Question: Possible home network intrusion?

woot

So I came home and noticed that my modem's internet light is blinking at a fast rate and the WLAN light is blinking sporadically. None of my devices were connected at the time, I don't have any appliances that can connect to it, and there was no one else in the house.

Could this mean someone is using my wifi?
I can't log into my modem because I forgot the password.
 
Most modems have something like a pinhole that you can use to reset the device locally (and then assign a new password). Wi-Fi is terribly insecure even in its most secure setup, so what you are saying is plausible. There are a lot of other reasons such traffic might show up which are unrelated to any break-in (e.g., DHCP lease expiration and reassignment).
 
That could easily be just a lack of connection to homebase, and the router is trying.
 
What model of modem and which specific light was it? They usually have many, like a "link" light, "uplink" and "downlink", plus "data transfer" indicators. It could just as easily have been someone hammering your IP address with traffic which the router was just dropping after it was received, with no actual intrusion having occurred. If the LAN or Wi-Fi indicator lights weren't flashing at the same time, then there was no traffic inside your network.
 
SmartRg505, a DSL modem. It does not have any lights that are labelled link or uplink or downlink or data transfer. Also, what do you mean by "hammering my IP address"? Is that an attempt at an intrusion? Also, I'm only using WLAN, no wired connections.
 
Could be a random DDoS attempt, or trying to abuse some known or suspected vulnerability with connection attempts (like a buffer overflow that would cause the device to suddenly accept a login attempt from the outside to access the router's administrative interface so they could upload compromised firmware).

The manual is here and page 7 has the LED info, although they quite helpfully (/s) don't show a specific model and where the lights are physically so I can't say exactly what your model has. https://www.lmi.net/wp-content/uploads/Gateway_User_Manual_v3_5.pdf

The WLAN light blinking sporadically could just be normal activity of an access point that is receiving signals/packets that aren't actually making a data connection, or that is just sending out the normal beacons, or maybe is doing a channel scan. I don't know about your device specifically and whether it would blink while a mobile device was trying to connect but didn't have the password, for example.

The Internet light blinking can mean the DSL authentication is in process, but that could be a slow blink or a fast blink, and might be very brief or might take a while. I have no experience with your device so really only you would be able to say if it was different this time. That light can also indicate actual traffic passing, so it could have been malicious coming from the Internet, or maybe the router was trying to do a firmware update. You have NO devices at home that would be connected when you're outside the house? No computer, no smart TV, no security camera? Nobody else in the house could have left a laptop or mobile phone behind when they went out?

Since you had no way to log into it to check on what devices may have been associated on the Wi-Fi, you've got no way to troubleshoot this. As @USAFRet said, reset it, and create a long and strong password for the management interface and a long and strong password with a new wireless SSID. Hold the reset button for 6 to 20 seconds. Longer than that goes into a deeper reset mode. Note that you MAY need to contact your ISP to get the DSL connection configured again, unless you have the information sent to you when you signed up. The default credentials for the web interface are admin/admin.

If you want to be a little paranoid/security-conscious you can log in regularly and monitor for current associated devices, and the system and security logs (which likely don't go very far back) might catch association attempts or management login attempts. Even knowing that someone did manage to crack your Wi-Fi password won't help you DO anything about it other than change the password and SSID every time, although you could configure it for a hidden SSID which makes it somewhat harder to break into.
 
Thanks for the detailed reply. I used NirSoft's (https://www.nirsoft.net/) very user-friendly netwatcher program and didn't see any other devices, although it scanned only from 1-254, so I'm just going to do what was suggested earlier and reset the modem just in case. Maybe someone is hiding their devices from network scanners or something.
 
If you are really paranoid you just turn the wifi radios off when you are not using wifi.

Someone has to be pretty close to your house to get a usable signal. Look at all the posts on this forum with people having issues to get usable coverage inside their house.

There is one major security issue with wifi that allows even a simple cell phone to crack it. Once it is cracked changing the passwords does no good.

There is an idiotic feature called WPS. This is used by so-called "smart" devices to connect to a wifi network. Since you can't just log into a smart lightbulb and put in an SSID and password, they use this WPS feature. Unfortunately this feature is turned on by default on many routers even though the router manufacturers know a cell phone can crack it in less than 30 seconds nowadays.

Check the wifi setting and disable the WPS if it is active.

After this is off, change the wifi password. Now if you see a van parked in front of your house with government plates it is time to worry. In theory at least, good wifi passwords can be cracked in less than a week using a supercomputer.
 
I don't have any wifi radios; the only devices I own that use wifi are my smartphone and my computer. WPS is off and has been off since before I made this thread. I changed the password to a really complicated one with over 20 random letters and numbers, and in my jurisdiction, government vehicles use ordinary plates.

The only thing is, before this I was using my modem's MAC address as the default wifi password, but as I understand it, all modems, including those of the same model, have unique MAC addresses. Also, can someone completely hide their device from being seen by modem logs and network scanners/analyzers?
 
I meant the wifi radio chips in the router. Obviously if you disable the wifi on the router nobody can hack you, but then you can't use it either. There are businesses that turn off the wifi outside of normal business hours.

Hiding from network scanners is likely possible. It's not real hard to just not respond to any traffic other than the router/modem. You could even do it with a simple firewall setting in Windows.

Depends on the logs the router keeps. There is always a list of MAC addresses and which port each MAC address came in on, even on a very simple switch. The question would be whether the device actually has a way for you to display it. Your average users have no clue what a MAC address even is, so most routers do not have this feature. It all depends on how fancy the router is.

The way networks are secured in corporate environments is to use 802.1x. Almost all home routers support this on the wifi, and it is generally called enterprise mode rather than the pre-shared keys. It is also supported on Ethernet ports, but not on home routers unless you run third-party firmware.

802.1x when implemented using certificates is almost immune to hacking. Every device must have a registered certificate to connect and these are almost impossible to spoof. In addition, every single user has a unique user ID and password rather than using the SSID and shared passwords. Since most times this is all integrated with the Microsoft domain servers, the users just have to remember their main Windows login ID and password and all the rest works transparently. It is actually simpler because the users do not have to know anything about the wifi.
This also prevents users from connecting their privately owned devices to wifi, since even though they have their domain login they do not have the certificate.

You can partially implement this with a simple RADIUS server. Microsoft wants too much money for a domain server license. Since there is almost no traffic going to the RADIUS server, people use a Raspberry Pi.

BUT nobody is going to hack your network. What are they going to steal... your porn collections :). At most it would be neighborhood children whose parents have their routers set up to block access to the internet. The kids try to hack into the neighbors' just to use the internet; they don't actually care to attack the other machines in the house.
 
My router is not that fancy, it can do logs, there is a security log, but there is never anything on it, there is also a system log that works and has settings which include:

Log level: emergency, alert, critical, error, warning, notice, informational, debugging.

Display level: all the same selectables as above ^^^

Mode: local, remote, both.
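
The log levels listed above are the eight standard syslog severities, and a "remote" mode on such a setting normally means the router forwards its log to a syslog collector on another machine. As an added example (not part of the original posts), this Python code decodes the severity of forwarded lines and reports MAC addresses that are not on a known-device list; the `<PRI>`-prefixed line format is an assumption about what the router sends, and the message wording and all MAC addresses are constructed.

```python
import re

# The eight syslog severities, in the order the router's "Log level" menu lists them.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debugging"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

def parse_line(line):
    """Split a forwarded line into (facility, severity name, message), or None."""
    m = PRI_RE.match(line.strip())
    if not m or int(m.group(1)) > 191:   # PRI = facility * 8 + severity, max 23*8+7
        return None
    pri = int(m.group(1))
    return pri // 8, SEVERITIES[pri % 8], m.group(2)

def norm_mac(mac):
    """Normalise AA-BB-.. and aa:bb:.. spellings to lower-case colon form."""
    return mac.lower().replace("-", ":")

def unknown_macs(lines, known, max_level="informational"):
    """Map each MAC not in `known` to the messages that mention it."""
    threshold = SEVERITIES.index(max_level)
    known = {norm_mac(m) for m in known}
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # not a syslog line
        _, severity, msg = parsed
        if SEVERITIES.index(severity) > threshold:
            continue                      # less severe than requested, e.g. debugging
        for mac in MAC_RE.findall(msg):
            if norm_mac(mac) not in known:
                hits.setdefault(norm_mac(mac), []).append(msg)
    return hits

# Constructed sample input: message wording and MAC addresses are made up.
SAMPLE = [
    "<14>Jan  1 10:00:01 gateway wlan: STA 02:11:22:33:44:55 associated",
    "<12>Jan  1 10:05:10 gateway wlan: STA 06-AA-BB-CC-DD-EE auth failed",
    "<15>Jan  1 10:05:11 gateway wlan: probe from 06:aa:bb:cc:dd:ff",
    "<14>Jan  1 10:06:00 gateway dhcpd: DHCPACK 192.168.1.23 06:aa:bb:cc:dd:ee",
    "not a syslog line",
]
KNOWN = ["02:11:22:33:44:55"]   # hypothetical allowlist: your own phone and computer

if __name__ == "__main__":
    for mac, msgs in unknown_macs(SAMPLE, KNOWN).items():
        print(mac, len(msgs), "event(s)")
```
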
 
Your general user takes his router out of the box, plugs it in, and does nothing else. They do not care about any features or display in the router.

That is why routers now come with unique default wifi names and passwords. They used to leave them linksys/linksys.

The router maker will not spend time adding features for less than 1% of the users who might use it.
 
@woot

"I can't log into my modem because I forgot the password".

As I understand the posts thus far you have not reset the modem (modem/router) to the factory default configuration settings.

Why not?
I did already, but the main reason I made the thread is to find out why my modem lights are blinking like there is data transfer going on, despite all my devices/appliances being offline. Sometimes I come home to find all the lights solid, or they blink a few times, like once every 10 seconds, particularly the internet and WLAN lights. Now the internet light continuously blinks.
 
Hard to say exactly, since they do not document real well what the flash rate means.

Are you sure your devices are really "offline"? Are they turned off or disconnected? A browser that appears to be doing nothing is many times loading advertising almost constantly.

It can also just be spam traffic being dropped by your router. Hackers are constantly scanning IP addresses looking for some exploit... kind of like the constant spam calls you get on the phone telling you your car warranty is expired. The NAT is dropping the traffic, but the physical port still receives it, which will cause the light to flash.
 
By offline I mean the device is not powered on or the wifi on the device is turned off.
 
