# Unknown computers on my network



## GrundLhaw (Mar 27, 2014)

Hi all, 
Three days ago, unknown computers started to show up on my network. They appear even if I connect with cable (wireless disabled) and with any computer (not specifically mine). 

The last four days, the only significant thing that happened is that I had my Internet speed doubled. (My ISP announced that it will double the internet speed of a category of customers in the first term of 2014).
So I suspect this has to do with my ISP but I am not sure.

I would like to know what could be happening, what can I do and what are the security risks.

I hope my post is clear. Thank you for your time.

Here are some details to help you understand.
*Behavior of the computers* :

- The computers never appear on my router's dhcp list.
- There is computer A that always connects on 192.168.1.64, I cannot ping it, its info: device name : PC-9628........., mac address 00-A1-B0... (no corresponding network adapter), no other information

- The first day there were two computers (never at the same time), and then they disappeared and since then there is a computer B. 
The computer B (like the first two computers) always connects on 192.168.1.2 if it is available, otherwise it doesn't. I can get the address 192.168.1.2 only if I connect to the router before it connects to the internet.
- I can ping computer B (response 20ms while my internet ping is ~45ms). 
- The computer B info: 
device name : INFO-394.... mac address : 00-E0-4C-.... (Realtek Network adapter) lan group : Workgroup, username: Sarah.
- Computer B connects more often than A. They both connect randomly but it seems they do not connect in the morning. 
- When they are connected, if I switch off and on my router they reconnect (appear on my network) instantly, but if I unplug the phone cable (connected to my router) and plug it again, it takes them many minutes to reconnect.
- Most of the time, I did not notice any drop in my internet, but yesterday night my ping rose and the internet speed significantly dropped a few hours after computers B and A connected. I do not know if it is related but I instantly turned off my router and went to sleep. This morning no sign of them. 

- I thought that it might be just other customers, but I have serious doubts : the specific address, the computer A is not pingable and is less likely to belong to a person than B. Is it a trick to double the internet speed or a security breach ?

*What I did and other security details :*

I use the software "Wireless Network Watcher" to monitor my network, I also used "NetScan" and "IpScan".

I changed my router password (it was not a default password) and my wireless password. I was using a 10 digits (now 13) randomly generated password (using KeePass) with WPA2 + AES and I have mac filtering enabled. I enabled my router firewall.

I also scanned my pc with various software suspecting a rogue or some kind of infection but it was clean. I am on Windows 7, firewall enabled and I use Microsoft Security Essentials. I changed my network location from a home to a public network. 

They are not computers or devices belonging to someone at home or friends, I know all the devices that connect to my network. Plus I have been alone the whole week. 
My router, provided for free by the ISP, is from Shanghai DareGlobal Technologies Co., Ltd. 
I tried contacting the ISP but they did not answer. I do not think that they will be of any help.


----------



## Wand3r3r (Sep 17, 2010)

Welcome to TSF!

Please post pics of the screen showing these rogue computers as well as the results of a tracert yahoo.com.


----------



## GrundLhaw (Mar 27, 2014)

Hi Wand3r3r and thank you for your quick response. 

I attached two images one showing the intrusion and the other the results of tracert. 

PS : Today another computer showed up on my network. It connected twice for a few seconds then it disconnected.


----------



## Wand3r3r (Sep 17, 2010)

Most of what you posted I can barely read. It does appear from the ipconfig that the ISP is going thru a private network. 172.17.x.x is a private ip address range which you see on the 3rd hop.

But then the 2nd hop appears to be a public ip with a 197.202.x.x

Is your router in NAT mode or Bridge mode?

Reason I ask is if this is in NAT mode then these devices are getting attached via the LAN not the wan and it's your router giving them ip addresses.

Have you confirmed what Net Watcher is telling you with what the Router is telling you concerning attached devices?

BTW mac addresses don't leave your lan and as such are not of any use to anyone.


----------



## GrundLhaw (Mar 27, 2014)

Sorry for the unreadable images, I reuploaded them. 

My router is in NAT mode. These devices are not getting attached via the wan. To verify that, I disconnected the router from internet and the unknown computer was still there. 
My router is showing just my computer in its dhcp list although the unknown computer is currently on my network (see in the attached images).


----------



## bassfisher6522 (Jul 22, 2012)

My question: do you have your network secured with an SSID and password? Only then, those who you give that info out to can log on to your network.


----------



## GrundLhaw (Mar 27, 2014)

@bassfisher6522

My wireless network is secured (WPA2 + AES, 13 random characters, changed many times). 
The thing is that even when I connect to my modem via LAN (with wireless disabled on the router), my modem is not connected to internet, my computer not connected to any network, the unknown computers still show up. 

I have an ADSL connection so I did test having :
- my modem connected to the telephone line. 
- my computer connected via a LAN cable to the modem. 
- disconnected modem from internet with wireless disabled 
- disconnected computer from internet or any other network (wireless disabled) 
=> unknown computers still there

I tried with another computer same results.


----------



## Wand3r3r (Sep 17, 2010)

I would like to see the router screen that has the attached devices.

Since you still see them when everything is disconnected tells me I can't believe what these utilities are telling you.

Simple solution is to do ip reservations or static ip assignments and disable the router's dhcp server so no one else can get an ip address.


----------



## GrundLhaw (Mar 27, 2014)

Thank you again for your help, 

I attached a screenshot of the dhcp table of the router. It is the only screen of the router that shows attached devices. 

I disabled DHCP server of the router, as you suggested, but the computers still showed up. 
I do not have the possibility to do ip reservation on my router. 

*Details of what I did* :
I did new tests many times to be sure about what is happening. 

I did the test with my computer then with another one. I unplugged/ plugged the cables, I rebooted the devices, deactivated/activated network cards. 
The results were the same.
*The configuration :*

The *adsl router* is connected to the telephone line through an RJ 11 cable 
. Router's wireless is disabled.
. The router is not connected to internet (automatic connection to internet is disabled).
. No other devices are connected to the router.
. Tested with DHCP server enabled and disabled.

The *computer* is connected to the router via an RJ 45 cable. 
. The wireless and bluetooth cards of the computer are disabled.

*Notes :* 
- Before connecting the computer to the router there was no sign of the unknown computers.
- There are many unknown computers. They come and go. Sometimes they are on the network for seconds, sometimes hours. 
- The DHCP list of the router never showed the unknown computers. I can ping them and they appear on software like "Wireless Network Watcher", "IpScan" (for this reason I included again their screenshots).
- I cannot have the address of the unknown computer. For example if it is connected on 192.168.1.2 I cannot have it and I will be given the address 192.168.1.3.


*Supposition :* Could it be related to the ISP local installation ? These devices would be computers from the neighborhood connected to the same line/switch.


----------



## Wand3r3r (Sep 17, 2010)

I believe we are getting false readings.

Do a static ip assignment to your pc wired at 192.168.1.2 and the pcs wireless at 192.168.1.3. Disable the dhcp server on the router.

Once you are done with this go to a command prompt and type 
ipconfig /all and post the results for review.

They can't be neighborhood pcs because they have to be on your lan side for you to see them. They would be on your wan side and given that ip range of 192.168.x.x that would be impossible since your wan ip is in a completely different subnet.

You don't have a TV or other network device in your house connecting to your router do you? Well you will know for sure when everyone but your pc is cut from the network.


----------



## GrundLhaw (Mar 27, 2014)

I attached a screenshot of ipconfig/all.
I assigned 192.168.1.2 to my ethernet card, 192.168.1.3 to my wireless card, 192.168.1.4 to the wireless card of the other pc I have. Dhcp server on the router is disabled.

Regarding the question whether I have any other device connected to my router, the answer is no. 
To be sure that it is not a device connected to my router, I did tests with a configuration that does not allow any connection to the router other than mine, and despite that the unknown computers showed up.
I detailed this test and its configuration in my previous message, I hope it is clear enough.

I had a problem assigning static ip addresses (hence my late reply) but I managed to solve it.

*Problem I had (now solved)* : 
I was having an "unidentified network", with no access to internet or the router. Many times, when I was assigning a static address to the network card it was not taken into consideration, the fields were becoming blank in the network card's properties. Assigning other addresses, rebooting the router and computer, disabling/re enabling cards did not work.

I tried ipconfig/release and ipconfig/renew and I had this error: 
_An error occurred while releasing interface Loopback Pseudo-Interface 1 : The system cannot find the file specified._

*The solution that worked for me :*

I did *netsh int ip reset all* and *netsh winsock reset catalog*, rebooted the computer, set the same settings as those I tried before and static assignments worked.


----------



## Wand3r3r (Sep 17, 2010)

Excellent! That should take care of any rogue computers. The use of netsh leads me to believe you may have been hit by malware. Make sure your antivirus/malware checker is up to date and has the latest definitions.


----------



## GrundLhaw (Mar 27, 2014)

Some new elements over here.
The unknown computers were still there even with static IP assignments and DHCP server disabled. I could not connect until I changed my static IP because there was an unknown computer on 192.168.1.3.

*A (temporary ?) solution :* 

I changed my local routing IP to 10.0.0.x (it was 192.168.1.x previously) and now I am not in the same network as the unknown computers. They never showed up on the current network. 

 
*What's new with the problem :* (See the attached images for details) 

Now, when I scan the 192.168.1.x network , the same unknown computers are still there. But the device on 192.168.1.1 (obviously the router) is constantly changing with a different MAC address each time, from different manufacturers (it is usually D-link but there were others like AskeyCom).
192.168.1.1 is the only device that responds to ping.

I scanned the wireless access points in my neighborhood (using "Vistumbler") , no MAC addresses of the 34 routers I detected matched with the "unknown routers". 

My anti-malware/antivirus are up to date and I did scan my computer and it was clean. 

Perhaps it is related to the router. I will try to get another router to test with, I will see with my friends if one of them can let go of his router for a day or two. 


Any idea what it could be ?


----------



## Wand3r3r (Sep 17, 2010)

Let's see an ipconfig /all from the machine you are scanning from.
Also download xirrus wifi inspector and post a screen shot of the networks it sees.

I suspect you are getting on someone else's network. You can not scan a 192x network if you are on a 10x network.


----------



## GrundLhaw (Mar 27, 2014)

Thanks for the reply. 
I attached ipconfig /all and Xirrus screenshots you requested.

I added a screenshot of Vistumbler, that shows all the wireless access points in my neighborhood. The access points are still listed after they disconnect or if they are no more within range (I get a weak signal of some access points in a specific place of the room). 

The MAC addresses of these routers do not match with any of the routers detected from the scan of 192.168.1.x network. 

As a reminder, I can scan the 192.168.1.x network (and see the computers/routers) even when wireless and internet are disabled.


----------



## Wand3r3r (Sep 17, 2010)

Appears to me you are not just scanning your network but all those local to you also. These pcs are not on your lan.

This is why they still show up with everything you have turned off.

Everything is as it should be. No one is using your internet connection or lan.


----------



## lordshaz (Apr 30, 2015)

Sorry to res an old thread but in case anyone else is searching for this information (as I was) through a little investigation I found that the "Askey Computer" on my network was actually my Panasonic Viera Smart TV.

I use a Server for DHCP, not the router. It was showing as COM-MID1 in my DHCP list with mac E0CA94 - Askey Computer

My TV has an external USB WiFi specifically for its model so I would say Askey Computer produce the chipsets that Panasonic used in the dongle.

My $0.02, hope it helps ;-)


----------
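
The checks discussed in this thread (devices that a scanner sees but the router's DHCP list does not, 192.168.1.1 answering with a different MAC address on each scan, and identifying a device from its vendor prefix) can be run over saved `arp -a` output. This is an added example, not something posted by the thread's participants; the function names, `known_macs` (standing in for the DHCP lease list or your own inventory) and the sample snapshots are assumptions constructed for illustration.

```python
import re

# Vendor prefixes quoted in the thread; a real audit would load the IEEE OUI registry.
OUI_VENDORS = {"00E04C": "Realtek", "E0CA94": "Askey Computer"}
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+", re.I)

def parse_arp(text):
    """Return (ip, mac) pairs from Windows `arp -a` output, unicast entries only."""
    pairs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface banner, column header or blank line
        mac = m.group(2).upper().replace("-", "")
        if int(mac[:2], 16) & 1:  # group bit set: broadcast or multicast entry
            continue
        pairs.append((m.group(1), mac))
    return pairs

def audit(snapshots, known_macs):
    """Compare ARP snapshots with the MACs the DHCP list or inventory accounts for."""
    seen = {}
    for snap in snapshots:
        for ip, mac in parse_arp(snap):
            seen.setdefault(ip, set()).add(mac)
    known = {m.upper().replace("-", "").replace(":", "") for m in known_macs}
    unknown = sorted((ip, mac, OUI_VENDORS.get(mac[:6], "unlisted"))
                     for ip, macs in seen.items() for mac in macs if mac not in known)
    # One IP answering with several MACs: an address conflict, or ARP replies being forged.
    changing = {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}
    return unknown, changing

# Constructed samples: only the 3-byte vendor prefixes come from the thread.
SNAP_1 = """Interface: 192.168.1.3 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-aa-00-01     dynamic
  192.168.1.2           00-e0-4c-00-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
SNAP_2 = """Interface: 192.168.1.3 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           e0-ca-94-00-00-02     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    unknown, changing = audit([SNAP_1, SNAP_2], ["02-00-00-AA-00-01"])
    print("not in inventory:", unknown)
    print("IP seen with several MACs:", changing)
```

Run `arp -a > snapshot.txt` at intervals and feed the saved files in as snapshots; ARP entries only exist for hosts on the same layer-2 segment as the interface that recorded them.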

