Router Log Mess

Discussion in 'Networking & Security' started by TechLarry, Dec 30, 2018.

  1. TechLarry

    TechLarry Can't find the G Spot

    Messages:
    29,527
    Joined:
    Aug 9, 2005
    There seems to be a lot going on in my Netgear Router Log, and I can't make heads nor tails of it.

    Two things of interest. The constant apparently failed login attempts from my main desktop (.23) and the UPnP changes.

    Wednesday, December 26, 2018 15:06:04 [admin login] from source 192.168.1.23, Wednesday, December 26, 2018 15:00:16 [UPnP set event: del_nat_rule] from source 192.168.1.23, Wednesday, December 26, 2018 10:30:42 [UPnP set event: add_nat_rule] from source 192.168.1.23, Wednesday, December 26, 2018 10:25:55 [Time synchronized with NTP server] Thursday, December 20, 2018 20:01:28 [UPnP set event: del_nat_rule] from source 192.168.1.23, Thursday, December 20, 2018 10:58:14 [Time synchronized with NTP server] Wednesday, December 19, 2018 20:00:02 [UPnP set event: add_nat_rule] from source 192.168.1.23, Wednesday, December 19, 2018 10:07:45 [UPnP set event: del_nat_rule] from source 192.168.1.23, Wednesday, December 19, 2018 06:11:53 [UPnP set event: add_nat_rule] from source 192.168.1.23, Wednesday, December 19, 2018 06:07:46 [Time synchronized with NTP server] Tuesday, December 18, 2018 20:00:01 [UPnP set event: del_nat_rule] from source 192.168.1.23.

    And blocks of...

    Sunday, December 09, 2018 19:22:45 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:45 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:44 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:44 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:44 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:44 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:44 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:44 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:44 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:44 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:43 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:43 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:43 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:43 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:43 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:43 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:43 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:43 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:42 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:42 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:42 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:42 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:42 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:42 [admin login failure] from source 192.168.1.23, 
Sunday, December 09, 2018 19:22:42 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:42 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:40 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:40 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:40 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:40 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:40 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:40 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:40 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:40 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:39 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:39 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:39 [admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:39 [admin login failure] from source 192.168.1.23

    Wash, Rinse, Repeat. This goes on for pages and pages and pages.

    Anyone know why the hell my desktop keeps attempting to log into my router?

    Could this be Netgear Genie?

    And finally, is there any sort of application you can feed these text logs and make them readable? This is a crock of shit.

    I tried importing into Excel but the comma usage is abnormal and it won't import correctly.

    My system scans clean of any Viruses, etc... And is protected by Bitdefender.
     
  2. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,103
    Joined:
    Jul 6, 2013
    What's your firmware version look like? Everything up to date?

    Also, I'm not aware of anything that will parse the logs aside from writing your own log parsing rules, or finding some that somebody already wrote online. This would typically include enterprise solutions. Although, depending on the time you have to put into it, you could certainly set up something that could parse and analyze your logs however you want.
     
  3. TechLarry

    It would not be so hard if they didn't abuse fucking commas so badly.

    Yes, all firmware and os up to date. Always.

    I might try installing FileMaker Pro. It has always been good at sorting shit out automatically when importing.
     
  4. FNtastic

    The only thing that makes logical sense to me is something attempting to log in from your PC. There are a couple things I would try:
    -see if it happens while that device is off
    -research malware programs and try running another 1 or 2 just to be sure
    -create a new user on the PC. See if the logs populate when you log in to your PC as the new user.
    -try uninstalling the suspected program "netgear genie" and see if anything changes in the logs

    Let us know what you come up with from these steps, and anything else you try.
     
  5. TechLarry

    That's just it, I don't know what is causing it. It's coming from my main desktop.

    All scans I've run come back clean.

    I tried using the Microsoft analyzer, but that damn thing is WAY over my head.

    I might give process monitor a try.
     
  6. TechLarry

    I removed Netgear Genie since it really doesn't apply to my current config anymore. I ditched the R7000 that was acting up and put the default FIOS router in place, and added a Netgear Orbi mesh system for wireless.

    You know, it could have been Genie trying to access that old router. I cleared the log. We'll see what happens :)
     
  7. TechLarry

    Nope. Shit...

    [admin login failure] from source 192.168.1.23, Sunday, December 30, 2018 19:31:34

    I think I will need to run process monitor to gather network data and then compare the times for entries.

    I'll need to filter out Backblaze. JC.
     
  8. TechLarry

    Well. Removing Netgear Genie didn't fix my mysterious log entries, but it did fix the sleep problem I've had for as long as I can remember.

    This machine has never really gone to sleep properly. Now it does.

    How about that :)
     
  9. FNtastic

    Lol. Anxious to hear how the other troubleshooting steps go. Keep us updated!
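
Added example, not part of the original thread: a small Python parser for the router log text discussed above, which copes with the commas inside each date and collapses the repeated `admin login failure` entries into bursts whose start and end times can be compared against a Process Monitor capture. It assumes the entry layout of the single line quoted in post 7 (event, source, then timestamp); the function names, the 5-second gap and the sample text are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed layout, taken from the single entry quoted in post 7:
#   [event] from source <ip>, <Weekday>, <Month> <DD>, <YYYY> <HH:MM:SS>
# Entries such as the NTP one have no "from source" part.
ENTRY = re.compile(
    r"\[(?P<event>[^\]]+)\]"
    r"(?:\s+from source (?P<source>\d{1,3}(?:\.\d{1,3}){3}),)?"
    r"\s*(?P<ts>[A-Z][a-z]+day, [A-Z][a-z]+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
)

def parse_log(text):
    """Return (timestamp, event, source) tuples, oldest first."""
    # finditer() matches whole entries, so commas in the date and lost line breaks are harmless.
    rows = []
    for m in ENTRY.finditer(text):
        ts = datetime.strptime(m["ts"], "%A, %B %d, %Y %H:%M:%S")
        rows.append((ts, m["event"], m["source"]))
    return sorted(rows, key=lambda r: r[0])

def failure_bursts(rows, gap_seconds=5):
    """Collapse 'admin login failure' runs into (source, first, last, count)."""
    bursts, last_index = [], {}  # last_index: source -> position in bursts
    for ts, event, source in rows:
        if event != "admin login failure":
            continue
        i = last_index.get(source)
        if i is not None and ts - bursts[i][2] <= timedelta(seconds=gap_seconds):
            bursts[i] = (source, bursts[i][1], ts, bursts[i][3] + 1)
        else:  # source was quiet for longer than gap_seconds: new burst
            last_index[source] = len(bursts)
            bursts.append((source, ts, ts, 1))
    return bursts

# Constructed sample in that layout, run together the way a paste loses line breaks.
SAMPLE = (
    "[admin login] from source 192.168.1.23, Wednesday, December 26, 2018 15:06:04 "
    "[Time synchronized with NTP server] Wednesday, December 26, 2018 10:25:55 "
    "[admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:45 "
    "[admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:44 "
    "[admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:22:44 "
    "[admin login failure] from source 192.168.1.23, Sunday, December 09, 2018 19:20:10 "
)

if __name__ == "__main__":
    for source, first, last, count in failure_bursts(parse_log(SAMPLE)):
        print(f"{source}  {first:%Y-%m-%d %H:%M:%S} -> {last:%H:%M:%S}  {count} failures")
```

The rows from `parse_log` can also be written out with the `csv` module, which quotes the fields and so imports cleanly into a spreadsheet.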