Suspicious that I am under attack

Thread starter: Guest

Hi all,

I have discovered recently that I am accessing the net via a nearby wireless
access point (was reading my mail as normal one day and realised I had not
switched router on!)

I immediately had a look at what was being transmitted via Ethereal, and it
looks very much to me as though my machine is being used as a zombie. How can
I confirm this, and what can I do about it?

Many TIA's

Matilda
 
Matilda said:
Hi all,

I have discovered recently that I am accessing the net via a nearby
wireless access point (was reading my mail as normal one day and
realised I had not switched router on!)

I immediately had a look at what was being transmitted via Ethereal,
and it looks very much to me as though my machine is being used as a
zombie. How can I confirm this, and what can I do about it?

Many TIA's

Matilda

http://www.jasons-toolbox.com/programs.asp?Program=IRCBot Detector

http://www.grc.com/dos/grcdos.htm
 
Matilda said:
Hi all,

I have discovered recently that I am accessing the net via a nearby
wireless access point (was reading my mail as normal one day and
realised I had not switched router on!)

I immediately had a look at what was being transmitted via Ethereal,
and it looks very much to me as though my machine is being used as a
zombie. How can I confirm this, and what can I do about it?

Many TIA's

Matilda

With your computer disconnected from any networks, scan with a
full-featured antivirus and antimalware tools:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

If you don't have a third-party firewall installed but are only using
SP2's Windows Firewall, consider using one even temporarily so you can
look at its log.

I rather suspect the problems you are experiencing are because you
aren't connecting properly to your own wireless network. First of all,
there is no reason to turn off your router. Set up your wireless
network with proper security - which includes renaming the default SSID
and using wireless encryption - and you won't connect to foreign
networks any more. Here are links to help you with that:

Wireless Network Setup Wizard SP2
http://www.microsoft.com/technet/community/columns/cableguy/cg0604.mspx

Wireless - Basic Configuration -
http://www.ezlan.net/Wireless_Config.html

Wireless - Basic Security - http://www.ezlan.net/Wireless_Security.html

MVP Barb Bowman on wireless security - http://tinyurl.com/56fc5

Malke
 
From: "Matilda" <[email protected]>

| Hi all,
|
| I have discovered recently that I am accessing the net via a nearby wireless
| access point (was reading my mail as normal one day and realised I had not
| switched router on!)
|
| I immediately had a look at what was being transmitted via Ethereal, and it
| looks very much to me as though my machine is being used as a zombie. How can
| I confirm this, and what can I do about it?
|
| Many TIA's
|
| Matilda


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Matilda said:
I have discovered recently that I am accessing the net via a nearby wireless
access point (was reading my mail as normal one day and realised I had not
switched router on!)

My daughter has a new laptop w/wireless. She gets on the net using a
neighbor's wireless setup.
 
Plato said:
My daughter has a new laptop w/wireless. She gets on the net using a
neighbor's wireless setup.

Without the neighbor's approval she is very likely breaking the law:

http://www.politechbot.com/p-03884.html

From: Bill Shore [mailto:[email protected]]
Sent: Monday, July 08, 2002 9:56 AM
To: (e-mail address removed)
Subject: Wireless networks - Warchalking/Wardriving

<Excerpt>

"Identifying the presence of a wireless network may not be a
criminal violation, however, there may be criminal violations if the
network is actually accessed including theft of services, interception
of communications, misuse of computing resources, up to and including
violations of the Federal Computer Fraud and Abuse Statute, Theft of
Trade Secrets, and other federal violations."


Steve
 
Steve said:
Without the neighbor's approval she is very likely breaking the law:

Thanks for the heads up, but the wireless she gets on with is from her
best friends home 2 doors away, [about 150 feet] and they approve. I'm
no angel, but I'd be pissed if I had wireless and my neighbors were
using it without my permission/knowledge.
 
Thanks, Dave - and thanks all. Some really good links there. I have been on
quite a voyage of discovery. So far everything coming up clean, wget still
running.

What had me worried was the Ethereal protocol analysis showing strange
hostnames and ip addresses as both source and destination for packet traffic,
and I know I was doing nothing at the time. Background services like version
upgrade checks were not amongst the hostnames, and one was an edu domain name
which was really scary.

With regard to inadvertent access (possibly illegal) - how do I stop it?
When I boot up, this access is automatic. I am in the UK, by the way - don't
know how the law stands here. So long as other connections can't access my
computer, or read my traffic I'm not bothered.

Matilda

David H. Lipman said:
From: "Matilda" <[email protected]>

| Hi all,
|
| I have discovered recently that I am accessing the net via a nearby wireless
| access point (was reading my mail as normal one day and realised I had not
| switched router on!)
|
| I immediately had a look at what was being transmitted via Ethereal, and it
| looks very much to me as though my machine is being used as a zombie. How can
| I confirm this, and what can I do about it?
|
| Many TIA's
|
| Matilda


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
From: "Matilda" <[email protected]>

| Thanks, Dave - and thanks all. Some really good links there. I have been on
| quite a voyage of discovery. So far everything coming up clean, wget still
| running.
|
| What had me worried was the Ethereal protocol analysis showing strange
| hostnames and ip addresses as both source and destination for packet traffic,
| and I know I was doing nothing at the time. Background services like version
| upgrade checks were not amongst the hostnames, and one was an edu domain name
| which was really scary.
|
| With regard to inadvertent access (possibly illegal) - how do I stop it?
| When I boot up, this access is automatic. I am in the UK, by the way - don't
| know how the law stands here. So long as other connections can't access my
| computer, or read my traffic I'm not bothered.
|
| Matilda
|


If you are on Broadband Internet I suggest the use of a Cable/DSL Router such as the Linksys
BEFSR41 and on the Router specifically block TCP and UDP ports 135 ~ 139 and 445. There are
many other additional benefits to such a device as well.
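As an added example (not code from the thread or from any of its posters), here is a small triage script for the kind of capture summary Matilda was looking at in Ethereal: it groups flows by remote host, marks peers outside an allow-list, and marks any traffic on the NetBIOS/SMB ports David suggests blocking at the router. The capture lines, the local address and the allow-list are constructed for the example, and the line format is a hypothetical "src:sport -> dst:dport proto" summary rather than any tool's real output.

```python
from collections import defaultdict

LOCAL_IP = "192.168.1.5"  # constructed: this machine's address
# Ports David Lipman suggests blocking at the router (NetBIOS/RPC and SMB).
BLOCKED_PORTS = {135, 136, 137, 138, 139, 445}

# Constructed sample capture: two expected flows plus traffic worth a look.
SAMPLE_CAPTURE = """\
192.168.1.5:1034 -> 192.168.1.1:53 udp
192.168.1.5:1035 -> 10.20.30.40:110 tcp
192.168.1.5:1036 -> 10.20.30.40:110 tcp
203.0.113.9:6667 -> 192.168.1.5:1040 tcp
192.168.1.5:1040 -> 203.0.113.9:6667 tcp
198.51.100.7:4455 -> 192.168.1.5:445 tcp
"""

# Constructed allow-list: the home router and the ISP mail (POP3) server.
KNOWN_HOSTS = {"192.168.1.1", "10.20.30.40"}

def parse_line(line):
    """Split 'src:sport -> dst:dport proto' into (src, sport, dst, dport, proto)."""
    left, right = line.split(" -> ")
    src, sport = left.rsplit(":", 1)
    dst_port, proto = right.split()
    dst, dport = dst_port.rsplit(":", 1)
    return src, int(sport), dst, int(dport), proto

def triage(capture, known_hosts, local_ip=LOCAL_IP):
    """Group flows by remote host; return {ip: {"flows": n, "flags": set()}}."""
    report = defaultdict(lambda: {"flows": 0, "flags": set()})
    for line in capture.strip().splitlines():
        src, sport, dst, dport, _ = parse_line(line)
        remote = dst if src == local_ip else src  # the non-local endpoint
        entry = report[remote]
        entry["flows"] += 1
        if remote not in known_hosts:
            entry["flags"].add("unknown-host")       # not an expected peer
        if {sport, dport} & BLOCKED_PORTS:
            entry["flags"].add("smb-netbios-port")   # should be blocked at router
        if src != local_ip:
            entry["flags"].add("inbound")            # remote sent this packet
    return dict(report)

def suspicious(capture=SAMPLE_CAPTURE, known_hosts=KNOWN_HOSTS):
    """Remote hosts to investigate: unknown peers or blocked-port traffic."""
    return sorted(ip for ip, e in triage(capture, known_hosts).items()
                  if e["flags"] & {"unknown-host", "smb-netbios-port"})
```

A real allow-list would be built from the hosts the machine is known to contact (mail server, update servers, the router), so that whatever is left over is the short list to check by hand.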
 
From: "Plato" <|@|.|>

|
| Thanks for the heads up, but the wireless she gets on with is from her
| best friends home 2 doors away, [about 150 feet] and they approve. I'm
| no angel, but I'd be pissed if I had wireless and my neighbors were
| using it without my permission/knowledge.
||

The neighbour had better look at their ToS/AUP. I think they'll find such sharing is a
violation of their ToS/AUP.
 
Sygate Firewall and no doubt many others will allow you to 'back
trace' any alerts or attempted hacks.

I always thought these things were coded, like garage door openers,
car alarms and no doubt DECT cordless telephones; whether they use
'frequency hopping' mode or not I can't say. This is where the
transmitted & received frequencies are varied or 'channel
switched' in a specific coded manner. As you can appreciate, this
would make reception more difficult than one data source being
transmitted on the same frequency.

If this is the case, to receive these transmissions one would have to
have the frequency hopping sequence or code that matched yours.

To clarify: if I varied the transmitted frequency of your favourite
'pop' radio station in a manner that selected about 50 channels (for
want of a figure) times a second, you would just hear garbage. To
listen to the transmission you would have to do likewise and vary the
receiver tuning in exactly the same sequence - hence 'frequency or
code hopping'.

If these devices operate on the same frequency all the time then it
would be quite easy to receive.

The explanation's a bit long winded, but I tried to make it as simple as
possible - and it may not even apply...

Dave
 
David said:
| Thanks for the heads up, but the wireless she gets on with is from her
| best friends home 2 doors away, [about 150 feet] and they approve. I'm
| no angel, but I'd be pissed if I had wireless and my neighbors were
| using it without my permission/knowledge.
||

The neighbour had better look at their ToS/AUP. I think they'll find such sharing is a violation of their ToS/AUP.

Been in the business ten years. Our local cable company, as far as I
know, has never kicked anybody off. If you were the head bean counter of
a $50/month or $2,400 for the next four years of service, would you kick
that client off your line for a customer that allows a friend to
piggyback when home for college?
 
From: "Plato" <|@|.|>


|
| Been in the business ten years. Our local cable company, as far as I
| know, has never kicked anybody off. If you were the head bean counter of
| a $50/month or $2,400 for the next four years of service, would you kick
| that client off your line for a customer that allows a friend to
| piggyback when home for college?
|

It doesn't matter what degree of enforcement they may or may not perform. If they
are caught, it is a reason for termination and a possible lawsuit.
 