LinuxQuestions.org
Old 02-25-2011, 02:29 PM   #1
Axel Meyer
LQ Newbie
Registered: Feb 2011
Posts: 2
Network security blunder


Hi,

had a bit of a scare tonight playing around at the very newbie level with my wireless. I had never taken time to make wireless work on my old distro because I didn't feel I knew enough about it, but now with a new distro I carelessly thought it was time to play with the wireless.

From my old experience I thought that I would have to compile some driver from source to make this work and was looking around at different posts on the subject on the web. I switched the wireless toggle on front of my computer on and played around trying different things. I don't remember it all, but I did do
Code:
modprobe ath5k
and at some point
Code:
iwconfig wlan0 up
Afterwards I did
Code:
iwconfig
which gave output similar to
Code:
lo        no wireless extensions.

eth0      no wireless extensions.

wmaster0  no wireless extensions.

wlan0     IEEE xxxxxxxx  ESSID:""  
          Mode:Managed  Frequency:xxxxxx GHz  Access Point: Not-Associated   
          Tx-Power=20 dBm   
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B   
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
I noted the "no wireless extension" and thought I wasn't connected and started reading some posts on my particular card, maybe I did some more (stupid things), less than 5 minutes later I again did
Code:
iwconfig
And lo and behold, now the line which earlier was
Code:
wlan0     IEEE xxxxxxxx  ESSID:""
read
Code:
wlan0     IEEE xxxxxxxx  ESSID:"LOLZ NO PW PWNED!!"
with the exception that the nice little greeting had yet a derogatory word, but in my native language

I pulled my cable and started worrying!

So my questions are:

Could someone briefly give me the overall picture of what happened?

I have internet connection through a local LAN I think it's called. I connect on an intranet and enter a pw to get net-access.

Why did I "broadcast" myself, all I wanted to do was use the local open network in the building. I want to connect but not open for incoming stuff.

What sources online or books would be good to get a basic at first understanding of everything related to these issues and later a solid understanding?

If this person hadn't changed the ESSID I would likely never have known that I had somehow blundered. Are there some log files that can reveal if this happens and which can show me if it has happened before and if something bad has been done using my connection?

Lastly, what is the sure way to check that everything wireless is shut off?

Sorry for all the questions, I know I have a lot of reading to do before I consider getting wireless working properly again. A very humbling experience that motivates me to study this network stuff.
 
Old 02-25-2011, 04:02 PM   #2
wpeckham
LQ Guru
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,591
Wireless security

Actually, when you got a wireless router (I assume you did) there should have been documentation (perhaps on disk) addressing the security settings. The FIRST thing you do with a wireless device router should be to configure security on the device (admin password). The second should be to lock down the wireless to one of the better encryption standards with a passphrase or key, and a non-default SSID.


Before you turn on a wireless client, you get that information in front of you (or at the front of your mind at least) that you used to set up the router, and configure the wireless client security early - so that it connects ONLY to your secured router (using that passphrase or key).

That said, you should be able to google for some how-to pages that run through the step-by-step of the client side. The router side is somewhat vendor and model specific.

There is, somewhere in your neighborhood, a worm. That is a shame, but not YOUR shame. You did nothing wrong, the worm did.
Still: Please do not feed the worm again: if encouraged they tend to reproduce.
 
Old 02-25-2011, 04:09 PM   #3
Axel Meyer
LQ Newbie
Registered: Feb 2011
Posts: 2
Original Poster
Hi,

I do not have a router.
 
Old 02-26-2011, 07:45 AM   #4
Hangdog42
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1
Quote:
Originally Posted by wpeckham
There is, somewhere in your neighborhood, a worm. That is a shame, but not YOUR shame. You did nothing wrong, the worm did.
Still: Please do not feed the worm again: if encouraged they tend to reproduce.
Given the evidence presented so far, the idea that this is a worm, or any other sort of malware, is HIGHLY speculative at best.


Quote:
Originally Posted by Axel Meyer
Why did I "broadcast" myself, all I wanted to do was using the local open network in the building. I want to connect but not open for incoming stuff.
I'm assuming this means that you tried to connect to an open access point that you don't control. That brings up a couple of questions. First, is this an access point you have permission to connect to? Second, did you actually manage to connect to it?

What you're seeing in the iwconfig output is the SSID broadcast of a wireless access point, which the owner of the access point can change at any time. If you didn't have permission to connect to the AP, it is possible you got noticed and the owner changed the SSID to see if they could scare you.

Now that said, take a look at a few things and see if anything has really happened. Connecting to an AP requires root privileges, so look in /root/.bash_history and see if there is anything there that looks suspicious and that you don't remember doing. Then go look at your log files (usually in /var/log) and do the same thing. You're looking for events that you don't recognize. Feel free to post things that you don't understand.

Lastly, it will be helpful to know a few things like the distro you're using and any network exposed services like ssh or http.
 
Old 02-28-2011, 12:42 PM   #5
wpeckham
LQ Guru
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,591
WIRELESS network security (single ended)

Hangdog42:
No, not that kind of worm. The two-legged kind.
Nice signature on that post! ;-)

Axel:
If you have no router and are connecting to one that does not require any security (passphrase, certificate, etc) then you are connecting to an unsecured and risky wireless network. If you have a software firewall and intrusion detection, that may not be a bad thing: as long as you know to expect trouble and are ready to deal with it. Otherwise I would avoid connecting to it, and consider if it is worth the risk.

I read back over your post again. There is clear evidence that the router was not protected, and that someone was able to get into the router configuration and change it. This is bad. There is no clear evidence that anyone even tried to get into your computer. While it is certainly possible, we KNOW that for part of that time they were involved in breaking into the router, not your PC.

Axel asked how to be sure that his wireless is NOT active. He also asked for books or references that would help him deal with this when he wants/needs to access the network again.
Has anyone additional suggestions that address these questions?

Last edited by wpeckham; 02-28-2011 at 12:44 PM.
 
Old 03-02-2011, 11:32 AM   #6
Hangdog42
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1
Quote:
Originally Posted by wpeckham
I read back over your post again. There is clear evidence that the router was not protected, and that someone was able to get into the router configuration and change it.
Unless I'm really spacing on something, no there isn't. In his second post, Axel stated that he doesn't have a router, which was in response to your question about a wireless router. At least to me, that suggests that the router being seen in the iwconfig output isn't under his control, but rather belongs to someone else. We actually need Axel to clarify this, and add some more info about what he was doing if we're going to help him. I also suspect a fair bit of misunderstanding of how wireless works, but again, without some more input, it is just speculation.
 
1 members found this post helpful.
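An added example, not code from the thread or from any of its posters: a POSIX shell script that performs the two checks the thread keeps circling back to, Axel's "sure way to check that everything wireless is shut off" (post #1, restated by wpeckham in post #5) and Hangdog42's advice in post #4 to look through /var/log for events you do not recognise. It runs on constructed text so it works offline; the iwconfig-style output, the log lines, the interface names, the addresses and the ESSID in it are all made up for the example. The live commands named in the trailing comments (iwconfig, rfkill, ip link, journalctl) are real tools whose output you would substitute.

```shell
#!/bin/sh
# Added example, not from the thread. Two defender-side checks:
#  1. which wireless interfaces exist, which are associated, and to what ESSID
#  2. what the log records about an interface associating, and what else
#     (here: SSH logins) arrived in the same window.
# Everything below runs on constructed sample text so it works offline.

# Constructed iwconfig-style output, modelled on the one quoted in post #1.
# ESSID, frequency and access-point address are made up.
SAMPLE_IWCONFIG='lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bg  ESSID:"LOLZ NO PW PWNED!!"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:11:22:33:44:55
          Tx-Power=20 dBm

wlan1     IEEE 802.11bg  ESSID:""
          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated
          Tx-Power=20 dBm'

# Constructed syslog lines: kernel association messages for wlan0 and an
# SSH login shortly afterwards (192.0.2.10 is a documentation address).
SAMPLE_LOG='Feb 25 14:20:01 box kernel: ath5k phy0: chip found
Feb 25 14:21:10 box kernel: wlan0: authenticate with 00:11:22:33:44:55
Feb 25 14:21:10 box kernel: wlan0: associated
Feb 25 14:25:33 box sshd[1234]: Accepted password for root from 192.0.2.10 port 4444 ssh2
Feb 25 14:30:02 box CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)'

# Interfaces that have wireless extensions at all: every non-indented line
# whose text is not "no wireless extensions" (lo and eth0 are skipped).
wireless_ifaces() {
    printf '%s\n' "$1" | awk '/^[^ ]/ && !/no wireless extensions/ { print $1 }'
}

# Interfaces whose "Access Point:" field holds a BSSID rather than
# "Not-Associated", i.e. the ones actually joined to a network.
associated_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[^ ]/ { iface = $1 }
        /Access Point:/ && !/Not-Associated/ { print iface }'
}

# ESSID the named interface is currently set to (empty string if none).
essid_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[^ ]/ { iface = $1 }
        iface == want && match($0, /ESSID:"[^"]*"/) {
            print substr($0, RSTART + 7, RLENGTH - 8); exit }'
}

# Exit status 0 when no wireless interface is associated: the "is
# everything wireless shut off" check, as far as iwconfig can tell.
all_wireless_down() {
    [ -z "$(associated_ifaces "$1")" ]
}

# Number of authenticate/associate events for an interface in a log text.
assoc_events() {
    printf '%s\n' "$2" | awk -v i="$1" \
        '$0 ~ (i ": (authenticate|associated)") { n++ } END { print n + 0 }'
}

# Successful SSH logins recorded in a log text, as "user from address".
ssh_logins() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Accepted / { print $(NF-5), "from", $(NF-3) }'
}

# Summary over the constructed samples.
report() {
    for i in $(wireless_ifaces "$SAMPLE_IWCONFIG"); do
        printf '%s ESSID=[%s]\n' "$i" "$(essid_of "$i" "$SAMPLE_IWCONFIG")"
    done
    printf 'associated: %s\n' "$(associated_ifaces "$SAMPLE_IWCONFIG" | tr '\n' ' ')"
    printf 'wlan0 association events in log: %s\n' "$(assoc_events wlan0 "$SAMPLE_LOG")"
    printf 'ssh logins in log: %s\n' "$(ssh_logins "$SAMPLE_LOG")"
}
report

# On a live system feed the real output instead, for example:
#   wireless_ifaces   "$(iwconfig 2>/dev/null)"
#   associated_ifaces "$(iwconfig 2>/dev/null)"
#   assoc_events wlan0 "$(cat /var/log/messages)"     # or: journalctl -k
# The radio itself is checked with "rfkill list all" (Soft/Hard blocked)
# and "ip link show" (UP/DOWN); "rfkill block wifi" switches it off in software.
```

A Not-Associated interface can still be up and scanning, so the stronger answer to "is wireless off" is rfkill reporting the radio blocked (or the hardware switch), not an empty ESSID. Note also what the ESSID check does and does not prove: the name iwconfig shows is whatever the access point advertises, so a changed name is evidence about the access point, not by itself evidence that this machine was touched; the log side is where that question gets answered.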