
Thread: Unauthorised DHCP entries appearing in secured WL500g-deluxe

  1. #1
    Join Date
    Jul 2004
    Location
    Berkshire
    Posts
    16

    Unauthorised DHCP entries appearing in secured WL500g-deluxe

    Anyone have ideas on the following :

    Setup
    WL500g-d running 1.9.4.6 WPA-PSK and WDS to a WL500g running 1.9.4.6 in AP mode. ESSID is hidden.

    Cable ------ WL500g-d ------------ WDS ------------WL500g AP Hybrid

    The setup works, DHCP works, LAN access or WLAN access works from both.

    I have restricted access also using MAC addresses.


    PROBLEM
    Each morning when I check my router, I am noticing 2 DHCP entries which should not be possible: they are not from my physical network, nor are they in my (short) list of allowable MAC addresses.
    How can DHCP be allocating an IP to these MACs when they shouldn't be able to get in in the first place?

    I have tried the following:
    - turned off the second WL500g, but in the morning they are still there and have been reallocated IPs.
    - turned on logging of accepted & denied connections, searched for the IPs in the list but don't see any.
    - blocked all MACs, even tested trying to get my PDA & laptop to connect, and that doesn't work, I can't get an IP, so how the hell are the two entries below getting in and getting one allocated?

    Here's my DHCP list; each morning there are two entries I can account for.
    Code:
    Host Name       Mac Address       IP Address      Lease
    Qtek_2020i      00:09:21:D4:44:1E 192.168.1.3     36029 secs ( My PDA )
                    00:0E:A6:98:A8:9C 192.168.1.4     20898 secs ( WL500G )
    fujit-lxp       00:0B:5D:78:BB:E8 192.168.1.6     70805 secs ( My Laptop )
                    E1:6C:D6:AE:52:90 192.168.1.8     Expired ( ????? )
                    E9:EB:B3:A6:DB:3C 192.168.1.9     Expired ( ???? )
    The leases with time against them are from the previous day, which is also odd as the unknown ones are expired. (I have tried rebooting the router and making sure everything is clear.)

    The only assumption I can make is that it's WDS, but that shouldn't be possible either as I do not allow anonymous and have specified the MAC of the WL500g in the WL500g-d and vice versa.

    I really do not like the thought of someone getting into my network, considering I work in security.

    Any ideas would be gratefully received.

    Cheers.
    My Kit :
    Asus Wl-500w 1.9.8.2 & WL500gd 1.9.4.6 ( WPA-PSK, WDS, Samba, DM, FTP, Epson PhotoStylus RX620 )
    Samsung X30 Centrino 1.7, 1Gb, 60Gb, 2200BG - Fujitsu 7010S 1.6, 1Gb, 60Gb, 2200BG - Cisco Cat 4003 - Network Appliance NAS/SAN F270 2TB

  2. #2
    hello psylockex,

    first of all, I would suggest you ping the 2 unknown IPs to see if they are alive

    second, try to do a FULL port scan on both machines; that would help to identify what they are if they have anything open (if they are alive, of course)

    also, make sure they have no current link to the router (netstat -an)

    please post a reply
    thanx

  3. #3
    Hi Nerodark,

    I have checked already that there are no current connections to these IPs. I am scripting something to monitor my network tonight, as these only appear in the early hours of the morning. I checked up to 10pm last night and nothing; checked this morning, two expired leases.

    This is the fun part: the first 3 octets of the MAC define the company/make etc. if registered, and official ones are only just hitting AA's I believe, so these appear to have been "created". Also, if the lease time on the router is 24hrs and my lease from the night before hasn't run out, how can a device get a lease and then expire between 10pm and 6am? And nothing in the logs. Weird, something funky is going on.

    I will go down your suggested route and take everything off my network and monitor for any activity tonight.

    I will post what I find.

    By the way, do you know of any weaknesses in WDS?

    Cheers

  4. #4
    OK, I'm baffled: nothing online and only one router, MAC filtered, not been online today, and I see this under DHCP leases. NetSaint never saw anything.
    Code:
    Host Name       Mac Address       IP Address      Lease
    zinc            00:0E:35:0B:FC:AE 192.168.1.2     85278 secs
    garyr-lxp       00:0B:5D:78:BE:B8 192.168.1.3     84224 secs
                    E1:6C:D6:AE:52:90 192.168.1.4     Expired
                    E9:EB:B3:A6:DB:3C 192.168.1.5     Expired
    System log shows
    Code:
    Sep 30 18:34:37  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 18:34:37  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 18:34:37  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 18:34:46  filter: UDP connection accepted to 192.168.1.255:138 from 192.168.1.6:138 
    Sep 30 18:34:57  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 18:34:57  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 18:34:57  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 18:34:57  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 18:34:57  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 18:34:57  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 18:34:57  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 18:34:57  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 18:34:57  filter: UDP connection denied to 239.255.255.250:1900 from 192.168.1.1:1900 
    Sep 30 20:12:34  ntp client: time is synchronized to time.nist.gov 
    Sep 30 22:12:38  ntp client: time is synchronized to time.nist.gov 
    Oct  1 00:12:41  ntp client: time is synchronized to time.nist.gov 
    Oct  1 02:12:44  ntp client: time is synchronized to time.nist.gov 
    Oct  1 04:12:47  ntp client: time is synchronized to time.nist.gov 
    Oct  1 06:12:49  ntp client: time is synchronized to time.nist.gov 
    Oct  1 08:12:52  ntp client: time is synchronized to time.nist.gov 
    Oct  1 10:12:55  ntp client: time is synchronized to time.nist.gov 
    Oct  1 12:12:58  ntp client: time is synchronized to time.nist.gov 
    Oct  1 14:13:01  ntp client: time is synchronized to time.nist.gov 
    Oct  1 16:13:04  ntp client: time is synchronized to time.nist.gov 
    Oct  1 18:13:07  ntp client: time is synchronized to time.nist.gov 
    Oct  1 20:13:10  ntp client: time is synchronized to time.nist.gov 
    Oct  1 22:13:13  ntp client: time is synchronized to time.nist.gov
    Anyone any ideas?

  5. #5
    this is very strange...
    can it be some sort of "virtual" network card in your PC?
    can it be a virus?

    anyway:
    If you only need 2 IPs, then allow only 2 in the DHCP and network settings...

    If I were you, I would make a script to scan the network 24/7 to check for "unwanted guests"... and in case that happens, send a warning...
    (like an SMS to your mobile...)
    [ WL-500G | fw: 1.9.2.7-7f ]

  6. #6
    Very interesting idea!
    Could you give me such a script to send an SMS to my mobile if anything happens at my router?
    And could you give me a FAQ on how to install this script?

    Many Thx!

    Shawn

  7. #7
    you can easily send SMS by email from your ASUS router

    some carriers allow their members to do it
    the email for a cell phone would be in this format: <cell phone number>@<service.carrier.net>

    I have a cell phone activated with Bell and my SMS email would be:
    1234567890@1x.bell.ca

    you can get the correct email by browsing the cell's filesystem with a data cable and looking in the files

    so to achieve what you are trying to do, you could use the "sendmail" binary offered in the estmp package, I think

    hope this helped!
    Last edited by nerodark; 02-10-2005 at 18:16.

  8. #8
    Hi Nerodark,

    That is exactly what NetSaint (Nagios) does. There were no other devices except the FC4 Linux box, which is not the problem, as the problem was there before I built the Linux box. It was only built to monitor this problem.

    So all I have is :

    internet ----- C/Modem --------- asus --------- netsaint monitoring

    I have Wireless MAC filtering ON
    I have LAN/WAN MAC filtering ON
    I am recording Accepted / Denied Connections.
    ( Nothing in the logs )

    The only place this must be happening is on the WL500G-d.

    The default DHCP lease is 24hrs... so if I log off at 10pm Saturday night and back on at 6am Sunday morning... HOW can the spurious DHCP entries occur and have EXPIRED in an 8 hour period? Not possible!

    NetSaint was set to monitor my DHCP range 2-10 and NEVER SAW A THING; in fact, apart from the ASUS router itself, NOTHING was seen.

    So the ASUS must have allocated them itself, which is concerning.

    My final attack is to reboot the ASUS and leave it on. Disconnect EVERYTHING, all PCs and the cable modem, and then in the morning I will connect in and look... if they are there THEN it can only be the ASUS... BIG problems.

  9. #9
    @nerodark

    OK! I knew that my mobile phone must be activated to receive SMS e-mails!
    But how can I get my ASUS router to send SMS e-mails?

    I am new and don't know how to set up my ASUS router to send SMS e-mails!

    Could you give me step-by-step documentation on how to do this?

    That would be great!

    Many Thanks!

    Shawn

  10. #10
    I personally use a variation of the following script to send mail for various monitored events:
    Code:
    #!/bin/sh
    # Send a one-off alert mail through the ISP's SMTP relay using mini_sendmail.
    SERVER=smtp.yourisp.com                        # SMTP relay to submit through
    FROM="\"Router reporter\" <reporter@my.router>"  # sender shown in the mail
    TO="you@your.mail.com"                         # recipient (or a carrier SMS gateway address)
    /usr/sbin/mini_sendmail -s"$SERVER" "$TO" <<EOM
    From: $FROM
    To: $TO
    Subject: Alert or whatever
    
    Body of message.
    EOM
    Adjust the SERVER, TO (and maybe FROM) variables to suit your environment. Note the empty line before the message body, and do not forget the EOM mark at the end of the message.

  11. #11
    OK, it looks like most of these responses should be in a thread of their own; they've sort of moved away from the problem at hand.

    UPDATE:

    - No PCs attached whatsoever.

    WL500G-d ---------> CableModem -------> Internet

    - No Wireless
    - No other physical attachment

    and I STILL get the same spurious MAC addresses in DHCP!!!!!

    I have checked that I cannot get into the router if my MAC address is not in the filtered list. It even stops me getting a DHCP address. So why do I get these:
    Code:
    Host Name       Mac Address       IP Address      Lease
    garyr-lxp       00:0B:5D:78:BE:B9 192.168.1.4     82631 secs
                    E1:6C:D6:AE:52:90 192.168.1.5     Expired  <-------?
                    E9:EB:B3:A6:DB:3C 192.168.1.6     Expired  <-------?
    After all my testing it seems to point to the WL500g-d, as I removed everything from the router, rebooted and left it overnight with no wireless and, lo and behold, this morning there they are, "expired". Should not be possible.


    Now has anyone any ideas?

    Cheers

  12. #12
    Quote Originally Posted by psylockex (post #11 above, quoted in full)
    Has this ever been explained anywhere on the net? Today I found that same exact MAC address (with no computer name) somehow assigned a local IP by my router's (D-Link DIR-655) DHCP server. It did not appear to be wireless. Full security is of course in place (WPA2, MAC address filtering, etc.). So what in the heck could it be?! Is there some kind of NAT hack that makes this possible? At least nothing seemed to be going on with that address (no connections and no settings changed). WEIRD!

    UPDATE! -- Seems the fake MACs are from whatever MS thing in 2003, Vista, and maybe XP SP3. How it essentially bypasses the router's MAC filtering to get a local IP assigned is still baffling, though! Got to find info on this somewhere on the MS site....
    Last edited by IntelliMoo; 04-06-2008 at 12:43.

  13. #13
    what about some virtual machine?

    http://www.coffer.com/mac_find/?stri...3AAE%3A52%3A90
    http://www.coffer.com/mac_find/?stri...3AA6%3ADB%3A3C

    no vendor found, so some "fake MAC"
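    An added example (not code from this thread, from the ASUS firmware or from NetSaint) that does in one pass the two things suggested above: the periodic "unwanted guest" check from post #5 and the validity check on the two odd MACs from post #13. It assumes the router's DHCP server writes a dnsmasq-format lease file (one lease per line: expiry epoch, MAC, IP, hostname, client-id); that format and the lease path are assumptions, not something the thread states, and the lease lines and allowlist below are constructed from the tables the original poster published. Besides comparing each lease against the MAC filter list, it decodes the two IEEE control bits in the first octet of each MAC: bit 0 is the individual/group bit, bit 1 the universal/local bit. Both E1 and E9 have bit 0 set, which makes them group (multicast) addresses; no NIC sends with a group address as its unicast source, so an OUI vendor lookup on them is moot.

```python
#!/usr/bin/env python3
"""Audit a DHCP lease table for MACs that should not be there.

Added example for this thread, not code from the forum or from the ASUS
firmware.  ASSUMPTION: the router writes dnsmasq-format leases, one per line:
    <expiry-epoch> <mac> <ip> <hostname> <client-id>
The sample below is constructed from the lease table posted in the thread.
"""

# Fixed "current time" so the constructed sample is deterministic.
NOW = 1_128_000_000

# Constructed sample lease file: two known hosts with live leases and the two
# unexplained entries, already expired, as the poster saw them.
LEASE_FILE = f"""\
{NOW + 85278} 00:0e:35:0b:fc:ae 192.168.1.2 zinc 01:00:0e:35:0b:fc:ae
{NOW + 84224} 00:0b:5d:78:be:b8 192.168.1.3 garyr-lxp 01:00:0b:5d:78:be:b8
{NOW - 3600} e1:6c:d6:ae:52:90 192.168.1.4 * *
{NOW - 3600} e9:eb:b3:a6:db:3c 192.168.1.5 * *
"""

# The poster's MAC filter list: the only addresses that should ever get a lease.
ALLOWED = {"00:0E:35:0B:FC:AE", "00:0B:5D:78:BE:B8"}


def parse_leases(text):
    """Return one dict per lease line; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append({
            "expiry": int(parts[0]),
            "mac": parts[1].upper(),
            "ip": parts[2],
            "host": parts[3],
        })
    return leases


def mac_flags(mac):
    """Decode the two IEEE control bits in the first octet of a MAC."""
    first = int(mac.split(":")[0], 16)
    return {
        "group": bool(first & 0x01),  # bit 0: 1 = group/multicast address
        "local": bool(first & 0x02),  # bit 1: 1 = locally administered
    }


def audit(text, allowed, now=NOW):
    """Flag every lease that is not allowlisted or cannot belong to a real NIC."""
    findings = []
    for lease in parse_leases(text):
        flags = mac_flags(lease["mac"])
        reasons = []
        if lease["mac"] not in allowed:
            reasons.append("not in MAC allowlist")
        if flags["group"]:
            reasons.append("group bit set: not a unicast NIC address")
        if flags["local"]:
            reasons.append("locally administered bit set: no burned-in OUI")
        if reasons:
            findings.append({**lease, "expired": lease["expiry"] <= now,
                             "reasons": reasons})
    return findings


def alert_body(findings):
    """Plain-text report, usable as the mail body for the script in post #10."""
    if not findings:
        return "DHCP lease audit: no unexpected leases."
    lines = [f"DHCP lease audit: {len(findings)} unexpected lease(s)"]
    for f in findings:
        state = "expired" if f["expired"] else "active"
        lines.append(f"  {f['mac']} {f['ip']} host={f['host']} ({state}): "
                     + "; ".join(f["reasons"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # On a monitoring box this would read the lease file copied off the router
    # (path assumed, e.g. /tmp/dnsmasq.leases) instead of LEASE_FILE, and cron
    # would run it a few times a night.
    print(alert_body(audit(LEASE_FILE, ALLOWED)))
```

    Run from cron on the monitoring host, the output of alert_body() is what you would pipe into the mini_sendmail heredoc from post #10 to get the SMS-by-email warning discussed above. Note that the group-bit check fires even if someone were to add E1:6C:D6:AE:52:90 to the allowlist, which is the point: an address with that bit set is not the burned-in address of any adapter, so the lease cannot have come from an ordinary client that passed the MAC filter.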

  14. #14

    Same MAC address

    Has anyone found a solution to this issue? I have an AT&T 2Wire wireless router showing the exact same 2 MAC addresses. This should not be possible, which we all agree.
