
Re: Desperate for good firewall: ARP and DNS attacks

On Wed, Mar 3, 2010 at 12:35 AM, Stephan Balmer <sb@lia.ch> wrote:

> What sort of Internet connection do you use? What hosts are connected?
> Wifi present?

I have an ADSL PPPoE connection, although normally it's PPPoA. Doesn't
matter with my ISP. What do you mean by hosts connected? On my LAN? If
that's what you mean, only one at the moment. Wifi present but not in
use. I did use Wifi a while back and that seemed to be the beginning
along with other issues. On my father's laptop I was astonished to see
that he had 27 tunnelling adapters by looking at ipconfig. Lots of
weird stuff went on there, and others who knew about this particular
Wifi modem I had at the time told me it was junk and to throw it away.

> What operating system are you using?

Lenny 5.0.4 with updates.

> How do you detect malware on your system?

By using rootkit tools, and by simple inspection and observing the
behaviour of my system. For example, on my iMac, the malware resides
on a partition I can't get rid of. Apple tech support said there
should only be one partition for my system and I could use the disk
tool to zero it out, but the malware partition won't let itself get
wiped and it tries to take over the install (and does, I've tried many
times.) I'm going to have to send my iMac to the service centre and
ask them to send me back the bad disk and put in a new one for me.
Lots of ways I detect it. Plus the kernel is not supposed to resume
from a swap partition at boot time, is it? Seems odd to me. Also I
found through looking at my traffic use uploads of data that did not
come from me or my father.

> What do you mean by 'on multicast'? From where did you boot whom off how?

I saw a lot of stuff about traffic going to a multicast address, and a
professor took a look at it, and it was a multicast address traffic
was going to. Also something like "snmp-trap" and IGMP stuff. To be
honest I only have a small knowledge of networking. Enough to get up
and going and create a very simple firewall.

> Your router got taken over? Did you replace it? What/who is 'it'?

Yes, I replaced several modem/routers. I don't know what/who is "it"
otherwise I'd be gunning for who/it and making it stop. I have some
suspicions and I'm investigating those. I've got lots of good packet
captures and weird partitions not supposed to be partitioned which I
ripped out with the dd command.

> Just a warning: I'm no expert.

That's okay, thank you for taking the time to respond. I appreciate it.

> As long as these reside on ramdisks, the security issues are slight.
> Attackers would have to exploit vulnerabilities in the install system over
> the network. This is unlikely.

Thanks for that information. So I can look elsewhere instead of being
overly worried about it and focus on what's more likely.

> You can download official Debian images from http://www.debian.org. An
> attacker would have to go to great lengths to provide malicious ones.
> So unless you have something of great value (or have annoyed somebody
> a great deal) it is extremely unlikely anybody would do this. You can also
> download Debian testing images, those are generated daily and even harder to
> fake.
> If you want to be extra sure, take the SHA1 hash of an image and compare
> out-of-band with a trusted person. You would
> 1. Download an image from debian.org
> 2. take its SHA1 hash
> 3. Phone a trusted person to do the same
> 4. compare SHA1 hashes
> If they are different, first verify you both downloaded the same image.
> If the images really are different, publish both somewhere for people to
> have a look at them.

Thanks very much for that. I will do that and see what happens.

> Also in this case you should consider contacting your
> friendly law enforcement agency, it is likely that there is a law against
> this, though I don't know where you live.

Oh I will be doing that, but I would like to try and gather something
that can stand up in a court of law. Otherwise I'm not sure anything
could be done.

As for the laws, I assumed there was, and I contacted the free legal
advice line and got some help there. There are several ways I can get
this done legally that I'm aware of at the moment. But I do need
something that can likely result in conviction(s) and/or a Supreme
Court writ for damages. Standards of proof are different obviously for
those roads.

Thanks very much for taking the time to reply.
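The out-of-band SHA1 comparison from the quoted advice, as an added example that is not code from this thread or from the Debian project; the function names, the size check and the sample bytes b"abc" (standing in for a downloaded image) are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Added example, not code from the thread: hash a downloaded image in
# fixed-size chunks (images are large) and compare the digest with one
# obtained out-of-band, e.g. read over the phone by a trusted person.

CHUNK = 1024 * 1024  # read 1 MiB at a time

def sha1_of_file(path):
    """Return the lowercase hex SHA1 digest of the file at `path`."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def normalize_hex(digest):
    """Drop spaces, colons and case so a digest dictated by phone
    ('A9:99:3E ...') compares equal to what sha1sum prints."""
    return "".join(c for c in digest.lower() if c in "0123456789abcdef")

def verify_image(path, out_of_band_hex, out_of_band_size=None):
    """Compare the local image with the trusted person's SHA1 (and size).
    Returns (ok, reason). Size is checked first because the advice is to
    rule out having fetched different images before suspecting tampering."""
    expected = normalize_hex(out_of_band_hex)
    if len(expected) != 40:
        return False, "out-of-band value is not a 40-hex-digit SHA1"
    if out_of_band_size is not None and os.path.getsize(path) != out_of_band_size:
        return False, "size differs: probably not the same image"
    if sha1_of_file(path) == expected:
        return True, "SHA1 matches out-of-band value"
    return False, "SHA1 differs: publish both images for inspection"

def verify_bytes(data, out_of_band_hex, out_of_band_size=None):
    """Run verify_image on constructed in-memory content, standing in
    for a real .iso that would be downloaded to disk."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return verify_image(path, out_of_band_hex, out_of_band_size)
    finally:
        os.unlink(path)

# Constructed content b"abc"; the colon-separated form is how a digest read aloud might be typed in
print(verify_bytes(b"abc", "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D", 3))
```

For a real image, replace the constructed bytes with the path of the downloaded file and the size and digest your trusted person reports.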
