ISP threatening to temporarily shut off Internet of my aunt.


Automic

Hello dear Hak5 community,

Today my aunt received an e-mail from her ISP stating that a great amount of SPAM is being sent from their connection.

And if they don't fix it within 3 days their connection will be temporarily shut off.

They have 2 computers and 1 laptop on the network, all "Wireless" connected.

All computers have a virus scanner with the latest definitions and Hitman Pro is run regularly on each of those computers.

Also their wireless router is not secured; they did not even know that it was possible to secure it.

I'm going to her tomorrow, and I'm wondering what could be the cause.

I think the cause is other people on her network, since it's unsecured and her computers aren't showing any symptoms of infection of any kind.

I have guided her through the steps to get in the router and set up the security, and she could not log on with the default administrator password.

And they did not want to touch the router to reset it, they're afraid to break it... <_<

So most likely some wireless leecher changed that password.

And that's why I want to know who is leeching her wireless network, before I (ruin their little leeching party) secure it.

Any advice on how to see who is on her network (not only the computer name)?

And any ideas what else might be the cause to this spam?

Thank you in advance.

Greets,

Automic

Link to comment
Share on other sites

Lots of options. Check some of these out and see what you're comfortable with.

BIG BROTHER

http://www.bb4.com/

AutoNOC

http://www.autonoc.com/benefits/

OpenNMS

http://www.opennms.org/index.php/Main_Page

Just for Fun NMS

http://www.jffnms.org/

TheDude is pretty cool for a freebie...

http://www.mikrotik.com/thedude.php

MRTG is the de facto standard for free tools

http://www.mrtg.org

PRTG is a little more refined version

http://www.paessler.com/prtg

I'm very partial to Solarwinds Orion and the Engineer's Toolsets

http://www.solarwinds.net

Neon Software to diagram/document/monitor your network

http://www.neon.com/map.shtml

WhatsUp Gold:

http://www.ipswitch.com

I like the interface of Netcrunch:

http://www.adremsoft.com/netcrunch/index.php

Argus Software (looks just like WhatsUp Gold, only for Linux - and free)

http://argus.tcp4me.com/shots.html

Manage Engine by OpManager (can restart services on Windows servers)

http://manageengine.adventnet.com/products...r/index.html?tb

Or you can use Windows Network Monitor.

Network Monitor is a component of the Windows Server OSs and Microsoft Systems Management Server (SMS) that lets you monitor network traffic as it crosses the wire. By using Network Monitor, you can monitor network traffic in real time or capture and store packets for later analysis. You can use the information that Network Monitor captures to troubleshoot problems on LANs, WANs, and virtually any device that uses TCP/IP to communicate. Network Monitor has three primary uses:

* Troubleshooting network connectivity. This is the number-one reason to use Network Monitor. If you have two machines that have problems communicating with each other, you can use Network Monitor's Network Trace feature to help determine the problem's exact cause. You can also use Network Monitor to view each TCP/IP packet that travels between the two devices and the information contained within each packet.

* Assessing network performance. Network Monitor gives you a clear picture of current network utilization. If you suspect that you have a network performance bottleneck, you can use the information that Network Monitor provides, such as detailed network-utilization statistics and information about the network traffic source, to find the bottleneck. Although you typically won't use Network Monitor to initially identify a problem as network communications-related, it's a great second-level troubleshooting tool that can help you further pinpoint a problem and displays much more detail than Performance Monitor does.

* Troubleshooting beaconing hardware devices. Before switched networks existed, you could use Network Monitor to track down problems with hardware devices on a network. You can still use Network Monitor to track fragmented or damaged packets sent out by faulty equipment, but to do so you'll probably need the full version of Network Monitor, which supports remote agents and the capture of packets on a network segment even when the traffic isn't directed to the machine that's running Network Monitor. (For more information about the two versions of Network Monitor, see the sidebar "Network Monitor Versions.") If you have a managed switch, you can use a combination of the managed-switch statistics and Network Monitor to obtain as clear a picture of the problem as possible when diagnosing faulty network hardware.

Installing Network Monitor

To use Network Monitor, you must have a NIC that supports promiscuous mode installed in the server that's running SMS or Network Monitor. (Most NICs support promiscuous mode.) Network Monitor isn't installed by default unless you explicitly selected it when you installed Windows Server 2003 or Windows 2000 Server. To install the version of Network Monitor that's included in Windows 2003 or Win2K Server, perform these steps:

1. Open Control Panel (click Start, highlight Settings, and click Control Panel).

2. Double-click Add or Remove Programs.

3. Click Add/Remove Windows Components.

4. Click Management and Monitoring Tools, then click Details.

5. Select the Network Monitor Tools check box and click OK.

Starting Network Monitor

After you've installed Network Monitor, you're ready to start the utility. Click Start, Programs, Administrative Tools, Network Monitor. (Alternatively, you can run Network Monitor from the command line or use a batch file to automate packet captures.) You'll see the initial Network Monitor screen. To start capturing packets, click the Capture button. After Network Monitor starts capturing packets.

Network Monitor is the simplest utility to monitor network traffic. If you find it difficult, let me know and I will suggest a different utility.

Good Luck

Link to comment
Share on other sites

And any ideas what else might be the cause to this spam?

The router might have been flashed with a version of the firmware that contains a bot.

If a virus scanner found nothing, that means the virus scanner found nothing, it doesn't mean there isn't malicious software on the computer.

Since the network has been compromised, best just reinstalling Windows on both the computers and installing the latest firmware for the router.

Link to comment
Share on other sites

Thanks for your reply Justin Ewing.

The router might have been flashed with a version of the firmware that contains a bot.

Never thought of that!

And yeah, there will always be things a virus scanner can't find, of course.

Thanks for the advice Sparda!

More advice is always welcome :)

Link to comment
Share on other sites

The best option, unless you already have some idea about what is causing this, is to reinstall all the computers and re-flash the router. Then set up some proper security.

...and in the meantime, unplug the internet connection, just so you don't have to go through the hassle of calling the ISP and making them re-enable it.

Link to comment
Share on other sites

This is more of a basic suggestion: run an adware and spyware scanner.

Run Lavasoft Ad-Aware and Spybot Search and Destroy.

And for the concern of a leecher, go into the router's setup and look in the client list and see if the list contains the computers that are supposed to be on the LAN.

Getting stuff like that is all involved with internet hygiene, like not clicking on links or downloading stuff from email that is from people that she does not know, or downloading stuff from the net that is not trustworthy.

Link to comment
Share on other sites
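An added example, not part of any post in this thread: one way to combine the two suggestions above (capture the traffic, then compare against the machines that are supposed to be on the LAN) is to summarise a capture export per host and flag any host that connects to many different outside mail servers on TCP port 25. The subnet, MAC inventory, threshold and flow records below are all constructed assumptions, and the fan-out check is a heuristic, not proof of infection.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: flow records exported from a capture (not real data).
SAMPLE_FLOWS = """src_ip,src_mac,dst_ip,dst_port
192.168.1.10,00-11-22-AA-BB-01,198.51.100.5,25
192.168.1.10,00-11-22-AA-BB-01,198.51.100.5,25
192.168.1.10,00-11-22-AA-BB-01,203.0.113.80,443
192.168.1.11,00:11:22:aa:bb:02,203.0.113.80,443
192.168.1.23,0211.22cc.dd09,203.0.113.1,25
192.168.1.23,0211.22cc.dd09,203.0.113.2,25
192.168.1.23,0211.22cc.dd09,203.0.113.3,25
192.168.1.23,0211.22cc.dd09,192.0.2.77,25
"""
LAN = ip_network("192.168.1.0/24")  # assumed home subnet
KNOWN_MACS = {"00:11:22:AA:BB:01", "00:11:22:AA:BB:02"}  # assumed inventory
FANOUT_THRESHOLD = 3  # distinct outside mail servers before a host is flagged


def norm_mac(mac):
    """Reduce dash, colon or dotted MAC notation to lowercase aa:bb:cc form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def analyse(flow_csv, known_macs=KNOWN_MACS, threshold=FANOUT_THRESHOLD):
    """Per LAN host: is it a known device, and does it fan out on TCP/25?"""
    known = {norm_mac(m) for m in known_macs}
    smtp_dests, macs = defaultdict(set), {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src_ip"]), ip_address(row["dst_ip"])
        if src not in LAN:
            continue  # only traffic that originates inside the LAN
        macs[src] = norm_mac(row["src_mac"])
        if int(row["dst_port"]) == 25 and dst not in LAN:
            smtp_dests[src].add(dst)
    return [
        {"ip": str(ip), "mac": macs[ip], "known_device": macs[ip] in known,
         "smtp_destinations": len(smtp_dests[ip]),
         "suspected_spam_source": len(smtp_dests[ip]) >= threshold}
        for ip in sorted(macs)
    ]


if __name__ == "__main__":
    for host in analyse(SAMPLE_FLOWS):
        print(host)
```

A flagged host that is also a known device points at an infected household machine; a flagged host with an unknown MAC points at someone else using the open wireless network.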

Hello all, thanks for all your advice!

I have been at my aunts place today, and I immediately noticed the clients on the router.

All the computers that did not belong to them in the network had a computername including their own names..

So now we know who those people were.

I secured their wireless, reinstalled all machines and closed some ports that should remain closed.

So I think it's problem solved, also renamed the SSID to : "Not-Your-Wi-Fi" ^^.

Of course I also told them not to click on everything etc..

@Spikey, Hitman pro is a great tool www.hitmanpro.com it includes ad-aware and spybot search and destroy and is fully automated.

Link to comment
Share on other sites

Some infections are able to hide from the virus scanners when run. If you do a lot of P2P, never rely on your virus scanner's auto-protection, as 9 out of 10 times it will not protect you.

If you want to test, install a virtual machine, install a good virus scanner and turn on its auto-protection, then download a file you know to be infected.

Then scan it; if it is infected, don't delete it, run it. (I have tried it with Avast and AVG and my old copy of Norton SystemWorks 2003, and on all of them most of the files run were not detected by the auto-protection, or were detected after the file already did things like change the desktop background or disable almost everything in Windows or do some kind of damage.)

Link to comment
Share on other sites

  • 1 month later...
If you do a lot of P2P, never rely on your virus scanner's auto-protection, as 9 out of 10 times it will not protect you

OK, I have to say that's a bit of a BS statement, no offense though. That's providing false facts: if you use a useless AV then obviously it won't pick up the virus; using a good AV that has real-time protection will be able to pick up viruses that are being downloaded through P2P services. I know this because I used to use Kaspersky and use P2P services, and it picked up the viruses that I mistakenly downloaded; it picks them up by about 10 - 30% of a completed download.

Link to comment
Share on other sites

AV is retarded ... and some host on the network has some malware ..

just follow this simple tutorial and grandma can go to what ever midget porn sites she wants ..

http://rmccurdy.com/email.html

great tutorial. just one thing: in the advanced runas section, instead of "runas /u:admin /savecred" is "runas /u:admin /savedcred"

again, it's a great way to make windows safer ;)

Link to comment
Share on other sites
