RE: Wireless router behaviour

["David Gillett" <gillettdavid () fhda edu>]

  Done that.  Cleaned up a couple of known devices that 
users had promised would not be reinstalled, but nothing
we hadn't seen before.

Dave

> -----Original Message-----
> From: Kevin Reardon [mailto:Kevin.Reardon () oracle com]
> Sent: Monday, September 13, 2004 12:19 PM
> To: jamesworld () intelligencia com
> Cc: gillettdavid () fhda edu; incidents () securityfocus com
> Subject: Re: Wireless router behaviour
>
>
> Looks like a complete physical sweep will also be needed.  If 
> they were 
> smart, and had the oppertunity, they put in more then one.
>
> ---K
>
> jamesworld () intelligencia com wrote:
>
> > That is common. Seen it on a variety of "bridge type"  
> router devices.
> > Go ahead an update the firmware on it to clean it out and 
> put it on an 
> > isolated vlan or separate switch and configure it with a 
> gateway of a 
> > test machine.  Sniff the traffic and you will see the same thing.
> >
> > Contact you legal department and if you are up to it:
> >
> > Isolate a VLAN for the connection and put up a honeynet.  Engage 
> > state, county or local Law Enforcement  & capture the traffic.
> > Look for old user names or passwords from a cycle that were used in 
> > the past (you do have a changing password protocol for your 
> network, 
> > right :-)
> >
> > If it's an unauthorized router, he/she didn't need to "compromise" 
> > it.  It's already "owned" by them.  Too bad you already touched the 
> > device, it could have been fingerprinted.
> >
> > Cheers,
> > -James
> >
> > At 11:22 9/9/2004, David Gillett wrote:
> >
> > >   We recently suffered an intrusion attempt on our
> > > internal network.  (Details aren't relevant to my
> > > question....)
> > >
> > >   We traced the source back to an unauthorized wireless
> > > router (D-Link 714P+, if it matters) plugged into a
> > > live but unused network jack in a barely-accessible
> > > location.
> > >   Before we had found the device, or ascertained its
> > > type, we were able to sniff the switch port it was on,
> > > and observed that it was pinging the network gateway
> > > about once per second.
> > >
> > >   That doesn't sound like normal router behaviour to me.
> > > Has anyone else seen such a device do this?  Is this
> > > something the intruder did to the router?  (We have
> > > suspicion, but not actual certainty, that the router
> > > was placed by the same intruder as executed the network
> > > attacks.  So the attacker may have had to first compromise
> > > the router to get access.)
> > >
> > > Dave Gillett