Problem With Intruder


Tony Clifton

Last evening I was looking at my Belkin software and saw an unknown PC listed in there named pb-wilais, not one of ours.

I could see the mac address and there were quite a few warnings in the security log section.

I then used the MAC address filtering option, and activated it by adding our computer MAC addresses, which should keep unknown MAC addresses from connecting to our wireless connection/router.

I just checked the security log again and it is showing an intrusion alert again from 5 minutes ago although the pc is not yet listed in the DHCP client list.

Here is the latest intrusion from the security log:

Jan 1 12:37:11 user alert klogd: Intrusion -> IN=ppp_1_32_1 OUT= MAC= SRC=125.17.65.55 DST=125.27.9.235 LEN=60 TOS=0x00 PREC=0x00 TTL=107 ID=24788 DF PROTO=TCP SPT=1641 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0

We usually have two PCs on, as 192.168.2 and .3; this PC showed up as .4.

What else can I do to keep this guy out? Is there any way to hack his pc and mess it up? I also just saw a guy driving around our street with a laptop over his shoulder looking at houses. :o Nothing illegal here.

Edited by Tony Clifton

Somewhere on your router there should be a setting "Disable WAN Ping" or similar. Enable that as this ping reply is how intruders find you. Change the password on your router and be sure you have WPA encryption as WEP is no longer secure.

Unhook your modem and go have a beer. When you are finished (drink sensibly alkie), plug the modem back in and you should have a new IP address.

Go to http://www.grc.com/default.htm and scroll down. Click on the "Shields Up" link and do the test. This will tell you if you are showing any open ports. Make sure all services are shut down except what you need. Allowing only IP range 192.168.2 and .3 will limit the router connections.


Turn on WPA encryption in your wireless router.

With a really nasty key, which is another thing you can get generated for you at GRC.

What else can I do to keep this guy out? Is there any way to hack his pc and mess it up? I also just saw a guy driving around our street with a laptop over his shoulder looking at houses. :o Nothing illegal here.

Bit creepy, that.


With a really nasty key, which is another thing you can get generated for you at GRC.

Wow, I never realized people needed to use computers to access a remote server to generate a few random characters for them! Also, I don't recommend doing this over wireless to get a key meant to secure your wireless while you have evidence that someone is actively intruding into your wireless. :o

I agree you need to enable WPA, but the first thing you might want to do is connect via an ethernet cable, factory-reset the router, disable wireless, make sure your router password is really safe and secure (not some default "admin" password), then restart the router, configure WPA, and reenable wireless.

You didn't mention whether you were using WEP before or not... that would help us gauge the level of sophistication of your intruder. The fact that they got on again right after you blocked their MAC means they are not just an accidental tourist...

If they are clever enough to crack WEP and/or monitor the traffic on the wireless, they may already have the password to your router or they might have already reconfigured it to give them another way back in. A truly paranoid geek might want to make sure his router is running up to date firmware from the manufacturer...


WEP or WPA were not activated previously. I updated to the latest firmware last evening.

I have followed all of the steps above prior to your post; no computers are showing in the DHCP client list, even after a refresh. I still get intrusion alerts in the security log.

Date/Time Facility Severity Message

Jan 1 00:00:20 user crit klogd: ADSL G.994 training

Jan 1 00:00:20 user crit klogd: eth1 Link UP.

Jan 1 00:00:22 user crit klogd: ADSL G.992 started

Jan 1 00:00:26 user crit klogd: ADSL G.992 channel analysis

Jan 1 00:00:30 user crit klogd: ADSL G.992 message exchange

Jan 1 00:00:31 user crit klogd: ADSL link up, fast, us=517, ds=1036

Jan 1 00:00:33 daemon crit pppd[394]: PPP server detected.

Jan 1 00:00:34 daemon crit pppd[394]: PPP session established.

Jan 1 00:00:34 daemon crit pppd[394]: PPP LCP UP.

Jan 1 00:00:34 daemon crit pppd[394]: Received valid IP address from server. Connection UP.

Dec 7 19:18:23 user alert klogd: Intrusion -> IN=ppp_1_32_1 OUT= MAC= SRC=216.57.86.45 DST=125.27.7.83 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=37548 DF PROTO=TCP SPT=3175 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0

Dec 7 19:18:24 user alert klogd: Intrusion -> IN=ppp_1_32_1 OUT= MAC= SRC=125.229.96.78 DST=125.27.7.83 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=31313 DF PROTO=TCP SPT=4782 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0

Dec 7 19:18:29 user alert klogd: Intrusion -> IN=ppp_1_32_1 OUT= MAC= SRC=216.57.86.45 DST=125.27.7.83 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=37555 DF PROTO=TCP SPT=3175 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0

System Log

Date/Time Facility Severity Message

Dec 7 19:20:27 user alert klogd: Intrusion -> IN=ppp_1_32_1 OUT= MAC= SRC=216.57.86.45 DST=125.27.7.83 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=37872 DF PROTO=TCP SPT=3259 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0

Dec 7 19:20:36 user alert klogd: Intrusion -> IN=ppp_1_32_1 OUT= MAC= SRC=216.57.86.45 DST=125.27.7.83 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=37883 DF PROTO=TCP SPT=3259 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0

I'll try what autonomous unit is suggesting later on this evening.

Oh, I have just adjusted the NTP time server, now showing the correct time and date.

Edited by Tony Clifton

The most secure method for keeping out DSL freeloaders is to use MAC filtering.

Just set it to only allow the MAC addresses from your computers. This method is very secure but very hard to maintain because it's all manual, but since you have only a couple of computers this isn't an issue.

If you see him in the security logs attempting to connect, don't worry! He can try all day and it won't let him in. He won't be assigned an IP address by the router.

Hope that helps

Greg

Edited by griser

Sorry, I misunderstood your previous post. The "intrusion" alerts you just showed are coming from the external public Internet and all it means is that your firewall is working correctly. I think 125.27.7.83 is the IP address you are getting from TOT, so all this shows is that some other addresses are sending packets to your TOT address. Almost any public IP address receives random probes these days, so you will never get rid of these!

I thought before you had said that an unknown client was getting access to your LAN while you were trying to block them. These random attacks are nothing to worry about as long as your PC is behind the NAT and firewall and not set as the "DMZ" host in your router.

I have had some Linux systems on public addresses in different parts of the world over the last 15 years, and they've been noticing random probes for at least the last 10. It's just a fact of life on the Internet. It is one of the reasons I do not have any Windows machines on the Internet. :o
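The distinction this post draws, Internet background noise dropped on the WAN side versus something actually present on the LAN, can be checked mechanically. The Python below is an added example, not code from the thread or from Belkin: it parses the router's klogd "Intrusion ->" lines (the netfilter-style key=value format shown above), classifies each entry by ingress interface and source address, and tallies WAN probes per source and destination port. The sample lines are copied from the thread, and the WAN interface name ppp_1_32_1 is assumed from them.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: three "Intrusion ->" lines in the format the Belkin
# security log shows above (values copied from the thread, not a live capture).
SAMPLE_LOG = """\
Dec 7 19:18:23 user alert klogd: Intrusion -> IN=ppp_1_32_1 OUT= MAC= SRC=216.57.86.45 DST=125.27.7.83 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=37548 DF PROTO=TCP SPT=3175 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 7 19:18:24 user alert klogd: Intrusion -> IN=ppp_1_32_1 OUT= MAC= SRC=125.229.96.78 DST=125.27.7.83 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=31313 DF PROTO=TCP SPT=4782 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0
Dec 7 19:18:29 user alert klogd: Intrusion -> IN=ppp_1_32_1 OUT= MAC= SRC=216.57.86.45 DST=125.27.7.83 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=37555 DF PROTO=TCP SPT=3175 DPT=6881 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# key=value fields; bare tokens such as "DF" or "SYN" are flags with no value.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_intrusion(line):
    """Return a dict of the fields after 'Intrusion ->', or None for other log lines."""
    head, sep, tail = line.partition("Intrusion ->")
    if not sep:
        return None
    fields = dict(FIELD_RE.findall(tail))
    fields["flags"] = {tok for tok in tail.split() if "=" not in tok}
    fields["timestamp"] = " ".join(head.split()[:3])
    return fields

def classify(entry, wan_iface="ppp_1_32_1"):
    """'wan-probe' for a SYN arriving on the WAN interface from a public address
    (the firewall dropping Internet background noise), 'lan' for a packet from a
    private address (something on the inside), otherwise 'other'."""
    src = ip_address(entry["SRC"])
    if src.is_private:
        return "lan"
    if entry.get("IN") == wan_iface and "SYN" in entry["flags"]:
        return "wan-probe"
    return "other"

def summarize(log_text):
    """Count WAN probes per (source address, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_intrusion(line)
        if entry and classify(entry) == "wan-probe":
            counts[(entry["SRC"], int(entry["DPT"]))] += 1
    return counts
```

Anything that classifies as "lan" with an address outside the DHCP client list is the case worth investigating; repeated "wan-probe" hits on ports such as 135 or 6881 are the noise this post describes.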


The most secure method for keeping out DSL freeloaders is to use MAC filtering.

By the way, that is just not true...

The most secure method is to disable wireless. :o

The second most secure is to use WPA.

The third is to turn on WEP, which is about as effective as MAC-filtering in that it only keeps out naive and lazy users.

It is even more trivial to change the MAC address than it is to run a WEP cracking utility. And if you can monitor the network, because of cracking WEP or because no WEP was used, you can just watch until you see what valid MACs have been used, and then set your own MAC to be one of those. Depending on when you do this, the victim may or may not notice problems with their network connection.


There was a third unknown computer listed under the DHCP client list, named BP-wilais (wireless in thai, lol).

I have activated WEP and added our computer mac addresses and there are no unknown computers listed so far.

By the way, that guy with a laptop was here again this morning. He was around for a while, waiting at the corner and facing this way, holding a device in his hand, not a cellphone. If he's around again, I'll have someone ask him what he's looking for. Unplugged the modem right away just in case. Weird.


He might have been holding a wireless PDA (maybe he was starting to get strange looks hanging around with a laptop).

He sounds remarkably persistent for a casual wardriver. Maybe he's after something other than bandwidth? (He may be able to access any shared folders on your computer too).

I suggest moving to WPA if you can, WEP won't keep him out for long if he's that serious. Are you the only WLAN in the vicinity or is it possible he is trying to bother someone else?


I think some people may be making this into a bigger threat than it is. Let's look at some facts:

Firewalls will always tell you that they just saved you from a calamity. Try setting Zonealarm to show all alerts and you'd think the whole world was trying to break down your door. Often enough you get an IP that belonged to someone on a filesharing network and you find yourself hammered by requests sent to your IP looking for files and music.

In any populated area there are tons of open, unsecured wireless routers that anyone can access. A wardriver will just move on to the easiest target.

There are many poorly configured wireless devices that will hunt constantly for open connections and focus on whatever's closest and strongest.

Thailand excels at poor computer and network configurations.

You probably have a neighbour whose wireless card starts hunting for access as soon as he shuts his own modem off. You may have a cheapskate nearby not wanting to pay for access who is trying to get a free ride on your wireless. In either case WPA encryption and a random strong password will keep them out.

Someone trying to break through your firewall and get into your computer is very, very unlikely, as it's not worth the trouble, and in the case of a strong password and good encryption, is next to impossible.

Enable WPA encryption, choose a strong password, and stop looking at your firewall logs.


Oops, I had set it to WPA, not WEP, sorry. Got strong passwords as well.

As for shared folders, we have none, just in case of wireless leeches, we use thumbdrives when needed.

Out of curiosity, my wife has tried scanning for wireless networks around our house with her work laptop and never found any.

Thanks all for your help. :o

I'll take a pic of that guy should he come around again. :D


  • 1 month later...

Laugh all you want. He's back :o

I disabled security today; my wife had trouble connecting her PDA. Sitting outside smoking a cigarette, some guy parks his motorcycle, sits in the park, and when he leaves I see a PDA hanging around his neck. He took off, I went inside, and BP-WILAIS, the same intruder as before, is listed once again in my DHCP client list. I wish I knew where he lives around here, I'd pay him a visit.


The guy with the laptop and some handheld device you're talking about is surely using a Wireless Network Finder, which is now on the market here. Maybe not the advanced version like in Europe, but good enough to start the tracing and find out enough to get a "free" connection for whatever purpose.

If you can, take a photo of that guy with his devices in hand and publish the photo everywhere on the internet.


If you can, take a photo of that guy with his devices in hand and publish the photo everywhere on the internet.

When is the last time you logged onto the internet to look up photos of known wireless thieves (war drivers) to make sure that they weren't in your neighbourhood? :o


Many good suggestions in this thread.

Don't forget other physical changes you can make:

1. Reduce the WiFi power on your router. If there is an option to do so, lower it as far as you can without upsetting your use of the router.

2. Move the router inside your home, away from windows.

3. Alter the position of the WiFi aerial.

It might be worth getting a hold of a WiFi detector (perhaps off the throttled neck of the annoyance in question :o ) to help determine the range of your router.

Realistic security is all about making it as hard as possible for someone to get in. Hopefully, they'll move on to a softer target.

Failing all else, let him think he's in and redirect him.

Ultimately, the WiFi hardware and drivers in computers are insecure. A dedicated person can exploit that to get in, no matter what steps you take to secure the network and application layers.

Hence, I turn off WiFi and have nasty wires on the floor. My network prefers a good gigabit, anyway. :D

My understanding (not great, admittedly) is that unauthorized access to computer networks in Thailand is a serious offence. Whether or not there is a single member of the authorities that would or could do something about it is another thing altogether.


The most secure method for keeping out DSL freeloaders is to use MAC filtering.

By the way, that is just not true...

The most secure method is to disable wireless. :o

The second most secure is to use WPA.

The third is to turn on WEP, which is about as effective as MAC-filtering in that it only keeps out naive and lazy users.

It is even more trivial to change the MAC address than it is to run a WEP cracking utility. And if you can monitor the network, because of cracking WEP or because no WEP was used, you can just watch until you see what valid MACs have been used, and then set your own MAC to be one of those. Depending on when you do this, the victim may or may not notice problems with their network connection.

I share my wireless with a few people in my condo. After adding one of these guys and recording his details, I noticed 2 new additions - he must have passed on the WEP key to a friend... naughty.

So I excluded his MAC address using the MAC filter; haven't seen him since.

My question to you is: why do you think using a MAC filter is next to useless? My understanding is that the MAC address is unique to each ethernet/wireless card and cannot be changed. Yes, you could change the card, but I then excluded that one also. I understand that I can use the include filter and just list all the legit users, but I had a problem with that feature on my modem.

Why do you consider MAC filtering insecure?


My question to you is: why do you think using a MAC filter is next to useless? My understanding is that the MAC address is unique to each ethernet/wireless card and cannot be changed.

It is unique to the networking card, but the operating system can easily override the address value - see here

http://www.nthelp.com/NT6/change_mac_w2k.htm

Yes, OK, but if you have filtering set to only allow certain MAC addresses, then it doesn't matter what they change it to??


Plus he can easily pick up the MAC addresses of *your* equipment when it connects to the access point (and then use them on his own).

How is this possible if he cannot get access to my network? Even if he could, he would need admin level on my router to see MAC addresses.

Please continue, I am very interested in this... cheers.


You don't need any access to your network to get MAC addresses, because your computer and the access point are both broadcasting the valid MAC addresses to anyone in range and who cares to listen. Every packet sent to and from an authorized wireless adapter contains the authorized MAC address.
