
Re: [LUG] Help!


On Wed, 15 May 2013, Viv Griffin wrote:

> The reason I think it is being hacked is that the opendns report files are
> showing web sites accessed that have not been accessed by the computers in
> this house, and activity at times when the internet was not in use at all.
>
> Additionally, here is an excerpt from my router log. I am not sure if these
> kernel intrusions may be someone trying to log into the network,
> unsuccessfully.

> This is an excerpt from the log.
>
> May 15 11:25:52 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=4.79.142.206 DST=*************** LEN=44 TOS=0x00 PREC=0x80 TTL=225 ID=61440 PROTO=TCP SPT=44471 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
> May 15 11:25:52 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=4.79.142.206 DST=**************** LEN=44 TOS=0x00 PREC=0x80 TTL=225 ID=61440 PROTO=TCP SPT=44471 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
>
> There are a lot of these at different times, night and day. However, the
> src addresses are not all the same - many different ones so, thinking about
> it, it doesn't sound like these are indicating one person trying to hack
> into the system.

Those are "normal". I see them all the time. It's people trying to access random IP addresses on port 139 - google it. It can be used to compromise Windows PCs.

You can more or less ignore incoming router logs - really - unless you really need to know who/what/why people are trying to access it, then they're not going to be much help (other than to continue to scare you)

> I am not sure what is happening but, if it is malware, I need to find out
> and sort it out. And the same goes, if it is a person doing it.

You need better tools. You need to intercept all traffic between your router and your LAN and Wi-Fi.

To intercept, the older way would be to use a hub. Connect router to hub, hub to LAN and known good PC to Hub. Run tcpdump/wireshark on PC and watch traffic.

The newer way would be to use a Linux PC with 2 Ethernet sockets configured in bridge (switch) mode. Run tcpdump/wireshark as before.

The crafty way to do it is by a technique called arp cache spoofing. Google it. But it works from a Linux PC with a single Ethernet socket and can snoop traffic on a switched network.


> The reason I suspected someone had hacked into the router, is that the
> activity started again, quite soon after I had made some changes to it
> including changing the wifi key. I didn't realise that there were other
> accounts on the router (other than admin) which had default user names /
> passwords that people could use to access them. Mine has admin, user and
> support. I don't know if this is the case for most routers?

You get what you pay for, although it looks like your router is running Linux from those logs above - still, plenty of insecure Linux routers on the 'net.

And look back a few weeks for articles posted about insecure routers and other devices which were used world wide to gain some knowledge about Internet traffic, etc.

> I suspect that someone may have been logged onto the router, at the time we
> were making the changes. We hadn't turned the wifi off at the time - big
> mistake.

So if they logged into the router, what did they do?

And the opendns report - it will not (can not) tell you what sites were accessed - only what sites were looked up using their DNS - maybe your router is an open recursive DNS resolver? There is a current DOS which exploits such devices - maybe that's what you're seeing?

Back to Activity - where are you seeing it? Does the router (make model?) tell you LAN, Wi-Fi, WAN activity, or just a single "activity" LED?

You really need to pin this down further - it's almost as bad as simply saying "the internet is broke". Turn off Wi-Fi (remove antennae), turn off LAN (unplug) and see what happens - still seeing activity? You will - that's normal (just people all over the world, probing, trying to hack in - "normal" in that it happens all the time - which doesn't make it right, however it happens), but you then need to look at your logs - the openDNS one too - my guess is that your router is being used as a DOS amplifier via an open recursive dns resolver.

Go here:

http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl

enter your IP address and see what it says...

Gordon
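Since the thread turns on whether the repeated port-139 SYNs come from one source or from many, here is an added Python script (not code from the list, from Viv or from Gordon) that parses netfilter-style "Intrusion" lines of the kind quoted above and counts hits and distinct sources per destination port. The two lines from the thread are used as input alongside a few constructed entries that use the 198.51.100.0/24 documentation range; the classification thresholds (5 hits, 80% dominance) are assumptions chosen for the illustration.

```python
"""Summarise router "Intrusion" log lines by destination port.

Added example for the thread; not the router's or anyone's original tooling.
Usage: python intrusion_summary.py [logfile]  (defaults to the sample below)
"""
import re
import sys
from collections import Counter, defaultdict

# Two lines as quoted in the thread, plus constructed entries (198.51.100.0/24
# is a documentation range) so the summary has something to compare. The
# masked DST values are kept exactly as they appeared.
SAMPLE_LINES = [
    "May 15 11:25:52 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=4.79.142.206 DST=*************** LEN=44 TOS=0x00 PREC=0x80 TTL=225 ID=61440 PROTO=TCP SPT=44471 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0",
    "May 15 11:25:52 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=4.79.142.206 DST=**************** LEN=44 TOS=0x00 PREC=0x80 TTL=225 ID=61440 PROTO=TCP SPT=44471 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0",
    "May 15 13:02:10 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=198.51.100.7 DST=*************** LEN=44 TOS=0x00 PREC=0x80 TTL=50 ID=1 PROTO=TCP SPT=5000 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0",
    "May 15 18:40:31 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=198.51.100.23 DST=*************** LEN=44 TOS=0x00 PREC=0x80 TTL=112 ID=2 PROTO=TCP SPT=5001 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0",
    "May 16 03:12:05 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=198.51.100.9 DST=*************** LEN=44 TOS=0x00 PREC=0x80 TTL=48 ID=3 PROTO=TCP SPT=5002 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0",
    "May 16 03:12:06 user alert kernel: Intrusion -> IN=pppoa0 OUT= MAC= SRC=198.51.100.9 DST=*************** LEN=44 TOS=0x00 PREC=0x80 TTL=48 ID=4 PROTO=TCP SPT=5003 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0",
    "May 16 03:15:00 user info kernel: pppoa0: link is up",  # not an intrusion entry; must be skipped
]

# KEY=value tokens as netfilter's LOG target writes them; a value may be empty (OUT= MAC=).
KV = re.compile(r"\b([A-Z]+)=(\S*)")
# Syslog-style timestamp at the start of the line.
TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
# TCP flags appear as bare words with no '=' after them.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict of fields for one Intrusion line, or None for any other line."""
    if "Intrusion ->" not in line:
        return None
    fields = dict(KV.findall(line))
    m = TS.match(line)
    fields["TS"] = m.group(1) if m else ""
    fields["FLAGS"] = sorted(tok for tok in line.split() if tok in TCP_FLAGS)
    return fields


def summarise(lines):
    """Group entries by (protocol, destination port) with hit count, per-source counts and timestamps."""
    by_port = defaultdict(lambda: {"hits": 0, "sources": Counter(), "times": []})
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        entry = by_port[(f.get("PROTO", "?"), f.get("DPT", "?"))]
        entry["hits"] += 1
        entry["sources"][f.get("SRC", "?")] += 1
        entry["times"].append(f["TS"])
    return dict(by_port)


def classify(entry, min_hits=5, dominance=0.8):
    """Assumed heuristic: one source making most of the hits is worth a closer look;
    many different sources spread over the same port is the background probing the
    reply calls "normal"."""
    hits = entry["hits"]
    if hits < min_hits:
        return "too few hits to judge"
    top_src, top_hits = entry["sources"].most_common(1)[0]
    if top_hits / hits >= dominance:
        return f"mostly one source ({top_src}: {top_hits}/{hits} hits)"
    return f"{len(entry['sources'])} distinct sources over {hits} hits: background probing"


def report(lines):
    """One line of text per (protocol, port) seen, with the classification."""
    return [f"{proto}/{dport}: {classify(entry)}"
            for (proto, dport), entry in sorted(summarise(lines).items())]


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    print("\n".join(report(lines)))
```

Point it at a saved copy of the router log and the per-port lines tell you at a glance whether the port-139 noise is spread across many sources (what Gordon describes as normal) or concentrated on one; the `times` list is kept so the night-and-day pattern Viv mentions can be inspected as well.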


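Gordon's other suggestion is to test whether the router answers recursive DNS queries from the outside. As an added example, not code from the thread or from the linked checker, this Python script builds a query with the RD bit set using only the standard library and reports whether the reply carries RA and an answer. It assumes the router listens on UDP port 53 at the public address you pass on the command line; the two reply packets embedded in it are constructed to show what an open and a refusing resolver look like at the header level.

```python
"""Check whether an address answers recursive DNS queries (open resolver test).

Added example for the thread; not the dns.measurement-factory.com tool.
Usage: python openresolver.py <your router's public IP>
"""
import socket
import struct
import sys

QUERY_ID = 0x1234  # fixed so the example is reproducible; a real client randomises it


def build_query(name, qid=QUERY_ID, qtype=1):
    """DNS query with RD=1 (flags 0x0100), one question of the given type, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data):
    """Pull the header bits that matter: id, QR, RA, RCODE and the answer count."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),        # QR bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": flags & 0x000F,
        "answers": ancount,
    }


def looks_open(resp):
    """Open resolver: a response that advertises RA and actually answers (NOERROR, >0 answers)
    for a name the device is not authoritative for."""
    return (resp["is_response"] and resp["recursion_available"]
            and resp["rcode"] == 0 and resp["answers"] > 0)


def check_resolver(address, name="example.com", timeout=3.0):
    """Send one query to address:53 over UDP; return the parsed reply, or None if nothing usable came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (address, 53))
        try:
            data, _ = s.recvfrom(512)
        except OSError:  # timeout or ICMP port unreachable: nothing is answering
            return None
    resp = parse_response(data)
    return resp if resp["id"] == QUERY_ID else None  # ignore stray packets


# Constructed replies (headers only; question and answer sections are irrelevant to the test).
OPEN_REPLY = struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, 1 answer
REFUSED_REPLY = struct.pack("!HHHHHH", QUERY_ID, 0x8105, 1, 0, 0, 0)  # QR RD, RCODE=5 REFUSED, no RA

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: openresolver.py <your router's public IP>")
    reply = check_resolver(sys.argv[1])
    if reply is None:
        print("no usable reply on UDP/53 (nothing answering from here)")
    elif looks_open(reply):
        print("OPEN recursive resolver: this is the amplifier case described in the reply")
    else:
        print(f"answered but not open (rcode={reply['rcode']}, RA={reply['recursion_available']})")
```

Run it from a machine outside your own network: querying the router's public address from inside the LAN often does not reflect what the rest of the Internet sees, which is why Gordon points at an external checker. A "no usable reply" result is the outcome you want.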

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq