Feb 6, 2003
Messages
5,788
Reaction score
4
PotGuy said:
The in built wireless security like WEP or WAP or whatever its called is easily hacked if the person knows what they are doing.

They could have sat outside you house and done it, or it could even have been somebody a few houses away.



so what do you suggest I do with the security then?

I have unshared all my personal files
for a start

changed router password
and wireless network password too
 
Joined
Feb 6, 2003
Messages
5,788
Reaction score
4
Ian Cunningham said:
If they've done it before then why not again? Perhaps I'm being cynical, but if they are good friends then I'd be inclined to believe them - if they can be idiots I'd disbelieve them and find new mates :confused:

Try looking at your event logs and see if the PC was on and active at the times the router was logged in to. If it was, it must have been done from there (as changing the security settings like that would force the laptop to reconnect).



good friends are hard to find. These are good friends that is why I feel very alarmed.

I posted the event logs I seen tell me what you think
I am going to resort to a logging system that will log everything on my networks
 

V_R

¯\_(ツ)_/¯
Moderator
Joined
Jan 31, 2005
Messages
13,572
Reaction score
1,888
psd99 said:
so what do you suggest I do with the security then?
I turn off the wireless if i aint using it, and use WPA-PSK if its available. I also have DHCP off and use static IP on the two pc's. I also have to register a new pc on the router before it can access the network, not sure if it can be done on the netgears though... Thats about as much as can be done, the alternative is to hardwire all the pcs and turn off wireless altogether.

Good guide here...

http://www.dslzoneuk.net/guides.php
 
Last edited:

Ian

Administrator
Joined
Feb 23, 2002
Messages
19,873
Reaction score
1,499
I agree with V_R on those options - I don't go as far as disabling wireless, but I do the rest and use MAC address filtering for any item that accesses it :)
 
Joined
Feb 6, 2003
Messages
5,788
Reaction score
4
Thanks guys

the mac address registering I don't think works on netgear
but ill look again

wap -psk is available will use this.


unfortnetly it would be difficult to turn off the wireless as all devices are wireless but this can be changed to cater for this.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top