It's late and I'm sorta freaking out a little... so sorry in advance.
Short story
-----------------------------------------------------------------------------------------------------------
Why am I getting 20+ [LAN access from remote] connections an hour in my router log?
To a local IP of 192.168.1.9 that I cannot find actually connected to my network?!? Through a port 38753 that I cannot find any info on.
These are coming from IPs all over the world.
-----------------------------------------------------------------------------------------------------------
Long Story
I've run my network setup for about 2 years the exact way it is now.
Cable modem (CableAmerica) >>> Netgear router WGR614v10 >>> Linksys E1000 v1 router *working as a wireless access point for extended range*
Works great, no troubles, 2 households sharing.
Last week the connection at the Linksys was erratic. (Webpages would load slow for 15 minutes, then go back to normal for ?? 30 min, 1 hr? Same thing with YouTube vids and online games.)
I reset the router. But it kept doing it, so I assumed my sister (the Netgear) was downloading or watching something. (It never behaved like this before, though.) So I shrugged it off for a few days.
So a few days go by and it gets worse. (Now it's slow 15 minutes, normal 5 mins?)
I check my sister's computer (on the Netgear). It's acting exactly the same. Obviously I unhooked the routers and plugged the cable modem in direct. It appeared to act the same, so I told her the cable connection is screwed up. Maybe a damaged line or the modem's going bad?
So she's going to call Cable America and have them check it out. (Who knows when that will be or if they figure anything out *I'm kinda shooting in the dark that it's on their end*)
So I'm not totally convinced it's the cable company's issue just 'cause it persisted after I plugged the modem direct.
So I'm looking through the Netgear and find a *Logs* feature.
In there is this (I assume it's OK to post random IPs that are remote accessing my local network):
[LAN access from remote] from 125.25.48.211:52586 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:04:06
[LAN access from remote] from 125.25.48.211:1024 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:04:06
[LAN access from remote] from 110.169.68.192:1024 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:02:57
[LAN access from remote] from 79.132.48.199:14777 to 192.168.1.9:38753 Friday, Dec 09,2016 23:59:30
[LAN access from remote] from 79.132.48.199:50055 to 192.168.1.9:38753 Friday, Dec 09,2016 23:59:30
[Admin login] from source 192.168.1.18, Friday, Dec 09,2016 23:59:29
I'm the admin login, and it shows the correct local IP for me as 192.168.1.18.
But I cannot find this 192.168.1.9.
I scanned my network with ESET and there is no 192.168.1.9 showing up?? Even my access point shows up as 192.168.1.2.
But I have no clue what device is assigned 9?
I searched the web to see what freakin' port 38753 is and I didn't find anything.
So I blocked port 38753 TCP/UDP for all IPs on the network.
And it's still showing [LAN access from remote] to that IP and port!!
On top of that, the IPs it's coming from are from like France and Hong Kong. I just checked a few 'cause there's so many.
But when I saw Hong Kong I freaked, 'cause I just got an email from Steam a few days ago telling me someone from Hong Kong tried logging in to my account and I should update my security.
IDK what's going on, maybe I'm paranoid, I'm going to bed. *Smashes head on desk and hits submit*
Update: I turned off UPnP on the Netgear, and the [LAN access from remote]s stopped. But within 30 minutes I got this in the logs:
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [151.101.44.166], Saturday, Dec 10,2016 01:52:52
Then this several hours later:
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.108], Saturday, Dec 10,2016 07:58:07
---------------------------------------------------------------------------^From a local IP? I don't see 108 on my network though.
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [172.217.0.6], Saturday, Dec 10,2016 13:12:09
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [172.217.0.3], Saturday, Dec 10,2016 13:11:57
------------------------------------------------------------------------------^IP is from Google in Atlanta?
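Added example, not part of the original post: a small Python parser for the Netgear log format quoted above. It groups [LAN access from remote] entries by LAN target, counts distinct remote sources per target, and marks [DoS attack] entries whose source is a private address. The function name `summarize` and the `KNOWN_HOSTS` set (the two LAN addresses the poster identifies) are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines copied from the post; KNOWN_HOSTS are the LAN addresses the poster could identify.
LOG = """\
[LAN access from remote] from 125.25.48.211:52586 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:04:06
[LAN access from remote] from 125.25.48.211:1024 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:04:06
[LAN access from remote] from 110.169.68.192:1024 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:02:57
[LAN access from remote] from 79.132.48.199:14777 to 192.168.1.9:38753 Friday, Dec 09,2016 23:59:30
[LAN access from remote] from 79.132.48.199:50055 to 192.168.1.9:38753 Friday, Dec 09,2016 23:59:30
[Admin login] from source 192.168.1.18, Friday, Dec 09,2016 23:59:29
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [151.101.44.166], Saturday, Dec 10,2016 01:52:52
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.108], Saturday, Dec 10,2016 07:58:07
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [172.217.0.6], Saturday, Dec 10,2016 13:12:09
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [172.217.0.3], Saturday, Dec 10,2016 13:11:57
"""
KNOWN_HOSTS = {"192.168.1.18", "192.168.1.2"}

LAN_RE = re.compile(r"\[LAN access from remote\] from ([\d.]+):(\d+) to ([\d.]+):(\d+)")
DOS_RE = re.compile(r"\[DoS attack: ([^\]]+)\] attack packets in last \d+ sec from ip \[([\d.]+)\]")

def summarize(log, known_hosts):
    """Return (inbound targets with distinct-source counts, DoS entries with a private-source flag)."""
    forwards = defaultdict(set)  # (lan_ip, lan_port) -> set of remote source IPs
    dos = []
    for line in log.splitlines():
        m = LAN_RE.search(line)
        if m:
            forwards[(m.group(3), int(m.group(4)))].add(m.group(1))
            continue
        m = DOS_RE.search(line)
        if m:
            # A private (RFC 1918) source in a DoS entry points at a LAN device, not the Internet.
            dos.append((m.group(1), m.group(2), ipaddress.ip_address(m.group(2)).is_private))
    findings = [
        {"target": f"{ip}:{port}", "remote_sources": len(srcs), "target_known": ip in known_hosts}
        for (ip, port), srcs in sorted(forwards.items())
    ]
    return findings, dos

if __name__ == "__main__":
    findings, dos = summarize(LOG, KNOWN_HOSTS)
    for f in findings:
        print(f)
    for d in dos:
        print(d)
```

An inbound target that is not a known host points at a port mapping to audit on the router, for example its UPnP port map table.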