Security Incidents mailing list archives
Re: Wireless router behaviour
From: jamesworld () intelligencia com
Date: Thu, 09 Sep 2004 17:16:28 -0500
That is common. Seen it on a variety of "bridge type" router devices. Go ahead and update the firmware on it to clean it out and put it on an isolated vlan or separate switch and configure it with a gateway of a test machine. Sniff the traffic and you will see the same thing.
Contact your legal department and if you are up to it: Isolate a VLAN for the connection and put up a honeynet. Engage state, county or local Law Enforcement & capture the traffic. Look for old user names or passwords from a cycle that were used in the past (you do have a changing password protocol for your network, right :-)
If it's an unauthorized router, he/she didn't need to "compromise" it. It's already "owned" by them. Too bad you already touched the device, it could have been fingerprinted.
Cheers,
-James

At 11:22 9/9/2004, David Gillett wrote:

We recently suffered an intrusion attempt on our internal network. (Details aren't relevant to my question....) We traced the source back to an unauthorized wireless router (D-Link 714P+, if it matters) plugged into a live but unused network jack in a barely-accessible location.

Before we had found the device, or ascertained its type, we were able to sniff the switch port it was on, and observed that it was pinging the network gateway about once per second.

That doesn't sound like normal router behaviour to me. Has anyone else seen such a device do this? Is this something the intruder did to the router? (We have suspicion, but not actual certainty, that the router was placed by the same intruder as executed the network attacks. So the attacker may have had to first compromise the router to get access.)

Dave Gillett
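
The once-per-second gateway pings described in this thread can be picked out of a switch-port capture by how regular the intervals are. This is an added example, not part of the original posts: the MACs, addresses and thresholds are constructed assumptions, and the input is text in the style of `tcpdump -tt -e -n icmp` output.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

GW = "192.0.2.1"                # constructed gateway address (documentation range)
ROGUE = "02:00:00:00:00:01"     # constructed MAC of the unknown device
ADMIN = "02:00:00:00:00:02"     # constructed MAC of a workstation pinging by hand

def _line(ts, mac, src, seq):
    """Build one constructed capture line in tcpdump -tt -e -n style."""
    return (f"{ts:.6f} {mac} > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), "
            f"length 98: {src} > {GW}: ICMP echo request, id 1, seq {seq}, length 64")

# Constructed sample: a steady ~1 s pinger plus a host with irregular manual pings.
SAMPLE = "\n".join(
    [_line(1094768188 + i + (0.003 if i % 2 else 0), ROGUE, "192.0.2.50", i)
     for i in range(8)]
    + [_line(1094768188 + t, ADMIN, "192.0.2.20", n)
       for n, t in enumerate([0.5, 0.9, 4.2, 4.6, 30.1, 31.0])]
)

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<mac>[0-9a-f:]{17}) > [0-9a-f:]{17}, .*?: "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request")

def find_beacons(text, gateway, min_pings=5, max_jitter=0.1):
    """Return {source MAC: mean interval in seconds} for hosts that send echo
    requests to `gateway` at a steady rate (interval stdev <= max_jitter * mean)."""
    times = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m["dst"] == gateway:
            times[m["mac"]].append(float(m["ts"]))
    hits = {}
    for mac, ts in times.items():
        if len(ts) < min_pings:
            continue                      # too few samples to judge regularity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            hits[mac] = round(mean(gaps), 2)
    return hits

if __name__ == "__main__":
    for mac, interval in find_beacons(SAMPLE, GW).items():
        print(f"{mac} pings {GW} every ~{interval}s")
```

Keying on source MAC rather than source IP ties the result to the switch port's CAM entry, which is what locates the physical jack.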