RE: Wireless router behaviour

["Mike" <mike () superiorholidayadventures ca>]

If the attacker placed the router, s/he may have very well changed the
OEM firmware to some custom (probably Linux) firmware.  Have you tried
pointing a web browser at the 714P's IP address?  If you get something
other than the default D-Link setup screen that would mean that the OEM
firmware was replaced with something else.  An NMap scan may also show
what OS is running on it.

Sincerely,

Mike Fetherston

> -----Original Message-----
> From: David Gillett [mailto:gillettdavid () fhda edu]
> Sent: Thursday, September 09, 2004 12:22 PM
> To: incidents () securityfocus com
> Subject: Wireless router behaviour
>
>   We recently suffered an intrusion attempt on our
> internal network.  (Details aren't relevant to my
> question....)
>
>   We traced the source back to an unauthorized wireless
> router (D-Link 714P+, if it matters) plugged into a
> live but unused network jack in a barely-accessible
> location.
>   Before we had found the device, or ascertained its
> type, we were able to sniff the switch port it was on,
> and observed that it was pinging the network gateway
> about once per second.
>
>   That doesn't sound like normal router behaviour to me.
> Has anyone else seen such a device do this?  Is this
> something the intruder did to the router?  (We have
> suspicion, but not actual certainty, that the router
> was placed by the same intruder as executed the network
> attacks.  So the attacker may have had to first compromise
> the router to get access.)
>
> Dave Gillett