Security Forums


Client Hacked

Networking/Security Forums Index -> Computer Forensics and Incident Response

darkt3ch
Just Arrived
Joined: 15 Jun 2004
Posts: 0
Location: aussie

Posted: Sat Jun 02, 2007 2:24 pm    Post subject: Client Hacked

Hi,

One of my clients has been hacked pretty bad. I found an entire new subnet running on the router with a bit of activity running through it.

We have fixed the problem. Now I want to know how???

Once someone has cracked admin access on the router, how would they have gotten from there to having their computers on the private network? Would the router need to have VNC access? Can they upload hacked firmware? Is there something that can be done in the route table to connect 2 private networks?

Any links to read???

RoboGeek
SF Mod
Joined: 13 Jun 2003
Posts: 16777166
Location: LeRoy, IL

Posted: Sat Jun 02, 2007 4:45 pm

What make/model router?

darkt3ch
Just Arrived
Joined: 15 Jun 2004
Posts: 0
Location: aussie

Posted: Sun Jun 03, 2007 5:11 am

It was a Netgear router, nothing too special about it. I guess he might have set up a VPN between his router and the client's?

We have fixed the problem and secured the router now... I just want to read up on the different ways to go about doing this.

So, for example: the victim is running a decent home-grade router with ADSL, and
the attacker is using a similar-quality router with ADSL.

The attacker gains full admin access to the victim's router,
and
the goal is to become a part of the local "private" network.

I have come up with a few possibilities:
1 - Static Routes
2 - VPN between routers
3 - PPP
4 - RIP

I thought these might be a few ways to accomplish this. I don't know much about any of them (or other methods).

Could someone shed some light, and maybe drop a few links to a good read?

Cheers

ryansutton
Trusted SF Member
Joined: 25 Aug 2004
Posts: 67
Location: San Francisco, California

Posted: Sun Jun 03, 2007 7:07 am

If they have compromised your router they could forward everything to a specific computer and exploit or make a connection there. Depending on the router, they could even sniff all the data going out of your network from the node. The possibilities are many.

moondoggie
Lurker
Joined: 27 May 2005
Posts: 19

Posted: Mon Jun 04, 2007 7:52 am

One of the first checks is to make sure you change the default admin password on his router. Not sure if it was still the default before, but that's one very easy way to get into a router.

larsmhansen
Trusted SF Member
Joined: 11 Jan 2003
Posts: 0
Location: Boston, MA, USA

Posted: Mon Jun 04, 2007 7:04 pm

darkt3ch wrote:
I have come up with a few possibilities
1 - Static Routes
2 - VPN between routers
3 - PPP
4 - RIP


If there was activity between two subnets (one local and one god-knows-where), then #2 is probably the answer. If someone got hold of the admin password, and remote administration was enabled, then it's easy as pie to create a VPN between two locations. Since the router is also the default gateway, there's no need for any additional routing, so you can rule out #1 and #4. PPP is mostly dialup stuff, and if there's a modem somewhere on site, that's certainly a possibility.

If remote administration was not enabled, then there are two possibilities:
1) It was an inside job, or
2) One (or more) computers were compromised (trojan, rootkit), and then the router was accessed from the inside.

And yes, anyone who has the admin password to the firewall can upload new firmware to the unit, whether it's through remote access, VPN access or local.
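The indicators the replies above point at (remote administration left on, a default admin password, a static route or VPN tunnel to a subnet nobody on site recognises, RIP enabled, port forwards to an internal host) are all things an admin can check for in the router's own configuration before and after an incident like this one. The following is an added example, not code from this thread or from any router vendor: a small Python audit over a key=value config dump. The `key=value` format, the sample dump and the `EXPECTED` baseline are constructed for the example; a real Netgear export looks different, so the parser is the part you would adapt.

```python
"""Audit a small-office router configuration dump for the indicators this thread
discusses: remote administration enabled, a default/weak admin password, static
routes to an unexpected subnet, RIP enabled, VPN tunnels to unknown peers and
port forwards. The key=value format and the sample dump are CONSTRUCTED for
this example and are not a real vendor export format."""

import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample resembling the thread's scenario: a new subnet reachable
# over an unexpected VPN tunnel, plus a static route pointing at it.
SAMPLE_CONFIG = """\
# constructed router dump, not a real export
lan.subnet=192.168.1.0/24
admin.password=password
admin.remote_enabled=1
admin.remote_port=8080
route.static.1=10.77.0.0/16 via 192.168.1.254
route.static.2=0.0.0.0/0 via 203.0.113.1
rip.enabled=1
vpn.tunnel.1.peer=198.51.100.23
vpn.tunnel.1.remote_subnet=10.77.0.0/16
forward.1=tcp 3389 -> 192.168.1.20:3389
firmware.version=1.0.3
"""

# What the site owner knows to be legitimate (assumed baseline for the sample).
EXPECTED = {
    "lan_subnets": {"192.168.1.0/24"},
    "vpn_peers": set(),                  # no legitimate site-to-site VPN here
    "default_route_via": "203.0.113.1",  # the ISP gateway
}

WEAK_PASSWORDS: Set[str] = {"", "password", "admin", "1234"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


@dataclass
class Finding:
    severity: str
    key: str
    detail: str


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines, '#' comments and other lines are skipped."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            config[key.strip()] = value.strip()
    return config


def audit(config: Dict[str, str], expected: dict) -> List[Finding]:
    """Return findings sorted high -> medium -> info; an empty list means clean."""
    findings: List[Finding] = []

    if config.get("admin.password", "") in WEAK_PASSWORDS:
        findings.append(Finding("high", "admin.password",
                                "default or trivial admin password"))
    if config.get("admin.remote_enabled") == "1":
        port = config.get("admin.remote_port", "?")
        findings.append(Finding("high", "admin.remote_enabled",
                                f"remote administration reachable from the WAN on port {port}"))
    if config.get("rip.enabled") == "1":
        findings.append(Finding("medium", "rip.enabled",
                                "RIP enabled: the router will accept routes advertised on the link"))

    for key, value in config.items():
        if key.startswith("route.static."):
            match = re.fullmatch(r"(\S+)\s+via\s+(\S+)", value)
            if not match:
                continue
            dest, gateway = match.groups()
            if dest == "0.0.0.0/0" and gateway == expected["default_route_via"]:
                continue  # the normal default route to the ISP
            if dest not in expected["lan_subnets"]:
                findings.append(Finding("high", key,
                                        f"static route to unexpected subnet {dest} via {gateway}"))
        elif key.startswith("vpn.tunnel.") and key.endswith(".peer"):
            if value not in expected["vpn_peers"]:
                findings.append(Finding("high", key, f"VPN tunnel to unknown peer {value}"))
        elif key.startswith("forward."):
            findings.append(Finding("info", key, f"port forward present: {value}"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable sort keeps config order
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG), EXPECTED):
        print(f"[{finding.severity:6}] {finding.key}: {finding.detail}")
```

Run against the constructed dump it reports four high findings (weak password, remote admin on, the 10.77.0.0/16 static route, the unknown VPN peer), one medium (RIP) and one informational port forward. The useful part is the `EXPECTED` baseline: keeping a known-good copy of the config and diffing the live unit against it is what turns "an entire new subnet on the router" from a surprise into an alert.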