Home page logo
/

basics logo Security Basics mailing list archives

RE: Multiple Connection Attempts to Home Wireless Network
From: "Corey Watts-Jones" <cwattsjones () rogers com>
Date: Fri, 6 Jan 2006 08:22:26 -0500

Sometimes these things are even more innocuous than you've theorized too. My
former employer used to get a *large* number of entries in the log regarding
connection attempts and what we eventually boiled it down to was that users
with wireless enabled PDAs (we were in the financial district of a major
city) were almost always around and a lot of their devices were set up to
make connection attempts to any available wireless, encrypted or otherwise.

Thanks,

Corey Watts-Jones
Systems Support Specialist
BIT Incorporated

-----Original Message-----
From: Guru4u Support [mailto:support () guru4u co uk] 
Sent: Thursday, January 05, 2006 5:33 PM
To: Joe George
Cc: security-basics () securityfocus com
Subject: Re: Multiple Connection Attempts to Home Wireless Network

Thanks for your reply,

The 'attempts' seem to happen during the afternoon more often than not 
and now seem to have settled down to occurring around 1.00pm and 5.00pm, 
although the odd individual occurrence does appear.

Each time in the logs it shows 5 sets of repeated attempts (repeated 
usually 20 times) all around 5 minutes apart as below. I think you're 
quite right that if it was a war-driving attempt or an attempt to 
piggyback my Internet connection that they would have hit the unsecured 
network nearby.

I cannot report this to an ISP as all I have is the MAC address that is 
being blocked by my router (D-Link).

I dont think it is malicious but it is nice to hear others thoughts on 
the matter as I havent seen this behaviour before on my network.

[INFO] Sat Dec 31 20:38:38 2005 Access denied to wireless system with MAC
address 000C76C94BC4   
[INFO] Sat Dec 31 20:38:38 2005 Previous message repeated 20 times   
[INFO] Sat Dec 31 20:24:31 2005 Access denied to wireless system with MAC
address 000C76C94BC4   
[INFO] Sat Dec 31 20:24:31 2005 Previous message repeated 20 times   
[INFO] Sat Dec 31 20:22:11 2005 Access denied to wireless system with MAC
address 000C76C94BC4   
[INFO] Sat Dec 31 20:22:11 2005 Previous message repeated 20 times   
[INFO] Sat Dec 31 20:20:59 2005 Access denied to wireless system with MAC
address 000C76C94BC4   
[INFO] Sat Dec 31 20:20:59 2005 Previous message repeated 20 times   
[INFO] Sat Dec 31 20:18:38 2005 Access denied to wireless system with MAC
address 000C76C94BC4   

Many thanks,

Ed


Joe George wrote:

If malicious, my best guess is that someone is making some attempts to
connect while war-driving or a neighbor with the intent of giving you a
headache. Keep an eye out, but if there were something serious going on,
I think a hacker would enter through the easiest hole (i.e. your
neighbor w/ the unsecured network). 

If it is anything benign, my best guess is that one of your neighbors
wi-fi node is trying to make a connection, thinking it's their own only
to later realize whats going on and ceases. In other words, a user with
limited understanding of wireless (if the case, most likely the neighbor
with the unsecured network).

In the logs, do these attacks take place at similar times one the days
they occur? Do you have anything in the log about the device trying to
gain access?  I couldn't find the manufacturer based on what you
provided. Port scanning isn't really illegal (at least here in the USA),
but if consistently happening, from the same IP, I'd report the user for
abuse with the attached log for proof. 

Best,

Joe

-----Original Message-----
From: Guru4u Support [mailto:support () guru4u co uk] 
Sent: Thursday, January 05, 2006 4:19 PM
To: security-basics () securityfocus com
Subject: Multiple Connection Attempts to Home Wireless Network


Hi folks,

I would appreciate some thoughts on this.

I am running a small  home network with a D-Link DGL-4300 router. I have
MAC Address filtering enabled (both for wireless and wired clients) and
I  have two clients that connect wirelessly, one being a PSP and the
other an XBOX 360. As a side note for more information I have changed
the SSID name, enabled SPI and use WPA security, the network is also set
to visible.

My question is this, over the last few days i have noted in my router's
logs that a wireless client with an unauthorized MAC address is trying
to connect but being blocked. OK no so big a deal if it was a one off or
maybe occasionally but it is becoming more frequent and over the past
couple of days its been happening for the best part of each day and
stopping in the evening.

example of my log below:

[INFO] Mon Jan 02 15:50:07 2006 Previous message repeated 12 times
[INFO] Mon Jan 02 15:50:04 2006 Access denied to wireless system with
MAC address 000C76C94*** [INFO] Mon Jan 02 15:50:04 2006 Previous
message repeated 20 times [INFO] Mon Jan 02 15:46:34 2006 Access denied
to wireless system with MAC address 000C76C94*** [INFO] Mon Jan 02
15:46:34 2006 Previous message repeated 20 times [INFO] Mon Jan 02
15:43:02 2006 Access denied to wireless system with MAC address
000C76C94*** [INFO] Mon Jan 02 15:43:02 2006 Previous message repeated
20 times [INFO] Mon Jan 02 15:37:11 2006 Access denied to wireless
system with MAC address 000C76C94*** [INFO] Mon Jan 02 15:37:11 2006
Previous message repeated 20 times [INFO] Mon Jan 02 15:32:28 2006
Access denied to wireless system with MAC address 000C76C94***

These attempts seem to come mostly in the afternoon and recently seem to
hit in 5 minute bursts.

I can only detect two other wireless networks in range. One is
completely unsecured (i didnt connect but  my PSP showed it as having no
security) now that network has been secured and the other is secured
with WEP. I have no other wireless kit so it isnt something im my house.

I have also seen a few access denied to my LAN with various IP MAC
addresses, don't think this is related though.

[INFO] Sun Jan 01 14:38:34 2006 Access denied to LAN system with MAC
address EA1C1F677*** 

Does this sound like a hacking attempt or just another network or
wireless client been setup incorrectly or left on scanning for available
connection points? It seems like something scanning for another network
repeatedly?

Thanks in advance,

Ed

------------------------------------------------------------------------
---
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
----



__________ NOD32 1.1354 (20060105) Information __________

This message was checked by NOD32 antivirus system.
http://www.eset.com



 



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning,

Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault