SeanG

join:2013-03-07
Orleans, ON

How to detect..

Ok let me start with explaining what's my issue.

Last week for 4 days my download bandwidth (Rogers) went up so much it passed my cap limit by 32 GB!!!
On which I contacted Rogers to find out what's going on and why I was getting charged an extra $42. I went on and on with them for three days and did what they asked me to do, which was just to unplug the modem for a straight 24 hrs.
So I did, called them back to find out the results, and they concluded I was at fault...

So I explained to them, it's IMPOSSIBLE for me to even download 10 GB in one day, so how can I do this for 4 straight days at over 15 GB? My connection is not even fast enough for that.
They removed my charge for the $42.

I've been checking my connection on a daily basis, including my wireless (hence why I'm posting here), for intruders, and my router does not detect any at all; I've checked the reports, nothing..
But now, earlier this morning, I noticed my modem going nuts, checked my wireless and again no intruders.
Sum up what's connected:
2 wired desktops
1 wireless laptop
2 iPod Touch
1 Nintendo Wii (not always connected, turned off)

Back to what's happening, after seeing the modem acting as such, I checked all computers and iPod's, nothing going on.
So I then had to unplug it and plug it back in after a half hour.
Now I'm at work, I connect to my main computer at home using LogMeIn to check my network with Network Magic (Linksys) and nothing else is connected (no intruders).

My network was on WEP a while back due to some Nintendo DS units which required WEP to connect. I had forgotten about those and my WEP wireless, so this was changed of course to WPA2 but kept the same key (slapping my face for that).
So I recently changed it; I know this should have been done in the first place.

So by reading this book
If it was indeed my fault like Rogers says and my router wasn't detecting an intruder.
If I did have an intruder, why wasn't my router detecting it?
Is it because the hacker was imitating one of my wireless connections, like one of the iPods?
Also by not changing my wireless key and using WPA2, would the hacker still be able to connect?

I may have already found my problem and solution; however, I'd like to know why the intruder, if in fact there is one, was not detected on my router.

Much appreciated if you can help me solve this completely.
FYI, I'm not a high-end tech guy, nor a newbie but I do know how to get around.

Thanks



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

#1 What is the brand and model of your modem?

#2 If you have a RJ-45 WAN port router connected to the modem: What is the brand and model of the RJ-45 WAN port router?

#3 For the laptop and Desktop(s) only:

a) What software firewall are you using?

For example - the one built into the OS..

b) If the software firewall built into the OS: What OS and Version:

For example - Windows XP.

#4 What level of WPA2 are you using: WPA2 or WPA2/WPA Mixed Mode?
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

1 recommendation

reply to SeanG

If I have the key to your house, am I breaking in?

WEP is very easy to hack. Because you went to WPA2, but used the same PW, they could still connect. Change the PW for the router, and the wifi connection.
--
"I fear the day that technology will surpass our human interaction. The world will have a generation of idiots." ~ Albert Einstein



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7

said by Juggernaut:

If I have the key to your house, am I breaking in?

WEP is very easy to hack. Because you went to WPA2, but used the same PW, they could still connect. Change the PW for the router, and the wifi connection.

I agree with that, as the first thing to do....

SeanG

join:2013-03-07
Orleans, ON
reply to aefstoggaflm

said by aefstoggaflm:

#1 What is the brand and model of your modem?
It's still the old 2.0 from Rogers (Scientific Atlanta DPC2100), planning on changing it tonight as well for the 3.0 to give them more money...

#2 If you have a RJ-45 WAN port router connected to the modem: What is the brand and model of the RJ-45 WAN port router?
Linksys WRT54G Wireless-G Broadband Router

#3 For the laptop and Desktop(s) only:

a) What software firewall are you using?
Comodo Internet Security (up-to-date)

For example - the one built into the OS..

b) If the software firewall built into the OS: What OS and Version:

For example - Windows XP.

#4 What level of WPA2 are you using: WPA2 or WPA2/WPA Mixed Mode?
WPA2 Personal

Missing anything?

quote:
If I have the key to your house, am I breaking in?

WEP is very easy to hack. Because you went to WPA2, but used the same PW, they could still connect. Change the PW for the router, and the wifi connection.

Good point
Forgot about the router PW too, changing that now as well.

Right now, no wireless in the house since I've changed the wifi key. So the router disconnected all wifi (of course); however, I have no idea what's going on with my modem at this time since I'm still at work.
Hopefully no activity.


Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

1 recommendation

Unless you have malware on the home computer, there should be no modem activity to speak of.



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
reply to SeanG

#1 Since the router is using WPA2 Personal, what level is that:

a) AES

OR

b) TKIP

c) OR both AES and TKIP

?

#2 While I know you turn off the Wii, did you disconnect the power to it too?

#3 When you get home OR use LogMeIn: In the Linksys router go to Administration -> Management

#4 UPnP in the router is turned off?

#5 Remote Router Access in the router is turned off?

#6 When you get home OR use LogMeIn: In the Linksys router go to Administration -> Log

#7 Enable the log, if the log is not already enabled.



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7

1 recommendation

reply to Juggernaut

said by Juggernaut:

Unless you have malware on the home computer, there should be no modem activity to speak of.

If the OP thinks that there is malware on his/her computer, he/she should:

a) Post in »Security Cleanup

b) While posting there, follow »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

SeanG

join:2013-03-07
Orleans, ON
reply to aefstoggaflm

said by aefstoggaflm:

#1 Since the router is using WPA2 Personal, what level is that:

a) AES

OR

b) TKIP

c) OR both AES and TKIP

--Both

#2 While I know you turn off the Wii, did you disconnect the power to it too?
--Oh yes, both!

#3 When you get home OR use LogMeIn: In the Linksys router go to Administration -> Management

#4 UPnP in the router is turned off?
--Should it be?

#5 Remote Router Access in the router is turned off?
--yes

#6 When you get home OR use LogMeIn: In the Linksys router go to Administration -> Log

#7 Enable the log, if the log is not already enabled.

--Just when I was reading this, I was also re-enabling this.


SeanG

join:2013-03-07
Orleans, ON
reply to aefstoggaflm

said by aefstoggaflm:

said by Juggernaut:

Unless you have malware on the home computer, there should be no modem activity to speak of.

If the OP thinks that there is malware on his/her computer, he/she should:

a) Post in »Security Cleanup

b) While posting there, follow »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

When the bandwidth issue happened last week, I did a complete scan. I did have some malware, nothing major really and most I already knew about.


aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
reply to SeanG

said by SeanG:

said by aefstoggaflm:

#3 When you get home OR use LogMeIn: In the Linksys router go to Administration -> Management

#4 UPnP in the router is turned off?

--Should it be?

Well, let me explain some info..

#1 Assuming that UPnP is off - if you want users upstream of your router to connect through your router to your computer behind your router, you must log in to your router and forward ports to the computer behind your router that you want them to connect to.

There are guides on-line you can find on how to do that, if you are interested...

#2 As long as a program (for example uTorrent) or a system (for example most network cameras and DVRs) allows you to define the port (or ports) that that program/system uses (regardless of whether that program/system supports UPnP or not), then you do not need to use UPnP to allow users upstream of your router to connect through your router to your computer behind your router.

#3 If a program or a system (for example Xbox) does not allow you to define the ports that that program/system uses, and you have at least two of those programs/systems that support UPnP, and you have only one public IP, then using UPnP, I have heard/read, is the only way to get those apps/systems to work.

For example, if talking about the Xbox or the Playstation: with only one public IP and without using UPnP, good luck on getting Open NAT (on the Playstation it's called NAT Type 2).

#4 Using UPnP allows you to open ports in the router automatically without being asked for the router's control password (with most Linksys the default password is admin).

#5 If you call number four above bad, that is the least of the issues with UPnP..

a) I point to »www.h-online.com/security/news/i···727.html

b) To test to be sure UPnP is not enabled on the WAN side:

a) Go to grc.com -> Services -> Shields Up.

b) Read the page.

c) Click on Proceed.

d) Say OK to the alert about switching from https (SSL) to http (non-SSL), as need be.

e) Click on GRC's Instant UPnP Exposure Test.

**

Please note: There are other websites that allow you to check if UPnP is enabled on the WAN side, but I have not seen any others that are free from JavaScript.

For example, with »upnp-check.rapid7.com/ I had to have JavaScript turned on and with NoScript I had to trust rapid7.com

HELLFIRE
Premium
join:2009-11-25
kudos:15

1 recommendation

reply to SeanG

said by SeanG:

however, I'd like to know why the intruder if in fact there is one was not detected on my router.

1. As others have said, get rid of WEP and go to a stronger encryption scheme. Also change the wireless password on a semi-regular basis.

2. If your gear is home use / low end, tracking "intruders" is going to be difficult. Two places you'd want to check are the wireless associations and the router's ARP table, which for most home / low-end gear you have to check manually.

If possible, you could look into routers that are amenable to being modded with alternate firmwares -- DD-WRT, Tomato, etc. -- which offer MUCH more functionality. One especially useful feature is the ability to monitor bandwidth utilization to see if something screwy's going on or not, which from the sounds of it is basically what started the whole gongshow.

3. ALWAYS practice endpoint safe hex -- AV, malware scanners, unknown / unwanted programs, etc. This cannot be reiterated enough.

My 00000010bits.

Regards
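An added example (not code from the thread or from any tool named in it) of the manual check HELLFIRE describes in point 2: take the ARP / client table from the router or from a PC on the LAN and compare it against the devices you know you own. Everything in it is constructed for the demonstration: the MAC addresses, the inventory, and the sample `arp -a` output. It goes a little beyond the single case in the post in that the parser accepts both the Windows (`00-1a-...`) and Unix (`00:1a:...`) `arp -a` notation, and it also flags a known MAC that shows up at more than one IP.

```python
"""Audit a router's ARP / client table against a list of devices you own.

Added example, not from the thread. HELLFIRE's advice is to check the
wireless association list and the router's ARP table by hand; this does
the comparison once you paste the table in. The MAC addresses and the
device inventory below are made up for the demonstration.
"""
import re
from collections import defaultdict

# An IPv4 address followed by a MAC in either Windows (00-1a-...) or
# Unix (00:1a:...) notation, so `arp -a` output from either OS parses.
ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)

# Hypothetical inventory: every MAC you know should be on the network.
KNOWN_DEVICES = {
    "00:1a:70:aa:bb:cc": "WRT54G router (LAN side)",
    "00:21:6a:11:22:33": "desktop 1 (wired)",
    "00:26:08:44:55:66": "laptop (wireless)",
}

# Constructed sample in the style of Windows `arp -a`; not a real capture.
SAMPLE_ARP = """\
Interface: 192.168.1.100 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-70-aa-bb-cc     dynamic
  192.168.1.101         00-21-6a-11-22-33     dynamic
  192.168.1.102         00-26-08-44-55-66     dynamic
  192.168.1.117         00-26-08-44-55-66     dynamic
  192.168.1.150         5c-f9-dd-77-88-99     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def normalize_mac(mac):
    """Canonical form: lower-case, colon separated."""
    return mac.replace("-", ":").lower()


def is_unicast(mac):
    """Broadcast and multicast entries are noise, not hosts. The low bit of
    the first octet is the IEEE group bit and is set for both."""
    return not int(mac.split(":")[0], 16) & 1


def parse_arp_table(text):
    """Return [(ip, mac), ...] for the unicast entries in an ARP listing."""
    entries = []
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if not match:
            continue
        ip, mac = match.group(1), normalize_mac(match.group(2))
        if is_unicast(mac):
            entries.append((ip, mac))
    return entries


def audit(entries, known):
    """Flag MACs not in the inventory, and MACs seen at more than one IP.

    A MAC at two IPs can be innocent (DHCP lease churn after a reboot), but
    it is also what you would see if a second host were using a cloned MAC
    alongside the real one, so it deserves a look either way.
    """
    ips_by_mac = defaultdict(set)
    for ip, mac in entries:
        ips_by_mac[mac].add(ip)
    unknown = sorted((ip, mac) for ip, mac in entries if mac not in known)
    multi_ip = {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return {"unknown": unknown, "multi_ip": multi_ip}


if __name__ == "__main__":
    report = audit(parse_arp_table(SAMPLE_ARP), KNOWN_DEVICES)
    for ip, mac in report["unknown"]:
        print(f"UNKNOWN device {mac} at {ip}")
    for mac, ips in report["multi_ip"].items():
        label = KNOWN_DEVICES.get(mac, "unknown")
        print(f"{mac} ({label}) seen at {', '.join(ips)}")
```

Paste the router's DHCP client list or the output of `arp -a` in place of SAMPLE_ARP. An unknown MAC is the obvious thing to chase down; a known MAC at two addresses is usually DHCP churn, but it is also what a cloned MAC looks like, so check which host is really at each IP before dismissing it. One limitation to keep in mind: a PC's ARP table only shows hosts that have exchanged traffic with that PC, so the router's own client list (or the wireless association list HELLFIRE mentions) is the more complete source.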

SeanG

join:2013-03-07
Orleans, ON

Thanks guys, you learn something new everyday.

My issue is still not resolved...
I've done a complete check using Malwarebytes Anti-Malware, Spybot, and a virus scan from my antivirus.
And yesterday I called Rogers to help me switch to bridge mode; that was done last night.

I've also changed my long bad ass key once again to over 20 characters (for the third time!).

So I'm completely out of ideas; however, very early this morning I started to think, maybe it is my PC which runs WinXP...
In some way, somehow... someone is connecting to it and it's completely undetected.
So I just might spend hours on reinstalling Win XP.

I also have a dual-boot with Win 7 Ultimate. I don't really run that one because most games, most old such as Diablo 2 LOD (my ten-year-old likes to play) and a few others, don't run on Win 7.
Right now it's going to stay on Win 7 because my cap limit has only about 20 GB left out of 80 GB; that's correct, 60 GB in about 11 days!!!
And I'll just disable the internet on the WinXP; the games don't require internet to play anyway.

So aefstoggaflm I've tried the grc.com (Shield's Up), results are:
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
(That's good news!)

This page has reported 3231 positive “exposed” results.

Is that really good news?
And it's on my Win 7 boot.


SeanG

join:2013-03-07
Orleans, ON
reply to HELLFIRE

said by HELLFIRE:

1. As others have said, get rid of WEP and go to a stronger encryption scheme. Also change the wireless password on a semi-regular basis.

3. ALWAYS practice endpoint safe hex -- AV, malware scanners, unknown / unwanted programs, etc. This cannot be reiterated enough.

Oh Hellfire, I know WEP is garbage but like I mentioned before, I forgot I was still using it due to Nin DS's. I check my network on a regular basis using Cisco Network Magic Pro, unless this program is crap, I do see any intruders at all and it would report them or I can manually check anytime.

My antivirus is up-to-date, malware check done, unknown programs check done at least 2-3 times a week. I do have 3 others in the house (Wife & two kids age 8 & 10) and they know where they can go and if something pops-up to come get me. Told them, you break (virus or whatever), no more computer, so they don't want that to happen.


aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
reply to SeanG

said by SeanG:

So aefstoggaflm I've tried the grc.com (Shield's Up), results are:
THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
(That's good news!)
Is that really good news?

Yes, for you.

That test only tests the device that is handling the public IP (WAN level). It does not test the LAN or the OS.

To test at the LAN level:

I have heard/read

quote:
»opentools.homeip.net/dev-tools-for-upnp

If you don't care about sources, just pick the developers tool package and install it; when the setup completes you'll have a new program group containing a number of UPnP tools. The ones we're interested in are called Device Sniffer and Device Spy. Let's start with the first one: run it (and allow it on your firewall) and if there are any active UPnP clients seeking UPnP-enabled devices you'll see the discovery packets logged in the program GUI. Once done, just close the app and fire up Device Spy; the app will send out discovery packets and show the UPnP devices it discovered (in some cases you may need to use "rescan network" to discover more devices). Just let it run (minimized) for a while and, again, if there are any UPnP devices sitting on the network, the app will list them.

After that is done, to test at the OS level if UPnP is enabled or not - on Windows: I point you to grc.com -> Freeware -> Security -> UnPlug n' Pray. That tool also lets you disable UPnP if it is enabled.

said by SeanG:

So aefstoggaflm
This page has reported 3231 positive “exposed” results.

Is that really good news?

For those other users, no.

I am sure that they will fix their issue..
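aefstoggaflm's UPnP explanation earlier in the thread and the Device Sniffer / Device Spy walk-through just above both come down to one protocol exchange: a host multicasts an SSDP M-SEARCH to 239.255.255.250:1900 and every UPnP device on the LAN answers with an HTTP-style `200 OK` that names its device or service type and a LOCATION URL for its description. The following is an added example, not code from the thread or from the tools it names, that sends that probe, parses the replies, and flags the gateway / WAN-connection types that port-mapping requests are addressed to. The sample reply is constructed to resemble a typical Internet Gateway Device answer; its UUID, LOCATION and SERVER values are made up.

```python
"""SSDP discovery: see which UPnP devices answer on the LAN.

Added example, not from the thread or from the tools it names. This is the
same M-SEARCH probe that Device Spy sends and the same kind of reply that
Device Sniffer logs. SAMPLE_REPLY is constructed to look like a typical
Internet Gateway Device answer; nothing here is captured from a real network.
"""
import socket
import sys

SSDP_GROUP = ("239.255.255.250", 1900)
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode("ascii")

# Device/service types that carry the AddPortMapping action, i.e. the ones
# a LAN host (or malware on it) uses to open ports without the router password.
GATEWAY_TYPES = ("InternetGatewayDevice", "WANIPConnection", "WANPPPConnection")

# Constructed sample reply; the UUID, LOCATION and SERVER values are made up.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:0ee1d6b0-0000-4000-8000-0123456789ab::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: Linux/2.4 UPnP/1.0 example/1.0\r\n"
    b"\r\n"
)


def parse_ssdp_response(raw):
    """Return a dict of upper-cased headers for an M-SEARCH reply, else None.

    Only `HTTP/1.1 200 OK` replies answer our search; NOTIFY announcements
    (what Device Sniffer logs passively) use a different start line.
    """
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers


def is_gateway_service(headers):
    """True if the reply advertises a router-type device or a WAN service."""
    advertised = headers.get("ST", "") + headers.get("USN", "")
    return any(t in advertised for t in GATEWAY_TYPES)


def discover(timeout=3.0):
    """Multicast one M-SEARCH and collect replies until `timeout` seconds pass
    with nothing more arriving. Returns {sender_ip: [headers, ...]}."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = {}
    try:
        sock.sendto(M_SEARCH, SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers:
                found.setdefault(ip, []).append(headers)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    # With --live, probe the LAN for real; otherwise demonstrate on the sample.
    if "--live" in sys.argv:
        results = discover()
    else:
        results = {"192.168.1.1": [parse_ssdp_response(SAMPLE_REPLY)]}
    for ip, replies in results.items():
        for h in replies:
            tag = "GATEWAY" if is_gateway_service(h) else "other"
            print(f"{ip:<15} {tag:<8} {h.get('ST', '?')}  {h.get('LOCATION', '')}")
```

By default the script only runs the parser over the constructed reply; run it with `--live` from a PC that sits behind the router to send the probe for real. Seeing the router answer here is expected and is not by itself the problem: this is the LAN side, which the GRC test does not look at, while the GRC test tells you whether the same service is reachable from the Internet. What the LAN-side answer tells you is whether any host on your network, including one running something you did not install, can ask the router to open ports without its password, which is the concern raised under point #4 above.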

SeanG

join:2013-03-07
Orleans, ON

I've downloaded the tool package and started Device Sniffer; it sniffed... and sniffed... with always the same results. Possibly because I'm connected to my PC using LogMeIn from work?
I then tried Device Spy, got nothing at all, even after 5 mins.... should I leave it longer?

Then I went ahead and tried the Unplug n' Pray, it was enabled!
But now disabled

Also I'm not sure if you noticed one of my previous post regarding Cisco Network Magic Pro, any idea if this is any good or is it providing false information?

Thanks


SeanG

join:2013-03-07
Orleans, ON
reply to aefstoggaflm

So I tried Device Sniffer it just kept on going and going with the same results (could this be because I'm using LogMeIn from work?)
Device Spy didn't do anything at all, for at least 5 mins, should I leave it longer?

I went ahead and use the Unplug n' Pray, it was enabled! But now disabled.

I'm not sure if you had read my previous post regarding Cisco Network Magic Pro?
Any idea if it's fact providing the correct info?


aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
reply to SeanG

#1 I do not know much about Cisco Network Magic Pro, but I detected an important missing word: Not.

quote:
I do not see any intruders at all and it would report them or I can manually check anytime.

#2 The tools should be on a computer that is behind your router at home.

#3 I would recommend locking down the (If you have not already, done so) router and the modem.

If someone could get into the room where...

a) ...the router is: then they could reset the router back to the defaults.

b) ...the modem is: then they could disconnect the modem from the router and bypass the router (connect their computer directly to the modem).

SeanG

join:2013-03-07
Orleans, ON

1 recommendation

The issue of a physical person actually touching these is quite impossible. We're just a Family of 4 (Parents and 2 small kids (10 & 8)), I'm the only tech guy in the house and we never have visitors, only on special occasions (xmas, easter etc...) and they are also not into the tech stuff. They always contact me for some help.

I'll let this run on Win 7 for the day and with the UPnP now really disabled, I hope it's just the Win XP boot that has the problem.
If so, I'll wipe it clean and start that over and only use Win 7, disable the internet on the Win XP once it's up.

Again, much appreciated for your wonderful help.



SoonerAl
Premium,MVM
join:2002-07-23
Norman, OK
kudos:5

1 edit

1 recommendation

If you suspect an intrusion you might see activity by running this old program called AirSnare on your XP box. I used it in the long distant past to monitor my home network...

»home.comcast.net/~jay.deboer/airsnare/

I don't know if it will run on a Windows 7 machine or not...



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
reply to SeanG

Maybe, the meters are wrong?

While I know your ISP is Rogers, I point to »AT&T Won't Explain Meter Inaccuracy, Claims Data Proprietary


HELLFIRE
Premium
join:2009-11-25
kudos:15

1 recommendation

reply to SeanG

Never used Network Magic Pro, but here's the key thing -- does it check ON DEMAND, or does it check ALL THE TIME? If you don't have some sort of method of it watching all the time AND logging the results somewhere for later review, especially when you're sleeping or at work, then it defeats the purpose of your security stance.

My 00000010bits

Regards


hellonewman

join:2013-03-18

2 recommendations

reply to SeanG

It is possible that your MAC address has been cloned and someone is piggybacking off of your connection. I would disable wireless and see if your data still goes up quickly.


SeanG

join:2013-03-07
Orleans, ON

3 edits

Well now we're at the middle of March and I've already gone over my cap by 14 GB, so it's now at 94 GB for the month. I've never ever been close to 60 GB in a whole month....

Last night I called Rogers again to let them know; of course it's 99.9% on my side. Well, I told him I'm 100% sure it's not, with all the anti-malware installed and always checking, so the 0.1% is because of....

I got fed up and scrapped my Win 7 drive and reinstalled it; now I'll be doing the same for the Win XP drive (same PC by the way).

I noticed the router was going nuts with the wireless even though my laptop is turned off and both iPods too. Nothing connected to the wireless network. Checked my wireless settings, everything looked OK, but the Wireless MAC Filter had about 8 or 9 entries?

I cleared all of them, then the wireless light on the router stopped blinking... could that have been the problem?
If so, how, and how can I prevent this from happening again?

***Update***
Last night I purchased a new Linksys router to replace my old one; I got the E2500 and I had the WRT54G2. So this would change my pass key once again, for the fourth time, and this time it's 26 characters long with different characters, not just letters & numbers. So if this one gets cracked, damn, that person is a damn genius!
Rogers tech support mentioned I should maybe change their modem too, which I couldn't do last night (didn't have time); maybe this evening.
Just checked my bandwidth: yesterday had over 9 GB, but that could have been before I changed the router. I'll only know tomorrow if the new router changed anything.

Another thing I forgot to mention, my speed is not affected at all!!!

More info, just found this site and I'm clearly not the only one...
»trueler.com/2012/01/29/rogers-in···-beware/


SeanG

join:2013-03-07
Orleans, ON

Ok, I've completely given up on Rogers internet; my usage for March 19th is missing, I have the 20th, then it's the 18th and before.
I have now reached 98 GB in 20 days with only the Express package.

As of today I am no longer a Rogers Internet customer (well, the end date is April 19th). It's sad really, mostly when I've had no issues with them since they first came out with cable internet (@Home service). They tried to offer me the unlimited plan thing free for 12 months; oh, that's nice, but like I told the Rep, what if the problem is still there after the 12 months? Because I don't need to pay an extra $10 for unlimited while the overage issue still exists, what then?
He didn't have an answer for me.

Soooo I went to Distributel and took the Cable 28 package, cheaper, a little faster and unlimited at no extra charge...

I am sad to leave them but one has to take a stand once a while.