Router name has changed to that of a foreign device

[FLeong 0]

Hi, the network scan of ESET shows that the name of the router that I am using has changed from the usual ASUS model  to  "WanConnectionDevice, mini UPnP router", with the same IP address of my original router.  Is this a cause for concern? Has my router been taken over by something else, or am I connecting to something that has piggy-backed on my router? The strange thing is that my husband using the same network reveals the correct name of the router in his ESET scan.

I have experienced some surveillance of late in my phone, network and living environment: 

-Cars mostly with skylight panel with man watching, close to where I stay.

-I have also problems with my network, in which ESET detected devices with foreign MAC address. Some of these devices that I suspect to be foreign could be a mobile assuming likeness in the name to my laptop, etc. That is, the label for the device type for those suspicious devices is different.

-Sometimes similar MAC addresses to my home devices are in the network I connect (5g). But these devices are used on a different network (2g), and have not known the password of 5g network. It is not clear if the MAC address of some home devices have been spoofed. After I used guest network to segregate devices,  the crossing over of networks stopped.

-But devices with foreign IP addresses still appear, now only occasionally.

 

[itman 1,659]

If you suspect that your router has hacked, the easiest way to resolve it is to perform a "hard" reset of the router.

If the router has not been assigned a strong password: https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/ assign a strong password to it. Many routers use the default "Admin" password or no password,

Edited July 23, 2020 by itman

[FLeong 0]

Thank you for the advice. I hard resetted the router, and have used a very strong password. After I did that, the router's name in the network scan had not reverted back to the correct one.

Could using a VPN cause a change of the name of the router (to WanConnection Device, Mini UPnP router)? But when I disconnect VPN, the name of the router remains foreign.

 

[itman 1,659]

I have no idea really why your router suddenly would be identified as such.

As far as mini UPnP refer to this: http://miniupnp.free.fr/ .

What bothers me is this; WanConnection Device. WAN's are a network of geographically distributed networks. Obviously this doesn't apply to you and might be indicative of your router being part of a botnet.

[SlashRose 25]

The router is not hacked, that is another Eset problem in build 13.2.15.0 under Windows Build 2004, I also have problems with the network scan, I also reported in my Eset Many Bugs Report. So don't worry, your router is not hacked !!!

[itman 1,659]

16 hours ago, FLeong said:

The strange thing is that my husband using the same network reveals the correct name of the router in his ESET scan.

Is he using the same router connection as you. That is, are you both using a Wi-FI connection to your PCs?

Also to address @SlashRose comment, are both PCs using the latest Eset  version; i.e. 12.2.15?

[itman 1,659]

Also of note is there have been multiple security vulnerabilities disclosed in regards to ASUS routers: https://www.cvedetails.com/vulnerability-list.php?vendor_id=3447&product_id=0&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opg

If that router's firmware hasn't been updated in a while, I recommended doing so with the latest release available for it.

[SlashRose 25]

16 hours ago, itman said:

Verwendet er dieselbe Router-Verbindung wie Sie. Das heißt, verwenden Sie beide eine Wi-FI-Verbindung zu Ihren PCs?

Auch zu adressieren @SlashRose kommen, sind beide PCs mit der neuesten Eset-Version; d.h. 12.2.15?

Hello itman,
I use the Fritzbox 6490 with the latest firmware and the last Eset Build 12.2.15, it is reported in many security forums by users, so it is not only users here in the forum who have this problem, it is also in other German forums Reported this bug!

[Marcos 5,071]

A device may return different names. It's possible that its name was determined in a different way on either machine. Please provide C:\ProgramData\ESET\ESET Security\homenet.dat. As long as the IP and MAC address of the router match on both machines, you are safe.

[Marcos 5,071]

51 minutes ago, SlashRose said:

I use the Fritzbox 6490 with the latest firmware and the last Eset Build 12.2.15, it is reported in many security forums by users

Please provide C:\ProgramData\ESET\ESET Security\homenet.dat for perusal.

[itman 1,659]

30 minutes ago, Marcos said:

Please provide C:\ProgramData\ESET\ESET Security\homenet.dat. As long as the IP and MAC address of the router match on both machines, you are safe.

Looking through this file, I see MAC addresses for every device on my local network other than for the router.

[FLeong 0]

Hi Itman, Slashrose and Marcos, appreciate your thoughts on the issue.

My computer and two others are all using the same network (at home but set to public for fear of files being shared between computers, as there had been computer looking alike pretending to cross over the 2g and 5g network, and foreign device). All three have ESET security installed. Only my computer gives the foreign router name, while the other two have the router labelled with "ASUS name + last 4 digits of  MAC address of the router "(which I assume is the naming convention of ESET? If not, then this name, which looks genuine, also reflects that of a foreign router. But let's not assume this scenario.

Anyway, all three computers using the same router network have the same version of ESET (13.2.15.0). The router (however named) has the same MAC and IP address shown in the network scans of the three computers.

Only the computer with the unrecognizable name was using a VPN different from another one. The third doesn't use VPN, which was labelled as XXXVPN (Wan Miniport (IKEv2)) . Only today the VPN is  changed to the use of TAP-XXXVPN adapter. But with or without VPN running in the background, the router's name is still the WANConnectionDevice mini UPnP router. So probably the VPN is not the issue.

The firmware of the router is up-to-date.

The computer that has the problem of the router's name is persistently faced with  Event 10016 Distributed COM issue. Happens 9 times in a period of one and a half hours. I don't know if this is a related issue.

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID  {……… } and APPID {…………}  to the user ---------SID (……..) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (……….). This security permission can be modified using the Component Services administrative tool.

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {…………… } and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user -----------SID (………….) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (….). This security permission can be modified using the Component Services administrative tool. 

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {…………. } and APPID {…………} to the user ----------------SID (…………….) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.ShellExperienceHost_10.0.18362.449_neutral_neutral_cw5n1h2txyewy SID (…………….). This security permission can be modified using the Component Services administrative tool.

…..

Can't supply the homenet data file that Marcos wants as its extension is not accepted in this forum.

Thank you!

 

[Marcos 5,071]

4 minutes ago, FLeong said:

Can't supply the homenet data file that Marcos wants as its extension is not accepted in this forum.

Please compress it into a zip or rar archive, these should be allowed here.

Also you mentioned that the network is public. Connected Home Monitor works only partially in public networks and most of the checks are performed only in home networks.

[itman 1,659]

3 hours ago, FLeong said:

My computer and two others are all using the same network (at home but set to public for fear of files being shared between computers,

If the device with the issue has always been set to the Eset firewall Public profile, I wouldn't be concerned. Eset's Connected Home Monitor feature will warn you about not using it on the Public profile.

On the device showing WANConnectionDevice mini UPnP router, temporarily switch the Eset Profile to Private. Now select Connected Home Monitor. Is WANConnectionDevice mini UPnP router still shown? Finally, switch Eset firewall profile back to its prior Public setting.

[FLeong 0]

Hi Marcos, I attach the file you need. Thank you for going through it. Hopefully there are some leads.

homenet.zip

[FLeong 0]

Hi Itman, I have changed the physical wifi network from "public" to "home". The name of the router for the problematic computer is still WanConnectionDevice, miniUPnP router. No change to details at all. There is also the same network devices on it as shown as when it is a public network. The network setting is back as public.

By the way, I did not change to "home" the virtual network 5 and virtual network 7  that shows up as connected network to the computer together with my wifi network, that I know by name. I do not know if it is safe to change these to "home". And why are there these virtual networks to which the same computer is connected?

There is a warning not to scan. But I know that it is my network that I am scanning. Actually, I still don't understand why there is a warning not to scan a network set to "public". Is it a matter of intrusion into other people's data?

Thank you.

Edited July 25, 2020 by FLeong
to add some information

[itman 1,659]

According to this: https://www.asus.com/us/support/faq/1011715/ , ASUS Wi-FI routers use a WAN setup for connectivity to ISP and/or VPN. As such, I really wouldn't be concerned with what Eset Home Connectivity Monitor is showing. It well may be a bug in the feature. 

[Marcos 5,071]

16 minutes ago, FLeong said:

There is a warning not to scan. But I know that it is my network that I am scanning. Actually, I still don't understand why there is a warning not to scan a network set to "public". Is it a matter of intrusion into other people's data?

That's because actual attacks are attempted during a network scan and it would not be good to attack your company's network infrastructure for instance. Network scans are not carried out if you just ignore the warning shown with public networks.

[FLeong 0]

So Marcos, it means there is no real network protection if the setting is put to "public". My issue is that there are devices with foreign MAC addresses in my home network, so I set it to "Public".

If I change it back to "home" would that help to get rid of these devices or prevent them from entering the network? And what settings should I have for ESET to disallow file sharing, laptop discovery,  or multicasting on foreign devices, etc in a home network?  Would these settings be available? (There many settings that I need to understand what they mean before I can adjust them. Any help on them?)

Would setting to "public" mean it is easier to have devices tapping on the network?

Today I just had a device with foreign MAC in the home network. I also had problems logging in to the home network. Later, when I discovered the device, I adopted VPN, and the foreign device left the network. I wonder if the device was tapping on something in my laptop to get into the network -- that was before the I adopted VPN. 

My phone which only knew the password for 2G network, went into the 5G network and was detected by ESET. It remained as active ("just now") in the 5G network even after I had removed the phone from wifi. That happened to my husband's computer too (crossing from 2G to 5G network, not having stored the 5G password), and staying put in the network, even while his computer was away from home.

Well these issues go on and on in circles!

I can try setting the network to Home, and see if things improve, if that is advisable.

[FLeong 0]

Itman, got your view.

[itman 1,659]

44 minutes ago, FLeong said:

My issue is that there are devices with foreign MAC addresses in my home network, so I set it to "Public".

I assume these are IoT devices. Could be Smart phones, TVs, hell .... even your refrigerator. I also use Eset Public profile.

This is why I have my PC connected to the router via Ethernet cable. The only other things Eset picks up are like Ethernet devices connected to the router. Now Eset sees my TV's Ethernet WAP device that control the set top boxes it uses, but never any devices connected to it.

[Marcos 5,071]

The router identifies itself under different names. The dat file has helped us improve the heuristics for determining the name. Next week we plan to release a module update after which the router will be identified as RT-AC53.

[itman 1,659]

2 hours ago, Marcos said:

The router identifies itself under different names.

Exactly.

my .dat file shows BRCM963xx Broadcom ADSL router which it is the chipset it is using. The the .dat file also shows 2Wire 5286AC.  ATT&T however will list this as Pace/Motorola or Arris 5286AC. Note that is common with ISP issued routers to totally change the OEM firmware code; replacing it with a custom version.

Personally, I have never been a big fan of Eset's Connected Home Monitor feature due to the above and the difficulty in correctly identifying a device. Eset should just show MAC id and be done with it. At least this should at least cut down on the constant forum postings about Connected Home Monitor.

Edited July 27, 2020 by itman

[itman 1,659]

Nirsoft has a network scanner called Wireless Network Watcher that is superior to Eset's Connected Home Monitor in my opinion. Works well on all network connections; wireless or Ethernet. Can be downloaded as a portable executable here: https://www.nirsoft.net/utils/wireless_network_watcher.html .

The below screen shot shows the issue with some ISP routers. Note that the arrows show two connections for my router. This is because my router is actually a hybrid modified by my ISP. It was originally designed by its OEM as an Ethernet supported router only. AT&T modified its firmware to add Wi-Fi capability to it. In other words, its a router within a router.

Note the "unknown" devices shown. Actually this is how they are shown within the router GUI. So Eset wouldn't be able to do otherwise. They are actually old unused Wi-Fi connections. You have to open the router GUI and find those devices by IP address to determine what they actually are. The CyberTAN device is actually my AT&T Uverse WAP

Edited July 27, 2020 by itman

[FLeong 0]

Thanks, Marcos. Look forward to your newer creation. So you do the programming.

If there can be some standard setups for different kinds of considerations and requirements in the home network, so that people who don't know much about security can simply choose and click, it can add an user friendly dimension. ESET is very detailed in its settings. Those who know how to operate them, would appreciate it. So an systems engineer recommended it to me.