Wireless router behaviour

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 09/09/04

    To: <incidents@securityfocus.com>
    Date: Thu, 9 Sep 2004 09:22:12 -0700
    
    

      We recently suffered an intrusion attempt on our
    internal network. (Details aren't relevant to my
    question....)

      We traced the source back to an unauthorized wireless
    router (D-Link 714P+, if it matters) plugged into a
    live but unused network jack in a barely-accessible
    location.
      Before we had found the device, or ascertained its
    type, we were able to sniff the switch port it was on,
    and observed that it was pinging the network gateway
    about once per second.

      That doesn't sound like normal router behaviour to me.
    Has anyone else seen such a device do this? Is this
    something the intruder did to the router? (We have
    suspicion, but not actual certainty, that the router
    was placed by the same intruder as executed the network
    attacks. So the attacker may have had to first compromise
    the router to get access.)

    Dave Gillett

