
Unknown device in wireless client list but no IP address assigned.

Becoming more familiar with the UTM, I am making an effort to check my logs for suspicious activity. I have been keeping an eye on my wireless protection logs and I am noticing something suspicious. An unknown wireless device has been attempting to connect to my wireless network all day long, every day. I have a very long 20+ character alphanumeric random password with special characters, which I highly doubt anyone could crack. I use AES encryption only.

My AP is bridged to LAN using WPA2 Personal AES encryption.

The device would just appear in my logs as STA authentication/association/WPA failure, so I figured maybe someone was trying to guess my wifi password (Good luck!), until just now I noticed that the device actually showed up in my wireless client list, which means they had successfully connected to my network, but how could this happen??? I have scoured my DHCP logs for the matching MAC address and can't find any evidence that they were handed an IP address, and the device does not show up in the IPv4 lease table, so this is bizarre. Before they gained access to my network I had blacklisted the MAC address, which locked ME out of the network (I have verified that the MAC address of my Samsung phone is completely different), and so I deleted my access point and created a new one with an even longer password.

The wireless client appears as an "LG Electronics" with the name and MAC address being both the same. The MAC address does not belong to my Sophos AP15. At first I thought maybe the access point had separate MAC addresses for the 2.4 and 5 GHz radios, but I don't think this is the case.

Here is the output of the log. In the screenshot you can see that at 1:59:46 the device must have authenticated.

2018:05:15-01:49:47 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: authenticated
2018:05:15-01:49:47 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: associated (aid 1)
2018:05:15-01:49:47 A400248C300B3D3 awelogger[1423]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-01:49:47 A400248C300B3D3 awelogger[1423]: id="4104" severity="info" sys="System" sub="WiFi" name="STA association" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-01:49:51 A400248C300B3D3 awelogger[1423]: id="4105" severity="info" sys="System" sub="WiFi" name="STA WPA failure" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" reason_code="2"
2018:05:15-01:49:56 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: deauthenticated due to local deauth request
2018:05:15-01:50:17 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: authenticated
2018:05:15-01:50:17 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: associated (aid 1)
2018:05:15-01:50:17 A400248C300B3D3 awelogger[1423]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-01:50:17 A400248C300B3D3 awelogger[1423]: id="4104" severity="info" sys="System" sub="WiFi" name="STA association" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-01:50:21 A400248C300B3D3 awelogger[1423]: id="4105" severity="info" sys="System" sub="WiFi" name="STA WPA failure" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" reason_code="2"
2018:05:15-01:50:26 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: deauthenticated due to local deauth request
2018:05:15-01:54:18 mysophosutm awed[4669]: [MASTER] start processing configuration change
2018:05:15-01:54:18 mysophosutm awed[4669]: [MASTER] end processing configuration change
2018:05:15-01:55:55 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: did not acknowledge authentication response
2018:05:15-01:55:55 A400248C300B3D3 awelogger[1423]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-01:56:26 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: did not acknowledge authentication response
2018:05:15-01:56:26 A400248C300B3D3 awelogger[1423]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-01:59:47 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: authenticated
2018:05:15-01:59:47 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: associated (aid 1)
2018:05:15-01:59:47 A400248C300B3D3 awelogger[1423]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-01:59:47 A400248C300B3D3 awelogger[1423]: id="4104" severity="info" sys="System" sub="WiFi" name="STA association" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-01:59:50 A400248C300B3D3 awelogger[1423]: id="4105" severity="info" sys="System" sub="WiFi" name="STA WPA failure" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" reason_code="2"
2018:05:15-01:59:55 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: deauthenticated due to local deauth request
2018:05:15-02:00:17 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: authenticated
2018:05:15-02:00:17 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: associated (aid 1)
2018:05:15-02:00:17 A400248C300B3D3 awelogger[1423]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-02:00:17 A400248C300B3D3 awelogger[1423]: id="4104" severity="info" sys="System" sub="WiFi" name="STA association" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-02:00:21 A400248C300B3D3 awelogger[1423]: id="4105" severity="info" sys="System" sub="WiFi" name="STA WPA failure" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" reason_code="2"
2018:05:15-02:00:26 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: deauthenticated due to local deauth request
2018:05:15-02:00:48 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: authenticated
2018:05:15-02:00:48 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: associated (aid 1)
2018:05:15-02:00:48 A400248C300B3D3 awelogger[1423]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-02:00:48 A400248C300B3D3 awelogger[1423]: id="4104" severity="info" sys="System" sub="WiFi" name="STA association" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-02:00:52 A400248C300B3D3 awelogger[1423]: id="4105" severity="info" sys="System" sub="WiFi" name="STA WPA failure" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" reason_code="2"
2018:05:15-02:00:57 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: deauthenticated due to local deauth request
2018:05:15-02:54:16 mysophosutm awed[4669]: [MASTER] start processing configuration change
2018:05:15-02:54:16 mysophosutm awed[4669]: [MASTER] end processing configuration change
2018:05:15-03:54:17 mysophosutm awed[4669]: [MASTER] start processing configuration change
2018:05:15-03:54:17 mysophosutm awed[4669]: [MASTER] end processing configuration change
2018:05:15-04:54:32 mysophosutm awed[4669]: [MASTER] start processing configuration change
2018:05:15-04:54:32 mysophosutm awed[4669]: [MASTER] end processing configuration change
2018:05:15-05:54:18 mysophosutm awed[4669]: [MASTER] start processing configuration change
2018:05:15-05:54:18 mysophosutm awed[4669]: [MASTER] end processing configuration change
2018:05:15-06:54:17 mysophosutm awed[4669]: [MASTER] start processing configuration change
2018:05:15-06:54:17 mysophosutm awed[4669]: [MASTER] end processing configuration change
2018:05:15-06:54:33 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: did not acknowledge authentication response
2018:05:15-06:54:33 A400248C300B3D3 awelogger[1423]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-06:59:35 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: disassociated due to inactivity
2018:05:15-06:59:36 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
2018:05:15-07:13:58 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: authenticated
2018:05:15-07:13:58 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: associated (aid 1)
2018:05:15-07:13:58 A400248C300B3D3 awelogger[1423]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-07:13:58 A400248C300B3D3 awelogger[1423]: id="4104" severity="info" sys="System" sub="WiFi" name="STA association" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-07:14:02 A400248C300B3D3 awelogger[1423]: id="4105" severity="info" sys="System" sub="WiFi" name="STA WPA failure" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" reason_code="2"
2018:05:15-07:14:06 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: deauthenticated due to local deauth request



  • Not to bump my own thread, but it just happened again. I cannot figure out what this LG device is or how it is connecting. Could there be malware on my device that is changing the MAC address of the phone and then connecting on top of the wifi connection I already have? Surely there must be some explanation. The unknown MAC address is in the red square.

    I also notice that anytime I make changes to the wireless network settings, I will receive an authentication error and I will have to re-enter my wifi password into the UTM or I will never be able to connect.

    For the meantime I created a MAC address definition (for my Samsung) and added my phone to the whitelist using the whitelist filtering in the wireless network settings. Now I will see if that rogue MAC address shows up again.

  • Alan, could that be a colleague's LG cell phone that doesn't have the passcode entered correctly??

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, as I have not given my passcode to anyone. I am the only one that uses this wireless connection. Probably a neighbor is attempting to access this connection. With that being said, I still don't understand how the device was able to show up in my wireless client access list without a successful association. Does any client that attempts to connect show up in this list, and should I be concerned that the log shows the device was authenticated?

    The status code "0" in the log, according to Intel, suggests that the association was successful, then a few seconds later there is a STA WPA failure. As I said before, there is no record of this wireless client receiving an IP address in the DHCP log.

    After changing my wifi password I have not seen any more connection attempts, but I have taken the following steps:

      • Created a MAC address definition for the unknown device.
      • Created a network definition based on that MAC address and gave it an IP address on a different subnet.
      • Created two firewall rules: one blocking any source and any service to that IP address, and one blocking that IP address to any destination using any service.


    https://www.intel.com/content/www/us/en/support/articles/000006508/network-and-i-o/wireless-networking.html

    Association
    Once authentication is complete, mobile devices can associate (register) with an AP/router to gain full access to the network. Association allows the AP/router to record each mobile device so that frames are properly delivered. Association only occurs on wireless infrastructure networks, not in peer-peer mode. A station can only associate with one AP/router at a time.

    Association process:

    1. Mobile device authenticates to an AP/router and then sends an Association Request.
    2. AP/router processes the Association Request. AP/router vendors may have different implementations for deciding if a client request should be allowed.
      • When an AP/router grants association, it responds with a status code of 0 (successful) and the Association ID (AID). The AID is used to identify the station for delivery of buffered frames when power-saving is enabled.
      • Failed Association Requests include only a status code and the procedure ends.
    3. AP/router forwards frames to or from the mobile device.
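Two layers are being run together in this thread, and separating them answers the question. The hostapd "authenticated"/"associated" lines and the awelogger status_code="0" entries record 802.11 open-system authentication and association, which any station can complete before the passphrase is checked at all; that is why the station appears in the wireless client list. The WPA2 four-way handshake runs only after association, and the "STA WPA failure" a few seconds later means that handshake did not complete, so the station never obtained session keys, could not send data frames, and therefore never reached DHCP. Associated-but-no-lease is exactly the signature of a failed handshake, not of a successful join. The Python below is an added example written for this page, not Sophos code or any tool from the thread: it parses the log format shown above, tracks each station through the authentication, association and handshake stages the Intel excerpt describes, de-duplicates the paired hostapd/awelogger records of the same event, and cross-checks the outcome against a DHCP lease table. The sample log mixes lines from the post with a constructed station (MAC 02:11:22:33:44:55, lease 192.0.2.50) whose handshake succeeds; that station, its lease, and the "pairwise key handshake completed" wording (hostapd's usual message, which a given AP firmware may phrase differently) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (hypothetical): lines from the thread's log for the unknown
# station, plus a made-up station 02:11:22:33:44:55 whose handshake succeeds.
# The handshake-success wording follows hostapd's usual message; the exact text
# on a given AP firmware may differ.
SAMPLE_LOG = """\
2018:05:15-01:49:47 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: authenticated
2018:05:15-01:49:47 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: associated (aid 1)
2018:05:15-01:49:47 A400248C300B3D3 awelogger[1423]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-01:49:47 A400248C300B3D3 awelogger[1423]: id="4104" severity="info" sys="System" sub="WiFi" name="STA association" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-01:49:51 A400248C300B3D3 awelogger[1423]: id="4105" severity="info" sys="System" sub="WiFi" name="STA WPA failure" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" reason_code="2"
2018:05:15-01:49:56 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: deauthenticated due to local deauth request
2018:05:15-01:55:55 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: did not acknowledge authentication response
2018:05:15-01:55:55 A400248C300B3D3 awelogger[1423]: id="4103" severity="info" sys="System" sub="WiFi" name="STA authentication" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" status_code="0"
2018:05:15-01:59:47 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: authenticated
2018:05:15-01:59:47 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: associated (aid 1)
2018:05:15-01:59:50 A400248C300B3D3 awelogger[1423]: id="4105" severity="info" sys="System" sub="WiFi" name="STA WPA failure" ssid="AP15" ssid_id="WLAN1.0" bssid="00:1a:8c:7f:d2:2f" sta="b4:f1:da:ca:b4:45" reason_code="2"
2018:05:15-01:59:55 A400248C300B3D3 hostapd: wlan0: STA b4:f1:da:ca:b4:45 IEEE 802.11: deauthenticated due to local deauth request
2018:05:15-02:10:03 A400248C300B3D3 hostapd: wlan0: STA 02:11:22:33:44:55 IEEE 802.11: authenticated
2018:05:15-02:10:03 A400248C300B3D3 hostapd: wlan0: STA 02:11:22:33:44:55 IEEE 802.11: associated (aid 2)
2018:05:15-02:10:03 A400248C300B3D3 hostapd: wlan0: STA 02:11:22:33:44:55 WPA: pairwise key handshake completed (RSN)
"""
# Constructed DHCP lease table (MAC -> IP); the unknown station has no entry.
SAMPLE_LEASES = {"02:11:22:33:44:55": "192.0.2.50"}

HOSTAPD_RE = re.compile(r"^(\S+) \S+ hostapd: \S+: STA (?P<sta>[0-9a-f:]{17}) (?P<msg>.+)$")
AWE_RE = re.compile(r"^(\S+) \S+ awelogger\[\d+\]: (?P<kv>.+)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_FMT = "%Y:%m:%d-%H:%M:%S"
COUNTED = ("auth", "assoc", "wpa_ok", "wpa_fail")
VERDICT_JOINED = "handshake completed and lease issued: station joined the LAN"
VERDICT_HANDSHAKE_FAILED = "802.11 association only: WPA handshake failed, no lease, no LAN access"
VERDICT_LEASE_NO_HANDSHAKE = "lease present but no handshake record: investigate"
VERDICT_UNKNOWN = "associated, handshake outcome not recorded"


def parse_line(line):
    """Map one hostapd or awelogger line to (timestamp, sta, event, detail), else None."""
    m = HOSTAPD_RE.match(line)
    if m:
        msg = m.group("msg")
        if msg.startswith("IEEE 802.11: authenticated"):
            ev = "auth"       # open-system auth: the passphrase is not involved yet
        elif msg.startswith("IEEE 802.11: associated"):
            ev = "assoc"      # status 0 + AID: the station now appears in the client list
        elif "pairwise key handshake completed" in msg:
            ev = "wpa_ok"     # 4-way handshake done: session keys installed, data can flow
        elif "deauthenticated" in msg or "disassociated" in msg:
            ev = "leave"
        else:
            ev = "other"      # e.g. "did not acknowledge authentication response"
        return datetime.strptime(m.group(1), TS_FMT), m.group("sta"), ev, msg
    m = AWE_RE.match(line)
    if m:
        kv = dict(KV_RE.findall(m.group("kv")))
        if "sta" not in kv:
            return None
        name = kv.get("name", "")
        ev = {"STA authentication": "auth", "STA association": "assoc",
              "STA WPA failure": "wpa_fail"}.get(name, "other")
        code = kv.get("reason_code") or kv.get("status_code", "")
        return datetime.strptime(m.group(1), TS_FMT), kv["sta"], ev, f"{name} code={code}"
    return None


def analyze(log_text, dhcp_leases):
    """Per station: stage counters, first/last seen, lease, and a verdict that
    cross-checks the WPA outcome against the DHCP lease table."""
    events = sorted((e for e in map(parse_line, log_text.splitlines()) if e),
                    key=lambda e: e[0])
    per_sta = defaultdict(lambda: dict.fromkeys(COUNTED, 0))
    seen = set()  # hostapd and awelogger both record the same event under one timestamp
    for ts, sta, ev, _ in events:
        s = per_sta[sta]
        s.setdefault("first", ts)
        s["last"] = ts
        if ev in COUNTED and (ts, sta, ev) not in seen:
            seen.add((ts, sta, ev))
            s[ev] += 1
    for sta, s in per_sta.items():
        s["lease"] = dhcp_leases.get(sta)
        if s["wpa_ok"] and s["lease"]:
            s["verdict"] = VERDICT_JOINED
        elif s["wpa_fail"] and not s["wpa_ok"] and not s["lease"]:
            s["verdict"] = VERDICT_HANDSHAKE_FAILED
        elif s["lease"] and not s["wpa_ok"]:
            s["verdict"] = VERDICT_LEASE_NO_HANDSHAKE
        else:
            s["verdict"] = VERDICT_UNKNOWN
    return dict(per_sta)


def persistent_failers(report, min_auth=3):
    """Stations that keep retrying (>= min_auth auth attempts) and never complete the handshake."""
    return sorted(sta for sta, s in report.items()
                  if s["auth"] >= min_auth and s["wpa_ok"] == 0)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, SAMPLE_LEASES)
    for sta, s in report.items():
        print(f"{sta}: auth={s['auth']} assoc={s['assoc']} wpa_ok={s['wpa_ok']} "
              f"wpa_fail={s['wpa_fail']} lease={s['lease']}\n  -> {s['verdict']}")
    print("persistent failers:", persistent_failers(report))
```

Run against the thread's own lines, the unknown station counts three authentication attempts, two associations and two WPA failures with no lease, and is reported as associated-only with a failed handshake; the constructed station reaches wpa_ok and has a lease. The third verdict (lease but no handshake record) is the one worth alerting on, since a station with LAN access that never passed a logged handshake is the case the DHCP cross-check exists to catch.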