Journal of nicholas (3034)

Friday January 14, 2005
08:35 PM

rooted? no, routed.

[ #22719 ]

We've just had an entertaining few hours on a wild goose chase...

I was the only one home, and noticed network slowdowns. We've had 3 second ping times over ADSL during file transfers, but this was up to 6 seconds, so I checked on the house IRC channel. "No, it's not me", said doop, and as neither of the others was around we assumed it wasn't them (manually at least). doop investigated on the gateway, and it seemed to be a lot of traffic over the wireless. So I ran tcpdump, and sure enough there was a lot of wireless traffic.

Erk. Why is my machine generating lots of wireless traffic? And why can't netstat see it? And how come the traffic survives a reboot? Which process is it, or has ps been compromised too? And so the chase began. And how had I been compromised? How do you compromise a Mac that lives a sheltered life behind NAT?

When I dropped the network, the traffic stopped. Good. So it seemed safe enough leaving it like that, but after a while I turned the machine off. However, the network was still slow at times, so it seemed that a second machine was compromised.

doop returned home, and we investigated the (headless) gateway machine. All seemed fine. Then we started various games to try to get the gateway to log traffic, and after fighting ssh X forwarding (or lack of it) got tethereal capturing and logging on the gateway machine, and ethereal running on his workstation to analyse the traffic.

ethereal reckoned that it was seeing a lot of the eDonkey protocol. And every so often a mass of DNS traffic. But why had someone gone to the trouble of compromising my machine to install eDonkey, and then doing a good job of concealing themselves with hacked tools?

And then doop asked "is your web browser set up to report itself as 'Windows NT 5.1'?". And the penny dropped. I checked my IP address. And the IP address tcpdump was showing. 236 != 221. Just because I'm the only one in the house, doesn't mean that I'm the only person on the wireless network. It seems that next door's network is down (something I noticed about an hour ago), so at least one of their machines is now happily talking over our network.

One moral of this story - when debugging, check your assumptions. Which is one of the 9 rules of debugging.
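The assumption that tripped the chase above was that traffic seen on a shared wireless segment must belong to the machine running tcpdump. As an added example (not code from the journal entry), here is a small Python script that parses `tcpdump -n` output, attributes bytes to each address on the local subnet, and reports any address that is not one of the machines you know you own; the subnet, the known addresses and the sample capture lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches "HH:MM:SS.us IP src.port > dst.port: ..." as printed by `tcpdump -n`.
PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: (?P<rest>.*)$"
)
# TCP lines end with "length N"; DNS/UDP lines end with "(N)".
LEN_RE = re.compile(r"length (\d+)|\((\d+)\)\s*$")

LAN = "192.168.1.0/24"                      # assumed house subnet (constructed)
KNOWN = {"192.168.1.236", "192.168.1.1"}    # my Mac and the gateway (constructed)

# Constructed capture: .236 is me doing a little ssh; .221 is a neighbour's
# machine doing eDonkey (port 4662) plus DNS lookups via our gateway.
SAMPLE = """\
20:31:05.100000 IP 192.168.1.236.49152 > 81.2.69.142.22: Flags [P.], seq 1:53, ack 1, win 65535, length 52
20:31:05.200000 IP 192.168.1.221.4662 > 85.10.1.1.4662: Flags [P.], seq 1:1461, ack 1, win 65535, length 1460
20:31:05.300000 IP 192.168.1.221.1031 > 192.168.1.1.53: 4711+ A? tracker.example. (33)
20:31:05.400000 IP 192.168.1.1.53 > 192.168.1.221.1031: 4711 1/0/0 A 85.10.1.2 (49)
20:31:05.500000 IP 192.168.1.221.4662 > 85.10.1.2.4662: Flags [P.], seq 1:1461, ack 1, win 65535, length 1460
20:31:05.600000 IP 192.168.1.221.4662 > 85.10.1.3.4662: Flags [P.], seq 1:1461, ack 1, win 65535, length 1460
20:31:05.700000 IP 81.2.69.142.22 > 192.168.1.236.49152: Flags [P.], seq 1:97, ack 53, win 65535, length 96
"""

def parse_line(line):
    """Return (src, dst, payload_bytes), or None for non-IPv4 lines tcpdump prints."""
    m = PKT_RE.match(line)
    if not m:
        return None
    lm = LEN_RE.search(m.group("rest"))
    size = int(lm.group(1) or lm.group(2)) if lm else 0
    return m.group("src"), m.group("dst"), size

def bytes_by_lan_host(lines, lan):
    """Sum payload bytes per address on our subnet, counting both directions."""
    net, totals = ip_network(lan), defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, size = parsed
        for addr in (src, dst):
            if ip_address(addr) in net:
                totals[addr] += size
    return dict(totals)

def unexpected_hosts(lines, lan, known):
    """Addresses on our subnet that are talking but are not machines we own."""
    return sorted(h for h in bytes_by_lan_host(lines, lan) if h not in known)

if __name__ == "__main__":
    for host, n in sorted(bytes_by_lan_host(SAMPLE.splitlines(), LAN).items()):
        print(f"{host:16} {n:6d} bytes")
    print("not ours:", unexpected_hosts(SAMPLE.splitlines(), LAN, KNOWN))
```

Run against a real capture with `tcpdump -n -i en1 | python3 script.py` style piping by replacing SAMPLE with `sys.stdin`; a host that is on your subnet but not in KNOWN is the "236 != 221" check done before the goose chase starts.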
