Has my AT&T 2WIRE WiFi Gateway been compromised??? NMap scan produced some odd results on network. HELP!
I have a 2Wire Gateway device from AT&T and I noticed that when the only other WiFi user in the home (an adult) would come home the internet would hard drop and when they would leave it would work fine. We made sure that the phone wasn't updating apps when connecting to the WiFi causing the hard drop and in fact when the wifi was turned off on their phone the internet would still hard drop. I began using Fing!, Wireshark, and NMap to scan the network a few times a month for over a year now and finally I found a hidden network. Could this be another router behind the AT&T 2Wire Gateway??
I then began comparing the data from October of 2020 to the data of this year and I found a few things that were new and not on the 2020 and early 2021 scans.
1. "DNS1:126.96.36.199, DNS2: 188.8.131.52" And when I ran a DNS search it comes up at a website hosted by ATT of Vitaldosage.com with a NS Record that pointed to 184.108.40.206
2. SYS log said up on br1 with 220.127.116.11/22
3. "DNS server name: attlocal.net" "family 10, port 443 to fe80::de7f:a4ff:fe21:8881 scout 20"
4. host= cdn.samsungcloudsolution.com uri= public ** I assume this is my TV which is in fact Samsung which if that is the case then I think this is normal.
5. There is one device allowed to host through the firewall and I don't recognize it, but is named "Localhost."
I got an error message on my iPhone that said, "Cannot verify server identity. The identity of att.com cannot be verified by Wi-Fi. Review the certificate details to continue" and when I clicked the certificate I came to an AT&T login page that said issue "NAD-3302" asking me to reboot my Gateway. I only solved this issue by resetting the router to factory defaults.
Upon resetting the router to factory defaults, I was then only more confused because the network that showed was ATT6g2v8p9 and a Winegard2ghzD3197B which I have never seen. A few minutes passed and the network name I recognized and the one on the sticker on the back of my 2Wire device appeared and the others disappeared. I do not have neighbors and it is not possible that I would be picking up someone else's connection. As I said, these went away and changed to the network I know which is ATT4n yZa72z.
Once back up the "Current Internet Connection" page I get to by logging into my router showed:
subnet mask = 255.255.252.0
primary dns = 18.104.22.168
secondary dns = 22.214.171.124
host name = dsldevice
domain = ** empty**
DSL built in modem
IP connection = Direct IP (DHCP or static), but it would not show what that IP was; it was just "xxx.xxx.xxx.xxx"
My iPhone also has said my iCloud is being used in a town that is 1 hour north of where I live when I have set up a new iPhone which is also weird to me because normally any other time it would say near the exact town I live.
One last super odd thing is that I can connect to something called Centurylink.com and TP-Link. I saw those names on the router traffic and upon typing them into the URL on my cell phone it autocompleted and I was logged in. The Centurylink passphrase code was the login code for TP-Link whatever that is. I took screenshots of all this and screen recordings, but AT&T Wireless has offered me ZERO help, so I am trying to internet support now.
I am thinking that my internet connection is not secure or something has happened because at my lake house home the internet activity is pretty simple when I compare them. I am a novice at this, but all I know is the behavior of this device in my home is very odd and it is affecting my cell phone as well as my iPhone calls are diverted to another number I have never seen before. I am the only person on my cell phone plan from AT&T and on the AT&T Uverse wifi plan.