
Unknown YouTube Connection Shows Different Subnet

Discussion in 'Networking' started by AlwaysBrian, Oct 4, 2018.

Thread Status:
Not open for further replies.
  1. AlwaysBrian

    AlwaysBrian Thread Starter

    Joined:
    Oct 4, 2018
    Messages:
    14
    First Name:
    It's Always Brian
    Thanks for reading.

    I had an issue with a stalker during the early part of this year and all of 2017. On one of many checks I would do of incoming and outgoing connections to our home wifi network I found this:

    A good 15 connections. Of YouTube on various ports, on a different subnet. Our home network was routed through our Netgear R7000 router and the address for the router and everything connected to it was 192.168.1.1 through 192.168.1.255.

    These connections show up as 192.168.0.5. All of them. Most are also associated with Google IP's as the remote address on either ports 80 or 443. One instance has it communicating with UDP on ports 67 and 68.

    We had suspected that this attacker of ours had somehow gained access to our home (I'll spare those details) and had possibly installed a camera of some sort.

    How does a scan of my home network show these YouTube connections? What does this suggest? Am I able to view this even though it is almost a year old? I will attach a small screen grab of what I am talking about.

    YOUTUBE WRONG ADDRESS SNIP.JPG
     
  2. Oddba11

    Oddba11

    Joined:
    May 12, 2011
    Messages:
    7,672
    First Name:
    Jim
    As noted in the package name, those are android connections. So they are likely wifi connections from a phone. Are you sure they aren't yours or someone else in your home?

    Have you verified the IP pools in use on your router? You could have, for example, the wired ports and wifi ports using different subnets.

    And if you think someone has breached your network, there are a few basic steps you can take, such as changing the router admin password, changing the wifi password, changing the IP pool(s) being used. At which point no devices can connect to your network unless you provide access.
     
  3. AlwaysBrian

    AlwaysBrian Thread Starter

    This screenshot was taken with one of two devices connected to the router that day. One was the tablet that I was using to view the connections and the other was my desktop connected via ethernet cable. I had been firmly entrenched in knowing what settings were what, and at the time of the shot I had already been using DD-WRT firmware on the router. At no time would the use of 192.168.0.1 have been used. This is concrete fact...

    I had been changing the admin password about every other day by this point. Later on it was determined through the router's logs that there was a firmware bug. Our little stalking problem seemed to have telecommunications experience and our ISP on several occasions would come to the house and say "huh? why did they do it this way?"

    Sparing details of the behavior, I had a strong, strong reason to believe there was some sort of device in the house. Since I had all the devices in the house on lockdown, and the problems kept returning, I suspect it was the one device I couldn't mess with: our DOCSIS Cable Modem. Buying a different Modem/Router a little after the shot was taken did little to stop the intrusion. While going through the initial setup, right out of the box, about halfway through the DOS started again. When I looked at the logs it showed that there was a login on the administrative IP of the modem/router...I think it was 192.168.0.10? Either way, this modem only lasted one day before just giving up and putting the old modem back in. That was the only time with the 0.10 or 0.anything that would've come from the house.

    Thinking about this from a standpoint of "knowing" there was an intrusion, what would these connections mean? For what it's worth, long after the screenshot, I installed Google Home on my phone and during that setup it was picking up a neighbor's open IP (edit: open WiFi bssid)...but only when plugged into a socket in my house...not on battery power.

    Could that be related, as I know that is not supposed to happen?
     
  4. AlwaysBrian

    AlwaysBrian Thread Starter

    Also, real quick here, it shows the established connections being over IPv6. Established even though the DD-WRT settings had IPv6 turned off.
     
  5. TerryNet

    TerryNet Moderator

    Joined:
    Mar 23, 2005
    Messages:
    78,224
    First Name:
    Terry
    Is your "modem" a modem/router combination with the router using 192.168.0.x on its LAN?
     
  6. AlwaysBrian

    AlwaysBrian Thread Starter

    At the time of that screenshot our modem was a Cisco DOCSIS DPQ3212 and the router was a Netgear R7000. So no, neither of those devices was a combo device. The router was using 192.168.1.x on its LAN.
     
  7. Oddba11

    Oddba11

    Was the image above taken from the actual router log or a scan with some sort of network scanning tool? If it's a connection on your network, it will be in the router log. You will be able to see the number of devices connected to your network, their IPs, and the MAC addresses. If you are simply wifi scanning, you will see traffic from ALL of the open networks in that area.

    If you have a home network of 9.9.9.x (as an example), you won't see other random device IPs (5.5.5.x) in your router log. All connected devices will be the same IP range (as configured in your router).

    I believe that you had some sort of issue previously, but I also believe that you have some false ideas about networking and network access.
     
  8. AlwaysBrian

    AlwaysBrian Thread Starter

    I'm not sure what you mean by "some sort of issue", but I can assure you that the network never operated in the 192.168.0.1 range. At any time, for any reason. Now I'll be the first to admit my ideas on networking are woefully inadequate, but I really can't seem to find an answer as to why or how those connections existed.

    Kind of like this gem here...taken from a netstat application on a Samsung mobile phone running on the same wifi network. Maybe this will be connected to that? I don't know. It was from around the same time period, though. This picture shows "android system" and the local IP is: 156.104.70.1 and the other IP as: 0.0.0.0 (or this network, right?). And those are just listening, but the established connection shows the same local IP (which WhoIs says belongs to Waste Management, Inc. and is not associated with any actual website as far as I can deduce) but the "non-local" IP shows as 0.0.0.1 on port 65529. With the other ports for all 3 local IPs associated with the "unknown port service" as ports 5060, 6100 and 6101.

    upload_2018-10-17_20-6-54.png
     

  9. Oddba11

    Oddba11

    Running netstat from a phone app shows the connections to/from the phone, not your home network. The image above shows the various connections and what they are.

    For example, the top one is a "system unknown service (OEM)" being used by Google Talk. Most of the apps on the phone could show up in that list.
     
  10. AlwaysBrian

    AlwaysBrian Thread Starter

    I agree, and I was able to find most all the apps running on this list (not pictured in entirety). I guess I just don't understand the 192.168.0.1 on so many YouTube connections. That, and why would a Waste Management IP show as local and be operating on a couple of very specific ports.

    Thanks for all the input, I'm probably a lost cause at this point. lol. But really, thanks.
     
  11. Oddba11

    Oddba11

    Any private IPs (i.e., 192.168.x.x) are likely being generated by the phone itself. For example, you could have a wifi network in your home and still use your phone as a hotspot. The phone will look to see what IPs are currently in use and generate its own subnet for sharing.

    All of those connections are only to/from the phone. So the short answer, some app on the phone reached out to Waste Management.
     
    AlwaysBrian likes this.
  12. AlwaysBrian

    AlwaysBrian Thread Starter

    Thanks for going into it for me. I wouldn't know why it would reach out to our garbage man, and without anything else to go on, I never will. I guess my last question is this: Is that what it would look like if my phone were streaming directly to YouTube? It has always been disabled as an app on that phone, which may explain why the unique local IP... But I'll just wonder about what a netstat would look like if the phone were streaming directly and in the background.
     
  13. Oddba11

    Oddba11

    You can stream YouTube via app or browser. Having said that, I suggest a test to verify. Open a video and run a netstat. It's the easiest way to test and verify.
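
The checks suggested in the replies above (a device on the router's network sits in the router's IP range; run a netstat and look at what it lists), written out as an added example that is not part of the original thread. It assumes `netstat -n` style lines; the 192.168.1.0/24 LAN comes from the thread, the sample lines are constructed, and the function names are hypothetical.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # LAN range stated in the thread

# Constructed sample in Linux/Android `netstat -n` layout (not from the screenshots).
SAMPLE = """\
tcp   0 0 192.168.1.23:44812        172.217.4.46:443   ESTABLISHED
tcp   0 0 192.168.0.5:51234         172.217.4.46:443   ESTABLISHED
tcp6  0 0 ::ffff:192.168.0.5:51240  ::ffff:172.217.4.46:80 ESTABLISHED
udp   0 0 192.168.0.5:68            192.168.0.1:67     ESTABLISHED
tcp   0 0 156.104.70.1:5060         0.0.0.0:*          LISTEN
tcp   0 0 127.0.0.1:6100            0.0.0.0:*          LISTEN
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; unwrap IPv4-mapped IPv6 addresses."""
    host, port = endpoint.rsplit(":", 1)
    addr = ipaddress.ip_address(host.strip("[]"))
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # dual-stack sockets list IPv4 peers as ::ffff:a.b.c.d
    return addr, port

def classify(addr, lan=LAN):
    """Say where a local address sits relative to the router's LAN."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "wildcard"
    if addr.version == lan.version and addr in lan:
        return "lan"
    if addr.is_private:
        return "other-private"   # private range the router does not hand out
    return "public"

def audit(text, lan=LAN):
    """Return (proto, local, remote, verdict, note) for each netstat line."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        local, lport = split_endpoint(f[3])
        remote, rport = split_endpoint(f[4])
        note = "dhcp" if f[0].startswith("udp") and {lport, rport} & {"67", "68"} else ""
        rows.append((f[0], str(local), str(remote), classify(local, lan), note))
    return rows

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A verdict of `other-private` or `public` on the local side means the address belongs to an interface other than the one the router assigned (for example a hotspot or mobile-data interface on the same device), which is then confirmed against the router's own client list.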
     

Short URL to this thread: https://techguy.org/1217391
