Arizona WAN IP logged as Ireland AWS IP in DD-WRT



#1
TheOOBEandMe


    New Member

  • Member
  • 3 posts

Hi, 

 

My home network got super crazy last year as a tool for harassment.  I know almost nothing about Networking but here this is:

 

The ISP is Cox in Arizona

Router was a Netgear R7000 which my brother installed DD-WRT firmware on to maybe help stem the "shutdowns"

Modem was a Cisco DPQ3212

 

So I went through log after log and found something peculiar.  With the old network being located in the Phoenix suburbs in Arizona we generally would have the WAN IP in that range, with San Diego being thrown in from time to time.  I figured the mistake was Cox Communications based as opposed to a network intrusion.  But this time there was an IP address from Ireland showing in the syslog under "WAN is up:  34.240.118.245".

 

Why would this happen?  Is it related to the attack and could it possibly be used, in conjunction with Date and Time, to point to the hacker?  Again, I know nothing...obviously.  But Cox was really skittish about providing me with the serial number they had on file for my modem when I wanted to make sure it matched with our In-Home modem.  Again, why?  It didn't match.  And there were mystery online charges on our statement showing our service one week going from the 100 mb/s to 30 mb/s and then back again...just for one week.  With all attached charges zeroed out.

 

I have reason to suspect that it is either the work of some crazy telecommunications employee messing with people's stuff OR...and try to stay with me here...OR it's law enforcement.  I'm not sure how the official "handover" of data is usually carried out between an ISP and a law enforcement agency.  Just take my word that I had good reasons to consider that an option, and due to the amount of time since the attacks were taking place, the "handover" yielded nothing.

 

Thanks in advance for any networking insight into this.  I have attached a screen shot of the syslog entry.  Keep in mind that these logs were captured during the boot process and there was nothing connected to the WiFi or by ethernet.

 

WAN is up. And its from Ireland.png

 



#2
azarl


    GeekU Admin

  • Administrator
  • 25,289 posts

192.168.1.xxx is your home network



#3
TheOOBEandMe

Yes, it is. But the WAN shows at the top of the screen shot. Normally this address is a local address determined by my ISP. But on this occasion, and this occasion only, the WAN is an Ireland-based EC2 AWS address. The location of this setup is in the Phoenix, AZ suburbs, and was being flooded and frequently shut down. Why would this show as Ireland? And an Amazon or AWS site showing as the internet-facing IP?

#4
azarl


Anything to do with this?

https://www.cox.com/...loudPortQRG.pdf



#5
TheOOBEandMe

It looks like a viable reason for the anomaly. Though it does say that I would need to sign up for AWS services before a connection like that could be made. At one point there was reason to suspect there was another machine with our IP, like the IP was duplicated. For instance, you saw that our IP was the 192.168.1.1, but there was evidence of about 30 concurrent connections to YouTube using 192.168.0.1 as the local address and 192.168.0.5, 6, 7, 8 and so on. Perhaps there was another router being used somewhere along the way to intercept traffic. I have a screen shot of that too.

Screenshot_20180115-025124.jpg