The D-Link routers have a keep alive feature. If the keep alive feature
is turned on, then it will periodically send ping packets out through
it's WAN interface port. Additionally, if any devices are associated
with the AP at the time the ping packets are being transmitted, because
of the NATing of the AP, the ping packets would appear to be coming from
the AP rather than from the real workstation. Remember, the DI-714P+ is
a router, not just an AP, so in router mode, you won't be able to tell
the difference between router originated, and WiFi originated packets;
they will all appear to be router originated.
Is it possible that someone planted it? Only if it is possible for
unauthorized individuals to gain physical access to where it was. It
seems more likely to me that an internal user installed the AP in an
attempt to utilize wireless, and that someone wardriving hacked into the
wireless connection. Hacking the AP is very easy after all...
Replacing the D-Link's firmware with linux doesn't seem very practicle,
this has been done on Linksys, but I have not seen it done on Dlink yet.
Given the amount of Brain Power required to implement linux on a Dlink,
and the small amount of brain power required to hack a wireless network,
I would suspect the wireless network's WEP (if even turned on at all)
was hacked. Once a system associates with an AP, the rest is easy.
Armand Welsh
-----Original Message-----
From: Mike [mailto:mike@superiorholidayadventures.ca]
Sent: Friday, September 10, 2004 5:25 AM
To: gillettdavid@fhda.edu; incidents@securityfocus.com
Subject: RE: Wireless router behaviour
If the attacker placed the router, s/he may have very well changed the
OEM firmware to some custom (probably Linux) firmware. Have you tried
pointing a web browser at the 714P's IP address? If you get something
other than the default D-Link setup screen that would mean that the OEM
firmware was replaced with something else. An NMap scan may also show
what OS is running on it.
Sincerely,
Mike Fetherston
-----Original Message-----
From: David Gillett [mailto:gillettdavid@fhda.edu]
Sent: Thursday, September 09, 2004 12:22 PM
To: incidents@securityfocus.com
Subject: Wireless router behaviour
We recently suffered an intrusion attempt on our
internal network. (Details aren't relevant to my
question....)
We traced the source back to an unauthorized wireless
router (D-Link 714P+, if it matters) plugged into a
live but unused network jack in a barely-accessible
location.
Before we had found the device, or ascertained its
type, we were able to sniff the switch port it was on,
and observed that it was pinging the network gateway
about once per second.
That doesn't sound like normal router behaviour to me.
Has anyone else seen such a device do this? Is this
something the intruder did to the router? (We have
suspicion, but not actual certainty, that the router
was placed by the same intruder as executed the network
attacks. So the attacker may have had to first compromise
the router to get access.)
Dave Gillett
