D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DIR-655 => Topic started by: Devyn on January 29, 2009, 04:51:17 PM
-
This forum is my last hope.. I tried asking tech support in 2 different countries, via mail and phone, and posted on various forums, but no one seems able to help me :( I'll tell you my problem...
I use wireless just with my notebook so I keep it off most of the time.. and when it was off I saw these entries in the logs:
Access denied to wireless system with MAC address 000D3AFF6801
Access denied to wireless system with MAC address 000D3AFF6802
Access denied to wireless system with MAC address 000D3AFF6803
.....
Access denied to wireless system with MAC address 000D3AFF6809
..what happened?? Was wireless really off? Also, I checked under traffic statistics and no wireless data has been transmitted after my last poweroff (2 days before)..
Later I reset the router and upgraded to the latest firmware 1.22 (got it before it was deleted from the ftp server).. after a few minutes I got the same logs showing different MAC addresses trying to connect to my router... but the wireless radio was OFF! Also, the LED for the wireless just glowed a little for less than one second and then nothing more, even while I was watching the logs in realtime...!
I tried various firmwares (latest 1.21 beta too) but I always got the same problem..
Just to be sure I tried searching myself for wireless signals with tools like wirelessmon, and I couldn't find mine (of course, the wireless radio was OFF !!!!!)
Seems someone is trying to brute force my AP looking for the right MAC address, isn't it?
Other things:
+ I use Vista x64 and occasionally Ubuntu x64 (both clean)
+ I'm not sharing my AP with anyone
+ I see that this "problem" appears when I'm in mixed mode; when I use 802.11n only, everything is ok
+ of course those MAC addresses are different from my MAC addresses
-
I would say someone from the outside is trying to access your system.
When you say you turn off wireless where are you turning it off at? (On the wireless setup page or some other page in the router setup)
-
From the wireless setup page of course.. Setup -> Wireless Settings -> Manual Wireless Network Setup
(and the LED doesn't glow..)
-
The mac address of the wireless system in question (000D3A...) corresponds to Microsoft Corporation. Unfortunately I cannot locate the specific Microsoft NIC which is tied to that identifier.
I tried a metacrawler search of that mac address but it appears that the only other occurrence of that number sequence was a post you made on dslreports.com.
The interesting part is the log shows the mac address changing with every attempt; and it looks like someone's trying to attack your wireless network.
Do you live in an apartment complex or high-rise with a number of other access points & people?
-
He was told in DSLReports the same thing about someone trying to access his network through his router.
Best thing to do is use Network Filtering and only allow the MAC address from your NIC cards on your home network to access the router only.
-
But... MAC addresses can be spoofed (faked). If you enable MAC filtering you will hold them off most of the time since it can take a long time to guess an authorized MAC address.
-
Thanks for the replies.. I live in a flat but here I usually see just 2-3 access points, not so many people live here.. I've always used the network filter allowing just my MAC addresses..
I really don't know what to do.. atm I'm keeping wireless off.. and when I have to use it I use 802.11n only with WPA2.. but my laptop and other devices like Nintendo DS or smartphone are wireless b/g .. :/ But here the main question is HOW IS IT POSSIBLE that someone is trying to hack my AP if wireless is off :S I really wish that the DIR-655 had a better logging system or something like that.. I know I couldn't say that but DD-WRT has it.. I have 11 years of warranty but I don't think that breaking my router and sending it to D-Link is the best solution.. but it seems the only one possible... right? :(
-
You cannot compare custom firmware like DDWRT, Tomato etc. with the standard firmware. For one, those are only possible because the manufacturer uses a non-proprietary (GPL) Linux which can be rewritten and altered. Only a minority of routers use that. 'Normal' users (usually the majority of buyers) do not need the extended functionalities.
Looking at the MAC serials you are hit by a brute force MAC spoofing attack. You cannot prevent somebody from trying to hack your wireless signal. Not even with custom firmware.
Only one tip: If you turn off wireless radio, make sure to reboot.
-
Yes, I reboot every time I switch wireless on/off.
The best solution I found is to be 'hacked' and see who this guy is.. I will try it in the next hours and I'll let you know..
-
Guys, this is crazy.. here are the logs in realtime, wireless radio OFF, wireless LED not glowing and wireless data transmitted (under statistics) is 0 (of course I didn't use wireless since the last reboot):
[INFO] Fri Jan 30 13:52:27 2009 Access denied to LAN system with MAC address 000D3ADB8206
[INFO] Fri Jan 30 13:52:23 2009 Above message repeated 23 times
[INFO] Fri Jan 30 13:52:23 2009 Access denied to LAN system with MAC address 000D3ADB8203
[INFO] Fri Jan 30 13:52:23 2009 Access denied to wireless system with MAC address 000D3ADB8202
[INFO] Fri Jan 30 13:52:23 2009 Above message repeated 2 times
[INFO] Fri Jan 30 13:52:23 2009 Access denied to LAN system with MAC address 000D3ADB8201
[INFO] Fri Jan 30 13:52:23 2009 Above message repeated 2 times
[INFO] Fri Jan 30 13:52:23 2009 Access denied to LAN system with MAC address 000D3ADB8200
-
(and just one device connected using a cable :S !!!!!!!!!!)
-
Hi Devyn,
Do you know your Mac Address for your computers?
Try this test:
Turn on the Wireless Radio and then connect to your Router from your Laptop. Note the time.
After you are connected, turn off the Wireless Radio and stop broadcasting your SSID Signal Name from your Wired Computer. Reboot the Router after saving your changes.
Go back to your Laptop and see if you can connect to your own network. If you can, then the Router is not turning off the Radio and the Router is defective.
If you can't, look at the logs and see if your Laptop's Mac Address is being listed as being blocked. If your Laptop's Mac Address is being listed in an "Access denied to wireless system" message or log entry, then the Radio is still on, and the Router is defective.
If not defective in the traditional sense, then the firmware has a major bug in it.
Is your Network Filter being used? It is located under Advanced. Are you using Network Magic or a similar program?
-
I will try now and I'll let you know. Of course I know every single MAC address for each of my devices, I use the network filter AND I reserve a specific IP for each device. No, I don't use Network Magic. I'll try now to do what you told me..
-
I just tried what you suggested... I couldn't connect.. also no wireless signals at all using wirelessmon... and the logs don't show anything suspicious. Do you think the firmware has a bug? This could be very dangerous... because I changed many firmwares..
-
You could reflash to discard any errors during the upgrade (sometimes the old bits/data do not get erased like they should, this also can happen with BIOS updates so this is not a specific 655 issue)
-
I've reflashed many times.. also downloading the firmwares again.. I don't think this can solve the issue .. :/ If I don't find a solution I will switch back to Linksys, it won't be as fast as D-Link but at least I NEVER had a single problem for years
-
I hope you understand that there is no acute threat in what is happening.
The log you see is someone trying to get in through the cable connection with your WAN modem. It has nothing to do with wireless!
This will not be any different with a Linksys. There is no breach of security, this will or can happen to all those connected to the internet!
Just in case: Check if your internet router hasn't been hijacked. Since wireless is turned off, it looks like somebody is trying to access wireless through the modem from inside the LAN (I am not a script kiddie or hacker so I wouldn't know if this is possible though, just a hunch)
-
Through cable and wireless.. but today is the first time I see the "intrusion" not just from wireless only..
-
Check your internet modem security (change password) and the logs to see if any 'external' devices have accessed it.
Do you share connection with neighbours? If so...well, you know what to do.
-
I don't share my connection with neighbours. I don't have a modem, it's an "own" device from my ISP and it doesn't have any kind of interface or something.. you just plug in the ethernet cable and you are connected..
-
You could call them and let them assign you a fresh IP. That should fix any wired attempts. I wouldn't be surprised if the wireless notices also disappeared.
-
Unfortunately this isn't possible.. if it was I'd have already done it.. :/
-
Hi Devyn,
I just noticed your signature when you mentioned firmware. You are running Firmware 1.22. That was posted on D-Link Downloads and later removed because of problems.
Re-flash your Firmware to 1.21 with SecureSpot. This way it can be available to use, but you don't need to sign up for it. Just uncheck it when configuring the Router for use again.
-
I had this problem with different firmwares too.. 1.20, 1.21, it doesn't matter..
-
Get another provider. If they can't do this they have really terrible service.
Getting a SecureSpot subscription might do the job, there's 30 days to try it out.
Otherwise: no solution besides keeping your WPA2 and MAC filtering turned on.
-
If you really wanted to figure out if it's something coming through your cable modem... Two tests:
One: (really easy)
Unplug your cable modem from the WAN port on your DIR-655 and see if the MAC spoofing continues. Should it stop, it's coming from the WAN. If it continues, then you're likely infected with something.
Two: (relatively advanced)
Download an application called "Wireshark" to a computer that you don't mind having unprotected access to the internet (read: have to potentially erase/restore), read the manual/help for a moment, then..
If you have a spare ethernet hub 10/100 sitting around (and it has to be a hub, not a switch), you can put the hub between your DIR-655 and cable modem. Also attach said computer. Fire up Wireshark, and start capturing packets. Record for a few minutes, unplug the ethernet cable, stop capturing.
Look through the log (filter) for the MAC address sequences and see if you can find an IP address as a source for the MAC spoofs. If there is a single IP address that keeps spitting out the MAC addresses, then you have found your attacker. File a complaint with your ISP.
You may also find other interesting things, maybe not. It's a crapshoot, though you'll get some interesting data, I'm sure.
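-
Added example (not part of any post in this thread): before moving to a packet capture, the router log lines quoted above can be summarised to show which vendor prefix (OUI) the denied MAC addresses share, whether their last bytes step through a consecutive range, and on which interface the router logged them. The function names and the min_run threshold are assumptions made for this sketch; "repeated N times" lines are only totalled, not attributed to a specific MAC.

```python
import re
from collections import defaultdict

# Log lines copied from the thread (newest first, as the router displays them).
SAMPLE_LOG = """\
[INFO] Fri Jan 30 13:52:27 2009 Access denied to LAN system with MAC address 000D3ADB8206
[INFO] Fri Jan 30 13:52:23 2009 Above message repeated 23 times
[INFO] Fri Jan 30 13:52:23 2009 Access denied to LAN system with MAC address 000D3ADB8203
[INFO] Fri Jan 30 13:52:23 2009 Access denied to wireless system with MAC address 000D3ADB8202
[INFO] Fri Jan 30 13:52:23 2009 Above message repeated 2 times
[INFO] Fri Jan 30 13:52:23 2009 Access denied to LAN system with MAC address 000D3ADB8201
[INFO] Fri Jan 30 13:52:23 2009 Above message repeated 2 times
[INFO] Fri Jan 30 13:52:23 2009 Access denied to LAN system with MAC address 000D3ADB8200
"""
DENIED = re.compile(r"Access denied to (LAN|wireless) system with MAC address ([0-9A-Fa-f]{12})")
REPEAT = re.compile(r"Above message repeated (\d+) times")

def longest_run(values):
    """Length of the longest run of consecutive integers in values."""
    best = run = 0
    prev = None
    for v in sorted(values):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best

def summarise(log_text, min_run=3):
    """Group denied MACs by OUI (first 3 bytes); min_run is an assumed threshold."""
    suffixes = defaultdict(set)                      # OUI -> NIC-specific values seen
    ifaces = defaultdict(lambda: defaultdict(int))   # OUI -> interface -> denial lines
    repeats = 0                                      # "repeated N times" total, unattributed
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            iface, mac = m.group(1), m.group(2).upper()
            suffixes[mac[:6]].add(int(mac[6:], 16))
            ifaces[mac[:6]][iface] += 1
        elif (r := REPEAT.search(line)):
            repeats += int(r.group(1))
    findings = []
    for oui, seen in sorted(suffixes.items()):
        run = longest_run(seen)
        findings.append({"oui": oui, "distinct_macs": len(seen), "longest_run": run,
                         "sequential": run >= min_run, "interfaces": dict(ifaces[oui])})
    return findings, repeats

if __name__ == "__main__":
    findings, repeats = summarise(SAMPLE_LOG)
    for f in findings:
        print(f)
    print("repeat-suppressed entries:", repeats)
```

A single OUI with consecutive suffixes logged mostly on the LAN side is the pattern to search for in the wired capture described in the last post.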