Hey man, get outta mah computer
July 20, 2010 4:12 AM

I suspect someone in my network connected to my computer today twice while my firewall was not working. Does this mean what I think it does, and what should I do from here?

Ok, so I live in a shared house with three others, and we have shared wireless internet provided by the letting company. Today I had an unsettling experience. I have a program on my computer called Xarp. It's a program that logs any changes to the MAC address and IP of the gateway you're connecting to - a sort of simple tool to see if anyone tries to attempt a man in the middle attack by spoofing your MAC. I have the oldest version because the newer one won't successfully install on my computer for some reason or another.

Well, today I noticed with a start that the program was logging my computer as connected to two ip-macs, one the gateway, and the other... a mac I didn't recognize and an address in a range that indicated it was within my network. Eeek. I killed the connection and then within a few minutes it was connected again. I then saw with a sinking feeling that my firewall was not working. I don't think the other could have been connected for more than 2-3 minutes, but still.

Am I right in suspecting that one of the computers on my network connected to my computer while my firewall wasn't working? Is there any reason to believe that it was anything other than malicious? Or am I AHAHOMGAH...whipping myself into a noob induced paranoiac frenzy?

I have thought of three scenarios:
1. one of my housemates connected to my computer, which I doubt somehow. As far as I know, only two of my three housemates even have a computer - and they really don't seem like the black hat type. One is a 20ish girl, who seems too well adjusted to be some creeper, the other a sweet middle aged woman. She is a little on the snoopy side, but I cannot imagine her doing it. I asked her today if she has a laptop and she said she bought one the other day. In other conversations she has come across as a novice, and I believe her. The other - I don't think she has one, but you never know. I don’t really talk with her. I haven't said anything to any of them about it as yet. You know, there's nothing like accusing your housemates of hacking your computer to endear yourself to them! ;p

2. the network has been compromised, and some unknown person connected to me. One of my roommates sometimes has friends over without asking. She might have given the network pass to this person. Or someone guessed - realistically they could, it's not the default but pretty insecure. This has bothered me for a while but I don't have access to the network, so I can't change the password, and I thought that there was only a tiny chance that a psycho would try it. But I think I will ask the property manager to. Doing this though is going to inconvenience my housemates and maybe make me look like a paranoid crazy person.

3. There is some innocent explanation that I cannot think of because of ignorance.

So, my question is this: do you think my computer was connected to, and was it necessarily malicious? What should I do to get the network secured, and prevent it in the future - should I talk about my suspicions with my property manager, or just let it slide, and just vaguely ask the manager to change the password on safety concerns? I know if I was compromised I totally served myself up by not having noticed that my antivirus had stopped loading on startup for some reason, so I'm going to look at my security.

Running XP Home s3
Comodo Internet Security free (incl firewall)
posted by ultrabuff to Computers & Internet (13 answers total) 3 users marked this as a favorite
 
I think you're probably being paranoid; a lot of network traffic happens automatically. Still, not having an antivirus running on Windows is a bad idea; run a full scan to make sure.

1) Do you have any shared folders on your computer?

2) Is the IP address you were connecting to your own?
posted by katrielalex at 4:39 AM on July 20, 2010


@katrielalex
Yeah, I had an antivirus running at the time, but for some reason for maybe a week my firewall hasn't been starting automatically on start up, and I forgot to start it manually. Yeah, not well done, aye.
1. I have an empty shared folder. I would like to turn off sharing but apparently you can't with xp home? So it could possibly have been one of my housemates trying to detect shared folders.
2. Nope. I checked what ip I am currently allocated and they're different.
posted by ultrabuff at 5:11 AM on July 20, 2010


Did you change the default workgroup name? Did your logging program log a specific port? If you didn't and if the port is 135-139 then it's probably just Windows Networking. Not much I'd worry about. If it's some other port, knowing its number will give you a clue as to what was going on by looking up the associated service.

Also, if you were one of my "supported users", e.g. my mother, I'd uninstall that security software, enable the included windows firewall, install Microsoft Security Essentials, and enable automatic updates. But that's just me.
posted by ob1quixote at 5:17 AM on July 20, 2010 [1 favorite]


"Well, today I noticed with a start that the program was logging my computer as connected to two ip-macs, one the gateway, and the other"

A quick look at that web site indicates it's just showing you the arp table and alerting you if someone shows up attempting to spoof an arp/IP mapping. Was it showing you "there are two entries in the arp table" or did you get an alert that 2 MAC addresses were trying to use the same IP address?

The arp table is a map between the network interface's physical address (or MAC address) and the station's IP address. You see lots of ephemeral arp entries in Windows networks due to the chatty nature of the Windows networking protocols.

In other words, an arp entry in and of itself is no indication you've been attacked.
posted by kjs3 at 5:18 AM on July 20, 2010
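
The distinction kjs3 asks about above, shown as an added example that is not part of the original thread: it compares two snapshots of Windows `arp -a` output and separates a merely new entry from a changed IP-to-MAC mapping. The addresses, MACs, gateway IP and function names are constructed for illustration.

```python
import re

# Matches data rows of Windows `arp -a` output: IP, dash-separated MAC, type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+",
    re.I | re.M)

def parse_arp(text):
    """Return {ip: mac} from `arp -a` text; header lines do not match ROW."""
    return {ip: mac.lower() for ip, mac in ROW.findall(text)}

def classify(before, after, gateway_ip):
    """Compare two ARP snapshots and label each difference."""
    findings = []
    gw_mac = after.get(gateway_ip)
    for ip, mac in sorted(after.items()):
        if ip in before and before[ip] != mac:
            # Same IP now answers with a different MAC: the pattern an
            # ARP-spoof monitor alerts on (a DHCP reassignment looks the same).
            findings.append(("ALERT mapping-changed", ip, mac))
        elif ip != gateway_ip and mac == gw_mac:
            # A second IP sharing the gateway's MAC is also worth a look.
            findings.append(("ALERT shares-gateway-mac", ip, mac))
        elif ip not in before:
            # A new IP with its own MAC: a neighbour exchanged traffic. Normal.
            findings.append(("info new-entry", ip, mac))
    return findings

# Constructed sample snapshots (all addresses and MACs are made up).
BEFORE = """Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
"""
AFTER_BENIGN = BEFORE + "  192.168.1.42          00-aa-bb-cc-dd-ee     dynamic\n"
AFTER_SPOOF = (BEFORE.replace("00-1a-2b-3c-4d-5e", "00-aa-bb-cc-dd-ee")
               + "  192.168.1.42          00-aa-bb-cc-dd-ee     dynamic\n")

if __name__ == "__main__":
    base = parse_arp(BEFORE)
    for name, snap in (("benign", AFTER_BENIGN), ("spoof", AFTER_SPOOF)):
        print(name, classify(base, parse_arp(snap), "192.168.1.1"))
```

The benign snapshot matches what the original poster describes: a second entry appeared but the gateway's mapping did not change.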


Ah, OK. You don't necessarily need a firewall running behind a router anyway (the internal network is not visible to the outside -- see NAT), so I wouldn't worry too much about not having one. The main use of having one on your computer is to stop malicious programs connecting outwards.

I looked up sharing in XP Home and you're right, you can't disable it! I would chalk this up to someone accidentally accessing your shared folders and forget about it. Remember that it's very easy to do that accidentally -- for instance, if you just click on My Network Places in Explorer, it'll give you a list of all the computers on your network, which will connect to them.

I don't know anything about ARP spoofing attacks but a quick Google seems to suggest that the culprit needs access to your network first; as long as you trust your housemates not to have tried it you're probably fine.

The password on my router is horrendously insecure. It was the default for ages. Still never had any problems.
posted by katrielalex at 5:25 AM on July 20, 2010


You may want to offer the novice user with the newly bought computer a quick security setup of that machine, as it is now on the inside of the external router. Who knows what may have been on that machine.
posted by stuartmm at 5:31 AM on July 20, 2010


"So, my question is this: do you think my computer was connected to, and was it necessarily malicious?"

Ok, so first of all let's get this out of the way: Option three.

Second, you say "connected to", but don't specify a port or range of ports? That's something worth learning about - computers don't just "connect", they connect to services that are listening on certain ports (which sort of belongs in quote-unquotes, but that's the conceptually accurate way they're described everywhere) and then interact with those services.

Having said that, there are services on almost every OS that scan around the local network, looking for ways to make your life easier - automatically setting up printers or web proxies, looking for local network shares, what have you. Windows has an automatic proxy setup thing, Apples have Bonjour, a bunch of stuff like that.

I mean, remain vigilant, and good on you for caring about this stuff! But nothing makes you more paranoid, or can take up more of your time, than bad ideas of what makes up the background noise of your environment. This is where haunted houses, ghost stories and a lot of comparably-superstitious IT security measures come from, to be blunt.

So:

- Stay up to date on your Windows or Apple security updates.
- Connect to the internet from behind a little NAT appliance. Any bog-standard Linksys router will do, provided you've changed the password.
- Use WPA and not WEP for wireless encryption, if you care about that. I leave mine unencrypted.

And then sleep soundly.
posted by mhoye at 5:33 AM on July 20, 2010 [2 favorites]


Hey, awesome answers everyone! I'm starting to think that I was being a little paranoid noobie after all.
@ ob1quixote
Yeah you were right, my default workgroup was set up as WORKGROUP, so I've gone and changed that. Unfortunately the program doesn't log ports as far as I can tell. The program didn't show any specific alert, I just happened to have the program on top when the 2nd IP-MAC mapping appeared. I assume the program doesn't log that behaviour as abnormal because no MAC-IP mapping changed, just an additional one appeared.
@ katrielalex
Yeah, surprised me too that you can't turn off sharing. Yeah I don't think it was an arp spoofing attack, and the program didn't show an alert as it being suspicious behaviour.
posted by ultrabuff at 5:47 AM on July 20, 2010


I am not following on how an arp entry somehow means you've been hacked. It looks like your app can help detect local arp spoofing but that's not a substitute for proper firewall logging, which is what you should instead be looking at.

Your housemates are constantly connecting to your computer. All these windows machines are doing netbios broadcasts saying "HEY IM HERE. MY COMPUTER NAME IS XXXX" on top of the ethernet broadcasts and other low level stuff. Not to mention, when they open apps like network neighborhood, they do all sorts of broadcasts to see what shares are on the network, thus connecting to any file/print sharing you have open.

"I know if I was compromised I totally served myself up by not having noticed that my antivirus had stopped loading on startup for some reason, so I'm going to look at my security."

So both your firewall and AV were down? Sounds like you have larger issues than some network traffic. Most likely you compromised yourself long ago and haven't noticed until today. It's not normal for these things to just switch off. If anything, your computer is the one doing the attacking.
posted by damn dirty ape at 7:25 AM on July 20, 2010


Seconding switching to windows firewall and security essentials. If your 3rd party security solutions are shutting off randomly then they're junk and not worth running.
posted by damn dirty ape at 7:26 AM on July 20, 2010


"a sort of simple tool to see if anyone tries to attempt a man in the middle attack by spoofing your MAC"

One more thing, I've seen these home routers screw up DHCP and start handing out duplicate addresses. This is especially common when they reboot. That also would set off anything that checks your arp table. Generally, Windows will detect this and do a DHCP release/renew.
posted by damn dirty ape at 7:33 AM on July 20, 2010


"Yeah you were right, my default workgroup was set up as WORKGROUP, so I've gone and changed that."

That's not going to do much in the way of security.

Honestly, I really wouldn't worry about it. I seriously doubt there's anything on your computer remotely interesting enough to justify the difficulty of hacking into it.
posted by schmod at 8:21 AM on July 20, 2010


Thanks guys. Yeah I deep down suspected that it was many times more likely that my ignorance of the finer points of networks was the problem. It's nice not to have to jump to the much more unlikely conclusion that my middle aged housemate is actually an undercover haxxor genius. Will consider switching to essentials and windows firewall.
posted by ultrabuff at 9:00 AM on July 20, 2010

