Forum Moderators: bakedjake


Some Dudes camping at my router

10:51 pm on Mar 15, 2002 (gmt 0)
Preferred Member, 10+ Year Member, joined: Oct 26, 2000, votes: 0

I have a small network: 3 Windows machines and my Linux box. The Windows machines are all running Norton's Firewall. With Linux I set it up with high-security tables. All behind a hardware router.

It started a couple of days ago when I noticed my zip drive light up. I did a netstat and noticed the Dude was connected to my box. Now I have a virtual Windows on my box with Samba networking the zip and a temp directory. I disconnected the network drive and broke the connection. So it looks like he was in through one of my Windows machines. As long as I didn't fire up the virtual Windows machine my box was shielded. If I start it up he will eventually connect.

Last night I started scanning myself with nmap, trying to figure out how he is getting in (by the way, he is on a Linux box). I can't get past the router scanning unless I send ACK packets; then I learn Norton's is wide open to someone who knows what they are doing.

This morning he connected direct to my Linux box. I shut down all incoming to the eth0 and killed the connection. I started tcpdump and pointed at the router gateway and sure enough he shows up. I am over my head in this. He/She was sending stuff like "awk whois IP number" and some stuff about ICMP. When I have the machine locked down he can't get in.

I think he is hijacking sessions and cruising past the router at that point.

That's my sad story; I could use a little advice as to how to approach this. I have been reading about firewall setups and it's going to take me a while to get a grip on it.

Suggestions?
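The post above spots the intruder by watching netstat for a foreign connection to the Samba-shared zip drive. As an added example, not code from the original poster, here is a small Python script that does that check systematically: it parses `netstat -an` style output and reports every ESTABLISHED connection whose remote address is outside the local LAN, marking the ones that land on the SMB ports (139/445). The LAN prefix `192.168.1.0/24` and the netstat sample are constructed for the example.

```python
import ipaddress

# Constructed sample of `netstat -an` output (not from the original post).
# Two of the ESTABLISHED rows come from addresses outside the LAN and hit
# the SMB ports that Samba exposes for the zip drive share.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:139        192.168.1.20:1034       ESTABLISHED
tcp        0      0 192.168.1.10:139        203.0.113.45:3312       ESTABLISHED
tcp        0      0 192.168.1.10:22         192.168.1.20:1040       ESTABLISHED
tcp        0      0 192.168.1.10:445        198.51.100.7:4412       ESTABLISHED
udp        0      0 0.0.0.0:137             0.0.0.0:*
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local network
SMB_PORTS = {139, 445}                         # NetBIOS session / SMB over TCP


def parse_netstat(text):
    """Turn netstat -an lines into dicts; header and non-tcp/udp lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        rows.append({
            "proto": parts[0],
            "local": parts[3],
            "foreign": parts[4],
            # UDP rows carry no state column in this output format
            "state": parts[5] if len(parts) > 5 else "",
        })
    return rows


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon (the port may be '*' for listeners)."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def suspicious_connections(text, lan=LAN):
    """Return ESTABLISHED connections whose peer is not on the LAN or loopback."""
    findings = []
    for row in parse_netstat(text):
        if row["state"] != "ESTABLISHED":
            continue
        _, local_port = split_endpoint(row["local"])
        foreign_host, _ = split_endpoint(row["foreign"])
        try:
            peer = ipaddress.ip_address(foreign_host)
        except ValueError:
            continue  # not a literal address; ignore
        if peer in lan or peer.is_loopback:
            continue
        findings.append({
            "remote": foreign_host,
            "local_port": int(local_port),
            "smb": int(local_port) in SMB_PORTS,
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(SAMPLE_NETSTAT):
        tag = "SMB share" if f["smb"] else "other service"
        print(f"{f['remote']} -> local port {f['local_port']} ({tag})")
```

Run on a real box, replace `SAMPLE_NETSTAT` with the output of `netstat -an` and set `LAN` to your own prefix; anything the script lists is a session that crossed the router and deserves the same treatment the poster gave the first one (break it, then find the path it came in by).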

11:00 pm on Mar 15, 2002 (gmt 0)
eliteweb (Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member), joined: June 5, 2001, votes: 0

Wow David :) One thing I would do is change the hardware firewall password, and if it has SNMP enabled, change it out of the group *PUBLIC to anything else, like BOB. *PUBLIC = your hardware password, and if they do an SNMP dump and dump the config for your hardware they could have the password in plain text. Learn more about SNMP and MIBs by going to the hardware's website. They may be able to upload a new config via TFTP to the hardware.

Make sure your hardware is configured properly to not allow incoming connections except on specific ports to specific machines, and to figure out more about what he is doing.

There are millions of books on security; it's just hard to find the right ones.
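The advice above is to get rid of the factory-default SNMP community string and to restrict who can read or write the device configuration. As an added example (not eliteweb's code, and not specific to any particular router), here is a Python audit for a net-snmp style `snmpd.conf`: it flags `rocommunity`/`rwcommunity`/`com2sec` lines that still use `public` or `private`, and read-write communities with no source restriction. The config fragment is constructed for the example; a hardware router's own config format will differ, so treat the parser as a template for the check rather than a universal tool.

```python
# Constructed net-snmp style snmpd.conf fragment (written for this example).
SAMPLE_SNMPD_CONF = """\
# read-only access from anywhere with the factory default string
rocommunity public
# read-write access restricted to the LAN, but with a well-known string
rwcommunity private 192.168.1.0/24
# read-only access with a non-default string, LAN only
rocommunity BOB 192.168.1.0/24
# read-write access from anywhere (no source restriction at all)
rwcommunity s3cret-rw
com2sec readonly default public
"""

# Community strings that ship as defaults on a great many devices.
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmp_config(text):
    """Return (line_number, issue, community) tuples for weak SNMP settings.

    Directives understood (net-snmp syntax, assumed for this example):
      rocommunity COMMUNITY [SOURCE]
      rwcommunity COMMUNITY [SOURCE]
      com2sec SECNAME SOURCE COMMUNITY
    A missing SOURCE, or the literal 'default', means 'from anywhere'.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity") and len(parts) >= 2:
            community = parts[1]
            source = parts[2] if len(parts) >= 3 else "default"
        elif directive == "com2sec" and len(parts) >= 4:
            source, community = parts[2], parts[3]
        else:
            continue
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "default-community", community))
        if directive == "rwcommunity" and source == "default":
            findings.append((lineno, "rw-unrestricted", community))
    return findings


if __name__ == "__main__":
    for lineno, issue, community in audit_snmp_config(SAMPLE_SNMPD_CONF):
        print(f"line {lineno}: {issue} ({community})")
```

The two checks map directly onto the post: a default community lets anyone who can reach UDP 161 read the configuration (including, on some devices, stored passwords), and an unrestricted read-write community is what makes pushing a new configuration possible. Fixing the audit's findings means a non-default string and a source restriction on every line it reports.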

8:12 pm on Mar 16, 2002 (gmt 0)
Preferred Member, 10+ Year Member, joined: Sept 24, 2001, votes: 0

First I'd go by cert.org and nsa.gov to look at rocketdicing my OS and applications (all of them, Linux and Windows). Next I would install a third-party logging system, to make it hard for the dude to fumble with my OS log without me knowing about it. Then I would look at a firewall switch like Zywall 1.

Come back with some info on how you solve this problem. I, for one, would love to hear.
