Wireless router behaviour

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 09/09/04

    To: <incidents@securityfocus.com>
    Date: Thu, 9 Sep 2004 09:22:12 -0700
    
    

      We recently suffered an intrusion attempt on our
    internal network. (Details aren't relevant to my
    question....)

      We traced the source back to an unauthorized wireless
    router (D-Link 714P+, if it matters) plugged into a
    live but unused network jack in a barely-accessible
    location.
      Before we had found the device, or ascertained its
    type, we were able to sniff the switch port it was on,
    and observed that it was pinging the network gateway
    about once per second.

      That doesn't sound like normal router behaviour to me.
    Has anyone else seen such a device do this? Is this
    something the intruder did to the router? (We have
    suspicion, but not actual certainty, that the router
    was placed by the same intruder as executed the network
    attacks. So the attacker may have had to first compromise
    the router to get access.)

    Dave Gillett

