[LAN access from remote] IPs connecting to me from all over the world :/

yeliyayue

Distinguished
Dec 1, 2011
It's late and I'm sorta freaking out a little... so sorry in advance.

Short story
-----------------------------------------------------------------------------------------------------------
Why am I getting 20+ [LAN access from remote] connections an hour in my router log,
to a local IP of 192.168.1.9 that I cannot find actually connected to my network?!? Through a port 38753 that I cannot find any info on.
These are coming from IPs all over the world.
-----------------------------------------------------------------------------------------------------------
Long Story

I've run my network setup for about 2 years the exact way it is now.

cable modem(CableAmerica)>>> netgear router WGR614v10>>> Linksys E1000 v1 Router *working as a wireless Access point for extended range*

Works great, no troubles, 2 households sharing.

Last week the connection at the Linksys was erratic. (Webpages would load slow for 15 minutes, then go back to normal for ?? 30 min, 1 hr? Same thing with YouTube vids and online games.)

I reset the router. But it kept doing it, so I assumed my sister (the Netgear) was downloading or watching something. (It never behaved like this before though.) So I shrugged it off a few days.

So a few days go by and it gets worse. (Now it's slow 15 minutes, normal 5 mins?)

I check my sister's computer (on the Netgear). It's acting exactly the same. Obviously I unhooked the routers and plugged the cable modem in direct. It appeared to act the same, so I told her the cable connection is screwed up. Maybe a damaged line or the modem's going bad?
So she's going to call CableAmerica and have them check it out. (Who knows when that will be or if they figure anything out. *I'm kinda shooting in the dark that it's on their end.*)

So I'm not totally convinced it's the cable company's issue just because it persisted after I plugged the modem in direct.

So I'm looking through the Netgear and find a *Logs* feature.

In there is this (I assume it's OK to post random IPs that are remote accessing my local network):

[LAN access from remote] from 125.25.48.211:52586 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:04:06
[LAN access from remote] from 125.25.48.211:1024 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:04:06
[LAN access from remote] from 110.169.68.192:1024 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:02:57
[LAN access from remote] from 79.132.48.199:14777 to 192.168.1.9:38753 Friday, Dec 09,2016 23:59:30
[LAN access from remote] from 79.132.48.199:50055 to 192.168.1.9:38753 Friday, Dec 09,2016 23:59:30
[Admin login] from source 192.168.1.18, Friday, Dec 09,2016 23:59:29

I'm the admin login, and it shows the correct local IP for me as 192.168.1.18.

But I cannot find this 192.168.1.9.
I scanned my network with ESET and there is no 192.168.1.9 showing up?? Even my access point shows up as 192.168.1.2.
But I have no clue what device is assigned 9?
I searched the web to see what freakin' port 38753 is and I didn't find anything.
So I blocked port 38753 TCP/UDP for all IPs on the network.

And it's still showing [LAN access from remote] to that IP and port!!

On top of that, the IPs it's coming from are from like France and Hong Kong. I just checked a few 'cause there's so many.
But when I saw Hong Kong I freaked, 'cause I just got an email from Steam a few days ago telling me someone from Hong Kong tried logging in to my account and I should update my security.

IDK what's going on, maybe I'm paranoid, I'm going to bed. *Smashes head on desk and hits submit*


Update: I turned off UPnP on the Netgear, and the [LAN access from remote]s stopped. But within 30 minutes I got this in the logs:
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [151.101.44.166], Saturday, Dec 10,2016 01:52:52

Then this several hours later:
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.108], Saturday, Dec 10,2016 07:58:07
---------------------------------------------------------------------------^from a local IP? I don't see 108 on my network though.

[DoS attack: FIN Scan] attack packets in last 20 sec from ip [172.217.0.6], Saturday, Dec 10,2016 13:12:09
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [172.217.0.3], Saturday, Dec 10,2016 13:11:57
------------------------------------------------------------------------------^IP is from Google in Atlanta?
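One way to triage router logs like the ones quoted above, as an added example that is not from this thread: a small Python parser for the Netgear [LAN access from remote] and [DoS attack] line formats shown in the post. It groups inbound hits by internal host and port and reports any port reached by several distinct public addresses (the signature of a port that is open to the Internet, for instance through a UPnP mapping or a forwarding rule, and so the first thing to check on the router), and separately lists "IP Spoof" entries whose source is a private address, which point at the LAN side rather than the Internet. The sample lines are constructed in the post's format, not a real capture.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the Netgear log format quoted in the post (not a real capture)
SAMPLE_LOG = """\
[LAN access from remote] from 125.25.48.211:52586 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:04:06
[LAN access from remote] from 125.25.48.211:1024 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:04:06
[LAN access from remote] from 110.169.68.192:1024 to 192.168.1.9:38753 Saturday, Dec 10,2016 00:02:57
[LAN access from remote] from 79.132.48.199:14777 to 192.168.1.9:38753 Friday, Dec 09,2016 23:59:30
[Admin login] from source 192.168.1.18, Friday, Dec 09,2016 23:59:29
[DoS attack: IP Spoof] attack packets in last 20 sec from ip [192.168.1.108], Saturday, Dec 10,2016 07:58:07
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [172.217.0.6], Saturday, Dec 10,2016 13:12:09
"""

LAN_ACCESS = re.compile(r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
                        r"to (?P<dst>[\d.]+):(?P<dport>\d+) (?P<when>.+)$")
DOS = re.compile(r"^\[DoS attack: (?P<kind>[^\]]+)\] .* from ip \[(?P<src>[\d.]+)\], (?P<when>.+)$")


def parse(log_text):
    """Split the log into LAN-access events and DoS-attack events (lists of dicts)."""
    lan, dos = [], []
    for line in log_text.splitlines():
        m = LAN_ACCESS.match(line)
        if m:
            lan.append(m.groupdict())
            continue
        m = DOS.match(line)
        if m:
            dos.append(m.groupdict())
    return lan, dos


def exposed_services(lan_events, min_sources=2):
    """Group inbound hits by (internal host, port) and keep those reached by at least
    min_sources distinct public addresses. A port that unrelated Internet hosts can
    all reach is almost certainly forwarded (port-forward rule or UPnP mapping), so it
    is the first thing to verify on the router rather than the remote addresses."""
    sources = defaultdict(set)
    for e in lan_events:
        if ip_address(e["src"]).is_global:
            sources[(e["dst"], int(e["dport"]))].add(e["src"])
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}


def spoofed_private_sources(dos_events):
    """'IP Spoof' entries whose source is an RFC1918 address: these originate on the
    LAN side (a device or a misconfiguration), not from the Internet."""
    return [e["src"] for e in dos_events
            if e["kind"] == "IP Spoof" and ip_address(e["src"]).is_private]
```

Run against the sample, the only exposed service is 192.168.1.9:38753, hit by three distinct public addresses, and the only private spoof source is 192.168.1.108.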
 
Solution
Bots looking for an unsecured system to wreak havoc on or steal personal data are all too common these days. I get quite a few every week but my FW always blocks them. It's a sign of the times we live in.

As long as your firewall is blocking them there's no need to be concerned; if it's not blocking them you need to change your firewall software.



yeliyayue

Distinguished
Dec 1, 2011
It looks like 192.168.1.9 might be my sister's Roku box... I'm going to play with it tomorrow.

So there's a chance just changing my firewall will at least keep them from getting in?
I'm afraid something's infected on the network giving them a backdoor of some sort.

I plan on getting new routers. I think the Netgear is like 10 years old :/

And installing an AV on my sister's computer. I noticed she has all kinds of widget crap in her browser (like the Ask toolbar and a bunch of other stuff).

I'll update if something changes.
Kinda looks like the slow internet might be unrelated to the network attacks. Will update on that also.

UPDATE: Changed the WiFi password, forcing all wireless devices to DC.
Everything seems to be back to normal.
I disconnected the Roku box that was using the 192.168.1.9 IP, and it stayed pretty much the same.

So changing the password and forcing DCs to all wireless devices doesn't tell me a whole lot :/ but at least I know it's not on the cable company's end as far as the slowness is concerned.