I'm using a TP-LINK Archer C7 router with OpenWrt 18.06.2. Recently I discovered that the "arp -a" command returns a huge list (122 entries) of IP addresses from my local network, e.g. "192.168.10.33 0x1 0x0 00:00:00:00:00:00 * br-lan", despite the fact that there have never been devices with such addresses on my network. Usually "arp -a" returns a short list of IP addresses (and corresponding MACs) for devices that I have communicated with on my own (e.g. by pinging them) from the OpenWrt router. I suppose that some program scanned my network from inside the router. The main services that I use on my router are SSH, OpenVPN and Asterisk. SSH is restricted to login with keys only (no passwords), and Asterisk binds only to the local network. Is this output of the "arp -a" command a sign of penetration? "logread" shows no sign of suspicious logins. What can be the reason for such "arp -a" output?
18.06 is no longer supported, therefore there may be unpatched vulnerabilities.
What is the output of
ps wwww; netstat -anp ?
Any attempt to contact an unknown/nonexistent 192.168.. address in your segment will lead to such an incomplete ARP entry. Maybe some host in your LAN is randomly probing IP addresses.
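
An added example, not part of any post in this thread: the entry quoted in the question has the column layout of Linux's /proc/net/arp (IP, HW type, Flags, HW address, Mask, Device), where flags 0x0 with an all-zero MAC marks an entry that was never resolved. The sketch below counts such entries per interface; the function names and every sample row except 192.168.10.33 are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a Linux ARP table given in /proc/net/arp layout.
# An entry is treated as incomplete when Flags is 0x0 and the MAC is all zeros,
# i.e. the kernel asked "who has <IP>" and never cached an answer.

# Constructed sample table; only 192.168.10.33 comes from the question.
sample_arp_table() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.10.20    0x1         0x2         02:00:00:aa:bb:01     *        br-lan
192.168.10.21    0x1         0x2         02:00:00:aa:bb:02     *        br-lan
192.168.10.33    0x1         0x0         00:00:00:00:00:00     *        br-lan
192.168.10.34    0x1         0x0         00:00:00:00:00:00     *        br-lan
192.168.10.35    0x1         0x0         00:00:00:00:00:00     *        br-lan
203.0.113.1      0x1         0x2         02:00:00:cc:dd:01     *        eth0.2
EOF
}

# arp_summary: table on stdin -> "<device> complete=<n> incomplete=<n>" per interface.
arp_summary() {
    awk '
        $1 == "IP" { next }                      # skip the header row
        NF >= 6 {
            dev = $6
            seen[dev] = 1
            if ($3 == "0x0" && $4 == "00:00:00:00:00:00") inc[dev]++
            else com[dev]++
        }
        END {
            for (d in seen)
                printf "%s complete=%d incomplete=%d\n", d, com[d], inc[d]
        }
    ' | LC_ALL=C sort
}

# arp_incomplete: table on stdin -> "<ip> <device>" for each unresolved entry,
# so the addresses can be compared against DHCP leases or known hosts.
arp_incomplete() {
    awk '$1 != "IP" && NF >= 6 && $3 == "0x0" && $4 == "00:00:00:00:00:00" { print $1, $6 }'
}
```

On the router itself the functions can be fed the live table, for example `arp_summary < /proc/net/arp`.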