mystery device on my home network

I need some suggestions.
I have a standard Uverse ATT router and operate a minimal home network. My computers, cell phones, printer. Nothing special.
I run a freeware app called “Who’s on my WIFI” which is just portscan with a GUI.
It keeps detecting an unknown device active on my network. It is within my local IP range but it was not assigned by the router DHCP. So it is a static IP. All I know about it is the MAC address and the local IP address. I can ping the device and get a response.

My problem is I can’t identify it or get rid of it. I tried blocking its MAC address in the router table but that didn’t stop it.

I was sure blocking the MAC address would get rid of it. I don’t know enough about networks today to know what else to try.

Any suggestions would be appreciated.

Does googling the MAC address give you a manufacturer?

I don’t really get how it is on your subnet but not the DHCP table. That makes me think it is the actual router.

Is your ISP one of those that offers something like “Use millions of free wifi hotspots all over the country”?

Knowing the IP address and MAC address should nail what it is doing. An address at either end of the range 1-254 would suggest it is the router. Use a MAC address vendor lookup (such as this https://macvendors.com/ ) to find out who made it, and thus provide a good idea what it is.

Put the IP address into the URL field in your browser and see if anything responds.

“They’re inside the firewall!” types furiously on keyboard

A scarier notion.

A lot of routers can be taken over from the Internet side. Manufacturers have surprisingly often done amazingly stupid stuff. E.g., hardcoded root passwords, open “maintenance” ports, etc. (Reading Slashdot’s articles on these things is depressing.)

If it was your own router, I’d say check to see if your router has one of these problems. Download the latest firmware and install it from the LAN side. Etc. But if it’s AT&T’s then you have limited options.

Thanks!
I didn’t know about being able to look up MAC addresses. Though I should have. Makes sense.
I looked it up and it is the same manufacturer as the ATT router (ARRIS). So I know where it is, just not what it is. The local IP is 192.168.1.68 so it isn’t living in a normal router space.
It pings, but does not respond to an http: query.
I will look through the router setup pages and see if I can find anything. And I will try to find a manual. That would be nice.

Thanks for your suggestions. If there is anyone with experience in ATT routers from ARRIS, model BGW210-700, I would like to learn more about it.

As for scarier notions, I have changed all the passwords (of course), but didn’t reboot. I need to do that.

It turns out it almost certainly is in my router. I have no idea why or what it is.
The MAC address is only a couple of bits different from the router MAC.
Same manufacturer.
But what does it do? Turns out the software manual for this router has so far been successfully kept off the internet. All references to it go to the useless user manual.

Found this comforting post. At least I can plug one of the holes ATT thoughtfully punched through the firewall.
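Added example (not part of the thread): a small Python check for the comparison described in the post above, where the unknown MAC sits a couple of bits away from the router's MAC with the same manufacturer prefix. The addresses are constructed samples, and the `max_offset` threshold and the verdict labels are assumptions of this sketch.

```python
# Added example: compare an unknown device's MAC with the gateway's MAC.
# All addresses are constructed samples (00:00:5E:00:53:xx is the IANA
# documentation range), not values from the thread.
import string


def parse_mac(text):
    """Return a MAC as a 48-bit integer; accepts ':', '-' or '.' separators."""
    digits = "".join(c for c in text if c not in ":-. ")
    if len(digits) != 12 or any(c not in string.hexdigits for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def compare_macs(gateway, unknown):
    """Describe how the unknown MAC relates to the gateway's MAC."""
    g, u = parse_mac(gateway), parse_mac(unknown)
    diff = g ^ u
    return {
        "same_oui": (g >> 24) == (u >> 24),            # same vendor prefix
        "bits_different": bin(diff).count("1"),        # Hamming distance
        "numeric_offset": u - g,                       # distance in the vendor block
        "locally_administered": bool((u >> 40) & 0x02),
        "only_la_bit_differs": diff == (0x02 << 40),   # gateway MAC with LA bit flipped
    }


def verdict(r, max_offset=16):
    """Heuristic label; max_offset is an assumed threshold, not a standard."""
    if r["only_la_bit_differs"]:
        return "gateway-virtual"    # locally administered copy of the gateway MAC
    if r["same_oui"] and abs(r["numeric_offset"]) <= max_offset:
        return "gateway-adjacent"   # neighbouring address, likely another interface
    if r["same_oui"]:
        return "same-vendor"        # same maker, but not a neighbouring address
    return "other-device"


if __name__ == "__main__":
    gateway = "00:00:5E:00:53:10"   # constructed gateway MAC
    for unknown in ("00:00:5E:00:53:13", "02-00-5E-00-53-10", "3caa.bb01.0203"):
        r = compare_macs(gateway, unknown)
        print(unknown, verdict(r), r)
```

A "gateway-adjacent" or "gateway-virtual" result only says the address looks like one of the gateway's own interfaces; it does not say what that interface does.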

Is your router broadcasting a second wifi signal, either for a “guest” network or for an AT&T free wifi hotspot? “Wifi Analyzer” is an Android app that you can use to see what’s out there, if you don’t have another means of checking.

Some devices (well, Tivos) grab two IP addresses. I don’t know why, but it took me a long time to figure out what was going on there.

Something you could do is block the MAC address and see what stops working. Just remember the next time something (network connected) in your house stops working, you unblock that MAC address before you spend too long troubleshooting.

Also, depending on your router, you may have the ability to block ALL new connections until you log in and OK them. That’s how I have mine set up. Although I tend to forget about that setting until I’ve spent 20 minutes trying to get a new device online.

What would the results be if you “borrowed” or otherwise had available another wifi device that you could static address the same address? Would it boot it off?
Otherwise, if you don’t trust the ISP, get your own wifi router and program all your devices to use it. Cat6 it to the router and run your own security outside of the unsecure ISP device.

This is the sort of thing that gives me security nightmares. If my router is compromised then a whole lot of other stuff is in a bad, bad, place. One of the examples given in the article:

“It turns out anyone can get administrative access by hitting port 49955 with the username “tech” and no password.”

And this sort of thing is often seen on routers from all the major manufacturers. What is wrong with the people who make these?

Are you sure it’s not just the router itself, like maybe its 5GHz component? You can try disabling the 5GHz component and see if it goes away.

If you’re really that concerned, just add another router in front of it (not the best practice, but it’s usually fine), or get your own DOCSIS 3 modem from a thrift store and tell your ISP to use that + your own router instead. The Google Wifi ones aren’t very feature-packed, but they seem to get the most regular and automatic security updates out of any that I’ve seen.

AT&T Internet (formerly known as AT&T U-verse) does not allow customers to supply their own modems. You have to use the AT&T-supplied modem. They do not charge a separate rental fee for the modem. You are free to attach your own router/wifi access point to their modem.

The legacy DSL service did allow you to purchase your modem.

You could try to turn off all circuit breakers except your router and gateway (if possible plug them into a dedicated outlet using an extension cord if needed). See if it appears. One by one turn on breakers till it does. If it did with the router breaker on, then use an extension cord to run it to another circuit and repeat.

Not sure if that will give you an answer, but should give you a better idea.

Yeah. But didn’t you notice in the article that ARRIS takes security very seriously and is investigating the issues raised by the security researchers? Whether they actually do anything besides pick another port number to use as a hole, we shall see. Of course, all they have to do is update the firmware to do whatever they want including having the router ignore attempts to block ports, so there is nothing one can do to prevent the manufacturer from hacking into your network. We just have to trust them.

Nor do they allow customers to choose their own DNS server. Of course one can configure one’s computer to ignore the DNS supplied by the DHCP and use whatever one wants, but the DHCP in the router does not allow one to change the DNS server. Apparently the UVerse desktop boxes for the TVs need a specific DNS. On the ATT forum this was discussed and complained about until the moderator closed the thread. If one doesn’t like it, add your own router/DHCP. If your TV doesn’t work correctly, at least you know why.

It could very well be related to the 5 GHz radio. But I don’t think so. Without access to the documentation, I am making limited progress.

I am surprised by the different results I get from different tools. Depending on what freeware tool I use, I find that this mystery device doesn’t respond to http requests, does respond but doesn’t have a webpage to show, or that port 80 is active on this local address even though nothing useful comes back. The variety is due to the tools I am using, not the router. My best guess is that it is a blank web server. At least port 80 is active, but no http request returns anything.