darkt3ch (Just Arrived)
Joined: 15 Jun 2004, Posts: 0, Location: aussie
Posted: Sat Jun 02, 2007 2:24 pm, Post subject: Client Hacked
Hi,
One of my clients has been hacked pretty bad. I found an entire new subnet running on the router with a bit of activity running through it.
We have fixed the problem. Now I want to know how???
Once someone has cracked into admin access on the router, how would they have gotten from there to having their computers on the private network? Would the router need to have VNC access? Can they upload hacked firmware? Is there something that can be done in the route table to connect 2 private networks?
Any links to read???
RoboGeek (SF Mod)
Joined: 13 Jun 2003, Posts: 16777166, Location: LeRoy, IL
Posted: Sat Jun 02, 2007 4:45 pm
What make/model router?
darkt3ch (Just Arrived)
Joined: 15 Jun 2004, Posts: 0, Location: aussie
Posted: Sun Jun 03, 2007 5:11 am
It was a Netgear router, nothing too special about it. I guess he might have set up a VPN between his router and the client's?
We have fixed the problem and secured the router now... I just want to read into different ways to go about doing this.
So for example: victim running a decent home grade router w/ADSL,
attacker is using a similar quality router w/ADSL,
attacker gains full admin access to victim's router,
and
the goal is to become a part of the local "private" network.
I have come up with a few possibilities:
1 - Static Routes
2 - VPN between routers
3 - PPP
4 - RIP
I thought these might be a few ways to accomplish this. I don't know much about any of them (or other methods).
Could someone shed some light? And maybe drop a few links to a good read.
Cheers
ryansutton (Trusted SF Member)
Joined: 25 Aug 2004, Posts: 67, Location: San Francisco, California
Posted: Sun Jun 03, 2007 7:07 am
If they have compromised your router they could forward everything to a specific computer and exploit or make a connection there. Depending on the router, they could even sniff all the data going out of your network from the node. The possibilities are many.
moondoggie (Lurker)
Joined: 27 May 2005, Posts: 19
Posted: Mon Jun 04, 2007 7:52 am
One of the first checks is to make sure you change the default admin password on his router. Not sure if it was still the default before, but that's one very easy way to get into a router.
larsmhansen (Trusted SF Member)
Joined: 11 Jan 2003, Posts: 0, Location: Boston, MA, USA
Posted: Mon Jun 04, 2007 7:04 pm
darkt3ch wrote:
    I have come up with a few possibilities
    1 - Static Routes
    2 - VPN between routers
    3 - PPP
    4 - RIP
If there was activity between two subnets (one local and one godknowswhere), then #2 is probably the answer. If someone got hold of the admin password, and remote administration was enabled, then it's easy as pie to create a VPN between two locations. Since the router is also the default gateway, there's no need for any additional routing, so you can rule out #1 and #4. PPP is mostly dialup stuff, and if there's a modem somewhere on site, that's certainly a possibility.
If remote administration was not enabled, then there are two possibilities:
1) It was an inside job, or
2) One (or more) computers were compromised (trojan, rootkit), and then the router was accessed from the inside.
And yes, anyone who has the admin password to the firewall can upload new firmware to the unit, whether it's through remote access, VPN access or local.
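The checks raised across the thread (default admin password, remote administration left on, a VPN tunnel to a peer nobody recognises, static routes or RIP announcing a subnet the site never had) can be turned into a quick post-incident audit of a router's configuration export. The script below is an added example, not code from the thread or from Netgear: the key=value dump format and every field name in it are assumptions chosen for illustration, and the sample dump is constructed to show what a compromised gateway of the kind darkt3ch describes might look like. Adapt the parser to whatever your unit actually exports.

```python
"""Audit a home/SOHO router configuration dump for the indicators discussed
in the thread: factory-default admin password, WAN-side remote management,
VPN tunnels to unknown peers, and static routes or RIP advertising subnets
the site does not own.

The config format below is a CONSTRUCTED key=value dump, not the real
Netgear export format; the field names are assumptions for illustration.
"""
import ipaddress

# Constructed sample dump resembling a compromised gateway: one "key=value"
# setting per line. The 10.66.0.0/24 network is the "foreign" subnet that
# suddenly appeared on the client's router in the thread.
SAMPLE_CONFIG = """\
admin.password=password
admin.remote_management=enabled
admin.remote_management_port=8080
lan.subnet=192.168.1.0/24
vpn.tunnel.1.peer=203.0.113.45
vpn.tunnel.1.remote_subnet=10.66.0.0/24
route.static.1=10.66.0.0/24 via 192.168.1.254
rip.enabled=yes
firmware.version=V1.0.2_EXAMPLE
"""

# Passwords that should never survive on a production gateway (assumed list).
DEFAULT_PASSWORDS = {"password", "admin", "1234", ""}
ON_VALUES = {"enabled", "yes", "on", "1", "true"}


def parse_config(text):
    """Parse a key=value dump into a dict, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg, known_subnets, trusted_vpn_peers=()):
    """Return a list of human-readable findings for the parsed config.

    known_subnets: every network the site legitimately uses or reaches
                   (its own LAN plus any sanctioned site-to-site subnets).
    trusted_vpn_peers: WAN addresses of VPN endpoints the site sanctioned.
    """
    findings = []
    known = [ipaddress.ip_network(s, strict=False) for s in known_subnets]

    if cfg.get("admin.password", "").lower() in DEFAULT_PASSWORDS:
        findings.append("admin password is a factory default or blank")
    if cfg.get("admin.remote_management", "").lower() in ON_VALUES:
        findings.append("remote (WAN-side) administration is enabled")

    for key, val in cfg.items():
        # Any tunnel whose far end is not a sanctioned peer is suspect.
        if key.startswith("vpn.tunnel.") and key.endswith(".peer"):
            if val not in trusted_vpn_peers:
                findings.append(f"{key}: VPN tunnel to unrecognised peer {val}")
        # Tunnel remote subnets and static routes must point at known networks.
        if key.endswith(".remote_subnet") or key.startswith("route.static."):
            subnet = val.split()[0]            # "10.66.0.0/24 via ..." -> prefix
            net = ipaddress.ip_network(subnet, strict=False)
            if not any(net == k or net.subnet_of(k) for k in known):
                findings.append(f"{key}: references unknown subnet {subnet}")

    # A single home gateway has no reason to run a dynamic routing protocol.
    if cfg.get("rip.enabled", "").lower() in ON_VALUES:
        findings.append("RIP is enabled on a gateway that needs no dynamic routing")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG), ["192.168.1.0/24"]):
        print("FINDING:", finding)
```

Run it once with only the site's own LAN as a known subnet and the sample dump produces six findings; pass the foreign subnet and peer as sanctioned and only the password, remote-management and RIP findings remain, which is the distinction larsmhansen draws between a deliberate site-to-site VPN and one nobody authorised. The firmware version line is deliberately left alone: the script cannot tell whether an image is genuine, which is why the thread's advice to reflash from a vendor download after a compromise still applies.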