Hi
I've got a local LAN setup behind a wireless router. Bad security setup, never bothered with it. Anyways
A neighbour used a wireless bridge to get into my network and was using up all my bandwidth. I restricted the wireless section to only allow my laptop(s) MAC addresses in, but he still got in (used MAC spoofing I presume).
Anyways I ran a port scanner and logged into his bridge, he had my SSID entered in it (obviously) which made me believe that it wasn't an accidental next -> next windows dude (not to mention the MAC spoofing). I mean a wireless bridge is usually used to give a wired router wireless capability. Anyways so I did a lot of port scans on NAT address ranges and on 10.1.1.X came up with around 40-50 machines visible. NOW the Q's
(My IP range was 192.168.254.x)
1) From my understanding of NAT, the only way possible for me to see 10.1.1.x was through the bridge, since NAT isn't routable over the internet, which meant either that guy has 40-50 machines in his basement or he's gotten into 40-50 machines and has aliases or something for them. Am I right?
I ran a traceroute and got a lot of timed out messages but the 2nd and 3rd hop were regular internet visible IP addresses

2) A lot of the machines I found had either 23/513 open or 80. I checked the port 80's and found 5 different cable modems with diff public IP's. I also did telnets on the other machines but didn't get any login (could type in text and didn't get a connection refused either). Anyways 5 diff cable modems to me SEEMED like he's in 5 other networks too (all of the cable modems are in the same IP range of my ISP).
3) What should I do? I can simply enable WEP, disable wireless access unless a laptop is on etc, but I'd prefer notifying the other people being abused (IF my hypotheses are right)? And no I wouldn't want to call the cops (Esp. with all the RIAA stuff)
4) I thought about doing packet sniffing but am not as knowledgeable about that as I would've wanted to be. Also my 3 mbps pipe had only 77K left on my last cnet bandwidth test (I usually get 2-2.5Mbps). Also one possibility I presumed was Spamming, the guy visited www.atdmt.com which seems to be a digital marketing company but our ISP blocks port 25, so once again
Thanks for any ideas / help
 
EDIT: Am including the trace route
Tracing route to 10.1.1.252 over a maximum of 30 hops
1 * * * Request timed out.
2 16 ms * 69 ms xxxx [68.100.x.x]
3 28 ms 26 ms 18 ms xxxx [68.100.x.x]
4 45 ms 49 ms 40 ms 10.1.1.252
			