Solved I think someone may have remote access to my router?

May 29, 2013 at 10:33:23
Specs: Windows 7
I've been really paranoid about this kind of stuff lately and I checked my logs today after what I thought was a DDoS attack and found that this was popping up

[LAN access from remote] from 166.137.184.232:38378 to 192.168.1.3:12046 Wednesday, May 29,2013 09:24:28
[LAN access from remote] from 188.176.85.202:51075 to 192.168.1.3:12046 Wednesday, May 29,2013 09:24:17
[LAN access from remote] from 216.203.109.28:57990 to 192.168.1.3:12046 Wednesday, May 29,2013 09:19:47
[LAN access from remote] from 173.19.3.111:14717 to 192.168.1.3:12046 Wednesday, May 29,2013 09:19:36
[LAN access from remote] from 76.29.98.61:2971 to 192.168.1.3:12046 Wednesday, May 29,2013 09:19:29
[LAN access from remote] from 200.205.95.10:6322 to 192.168.1.3:12046 Wednesday, May 29,2013 09:17:20
[LAN access from remote] from 177.76.75.99:1024 to 192.168.1.3:12046 Wednesday, May 29,2013 09:15:02
[LAN access from remote] from 66.83.159.2:53855 to 192.168.1.3:12046 Wednesday, May 29,2013 09:13:43
[LAN access from remote] from 66.83.159.2:53852 to 192.168.1.3:12046 Wednesday, May 29,2013 09:13:42
[LAN access from remote] from 187.76.155.118:46264 to 192.168.1.3:12046 Wednesday, May 29,2013 09:13:23
[LAN access from remote] from 177.106.217.231:38625 to 192.168.1.3:12046 Wednesday, May 29,2013 09:13:05

Now, I use TeamSpeak, Skype, I play video games etc. But does this "LAN access from remote" mean someone is remotely accessing my stuff? And is it possible for them to steal things like passwords etc. from this?




#1
May 29, 2013 at 12:23:06
Try running the Shields Up "all service ports" test. They should all show as stealthed (green):
https://www.grc.com/x/ne.dll?bh0bkyd2

Always pop back and let us know the outcome - thanks



#2
May 29, 2013 at 12:45:07
This most likely refers to someone connecting to a game you're hosting.

The log shows: 192.168.1.3:12046

A quick Google search of "what runs on port 12046" returns hits on a game called Second Life. Sound familiar? All those entries you posted point at that same IP and port number.

It's likely not someone hacking you, but if you're not playing Second Life or some other game on the computer with IP 192.168.1.3 and you're not running TS server on it, then you need to do as Derek mentioned and run the Shields Up test.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#3
May 29, 2013 at 12:48:18
✔ Best Answer
But does this "LAN access from remote" mean someone is remotely accessing my stuff?
The log appears to say traffic was routed to 192.168.1.3 because it tried to access port 12046. To find out what was being accessed:
1) Find 192.168.1.3
2) Open a Command Prompt, as Administrator, if applicable
3) Run netstat -abn
4) Look for port 12046, and see what program has it open
5) Review what data this program has access to, and its function.

And is it possible for them to steal things like passwords etc. from this?
Possible? Yes. Probable? Doubt it.

How To Ask Questions The Smart Way
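
An added example, not part of any poster's reply: it groups router log entries in the format shown in this thread by internal target, then looks up which executable `netstat -abn` reports for that port. The netstat text is constructed sample output and `example_app.exe` is a placeholder name.

```python
import re
from collections import defaultdict

# Router log entry format as posted in the thread; entries may be fused on one line.
LOG_RE = re.compile(
    r"\[LAN access from remote\] from (\d+\.\d+\.\d+\.\d+):(\d+) "
    r"to (\d+\.\d+\.\d+\.\d+):(\d+)"
)
# Three entries copied from the thread's log (the last two fused, as posted).
SAMPLE_LOG = (
    "[LAN access from remote] from 166.137.184.232:38378 to 192.168.1.3:12046 Wednesday, May 29,2013 09:24:28\n"
    "[LAN access from remote] from 188.176.85.202:51075 to 192.168.1.3:12046 Wednesday, May 29,2013 09:24:17"
    "[LAN access from remote] from 216.203.109.28:57990 to 192.168.1.3:12046 Wednesday, May 29,2013 09:19:47\n"
)
# Constructed `netstat -abn` output; example_app.exe is a placeholder.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:12046          *:*
 [example_app.exe]
"""

def summarize_router_log(text):
    """Map each internal (ip, port) target to the set of remote source IPs."""
    targets = defaultdict(set)
    for src_ip, _src_port, dst_ip, dst_port in LOG_RE.findall(text):
        targets[(dst_ip, int(dst_port))].add(src_ip)
    return dict(targets)

def owners_of_port(netstat_text, port):
    """Executables that netstat -abn lists (in [brackets]) for a local port."""
    owners, pending = set(), False
    for line in netstat_text.splitlines():
        fields = line.split()
        if fields and fields[0] in ("TCP", "UDP"):
            # Local address is the second column; the port follows the last colon.
            pending = fields[1].rsplit(":", 1)[-1] == str(port)
        elif pending and line.strip().startswith("["):
            owners.add(line.strip().strip("[]"))
            pending = False
    return owners

if __name__ == "__main__":
    for (ip, port), sources in summarize_router_log(SAMPLE_LOG).items():
        owners = sorted(owners_of_port(SAMPLE_NETSTAT, port))
        print(f"{ip}:{port} <- {len(sources)} remote hosts; owner(s): {owners}")
```

If netstat is run without Administrator rights it prints no bracketed owner line, and `owners_of_port` returns an empty set for that port.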



#4
May 29, 2013 at 15:45:00
It came back and said that it didn't respond or something like that and then in blue text underneath said (That's good news!). Does this mean I'm safe? Recently I've been targeted for DDoS attacks (Which I wasn't actually DDoSed) and from a different person they said they can "Fry my router and get every password/creditcard/SSN etc ever sent through it" Is that even possible? Can they get everything ever sent through a router?


#5
May 29, 2013 at 15:57:32
Congratulations, you've just been taken in by a child's temper tantrum. Next time he throws a hissy fit, refer him to some image from this site: http://www.tumblr.com/tagged/whatev...


#6
May 29, 2013 at 15:58:12
Was it the "all service ports" test that you ran? If so, for the best results it should have said all the ports were STEALTHED and the little boxes should have been green. This means that not only were the ports closed but they were hidden so that they didn't even appear to exist.

If the above was the case my guess is that it was simply ports that were opened for some activity such as gaming.

Keep an eye on the log and see what is going on when they appear.


#7
May 29, 2013 at 21:46:52
Just to add to what Derek already said (as in, read his post carefully and make sure you do what he says)...

I've been targeted for DDoS attacks (Which I wasn't actually DDoSed) and from a different person they said they can "Fry my router and get every password/creditcard/SSN etc ever sent through it" Is that even possible? Can they get everything ever sent through a router?

I wouldn't worry too much about the threats, it all sounds like hot air to me.

I noticed you never did answer my question about gaming so I'm going to ask it one more time. Do you run any games in host/server mode on your computer (192.168.1.3) that external users connect to? Or, do you run any other software in host/server mode (like Team Speak)?

One last question, have you ever created any port forwards on your router?


#8
May 29, 2013 at 22:34:01
I closed all my forwarded ports today (I had them opened to play Cry of Fear Co-op but it never worked so I never actually hosted a server on the game). I run Teamspeak, but I do not host a server on my machine. The ports for the game Cry of Fear had been opened for I'd say 3-5 days, all within the days I had the threats. I was not hosting the servers though, it was simply a Teamspeak community for the gaming community I play in. I do not play Second Life by the way, and I saw that port was connected to Second Life and could not find out how that attachment was made, which concerned me a bit.

On the topic of the all port scans, I scanned it but for some reason it won't finish all the way to 1056, but all the ones that showed up were green (stealthed).

I've got another question pertaining to hacking routers. Is there a way that hackers can hack my router, and make it divert traffic containing credit cards and other important things to their internet and they steal my information from that or would that require a keylogger or some other malware? I know most hacking is social engineering, but the software side of it can be very scary. I've recently found out a lot about I.D. theft too and it's scary stuff...

Sorry if I'm overreacting a bit I've got paranoid schizophrenia so all this talk about frying my stuff and stealing important stuff is very scary to me and I need some form of self assurance. Unfortunately this often involved scaring me even more.



#9
May 30, 2013 at 07:19:29
You can always go through your router settings to see if they look OK. It should be fairly clear if there have been any added entries but I doubt it is the case.

No idea why that scan didn't complete - it should have done. Unplug the router from the power then restore it and give it a few minutes to fully start up again. Restart the computer and retry the scan.


#10
May 30, 2013 at 07:32:01
I've got another question pertaining to hacking routers. Is there a way that hackers can hack my router, and make it divert traffic containing credit cards and other important things to their internet and they steal my information from that or would that require a keylogger or some other malware?

Not likely. I suppose it is possible if you're running a router with linux based firmware but something like this would typically be accomplished through a trojan of some sort that resides on the computer you do all your online activities with.

Ensure you have "remote management" and "wireless management" turned off for the router and then the only way to manage it is through a computer that is plugged into one of the LAN ports on the router.


#11
May 30, 2013 at 09:43:29
Wait? I guess the scan did complete and the 1056th port didn't show up because at the bottom it said this

"Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice."

However, at the top it still says it's being carefully examined? Odd? I thought it would show just 1 square in a final row which would be the 1056th port, but it doesn't show up I guess. Apparently I've got a perfect TruStealth rating.

Question. Are there really people who can scan the entire country for ports 0-1056 to be open to attack their victims?

Also, I've disabled Wireless/remote management of my router, so now my computer is the only computer in the house who can manage it.



#12
May 30, 2013 at 10:04:29
Yes, the "being examined" text remains and it adds the information under the block of ports when finished. It examines 1056 ports including 0, so 1055 is the last one. Whatever, that's the result you wanted.

They don't scan manually, they use computers.


#13
May 30, 2013 at 11:50:33
So do you reckon that I'm safe?


#14
May 30, 2013 at 12:09:11
Probably. I don't see any danger signs, at least.


#15
May 30, 2013 at 12:30:12
Looks fine to me too but as I said before keep an eye on the log and then you might be able to find out what you were doing when the entries arrived.


#16
May 30, 2013 at 13:18:30
Yesterday I saw something pop up "ICMP_echo_req" keep popping up from many different IPs, but I also disabled UPnP as well because I thought that might make me very vulnerable... Is it safe to have UPnP enabled, and is that what's causing ICMP_echo_req? What is ICMP_echo_req? I tried googling it but nothing really came up.

I just checked the logs to find this

[DoS attack: Smurf] attack packets in last 20 sec from ip [190.196.105.255], Thursday, May 30,2013 11:44:20
[DoS attack: Smurf] attack packets in last 20 sec from ip [190.196.105.255], Thursday, May 30,2013 11:43:36



#17
May 30, 2013 at 14:52:55
That echo request is just someone "pinging" you. Nothing to worry about, your firewall did its stuff and blocked it.

Similarly the DoS attack was blocked. Often this is just precautionary (i.e. suspected). If a webpage has stacks of links (such as Google images) the firewall blocks traffic for a while to protect you in case it is an attack. Maybe it's best not to look at the logs after all LOL, they are mainly for info. Just let your firewall get on with its job.

I doubt having UPnP enabled has any bearing on the above but if you can live with it disabled then it can't be a bad thing. Folk don't worry so much about UPnP as they used to - there are far worse things about these days. It's a bit like saying it is safer to never go online or switch on the computer. Maybe, but it would be a bit dull.
