
Digiweb network security compromise?

  • 04-02-2006 11:23pm
    #1
    Registered Users, Registered Users 2 Posts: 250 ✭✭ikoonman


    I hope this is the right group for this post. If not, I am sorry in advance. (It's because it's more specifically related to Digiweb rather than to security issues.)

    A quick background:
    I recently started having problems with viruses. The last 2 weeks to be specific. I thought this to be quite odd since I am always rather cautious about email attachments etc. and I am aware of security issues and the Internet, and my Windows machines are up to date with the latest patches etc., as well as antivirus with the latest signatures and firewalls (ZoneAlarm, only 2 PCs) and router firmware. Suffice to say I've never had any security related issues.

    I have a small home network with 3 PCs connected to a Linksys router and then the Metro modem. (2 are wired and 1 is wireless, encrypted.) I said only 2 PCs had firewalls because I didn't think the one PC needed it. The reason for that was that, because of my router's firewall, I noticed that the number of attempts from the internet to access my machines by IP had ceased completely, so I guess you can say that I let my guard down slightly. But that (my suspicion) is where my problems started. So I installed ZoneAlarm on the unprotected machine and did full virus, spyware etc. scans on all machines (and it picked up a few viruses, on only the third machine).

    The Issue:
    At first I thought it was a virus that got past my nets, but then I found a different virus. So after installing ZoneAlarm on the 3rd PC (something I should never have uninstalled), I started noticing that it's blocking access attempts from 192.168.* range IP addresses. Now my router's DHCP server dishes out in the same range (192.168.1.*), but these IPs were IPs like 192.168.88.* and 192.168.162.*.

    So certainly it cannot be users hopping on my wireless LAN, because:
    1. the DHCP is limited in the addresses it assigns,
    2. the wireless network is encrypted, and
    3. the ip range is wrong.

    So then I did traceroutes to the IPs and they all resolved to domain names within Digiweb's network (*.dub-deg-br2.net.digiweb.ie, but different hosts), reporting hosts unreachable, probably meaning that:
    1. if it's a dial-up, it's disconnected,
    2. it's a machine protected by its own security, or
    3. it's a machine that is offline.

    So I am quite concerned and curious about what is going on here. Can someone perhaps shed some light on this rather disconcerting anomaly? I'm still not sure how I got the viruses (I haven't had problems with them in a few years), but I am convinced someone is snooping around. And it's not from outside Digiweb's domain, but inside.

    Thanks


Comments

  • Closed Accounts Posts: 355 ✭✭Sarunas


    ikoonman wrote:
    So then I did traceroutes to the IPs and they all resolved to domain names within Digiweb's network (*.dub-deg-br2.net.digiweb.ie, but different hosts), reporting hosts unreachable

    The IPs you're trying to trace are not in the router's routing table, so it sends the request to the default route, which is Digiweb's router. That's why you end up somewhere on Digiweb's network.

    For example, tracing 192.168.200.200 (I'm using the 192.168.0.* range) on BT gives me:
     [svan@horus]->traceroute 192.168.200.200 
     traceroute to 192.168.200.200 (192.168.200.200), 64 hops max, 40 byte packets
      1  192.168.0.1 (192.168.0.1)  8.445 ms  0.613 ms  0.793 ms
      2  bas002.bmt.esat.net (193.95.142.243)  21.665 ms  19.383 ms  17.564 ms
      3  vlan101.rt001.bmt.esat.net (193.95.141.1)  17.164 ms  38.385 ms  16.778 ms
      4  * * *
      5  * * *
      6  * ge0-0.core001.bmt.esat.net (193.95.140.1)  262.905 ms !H *
      7  * ge0-0.core001.bmt.esat.net (193.95.140.1)  166.468 ms !H *
      8  * * *
      9  * * *
     10  * * *
     11  * * *
     12  ge0-0.core001.bmt.esat.net (193.95.140.1)  232.909 ms !H * *
     13  * * *
     14  *^C
    

    The "!H" means the host is unreachable.


  • Registered Users, Registered Users 2 Posts: 32,417 ✭✭✭✭watty


    If your linksys router is firewalling properly you need no firewall SW or zonealarm anywhere.

    If you don't open attachments, don't click on popup stuff and don't install any sharing SW, then you can't really get infected.

    In any case the issue is not Digiweb at all.

    Don't use DHCP. Set static IPs and also put the allowed MAC addresses in the wireless adaptor.

    Then you really know if the IP is on your own LAN.

    Check the Linksys settings, that it really is doing firewall protection and not simply routing everything.


  • Registered Users, Registered Users 2 Posts: 250 ✭✭ikoonman


    watty wrote:
    If your linksys router is firewalling properly you need no firewall SW or zonealarm anywhere.

    If you don't open attachments, don't click on popup stuff and don't install any sharing SW, then you can't really get infected.

    In any case the issue is not Digiweb at all.

    Don't use DHCP. Set static IPs and also put the allowed MAC addresses in the wireless adaptor.

    Then you really know if the IP is on your own LAN.

    Check the Linksys settings, that it really is doing firewall protection and not simply routing everything.

    I am not too concerned about my security settings; I am confident that they're OK. What does bother me is the fact that ZoneAlarm is blocking 2 IPs (192.168.88.1 and 192.168.162.1), which are not on my network. I've even set it up to only allow clients to connect to my router by MAC address. Besides, my router cannot assign IPs in the range above.

    I am still trying to figure out how come they get blocked, and where they are and where they are from. I did various online tests and according to the results my firewall is working fine. It must originate from within the Digiweb network.


  • Closed Accounts Posts: 182 ✭✭aaronc


    ikoonman wrote:
    So I am quite concerned and curious about what is going on here. Can someone perhaps shed some light on this rather disconcerting anomaly? I'm still not sure how I got the viruses (I haven't had problems with them in a few years), but I am convinced someone is snooping around. And it's not from outside Digiweb's domain, but inside. Thanks

    My bet would be you're getting traffic from other Digiweb customers who have been infected by a virus/worm. If the traffic is recurring and attempting to connect to TCP ports 135 to 139 you could almost guarantee that it's from a Windows virus.

    If you want to find out more about the machine sending the traffic, you could always fire up nmap.

    Aaron


  • Registered Users, Registered Users 2 Posts: 250 ✭✭ikoonman


    aaronc wrote:
    My bet would be you're getting traffic from other Digiweb customers who have been infected by a virus/worm. If the traffic is recurring and attempting to connect to TCP ports 135 to 139 you could almost guarantee that it's from a Windows virus.

    You've just confirmed my suspicion. But the ports aren't 135 or 139; they're random, as if it's probing.

    But still surely this is a problem that should be corrected by Digiweb?


  • Registered Users, Registered Users 2 Posts: 1,562 ✭✭✭Snaga


    I'm sure they would be happy to contact the affected customers if you provide their support department with your logs showing IP addresses and times of the scans. (And the actual scans themselves; your firewall logs should have this.)
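The three points made in the replies above (Sarunas: an address outside the router's connected subnet goes to the default route, so a traceroute to a foreign 192.168.x address ends up inside the ISP; aaronc: a source that only hits TCP 135-139/445 looks like a Windows worm, while random ports look like a scan; Snaga: the ISP needs per-source IPs, times and the scans themselves) can be turned into one small triage script. This is an added example, not code from the thread or from any of the posters. The "BLOCK" log format, the 192.168.1.0/24 LAN, the two-entry routing table and the sample log lines (including the TEST-NET address 203.0.113.9) are constructed assumptions, and the worm heuristic is a rule of thumb, not a signature.

```python
"""Triage a personal-firewall log for inbound attempts from addresses that are
not on the local LAN, and build the per-source summary an ISP abuse desk can
act on.  Added example, not code from the thread.  The log format is
constructed to look like a 'blocked inbound' log; it is not the real ZoneAlarm
format."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: the LAN behind the Linksys is 192.168.1.0/24 (the DHCP range the
# poster describes) and the router has only that connected route plus a default.
LOCAL_LAN = ip_network("192.168.1.0/24")
ROUTES = [(LOCAL_LAN, "on-link"), (ip_network("0.0.0.0/0"), "default-gateway")]
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports a Windows worm of that era hammers (RPC, NetBIOS, SMB); a rule of thumb.
WINDOWS_WORM_PORTS = {135, 137, 138, 139, 445}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCK (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample log (not captured traffic); 203.0.113.9 is a TEST-NET address.
SAMPLE_LOG = """\
2006-02-04 22:41:03 BLOCK TCP 192.168.88.1:3071 -> 192.168.1.5:1025
2006-02-04 22:41:03 BLOCK TCP 192.168.88.1:3072 -> 192.168.1.5:5000
2006-02-04 22:41:04 BLOCK TCP 192.168.88.1:3073 -> 192.168.1.5:3127
2006-02-04 22:41:04 BLOCK TCP 192.168.88.1:3074 -> 192.168.1.5:6129
2006-02-04 22:41:05 BLOCK TCP 192.168.88.1:3075 -> 192.168.1.5:2745
2006-02-04 22:52:10 BLOCK TCP 192.168.162.1:4412 -> 192.168.1.5:135
2006-02-04 22:52:10 BLOCK TCP 192.168.162.1:4413 -> 192.168.1.5:139
2006-02-04 22:52:11 BLOCK TCP 192.168.162.1:4414 -> 192.168.1.5:445
2006-02-04 23:01:40 BLOCK TCP 192.168.1.7:1033 -> 192.168.1.5:3389
2006-02-04 23:05:22 BLOCK TCP 203.0.113.9:51200 -> 192.168.1.5:22
this line is deliberately malformed and must be skipped
"""

def next_hop(ip_str):
    """Longest-prefix match over ROUTES.  A 192.168.88.x address is on no
    connected subnet, so the router forwards it to the default route; that is
    why the poster's traceroutes ended up on the ISP's side."""
    ip = ip_address(ip_str)
    best = max((n for n, _ in ROUTES if ip in n), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]

def classify_source(ip_str):
    """local-lan: our subnet; foreign-private: RFC 1918 but not ours, so it can
    only have arrived via the ISP; public: anything else."""
    ip = ip_address(ip_str)
    if ip in LOCAL_LAN:
        return "local-lan"
    if any(ip in net for net in RFC1918):
        return "foreign-private"
    return "public"

def parse_log(text):
    """One dict per well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events

def summarize(events, scan_threshold=4):
    """Group by source; label origin and port pattern.  A source touching only
    RPC/NetBIOS/SMB ports looks like a Windows worm; one spraying many different
    ports looks like a scanner."""
    by_src = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for ev in events:
        s = by_src[ev["src"]]
        s["count"] += 1
        s["ports"].add(ev["dport"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    for src, s in by_src.items():
        s["origin"] = classify_source(src)
        if s["ports"] <= WINDOWS_WORM_PORTS:
            s["pattern"] = "windows-worm-like"
        elif len(s["ports"]) >= scan_threshold:
            s["pattern"] = "port-scan"
        else:
            s["pattern"] = "other"
    return dict(by_src)

def abuse_report(summary):
    """Lines for the ISP: non-local sources with first/last time, hit count and
    ports touched, which is what an abuse desk needs to find the customer."""
    lines = []
    for src in sorted(summary, key=ip_address):
        s = summary[src]
        if s["origin"] == "local-lan":
            continue
        ports = ",".join(str(p) for p in sorted(s["ports"]))
        lines.append(f"{src} ({s['origin']}, {s['pattern']}, next hop {next_hop(src)}): "
                     f"{s['count']} hits {s['first']} .. {s['last']} on ports {ports}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(abuse_report(summarize(parse_log(SAMPLE_LOG))))
```

On the constructed log, 192.168.88.1 comes out as a foreign private source spraying five unrelated ports (the "random, as if it's probing" case), 192.168.162.1 as a foreign private source touching only 135/139/445 (the worm case), and the local 192.168.1.7 entry is left out of the report because the ISP can do nothing about your own LAN. The "next hop default-gateway" field is the same fact Sarunas showed with traceroute: nothing on the home router knows a route to those addresses, so they can only be coming in from, and be answered through, the ISP's side.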

