Security Incidents mailing list archives
RE: Wireless router behaviour
From: "Mike" <mike () superiorholidayadventures ca>
Date: Fri, 10 Sep 2004 08:25:08 -0400
If the attacker placed the router, s/he may have very well changed the OEM firmware to some custom (probably Linux) firmware. Have you tried pointing a web browser at the 714P's IP address? If you get something other than the default D-Link setup screen that would mean that the OEM firmware was replaced with something else. An NMap scan may also show what OS is running on it. Sincerely, Mike Fetherston
-----Original Message----- From: David Gillett [mailto:gillettdavid () fhda edu] Sent: Thursday, September 09, 2004 12:22 PM To: incidents () securityfocus com Subject: Wireless router behaviour We recently suffered an intrusion attempt on our internal network. (Details aren't relevant to my question....) We traced the source back to an unauthorized wireless router (D-Link 714P+, if it matters) plugged into a live but unused network jack in a barely-accessible location. Before we had found the device, or ascertained its type, we were able to sniff the switch port it was on, and observed that it was pinging the network gateway about once per second. That doesn't sound like normal router behaviour to me. Has anyone else seen such a device do this? Is this something the intruder did to the router? (We have suspicion, but not actual certainty, that the router was placed by the same intruder as executed the network attacks. So the attacker may have had to first compromise the router to get access.) Dave Gillett
Current thread:
- RE: Wireless router behaviour Mike (Sep 10)
- <Possible follow-ups>
- RE: Wireless router behaviour Welsh, Armand (Sep 10)
- RE: Wireless router behaviour David Gillett (Sep 11)
- Re: Wireless router behaviour John Duksta (Sep 13)
- RE: Wireless router behaviour David Gillett (Sep 13)
- RE: Wireless router behaviour David Gillett (Sep 11)
- RE: Wireless router behaviour Christopher Adickes (Sep 11)