OT: WLan in/security , mine was hacked

rikhyray
Posts: 3644
Joined: Wed Aug 25, 2004 12:13 pm

Post by rikhyray » Tue Apr 29, 2008 9:58 am

I have 2 computers registered with their MACs, and WPA2. I noticed some interruptions since last Sunday afternoon, looked into the WLan setup yesterday and found a 3rd MAC number??? How the hell was someone able to do that? I supposed that having the WLan assigned to particular MACs is the safest solution. How could someone get into the WLan router and enter his MAC? I deleted it and will see what happens but I am curious how it was done. Is it possible over the internet or only directly over WLan, meaning someone from my street?
I let a friend use the second computer on Sunday, he is an online game junkie, I have no clue what those gamers do but could that be the cause?

8O
Posts: 5502
Joined: Fri Mar 28, 2008 9:29 am
Location: Berlin

Post by 8O » Tue Apr 29, 2008 10:08 am

I had a panic like that a while ago, but then found that one of the MAC addresses was the laptop's (wired) ethernet port, which I'd used once, a long, long time ago when initially configuring the WLAN router. Could be that?

The best you can hope for is that your WLAN is slightly more secure than your neighbours' - hopefully they go for the weakest of the herd.

Edit: hence, disable SSID broadcasting, if you can.

Sometimes, if someone's determined, there's nothing that will stop them anyway:

Image

ciw
Posts: 689
Joined: Thu Dec 29, 2005 5:36 pm
Location: Cardiff, UK

Post by ciw » Tue Apr 29, 2008 10:35 am

xkcd ftw :-)

rikhyray
Posts: 3644
Joined: Wed Aug 25, 2004 12:13 pm

Post by rikhyray » Tue Apr 29, 2008 10:53 am

8O wrote: I had a panic like that a while ago, but then found that one of the MAC addresses was the laptop's (wired) ethernet port, which I'd used once,
But then it should be exactly the same number, or?
I am a bit oversensitive since someone used all my data - Visa, phone number, address, etc. - opened a PayPal account and did some transactions, but that probably goes back to the infamous Hamburg Kartenhaus hack from last year. I never let my credit card out of my sight and even when buying online insist on "please take a paper and pencil", dictating on the phone, but it won't help if some idiots like Kartenhaus let all their data get stolen - that is what credit card security told me.

8O
Posts: 5502
Joined: Fri Mar 28, 2008 9:29 am
Location: Berlin

Post by 8O » Tue Apr 29, 2008 10:55 am

rikhyray wrote:
8O wrote: I had a panic like that a while ago, but then found that one of the MAC addresses was the laptop's (wired) ethernet port, which I'd used once,
But then it should be exactly the same number, or?
That's what I thought, but wireless ethernet and wired ethernet ports have different MAC addresses.
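
Added example (not part of any post in this thread): a way to run the check discussed above, comparing the router's MAC list with an inventory that records the wired and the wireless address of each machine separately. All addresses, device names and function names are constructed for illustration.

```python
import re

# Constructed inventory: one entry per network interface, not per machine.
INVENTORY = {
    "desktop": {"wlan": "00:1A:2B:3C:4D:5E"},
    "laptop": {"wlan": "00-1A-2B-3C-4D-5F", "ethernet": "001a.2b3c.4d60"},
}
# Constructed copy of the router's access-control list.
ROUTER_ENTRIES = ["00:1a:2b:3c:4d:5e", "00:1A:2B:3C:4D:5F",
                  "00:1A:2B:3C:4D:60", "02:00:5E:10:00:01"]


def normalize_mac(text: str) -> str:
    """Accept aa:bb:.., AA-BB-.. or aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True if bit 0x02 of the first octet is set, i.e. the address was
    assigned in software. A cloned vendor address will not have it set."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def audit_allowlist(router_entries, inventory):
    """Return (mac, owner, locally_administered) for every router entry."""
    known = {normalize_mac(mac): f"{device} ({iface})"
             for device, ifaces in inventory.items()
             for iface, mac in ifaces.items()}
    report = []
    for entry in router_entries:
        mac = normalize_mac(entry)
        report.append((mac, known.get(mac, "UNKNOWN"),
                       is_locally_administered(mac)))
    return report


if __name__ == "__main__":
    for mac, owner, local in audit_allowlist(ROUTER_ENTRIES, INVENTORY):
        note = " [software-assigned address]" if local else ""
        print(f"{mac}  {owner}{note}")
```

An entry that resolves to a wired interface is the harmless case 8O describes; an `UNKNOWN` entry is one nobody in the household can account for.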

rikhyray
Posts: 3644
Joined: Wed Aug 25, 2004 12:13 pm

Post by rikhyray » Tue Apr 29, 2008 11:09 am

Just checked that option, to be sure, and it is not the case. Disconnected WLan, hooked up through the cable and it works with the very same MAC. Also talked to that gamer freak and he confirmed that he had some issues on Sunday, fight whatever in their online game (frankly I don't even want to know about those game junkies' stuff, I think it fucks people up worse than hardcore drugs) so it might be someone was showing off his skills.
I am just curious if such router hacking is possible over the internet/distance or only physically close to the source.

fishmonkey
Posts: 4096
Joined: Wed Oct 24, 2007 4:50 am

Post by fishmonkey » Tue Apr 29, 2008 12:23 pm

on some modem/routers access control by MAC addresses is only available for wireless connections...

each network interface usually has a unique MAC address, however spoofing is possible on a lot of hardware... so if someone has gained access to your router, maybe they know your MAC addresses anyway...

WPA2 is fairly secure, but still vulnerable to brute force attacks... the Wikipedia entry says you should create a random passphrase of at least 20 characters, and longer than 33 is recommended... if you think someone may be connecting wirelessly, connect to your router via ethernet, turn wireless off and change the passphrase for a really strong (i.e. long and random) one before activating wireless again...

if your router has options for remote management over the internet, you should make sure it is off, unless you really know what you are doing... to be extra safe, only log in to your router via your local ethernet connection, especially when you are setting it up...

and of course, make sure you have changed the router login details from their default settings...
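
Added example (not part of fishmonkey's post): WPA2-Personal turns the passphrase into its 256-bit key with PBKDF2-HMAC-SHA1, 4096 iterations and the SSID as salt, so the randomness of the passphrase is what a guesser has to beat. The sketch below generates a random passphrase and estimates its entropy for the lengths mentioned above; the function names and the SSID "HomeNet" are assumptions for illustration.

```python
import hashlib
import math
import secrets
import string

# WPA2-Personal accepts passphrases of 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, easy to type


def generate_passphrase(length: int = 24) -> str:
    """Return a passphrase drawn uniformly at random from ALPHABET."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"WPA2 passphrases must be {MIN_LEN}-{MAX_LEN} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase (not valid for chosen words)."""
    return length * math.log2(alphabet_size)


def derive_psk(passphrase: str, ssid: str) -> str:
    """256-bit WPA2 pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("passphrase length out of range")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()


if __name__ == "__main__":
    ssid = "HomeNet"  # constructed sample SSID
    for n in (8, 20, 33):
        print(f"{n:2d} random characters = {entropy_bits(n):6.1f} bits")
    phrase = generate_passphrase(24)
    print("new passphrase:", phrase)
    print("PSK for", ssid, "=", derive_psk(phrase, ssid))
```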

fishmonkey
Posts: 4096
Joined: Wed Oct 24, 2007 4:50 am

Post by fishmonkey » Tue Apr 29, 2008 12:28 pm

p.s. in other words, if you think someone's got a copy of your keys, change the locks! if they have managed to get admin access to your router and add a new MAC address, just deleting it isn't going to keep them out...

blank
Posts: 1512
Joined: Thu Apr 21, 2005 5:43 pm
Location: Montreal

Post by blank » Tue Apr 29, 2008 1:11 pm

If it was a real attack done by a real attacker (and not a 12-year-old script kiddie) you can have a backdoor somewhere. Use a rootkit detector just for fun. Maybe your friend had one; dropping a piece of code onto a computer via a game server is pretty possible and maybe common.

There are many, many ways to spoof a MAC address into a common router and to register a new one after, especially in a common home wireless router. This is part of the game with wireless communication.

WPA2 is, yes, more secure, but these days it's crackable nearly as fast as WEP for some people; it is true the WPA2 scheme is vulnerable to brute force attack and there is now some software able to crack it automatically using packet interpolation. Some will tell you to close your SSID broadcast, but it will in fact do nothing against a guy who can spoof a router; he will use a wifi packet sniffer and will see you in a second.

Do you see if he's taking advantage of your DHCP server? If so, change your default gateway and close the DHCP (use fixed IP); it will delay him a bit.

Changing your router admin password to something not vulnerable to a dictionary attack could help.

Secure your computer using a solid password, encrypt sensitive data with TrueCrypt using a good algo like Triple DES or Blowfish, monitor your computer's communication with a packet sniffer and check what is going where often (once a week), don't put any trust in an anti-malware thingy.

Once it's done, let him come back, do some google reading, invest 2 or 3 days learning a bit, downloading tools and go try to nuke his ass

If you check your router log and if you were really attacked, they have been modified to cover traces (except if the hacker is a fag one)

You can also install Linux on a router (there are some open projects doing this) if your router is supported; it's the best way to go (and what I've done here for a couple of months), your security will increase by 100.

hope it helps a bit
feug.net -:- virb.com/feug

rikhyray
Posts: 3644
Joined: Wed Aug 25, 2004 12:13 pm

Post by rikhyray » Tue Apr 29, 2008 2:31 pm

Thanks, very helpful. Found some interesting entries in the log, hacker was trying persistently for around an hour and then managed to get in, obviously simply deleting his MAC yesterday was of not much use. Will see how effective today's resets are.

blank
Posts: 1512
Joined: Thu Apr 21, 2005 5:43 pm
Location: Montreal

Post by blank » Tue Apr 29, 2008 5:07 pm

rikhyray wrote: Thanks, very helpful. Found some interesting entries in the log, hacker was trying persistently for around an hour and then managed to get in, obviously simply deleting his MAC yesterday was of not much use. Will see how effective today's resets are.
Did he try to access your computer in any way according to the log?
feug.net -:- virb.com/feug

forge
Posts: 17422
Joined: Wed Apr 21, 2004 9:47 am
Location: Queensland, AU

Post by forge » Tue Jun 10, 2008 2:29 pm

shit - I checked today to see how much bandwidth I've used this month and today it said I'd used 1.5 GB when I knew all I'd been doing was checking email etc - no way I used that much - asked my girlfriend and she'd had Limewire on without realising, but still I doubt she used that much

so now I started freaking out about some fucker stealing my bandwidth and remembered reading this

thing is she is on Mac and I am PC and from memory I had a hard time even setting up WPA2 so I ended up on WEP even though I know it's not that secure

anyone know what I can do?

mikemc
Posts: 5454
Joined: Mon Jun 21, 2004 2:14 pm
Location: Maryland USA

Post by mikemc » Tue Jun 10, 2008 2:47 pm

this is good advice.
fishmonkey wrote: on some modem/routers access control by MAC addresses is only available for wireless connections...

each network interface usually has a unique MAC address, however spoofing is possible on a lot of hardware... so if someone has gained access to your router, maybe they know your MAC addresses anyway...

WPA2 is fairly secure, but still vulnerable to brute force attacks... the Wikipedia entry says you should create a random passphrase of at least 20 characters, and longer than 33 is recommended... if you think someone may be connecting wirelessly, connect to your router via ethernet, turn wireless off and change the passphrase for a really strong (i.e. long and random) one before activating wireless again...

if your router has options for remote management over the internet, you should make sure it is off, unless you really know what you are doing... to be extra safe, only log in to your router via your local ethernet connection, especially when you are setting it up...

and of course, make sure you have changed the router login details from their default settings...
also, if you live near people, move away from them.
