LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 02-25-2011, 02:29 PM   #1
Axel Meyer
LQ Newbie
 
Registered: Feb 2011
Posts: 2

Rep: Reputation: 0
Network security blunder


Hi,

had a bit of a scare tonight playing around at the very newbie level with my wireless. I had never taken time to make wireless work on my old distro because I didnt feel I knew enough about it, but now with a new distro I carelessly thought it was time to play with the wireless.

From my old experience I thought that I would have to compile some driver from source to make this work and was looking around at different posts on the subject on the web. I switched the wireless toggle on front of my computer on and played around trying different things. I don't rememeber it all, but I did do
Code:
modprope ath5k
and at some point
Code:
iwconfig wlan0 up
Afterwards I did
Code:
iwconfig
which gave output similar to
Code:
lo        no wireless extensions.

eth0      no wireless extensions.

wmaster0  no wireless extensions.

wlan0     IEEE xxxxxxxx  ESSID:""  
          Mode:Managed  Frequency:xxxxxx GHz  Access Point: Not-Associated   
          Tx-Power=20 dBm   
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B   
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
I noted the "no wireless extension" and thought I wasnt connected and started reading some posts on my particular card, maybe I did some more (stupid things), less than 5 minutes later I again did
Code:
iwconfig
And lo and behold, now the line wich earlier was
Code:
wlan0     IEEE xxxxxxxx  ESSID:""
read
Code:
wlan0     IEEE xxxxxxxx  ESSID:"LOLZ NO PW PWNED!!"
with the exception that the nice little greeting had yet a derogatory word, but in my native language

I pulled my cable and started worrying !

So my questions are:

Could someone briefly give me the overall picture of what happened ?

I have internet connection through a local LAN I think its called. I connect on an intra net and enter a pw to get net-access.

Why did I "broadcast" myself, all I wanted to do was using the local open network in the building. I want to connect but not open for incoming stuff.

What sources online or books would be good to get a basic at first understanding of everything related to these issues and later a solid understanding ?

If this person hadn't changed the ESSID I would likely never have known that I had somehow blundered. Are there some log files that can reveal if this happens and which can show me if it has happened before and if something bad has been done usingmy connection ?

Lastly, what is the sure way to check that everything wireless is shut off ?

Sorry for all the questions, I know I have a lot of reading to do before I consider getting wireless working properly again. A very humbling experience that motivates me study this network stuff
 
Old 02-25-2011, 04:02 PM   #2
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,227

Rep: Reputation: 893Reputation: 893Reputation: 893Reputation: 893Reputation: 893Reputation: 893Reputation: 893
Wireless security

Actually, when you got a wireless router (I assume you did) there should have been documentation (perhaps on disk) addressing the security settings. The FIRST thing you do with a wireless device router should be to configure security on the device (admin password). The second should be to lock down the wireless to one of the better encryption standards with a passphrase or key, and a non-default SSID.


Before you turn on a wireless client, you get that information in front of you (or at the front of your mind at least) that you used to set up the router, and configure the wireless client security early - so that it connects ONLY to your secured router (using that passphrase or key).

That said, you should be able to google for some how-to pages that run through the step-by-step of the client side. The router side is somewhat vendor and model specific.

There is, somewhere in your neighborhood, a worm. That is a shame, but not YOUR shame. You did nothing wrong, the worm did.
Still: Please do not feed the worm again: if encouraged they tend to reproduce.
 
Old 02-25-2011, 04:09 PM   #3
Axel Meyer
LQ Newbie
 
Registered: Feb 2011
Posts: 2

Original Poster
Rep: Reputation: 0
Hi,

I do not have a router.
 
Old 02-26-2011, 07:45 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416Reputation: 416Reputation: 416Reputation: 416Reputation: 416
Quote:
Originally Posted by wpeckham
There is, somewhere in your neighborhood, a worm. That is a shame, but not YOUR shame. You did nothing wrong, the worm did.
Still: Please do not feed the worm again: if encouraged they tend to reproduce.
Given the evidence presented so far, the idea that this is a worm, or any other sort of malware, is HIGHLY speculative at best.


Quote:
Originally Posted by Axel Meyer
Why did I "broadcast" myself, all I wanted to do was using the local open network in the building. I want to connect but not open for incoming stuff.
I'm assuming this means that you tried to connect to a an open access point that you don't control. That brings up a couple of questions. First, is this an access point you have permission to connect to? Second, did you actually manage to connect to it?

What you're seeing in the iwconfig output is the SSID broadcast of a wireless access point, which the owner of the access point can change at any time. If you didn't have permission to connect to the AP, it is possible you got noticed and the owner changed the SSID to see if they could scare you.

Now that said, take a look at a few things and see if anything has really happened. Connecting to an AP requires root privileges, so look in /root/.bash_history and see if there is anything there that looks suspicious and that you don't remember doing. Then go look at your log files (usually in /var/log) and do the same thing. You're looking for events that you don't recognize. Feel free to post things that you don't understand.

Lastly, it will be helpful to know a few things like the distro you're using and any network exposed services like ssh or http.
 
Old 02-28-2011, 12:42 PM   #5
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 2,227

Rep: Reputation: 893Reputation: 893Reputation: 893Reputation: 893Reputation: 893Reputation: 893Reputation: 893
WIRELESS network security (single ended)

Hangdog42:
No, not that kind of worm. The two-legged kind.
Nice signature on that post! ;-)

Axel:
If you have no router and are connecting to one that does not require any security (passphrase, certificate, etc) then you are connecting to an unsecured and risky wireless network. If you have a software firewall and intrusion detection, that may not be a bad thing: as long as you know to expect trouble and are ready to deal with it. Otherwise I would avoid connecting to it, and consider if it is worth the risk.

I read back over your post again. There is clear evidence that the router was not protected, and that someone was able to get into the router configuration and change it. This is bad. There is no clear evidence that anyone even tried to get into your computer. While it is certainly possible, we KNOW that for part of that time they were involved in breaking into the router, not your PC.

Axle asked how to be sure that his wireless is NOT active. He also for asked book or references that would help him deal with this when he wants/needs to access the network again.
Has anyone additional suggestions that address these questions?

Last edited by wpeckham; 02-28-2011 at 12:44 PM.
 
Old 03-02-2011, 11:32 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 416Reputation: 416Reputation: 416Reputation: 416Reputation: 416
Quote:
Originally Posted by wpeckham
I read back over your post again. There is clear evidence that the router was not protected, and that someone was able to get into the router configuration and change it.
Unless I'm really spacing on something, no there isn't. In his second post, Axel stated that he doesn't have a router, which was in response to your question about a wireless router. At least to me, that suggests that the router being seen in the iwconfig output isn't under his control, but rather belongs to someone else. We actually need Axel to clarify this, and add some more info about what he was doing if we're going to help him. I also suspect a fair bit of misunderstanding of how wireless works, but again, without some more input, it is just speculation.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Google admits wi-fi data collection blunder Jeebizz Linux - News 4 05-15-2010 06:21 AM
LXer: Network Security Toolkit distribution aids network security administrators LXer Syndicated Linux News 0 07-23-2008 11:02 PM
LXer: The Great Microsoft Blunder LXer Syndicated Linux News 1 04-26-2006 01:48 PM
LXer: Open Source's Big Blunder LXer Syndicated Linux News 0 01-10-2006 03:01 PM
Linux CD burning blunder mainak Linux - General 2 05-25-2003 11:50 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 03:43 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration