Remote Exploit Forums

  #21 (permalink)  
Old 11-04-2009, 06:02 PM
Thorn
Senior Member
 
Join Date: Jul 2007
Location: The Village, of course
Posts: 1,269

Quote:
Originally Posted by McKindling
I ran Wireshark during the problem and noticed that every time I tried facebook.com there was a TCP retransmission that Wireshark detected. Does this sound malicious?
No, it sounds like a transmission error specific to Facebook, or Facebook's DNS.

Quote:
Originally Posted by McKindling
Also, I learned that a year ago our ISP informed us that someone had physically connected to our line. Our ISP thought they were stealing our internet and thought they removed them, but gave no other details. I wasn't managing our IT at the time.

Could there be a physical man in the middle attack occurring?
Yes.
__________________
Thorn

“Never try to teach a pig to sing; it wastes your time and it annoys the pig.”
- Robert Heinlein
  #22 (permalink)  
Old 11-12-2009, 12:32 AM
Junior Member
 
Join Date: Oct 2009
Posts: 7
ICMP redirect attack maybe?

Hey all,

I was doing my best to analyze the packets I captured and I eventually stumbled onto ICMP redirect attacks.

Does this sound like our situation? How can I catch these people if it is?

Also, after the Facebook competition (causes dot com) ended we have only had Facebook redirect once in 5 days now. During the competition it happened 20+ times a day.
  #23 (permalink)  
Old 11-12-2009, 01:55 AM
Senior Member
 
Join Date: Jun 2008
Posts: 358

@OP
What range are the workstations' IPs in?
What is the DNS on the workstations set to?
Do you have a server (apart from a computer just storing files with file and print sharing), including AD?
What are the routers between you and the internet? Do they have manually assigned DNS, forwarding, or (that thing that gets the page somewhere else if not local)?
Is anything used for proxying (not including workstations)?
Do you have your own web page, internal or external? Any redirects in that?
  #24 (permalink)  
Old 11-17-2009, 11:04 PM
Junior Member
 
Join Date: Oct 2009
Posts: 7

Hey Compaq,
  • The IP ranges of the workstations are 101-150 (192.168.0.101...150)
  • DNS for the workstations is 192.168.0.1. IPs are manually assigned. Subnet is 255.255.255.0 and default gateway is 192.168.0.1
  • No server
  • Our setup is: Modem > Router (WRT310N2 with V12 firmware) > Switch (all computers hooked up to the switch except for 1 on the router)
  • No proxying is used
  • We do have our own webpage which is hosted on a server that we pay for. No redirects on that.

Thanks for your help.
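Post #22 asks how to spot ICMP redirects in a capture, and post #24 describes a LAN with one router at 192.168.0.1, where no redirect should normally appear. The following is an added example, not code from the thread: it parses raw IPv4 packets, picks out ICMP type 5 messages and lists why each is suspect. The function names and the sample packets (192.168.0.105, 192.168.0.120, 203.0.113.10) are constructed for illustration.

```python
import ipaddress
import struct

GATEWAY = "192.168.0.1"                       # default gateway from post #24
LAN = ipaddress.ip_network("192.168.0.0/24")  # 255.255.255.0 subnet from post #24

def parse_icmp_redirect(pkt):
    """Return the fields of an ICMP redirect (type 5) in a raw IPv4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    # Protocol 1 is ICMP; a redirect has an 8-byte ICMP header plus the original IP header.
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8 + 20:
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 5:
        return None
    ip = lambda b: str(ipaddress.ip_address(b))
    return {"sender": ip(pkt[12:16]), "target": ip(pkt[16:20]), "code": icmp[1],
            "new_gateway": ip(icmp[4:8]), "redirected_dst": ip(icmp[24:28])}

def assess(r):
    """Reasons a redirect deserves attention on a LAN that has only one router."""
    reasons = ["redirect seen on a LAN with a single gateway"]
    if r["sender"] != GATEWAY:
        reasons.append("sender is not the default gateway")
    if r["new_gateway"] != GATEWAY:
        reasons.append("traffic to %s steered via %s" % (r["redirected_dst"], r["new_gateway"]))
    if ipaddress.ip_address(r["new_gateway"]) not in LAN:
        reasons.append("new gateway is outside the subnet")
    return reasons

def scan(packets):
    """Return (redirect, reasons) for every ICMP redirect found in raw IPv4 packets."""
    return [(r, assess(r)) for r in map(parse_icmp_redirect, packets) if r]

def sample_ipv4(src, dst, proto, payload):
    """Constructed test data: minimal IPv4 header (checksum 0) around a payload."""
    pack = lambda a: ipaddress.ip_address(a).packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, pack(src), pack(dst)) + payload

# Constructed samples: an echo request and a redirect naming 192.168.0.120 as gateway.
PING = sample_ipv4("192.168.0.105", "192.168.0.1", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"x" * 32)
ORIGINAL = sample_ipv4("192.168.0.105", "203.0.113.10", 6, b"\x00" * 8)
REDIRECT = sample_ipv4("192.168.0.1", "192.168.0.105", 1,
                       struct.pack("!BBH4s", 5, 1, 0, ipaddress.ip_address("192.168.0.120").packed) + ORIGINAL)

if __name__ == "__main__":
    for redirect, reasons in scan([PING, REDIRECT]):
        print(redirect, reasons)
```

The IP source address of a redirect can be forged, so a sender of 192.168.0.1 does not clear the packet; compare the frame's source MAC with the router's in the capture. In Wireshark the display filter `icmp.type == 5` isolates the same messages.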
All times are GMT.