Intruder!?

Discussion in 'Computer Support' started by Kevin Garrett, Nov 15, 2006.

  1. Hi All:

    Here is the scenario. Last Friday I noticed that in my router's DHCP
    Client Table there was an extra computer logged on. It was the same name
    as my computer but the last two digits of my MAC address were 90 instead of
    92. I believe 92 is my MAC address. I rebooted my router and it was gone.

    I have cable internet with a Linksys RT31P2, a Vonage router with 3 ethernet
    and two phone ports. We have two computers, mine and hers sharing the
    internet connection. Not sharing printers or files on our LAN.

    On that same Friday I turned off her computer and unplugged the connection.

    All was good for a few days. She was out of town during this time and
    her computer remained turned off and unplugged from the router.

    Today when I got home from work I turned my computer on and after about 10
    minutes I looked at the router and in the DHCP Client Table a connection
    with her computer name was there.?? Yes her computer was turned off and
    unplugged from the router at the time.

    I'm assuming that it must be either something in my computer or someone has
    hacked into the router from the outside.

    What should I do?

    I have run Adaware and Spybot and just found the usual tracking cookies and
    such. I have Hijack This and Rootkit Defender installed but I don't know
    how to interpret their output.

    Any help appreciated.

    Thanks,

    Kevin
    Kevin Garrett, Nov 15, 2006
    #1

  2. Kevin Garrett

    Mr. Arnold Guest

    Kevin Garrett wrote:
    > Hi All:
    >
    > Here is the scenario. Last Friday I noticed that in my router's DHCP
    > Client Table there was an extra computer logged on. It was the same name
    > as my computer but the last two digits of my MAC address were 90 instead of
    > 92. I believe 92 is my MAC address. I rebooted my router and it was gone.


    I would say it's a mishap with the router's entry of data into the DHCP
    table of the router.
    >
    > I have cable internet with a Linksys RT31P2, a Vonage router with 3 ethernet
    > and two phone ports. We have two computers, mine and hers sharing the
    > internet connection. Not sharing printers or files on our LAN.


    It doesn't mean anything if you leave the O/S open to attack. If you
    really wanted to prevent that, then you would remove the services off of
    the NIC or dialup connection such as Client for MS Networks and MS File
    and Print Sharing.
    >
    > On that same Friday I turned off her computer and unplugged the connection.
    >
    > All was good for a few days. She was out of town during this time and
    > her computer remained turned off and unplugged from the router.
    >
    > Today when I got home from work I turned my computer on and after about 10
    > minutes I looked at the router and in the DHCP Client Table a connection
    > with her computer name was there.?? Yes her computer was turned off and
    > unplugged from the router at the time.


    It doesn't go away in the DHCP table just because a computer was off
    for some period of time. There is a delete button in the DHCP table
    area on the router UI that you must use in order to delete an entry out
    of the DHCP server table.
    >
    > I'm assuming that it must be either something in my computer or someone has
    > hacked into the router from the outside.


    From the outside I kind of doubt it that someone hacked through the
    router but it's not impossible. I would say that it may be from the
    inside, that it could be done with a machine that has been compromised by
    malware, which got there with someone with the happy fingers clicking on
    everything under the Sun.

    >
    > What should I do?
    >
    > I have run Adaware and Spybot and just found the usual tracking cookies and
    > such. I have Hijack This and Rootkit Defender installed but I don't know
    > how to interpret their output.
    >


    None of that stuff means anything as malware can circumvent and defeat
    every last bit of it.

    If you're concerned, then you should use other tools to look around for
    yourself, like Process Explorer and Active Ports, etc. that are being
    explained in the link.

    Long

    http://www.windowsecurity.com/artic...d_Rootkit_Tools_in_a_Windows_Environment.html

    Short

    http://tinyurl.com/klw1

    If you have one of the O/S(s) in the link, then harden it to attack like
    removing things off of the NIC, along with other things being talked
    about in the link.

    http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

    You should have your users practice safehex as much as possible.

    http://www.claymania.com/safe-hex.html

    If the router has a syslog, then you can use something like Wallwatcher
    to watch inbound and outbound connects with machines connected to the
    router to possibly dubious remote IP(s). If you don't have a router that
    has a syslog, then maybe you should think about getting one.

    http://www.sonic.net/wallwatcher/

    If you have left the router in its default out of the box settings on
    the admin and PSW, then you should change them as everyone else knows
    them too.

    Duane :)
    Mr. Arnold, Nov 15, 2006
    #2

  3. Kevin Garrett

    Whiskers Guest

    On 2006-11-15, Kevin Garrett <> wrote:
    > Hi All:
    >
    > Here is the scenario. Last Friday I noticed that in my router's DHCP
    > Client Table there was an extra computer logged on. It was the same name
    > as my computer but the last two digits of my MAC address were 90 instead of
    > 92. I believe 92 is my MAC address. I rebooted my router and it was gone.


    Check the MAC addresses. If the router has a 'MAC address filtering'
    ability, use it.

    > I have cable internet with a Linksys RT31P2, a Vonage router with 3 ethernet
    > and two phone ports. We have two computers, mine and hers sharing the
    > internet connection. Not sharing printers or files on our LAN.
    >
    > On that same Friday I turned off her computer and unplugged the connection.
    >
    > All was good for a few days. She was out of town during this time and
    > her computer remained turned off and unplugged from the router.
    >
    > Today when I got home from work I turned my computer on and after about 10
    > minutes I looked at the router and in the DHCP Client Table a connection
    > with her computer name was there.?? Yes her computer was turned off and
    > unplugged from the router at the time.


    The DHCP allocation for her computer had not 'expired'. You may be able
    to change the duration of allocations to something less than 'forever' or
    '168 hours' or whatever the setting is at present.

    > I'm assuming that it must be either something in my computer or someone has
    > hacked into the router from the outside.


    I'd look at the router settings first. You don't mention any 'wireless'
    feature of the router, so how would anyone not inside your house make a
    LAN connection with your router?

    > What should I do?


    Don't Panic :))

    > I have run Adaware and Spybot and just found the usual tracking cookies and
    > such. I have Hijack This and Rootkit Defender installed but I don't know
    > how to interpret their output.


    Well, that implies pretty strongly that your computer is running Windows
    and if those applications are up-to-date then your Windows system is
    probably in reasonable shape. Those applications won't have any effect on
    the router (which is almost certainly not running any sort of Windows and
    so won't be vulnerable to any of the things those applications are
    supposed to defend Windows against, anyway).

    You might want to consider installing some sort of 'anti-virus'
    application as well, if the lack of mention of one indicates the lack of
    use of one.

    --
    -- ^^^^^^^^^^
    -- Whiskers
    -- ~~~~~~~~~~
    Whiskers, Nov 15, 2006
    #3
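
One way to work through a DHCP client table along the lines suggested in the replies above (check the MAC addresses; an unexpired lease stays listed while the machine is off), as an added example that is not part of the original thread. The table rows, MAC addresses, host names and the `lease_left_s` field are constructed for illustration; a real router presents this data in its own format.

```python
# Constructed inventory: MACs read off each machine's own adapter settings.
KNOWN = {"00:11:22:33:44:92": "KEVIN-PC", "00:11:22:33:55:10": "HER-PC"}

# Constructed DHCP client table as copied from a router status page.
TABLE = [
    {"host": "KEVIN-PC", "mac": "00:11:22:33:44:92", "lease_left_s": 80000},
    {"host": "KEVIN-PC", "mac": "00-11-22-33-44-90", "lease_left_s": 80000},
    {"host": "HER-PC",   "mac": "00:11:22:33:55:10", "lease_left_s": 500000},
    {"host": "LAPTOP",   "mac": "66:77:88:99:AA:BB", "lease_left_s": 3600},
]

def normalize(mac):
    """Lower-case, colon-separated form so differently written MACs compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(entry, inventory, offline_hosts):
    """Label one table row against the inventory of machines you own."""
    mac = normalize(entry["mac"])
    inv = {normalize(m): h for m, h in inventory.items()}
    if mac in inv:
        if entry["lease_left_s"] <= 0:
            return "expired"        # safe to delete from the table
        if inv[mac] in offline_hosts:
            return "stale-lease"    # machine is off, lease simply has not run out
        return "known"
    for known_mac, known_host in inv.items():
        # Same first five octets and same host name, different last octet:
        # compare against every adapter on that machine before drawing conclusions.
        if known_mac[:14] == mac[:14] and known_host.lower() == entry["host"].lower():
            return "near-match"
    return "unknown"                # not in the inventory at all: investigate

def audit(table, inventory, offline_hosts=frozenset()):
    """Return (host, normalized MAC, label) for every row in the table."""
    return [(e["host"], normalize(e["mac"]), classify(e, inventory, offline_hosts))
            for e in table]

if __name__ == "__main__":
    for host, mac, label in audit(TABLE, KNOWN, offline_hosts={"HER-PC"}):
        print(f"{host:10} {mac}  {label}")
```
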