Help Decipher Router Logs & Stop Hacker

Question asked by Jeanne Meier on Mar 14, 2016

Hi,

I am trying to get information on a device that is connecting to my internet router.

I know for certain that my router is hacked. My quest, before blocking the device, is to see if I can get more information on it and/or information regarding the websites the device is connecting to and/or what files are being downloaded.

Firstly, there are two unauthorized devices:

#1 MAC ADDY: 00:12:7b:54:2d:d9 - Some type of Android device from VIA Technologies

#2 MAC ADDY: d0:5f:b8:3c:db:ef - Reports on logs as "NXP4330", appears to be by Texas Instruments

I use a Pace 50331NV router with AT&T internet. It seems that most sniffer programs do not like this router, and syslog is just uncooperative. The latter is a nice way of saying that neither I nor AT&T's support know how to configure the syslogs properly. There is a screen to enable it, but it requires that I provide a server address and port. There is a port recommendation of 514, but I have no clue what the server address would be. I tried using the IP assigned to the offender, but I don't see anything in the logs. Not sure if this server address should be my main (private) IP or a www server. If it just needs a webhost, I can provide that. At any rate, with the assumption that the syslogs are not available and the sniffers that I have found do not really give any clear-cut data (i.e., what sites are being visited), I am at a total loss.

So that's the main issue.

Second to this, on a hunch I did a reverse IP search on my system. If I put in the main IP of my router, it returns another IP; I presume these are my public and private IPs?? However, if I reverse search the specific IP he is connecting to (only one of his devices shows me an IP), some of the reverse IP checkers show two websites being hosted from it. He has been connecting to 192.168.1.71, and, for example, yougetsignal.com shows that this IP is hosting 27e.net and vz.lt. I don't understand how this is possible.

I'm thoroughly confused. Hope someone may be able to lead me in the right direction. It isn't as easy as just changing the passwords. When I was with Verizon, his device would show in the logs but not on the "connected" screen, so I couldn't block him. I changed the password repeatedly and even replaced the entire MiFi device to no avail. Then I changed to AT&T and it's the same thing. AT&T will allow me to block him by his MAC address, but I want to see what he is doing first, if at all possible. Seeing what he is accessing is a huge thing, as there is a whole lot more to what has been happening than what I've mentioned here. In short, though, I'm suspecting he is or has been in my computers, thereby able to see password changes and other things.

Hoping you can advise, thank you!
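The router's syslog "server address" is the LAN IP of a machine that listens for the forwarded log datagrams, so here is an added example (not from the original post or from AT&T/Pace) of a small UDP syslog collector that parses each line and flags entries mentioning the two MAC addresses quoted above. The sample log line inside it is constructed for the test; the router's real message format is an assumption, since the post does not show one.

```python
"""Minimal syslog collector: on the router's syslog screen enter this
machine's LAN IP as the server address and the chosen UDP port (514 needs
root/admin to bind; any high port such as 5514 works without it)."""
import ipaddress
import re
import socket
import sys

# MAC addresses quoted in the post; any line mentioning them is flagged.
WATCH_MACS = {"00:12:7b:54:2d:d9", "d0:5f:b8:3c:db:ef"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)            # RFC 3164 <PRI> prefix
MAC_RE = re.compile(r"(?i)\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_private(ip: str) -> bool:
    """RFC 1918 addresses such as 192.168.1.71 exist only inside the LAN, so
    public reverse-IP lookups on them say nothing about this network."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def parse_syslog(raw: bytes) -> dict:
    """Split a syslog datagram into facility/severity and extract MACs and IPs."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    facility = severity = None
    body = text
    if m:                                   # PRI = facility * 8 + severity
        facility, severity = divmod(int(m.group(1)), 8)
        body = m.group(2)
    macs = {x.lower() for x in MAC_RE.findall(body)}
    ips = set(IP_RE.findall(body))
    return {"facility": facility, "severity": severity, "message": body,
            "macs": macs, "ips": ips, "private_ips": {ip for ip in ips if is_private(ip)},
            "watched": bool(macs & WATCH_MACS)}


def serve(port: int = 514, bind_ip: str = "0.0.0.0") -> None:
    """Receive datagrams forever, printing flagged entries to stdout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            entry = parse_syslog(data)
            if entry["watched"]:
                print(f"[{src}] watched device: {entry['message']}")


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 514)
```

Run it as `python collector.py 5514` on a LAN machine and enter that machine's IP and 5514 on the router's syslog screen; every line naming either MAC address is printed as it arrives.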