Security Incidents mailing list archives
RE: Wireless router behaviour
From: Christopher Adickes <christopher_adickes () SHI com>
Date: Thu, 9 Sep 2004 16:01:39 -0400
Is the router a piece of your equipment or was it brought in for the attack? I know that some SOHO routers (I believe the 714P+ is one) are configured to keep the WAN connection alive by pinging the gateway. I'm not too familiar with that particular router, but maybe the activity you saw was part of that. It does seem a little frequent to point to a simple keep alive though. My two cents, Chris -----Original Message----- From: David Gillett [mailto:gillettdavid () fhda edu] Sent: Thursday, September 09, 2004 12:22 PM To: incidents () securityfocus com Subject: Wireless router behaviour We recently suffered an intrusion attempt on our internal network. (Details aren't relevant to my question....) We traced the source back to an unauthorized wireless router (D-Link 714P+, if it matters) plugged into a live but unused network jack in a barely-accessible location. Before we had found the device, or ascertained its type, we were able to sniff the switch port it was on, and observed that it was pinging the network gateway about once per second. That doesn't sound like normal router behaviour to me. Has anyone else seen such a device do this? Is this something the intruder did to the router? (We have suspicion, but not actual certainty, that the router was placed by the same intruder as executed the network attacks. So the attacker may have had to first compromise the router to get access.) Dave Gillett
Current thread:
- RE: Wireless router behaviour Mike (Sep 10)
- <Possible follow-ups>
- RE: Wireless router behaviour Welsh, Armand (Sep 10)
- RE: Wireless router behaviour David Gillett (Sep 11)
- Re: Wireless router behaviour John Duksta (Sep 13)
- RE: Wireless router behaviour David Gillett (Sep 13)
- RE: Wireless router behaviour David Gillett (Sep 11)
- RE: Wireless router behaviour Christopher Adickes (Sep 11)