Compromised Linksys Smart WiFi EA3500 - using MAC filtering

Post by TDD » Tue Dec 10, 2013 8:46 pm

I was browsing my home network router Linksys UI today and noticed 2 new devices attached to my network. The first thing that caught my eye was they both had the same name (Eye Care Center Check Out). Having no association with Eye Care Centers and being in a semi-rural, strictly residential, area, it definitely looked wrong. I recorded the MAC addresses of each; the first 8 characters of both were identical, only the last 4 characters were unique. Then I went to my MAC filtering to make sure they weren't listed - they were not. In the list of leased IP addresses, both MAC addresses were using the same IP lease which was registered to a LAN connection. I only have 2 LAN connections on the network so I checked the IPs of both and I had a PC using the same IP address as the 2 unknown MACs. I tried to shut down the PC but it hung on "Disconnecting from network..." so I killed the power with a hard press of the power button. Even with the machine off, the connection didn't terminate. Finally, I unplugged the Ethernet cable to terminate the connection of the unknown MACs and released the IP.

My take on all of this is that either through a Trojan or by an external hack, some(one/thing) accessed my router (possibly through the required "Cloud Connect" they now use) and then used a PC connected to the LAN to work their way around the network. Whether this is the case or not, I do need to take precautionary measures to assure this doesn't happen. I've already multi-scanned the hosting PC for trojans but found nothing.

As mentioned above, I do use MAC filtering for all devices. IPv4 & IPv6 firewalls are enabled at factory default settings. VPN Passthrough settings are enabled at factory default. DMZ is disabled and there is no port forwarding. The wireless security is WPA2/WPA mixed personal.

My knowledge of security is very limited but I know enough to be walked through just about anything.

Thanks in advance for your help!

Re: Compromised Linksys Smart WiFi EA3500 - using MAC filter

Post by thechief » Thu Dec 12, 2013 12:32 pm

Make sure that there is no WAN access to your router, and that no external ports are open. A good way to check this is to run the "shields up" test at grc.com.

Do you have a static IP from your ISP?

Re: Compromised Linksys Smart WiFi EA3500 - using MAC filter

Post by mstombs » Sun Dec 15, 2013 9:06 pm

I don't know this router or the Linksys UI - but it is not unusual for an Ethernet router to have entries in the arp table for a cable modem and ISP Gateway - these may appear in the device list but are on the WAN port not the LAN.
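
The checks discussed in the posts above (MACs missing from the filter list, several MACs on one IP lease, and WAN-side entries that are not LAN clients), as an added example that is not part of the original thread. It assumes the router's device list has been copied by hand into CSV; the column layout, device names, addresses and the allowlist are all constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: device list copied by hand into CSV. Column layout,
# names, MACs and addresses are invented for illustration.
DEVICES_CSV = """\
name,mac,ip,port
Office-PC,00:11:22:AA:BB:01,192.168.1.20,lan
Unknown-1,02-00-5E-10-00-A1,192.168.1.20,lan
Unknown-2,02:00:5e:10:00:b2,192.168.1.20,lan
Laptop,00:11:22:AA:BB:02,192.168.1.30,wifi
ISP-Gateway,02:00:5E:20:00:01,203.0.113.1,wan
"""

# Constructed allowlist standing in for the router's MAC filter list.
ALLOWED = {"00:11:22:AA:BB:01", "00:11:22:AA:BB:02"}

def norm_mac(mac):
    """Normalise 'aa-bb-..', 'AA:BB:..' or dotted hex to 'AA:BB:CC:DD:EE:FF'."""
    digits = "".join(c for c in mac if c not in ":-. ").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def triage(csv_text, allowed):
    """Return unknown LAN MACs, IPs shared by several MACs, OUI groups, WAN entries."""
    allowed = {norm_mac(m) for m in allowed}
    by_ip, by_oui = defaultdict(set), defaultdict(set)
    unknown, wan = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = norm_mac(row["mac"])
        if row["port"].strip().lower() == "wan":
            wan.add(mac)  # modem / ISP gateway side, not a LAN client
            continue
        by_ip[row["ip"].strip()].add(mac)
        if mac not in allowed:
            unknown.add(mac)
            by_oui[mac[:8]].add(mac)  # first three octets = vendor prefix (OUI)
    return {
        "unknown": sorted(unknown),
        "shared_ips": {ip: sorted(m) for ip, m in by_ip.items() if len(m) > 1},
        "oui_groups": {o: sorted(m) for o, m in by_oui.items() if len(m) > 1},
        "wan": sorted(wan),
    }

if __name__ == "__main__":
    for key, value in triage(DEVICES_CSV, ALLOWED).items():
        print(key, value)
```

An IP listed under `shared_ips` together with an allowlisted MAC points at the host to inspect first; entries under `wan` are expected and are not counted as unknown clients.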