Breach in network?

Discussion in 'System Security & Infection Support' started by Core, Feb 6, 2009.

  1. Core (Moderator)
    Ok, I really need some help with this one. I'm not necessarily the most versed person when it comes to network security, and this baffles me to no end.

    I have four clients showing up on the router's DHCP list. I recognize three of them as my Windows machines - this is normal. However, the fourth one is unfamiliar to me and apparently it uses Mac OSX. Definitely nothing in my house uses OSX.

    The router has wireless disabled.

    I checked Cisco Network Magic's network history, and this "Mac" shows up as having connected very briefly last Friday at around 3 pm, then Monday at about 2 pm, and again a little after 6 pm. Again on Tuesday morning at around 8:30 am. Thursday morning a little after 6 am. These are very brief connections and do not linger on. The reason I listed these times is to show how random they are.

    What possible reasons could there be for this?

    If someone was tapping into my cable, would they show up as DHCP clients even though they're not physically (or wirelessly for that matter) connected to my router?

    If I had a backdoor trojan on my PC, could that be used to take out a DHCP lease? Basically what I am asking is, what does it require for an entity to acquire a DHCP lease from an Ethernet router?
     
    Last edited: Feb 6, 2009
    Core, Feb 6, 2009
    #1
  2. Codex85 (VIP Member)
    I would double-check to make sure wireless is disabled, along with SSID broadcast.

    Only a device with an NIC should be able to request an IP from the router. If someone were tapping into your cable outside your network, they'd need to connect their own modem--they shouldn't be showing up on your network.

    If your router supports it, you can enable logging and check to see if there are websites you don't recognize the next time this "Mac" appears.
     
    Codex85, Feb 6, 2009
    #2
  3. Zeus (Moderator)
    When you say briefly, how long is briefly?

    I ask because Crimson (you guys may remember him although he hasn't been here in a while) had an issue one time where someone kept connecting to his wireless. He had a weak encryption key and someone cracked it, but since he was also using MAC address filtering the computer would only connect for a couple of seconds then be kicked back off of his wireless.

    Now if your wireless is not turned completely off, then someone has found your wireless and is trying to connect, but your router is doing its job, and while it is authenticating the Mac OSX machine it fails authentication and is kicked back off of your network.
     
    Zeus, Feb 7, 2009
    #3
  4. Core (Moderator)
    Wireless mode was turned off, I double-checked.

    It's hard to say how long the connections last due to Network Magic's reporting which just has a timeline in about 3 hour intervals, but it looks like it's in the area of 2-10 minutes for most connections.

    However, I am even more alarmed now that I took a look at the router's security log and am seeing that I am being scanned from a Chinese IP.

    Firewall Log
    02/06/2009 00:42:01 **Smurf** 222.218.243.0, 55100->> 69.91.2.27, 45883 (from WAN Inbound)
    02/06/2009 00:22:15 **Smurf** 222.218.243.0, 55100->> 69.91.2.27, 45883 (from WAN Inbound)
    02/06/2009 00:01:45 **Smurf** 222.218.243.0, 55100->> 69.91.2.27, 45883 (from WAN Inbound)
    02/05/2009 23:57:39 **TCP FIN Scan** 62.0.179.140, 21577->> 192.168.2.3, 3273 (from WAN Inbound)
    02/05/2009 23:57:39 **TCP FIN Scan** 79.175.65.226, 10001->> 192.168.2.3, 3230 (from WAN Inbound)
    02/05/2009 23:57:39 **TCP FIN Scan** 58.96.81.224, 49152->> 192.168.2.3, 3280 (from WAN Inbound)
    02/05/2009 23:57:39 **TCP FIN Scan** 81.37.230.23, 6999->> 192.168.2.3, 3010 (from WAN Inbound)
    02/05/2009 23:57:39 **TCP FIN Scan** 91.140.100.196, 62195->> 192.168.2.3, 3420 (from WAN Inbound)
    02/05/2009 23:57:39 **TCP FIN Scan** 78.82.231.216, 11714->> 192.168.2.3, 3397 (from WAN Inbound)
    02/05/2009 23:57:39 **TCP FIN Scan** 82.77.155.118, 33503->> 192.168.2.3, 3237 (from WAN Inbound)
    02/05/2009 23:41:38 **Smurf** 222.218.243.0, 55100->> 192.168.2.3, 45682 (from WAN Inbound)
    02/05/2009 23:21:52 **Smurf** 222.218.243.0, 55100->> 69.91.2.27, 45883 (from WAN Inbound)
    02/05/2009 23:01:21 **Smurf** 222.218.243.0, 55100->> 192.168.2.3, 45682 (from WAN Inbound)
    02/05/2009 22:41:14 **Smurf** 222.218.243.0, 55100->> 69.91.2.27, 45883 (from WAN Inbound)
    02/05/2009 22:21:22 **Smurf** 222.218.243.0, 55100->> 192.168.2.3, 45682 (from WAN Inbound)
    02/05/2009 22:00:56 **Smurf** 222.218.243.0, 55100->> 69.91.2.27, 45883 (from WAN Inbound)
    02/05/2009 21:41:43 **Smurf** 222.218.243.0, 55100->> 69.91.2.27, 45883 (from WAN Inbound)
    02/05/2009 21:34:09 **Smurf** 169.254.255.255->> 169.254.106.179, Type:3, Code:3 (from WAN Outbound)

    The reason it bothers me to see Chinese IPs scanning my system is because I play an MMORPG and account hackings have been a huge problem for the last year, and it's not entirely clear how they are getting the information, since some players use an Xbox 360 to play and don't even have a PC.

    If it were possible to block all outgoing and incoming connections from ALL Chinese IP addresses to my network, I'd be very glad to do it.
     
    Core, Feb 7, 2009
    #4
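As an added example (not code from the thread or from the router's vendor), the Python below parses the firewall log format shown in this post, tallies inbound events per source address together with the destination ports each source probed, and separately lists any 169.254.x.x link-local addresses, which a host assigns itself when it obtains no DHCP lease. The sample lines are copied from the log above.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Sample input: lines taken from the router firewall log quoted in the post above.
SAMPLE_LOG = """\
02/06/2009 00:42:01 **Smurf** 222.218.243.0, 55100->> 69.91.2.27, 45883 (from WAN Inbound)
02/06/2009 00:22:15 **Smurf** 222.218.243.0, 55100->> 69.91.2.27, 45883 (from WAN Inbound)
02/06/2009 00:01:45 **Smurf** 222.218.243.0, 55100->> 69.91.2.27, 45883 (from WAN Inbound)
02/05/2009 23:57:39 **TCP FIN Scan** 62.0.179.140, 21577->> 192.168.2.3, 3273 (from WAN Inbound)
02/05/2009 23:57:39 **TCP FIN Scan** 79.175.65.226, 10001->> 192.168.2.3, 3230 (from WAN Inbound)
02/05/2009 21:34:09 **Smurf** 169.254.255.255->> 169.254.106.179, Type:3, Code:3 (from WAN Outbound)
"""

# One pattern covers both shapes: "src, sport->> dst, dport" (TCP/UDP) and "src->> dst, Type:N, Code:M" (ICMP).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) \*\*(?P<event>[^*]+)\*\* "
    r"(?P<src>[\d.]+)(?:, (?P<sport>\d+))?->> (?P<dst>[\d.]+)"
    r"(?:, (?P<dport>\d+)|, Type:(?P<itype>\d+), Code:(?P<icode>\d+))? "
    r"\(from WAN (?P<direction>Inbound|Outbound)\)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(text):
    """Count inbound events per source address and the destination ports each
    source probed; also collect link-local (169.254/16) addresses, which a host
    self-assigns when it fails to obtain a DHCP lease."""
    events, ports, link_local = defaultdict(Counter), defaultdict(set), set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        link_local.update(a for a in (rec["src"], rec["dst"]) if ip_address(a).is_link_local)
        if rec["direction"] == "Inbound":
            events[rec["src"]][rec["event"].strip()] += 1
            if rec["dport"]:
                ports[rec["src"]].add(int(rec["dport"]))
    return events, ports, link_local

def repeat_sources(events, min_hits=3):
    """Sources with at least min_hits inbound events, busiest first."""
    return sorted((s for s, c in events.items() if sum(c.values()) >= min_hits),
                  key=lambda s: -sum(events[s].values()))
```

Running `summarize(SAMPLE_LOG)` on the sample picks out 222.218.243.0 as the only source with repeated inbound hits and reports both 169.254 addresses, while the single FIN-scan sources fall below the default threshold.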
  5. Core (Moderator)
    A deeper malware scan found a backdoor trojan. Removed it, set scheduled runs. Updated firmware on the router. Went through the settings to see if there's anything else I can enable.
     
    Core, Feb 7, 2009
    #5
  6. Zeus (Moderator)
    I was gonna suggest a trojan of some sort. Also, have you run HijackThis to see if any unknown processes are running?

    Since a trojan was found I wouldn't suggest posting the HJT logs here, but if you want a 2nd set of eyes PM them to me and I will take a look.
     
    Zeus, Feb 8, 2009
    #6
  7. Core (Moderator)
    I ran HJT. Looks normal, there are some processes that I am not entirely sure about but they could be Vista's native ones; I'm not too familiar with the gazillion processes Vista has running.

    I PM'd you the log. Thanks guys.
     
    Core, Feb 8, 2009
    #7