Looks like a complete physical sweep will also be needed. If they were
smart, and had the oppertunity, they put in more then one.
---K
jamesworld@intelligencia.com wrote:
That is common. Seen it on a variety of "bridge type" router devices.
Go ahead an update the firmware on it to clean it out and put it on an
isolated vlan or separate switch and configure it with a gateway of a
test machine. Sniff the traffic and you will see the same thing.
Contact you legal department and if you are up to it:
Isolate a VLAN for the connection and put up a honeynet. Engage
state, county or local Law Enforcement & capture the traffic.
Look for old user names or passwords from a cycle that were used in
the past (you do have a changing password protocol for your network,
right :-)
If it's an unauthorized router, he/she didn't need to "compromise"
it. It's already "owned" by them. Too bad you already touched the
device, it could have been fingerprinted.
Cheers,
-James
At 11:22 9/9/2004, David Gillett wrote:
We recently suffered an intrusion attempt on our
internal network. (Details aren't relevant to my
question....)
We traced the source back to an unauthorized wireless
router (D-Link 714P+, if it matters) plugged into a
live but unused network jack in a barely-accessible
location.
Before we had found the device, or ascertained its
type, we were able to sniff the switch port it was on,
and observed that it was pinging the network gateway
about once per second.
That doesn't sound like normal router behaviour to me.
Has anyone else seen such a device do this? Is this
something the intruder did to the router? (We have
suspicion, but not actual certainty, that the router
was placed by the same intruder as executed the network
attacks. So the attacker may have had to first compromise
the router to get access.)
Dave Gillett
