
Re: Desperate for good firewall: ARP and DNS attacks

> I have an ADSL PPPoE connection, although normally it's PPPoA. Doesn't
> matter with my ISP. What do you mean by hosts connected? On my LAN? If
> that's what you mean, only one at the moment. Wifi present but not in
> use. I did use Wifi a while back and that seemed to be the beginning
> along with other issues. On my father's laptop I was astonished to see
> that he had 27 tunnelling adapters by looking at ipconfig. Lots of
> weird stuff went on there, and others who knew about this particular
> Wifi modem I had at the time told me it was junk and to throw it away.

If you're worried about security, make sure the wifi access point is
physically disconnected from your network.

ipconfig is a Microsoft Windows tool. I can't help you with Windows systems,
but if you have malware in your network it would likely be on those because
they are the target of most digital vermin. But the mere presence of tunnel
adapters does not indicate malware.

> > How do you detect malware on your system?
> By using rootkit tools, and by simple inspection and observing the
> behaviour of my system. For example, on my iMac, the malware resides
> on a partition I can't get rid of. Apple tech support said there
> should only be one partition for my system and I could use the disk
> tool to zero it out, but the malware partition won't let itself get
> wiped and it tries to take over the install (and does, I've tried many
> times.) I'm going to have to send my iMac to the service centre and
> ask them to send me back the bad disk and put in a new one for me.
> Lots of ways I detect it. Plus the kernel is not supposed to resume
> from a swap partition at boot time, is it? Seems odd to me. Also I
> found through looking at my traffic use uploads of data that did not
> come from me or my father.

What did those rootkit tools tell you? Such tools are heuristic by nature;
just because they flag a warning does not mean there actually is a rootkit.

Did you install Lenny on that iMac? Or is this another host in your network?
Also, does your father use another system, or yours? I'm asking because
above you said there was just one system. If you installed Lenny on the Mac,
please understand that Apple will not be aware of this unless you tell them;
they will not know about your partitioning scheme.

Linux systems typically write the resume image to the swap area, so yes,
this is normal. Unless of course you haven't actually suspended to disk,
then it shouldn't resume from it.

When you say traffic did not come from you, do you mean it did not originate
on your host? Or do you mean it originated on your host but you have no
idea why? Also, you are being very vague; unless you include packet captures,
we cannot help you much. You can replace network addresses with aliases if
this is a concern.

> > What do you mean by 'on multicast'? From where did you boot whom off how?
> I saw a lot of stuff about traffic going to a multicast address, and a
> professor took a look at it, and it was a multicast address traffic
> was going to. Also something like "snmp-trap" and IGMP stuff. To be
> honest I only have a small knowledge of networking. Enough to get up
> and going and create a very simple firewall.

Depending on the devices you have in your LAN, SNMP and IGMP packets
are to be expected to float around.

> > Your router got taken over? Did you replace it? What/who is 'it'?
> Yes, I replaced several modem/routers. I don't know what/who is "it"
> otherwise I'd be gunning for who/it and making it stop. I have some
> suspicions and I'm investigating those. I've got lots of good packet
> captures and weird partitions not supposed to be partitioned which I
> ripped out with the dd command.

Please provide excerpts of these captures. Just because something is
there does not mean it's a danger to you.

Partitions that are not supposed to be partitioned? Again, these may have
completely benign causes. Maybe you installed a new system and the installer
tried to preserve the old system?

> > Also in this case you should consider contacting your
> > friendly law enforcement agency, it is likely that there is a law against
> > this, though I don't know where you live.
> Oh I will be doing that, but I would like to try and gather something
> that can stand up in a court of law. Otherwise I'm not sure anything
> could be done.
> As for the laws, I assumed there was, and I contacted the free legal
> advice line and got some help there. There are several ways I can get
> this done legally that I'm aware of at the moment. But I do need
> something that can likely result in conviction(s) and/or a Supreme
> Court writ for damages. Standards of proof are different obviously for
> those roads.

You shouldn't be concerned with the Supreme Court now. It is very unlikely
your case ever gets that far, given that at the moment you don't even have a
case but wild guesses.

I recommend that you relax. I haven't perceived anything clearly
malicious so far.
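
Added example, not part of the original message: a Python check of the point above that a resume image in swap is normal after a suspend to disk. It reads the signature at the end of the first page of a swap area; the page sizes tried, the function names and the sample pages are assumptions constructed for this illustration, and only the in-kernel `S1SUSPEND` marker is recognised.

```python
"""Tell a plain Linux swap area from one holding a hibernation (resume) image."""
import sys

SIG_LEN = 10
PAGE_SIZES = (4096, 8192, 16384, 65536)    # the signature ends the first page
PLAIN_SWAP = (b"SWAPSPACE2", b"SWAP-SPACE")
KERNEL_HIBERNATE = b"S1SUSPEND\x00"        # in-kernel suspend-to-disk marker


def classify_swap_header(data):
    """Return (state, page_size) for the first bytes of a swap area."""
    for page_size in PAGE_SIZES:
        if len(data) < page_size:
            break
        sig = data[page_size - SIG_LEN:page_size]
        if sig in PLAIN_SWAP:
            return "plain-swap", page_size
        if sig == KERNEL_HIBERNATE:
            # The kernel parks the original swap signature just before its own
            # and restores it after a successful resume.
            saved = data[page_size - 2 * SIG_LEN:page_size - SIG_LEN]
            if saved in PLAIN_SWAP:
                return "hibernation-image", page_size
            return "hibernation-marker-without-saved-signature", page_size
    return "unrecognised", None


def sample_page(sig, saved=b"", page_size=4096):
    """Constructed first page of a swap area (zero filled apart from signatures)."""
    body = bytearray(page_size)
    body[page_size - SIG_LEN:] = sig.ljust(SIG_LEN, b"\x00")
    if saved:
        body[page_size - 2 * SIG_LEN:page_size - SIG_LEN] = saved
    return bytes(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # e.g. a dd copy of the swap partition
        with open(sys.argv[1], "rb") as fh:
            print(classify_swap_header(fh.read(max(PAGE_SIZES))))
    else:
        print(classify_swap_header(sample_page(b"SWAPSPACE2")))
        print(classify_swap_header(sample_page(b"S1SUSPEND", b"SWAPSPACE2")))
```

A "hibernation-image" result on a machine that was never suspended to disk is the case worth a closer look; "plain-swap" means there is nothing for the kernel to resume from.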
