I was browsing my home network router Linksys UI today and noticed 2 new devices attached to my network. The first thing that caught my eye was they both had the same name (Eye Care Center Check Out). Having no association with Eye Care Centers and being in a semi-rural, strictly residential area, it definitely looked wrong. I recorded the MAC addresses of each; the first 8 characters of both were identical, only the last 4 characters were unique. Then I went to my MAC filtering to make sure they weren't listed - they were not. In the list of leased IP addresses, both MAC addresses were using the same IP lease which was registered to a LAN connection. I only have 2 LAN connections on the network so I checked the IPs of both and I had a PC using the same IP address as the 2 unknown MACs. I tried to shut down the PC but it hung on "Disconnecting from network..." so I killed the power with a hard press of the power button. Even with the machine off, the connection didn't terminate. Finally, I unplugged the Ethernet cable to terminate the connection of the unknown MACs and released the IP.
My take on all of this is that either through a Trojan or by an external hack, some(one/thing) accessed my router (possibly through the required "Cloud Connect" they now use) and then used a PC connected to the LAN to work their way around the network. Whether this is the case or not, I do need to take precautionary measures to assure this doesn't happen. I've already multi-scanned the hosting PC for trojans but found nothing.
As mentioned above, I do use MAC filtering for all devices. IPv4 & IPv6 firewalls are enabled at factory default settings. VPN Passthrough settings are enabled at factory default. DMZ is disabled and there is no Port forwarding. The wireless security is WPA2/WPA mixed personal.
My knowledge of security is very limited but I know enough to be walked through just about anything.
Thanks in advance for your help!
Compromised Linksys Smart WiFi EA3500 - using MAC filtering
- thechief
Re: Compromised Linksys Smart WiFi EA3500 - using MAC filter
Make sure that there is no WAN access to your router, and that no external ports are open. A good way to check this is to run the "shields up" test at grc.com.
Do you have a static IP from your ISP?
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
Re: Compromised Linksys Smart WiFi EA3500 - using MAC filter
I don't know this router or the Linksys UI - but it is not unusual for an Ethernet router to have entries in the arp table for a cable modem and ISP Gateway - these may appear in the device list but are on the WAN port not the LAN.