Monday, 30 April 2018

networking - My Mac trying to connect to a possible intruder's machine, that is not in the network anymore


I just asked a question I think someone else has access to my wireless network. What next?. I have changed wireless security to WPA2, changed the password, disabled file sharing etc as =suggested in the answers. I even restarted my modem to that the DCHP leases expire. (Being a old modem, there is no option, at least from what can see, to reset leases)


Now, out of curiosity I downloaded Wireshark to see what is really happening on my network.


I still see 192.168.1.6 doing something on the network. Worse, I see my machine, 192.168.1.2 talking to it!
Wireshark


Now,



  1. How is this possible? The modem's DCHP leases say there is no 192.168.1.6.

  2. Could it be that my Mac somehow remembers a old address and tries to connect to it? Then why is there an response?

  3. Why would my mac connect at all? File sharing is off. Web sharing is off. Is this something to worry about or am I freaking out without reason?



Answer





  1. How is this possible? The modem's DCHP leases say there is no 192.168.1.6.



DHCP just assigns IP addresses. It is completely advisory, and any host may choose its own address with or without DHCP.



2.Could it be that my Mac somehow remembers a old address and tries to connect to it? Then why is there an response? 3. Why would my mac connect at all? File sharing is off. Web sharing is off. Is this something to worry about or am I freaking out without reason?



From what we can see in this part, your Mac initiates a TCP connection and wants to speak NetBIOS. NetBIOS is often used for name resolution, not necessarily file sharing. Your Mac indeed remembered the NetBIOS remote endpoint and now connects to it. 192.168.1.6 speaks NetBIOS, but refuses the connection. That traffic in itself is not a problem.



possible intruder's machine



First, find out the router's IPv4 address. It's probably 192.168.1.1, but if it's .6, the mystery is solved. Then, disable WLAN temporarily and connect via cable. Make sure no other computer is connected, neither via cable nor WLAN (WiFi LED should be off). Then, set a new WPA2 password, first on the router, and then on all machines. Check the IP addresses on all machines connected to the network to make sure 192.168.1.6 is not an ancient file-server in your closet. If you can still detect the intruder (and I'd wager you're facing a misconfiguration, not an intruder - a knowledgeable intruder would probably not speak NetBIOS), ask a new question and make sure your computers are not compromised.


No comments:

Post a Comment

Where does Skype save my contact's avatars in Linux?

I'm using Skype on Linux. Where can I find images cached by skype of my contact's avatars? Answer I wanted to get those Skype avat...