Remote Exploit Forums


#1
10-29-2009, 09:26 PM
Junior Member
 
Join Date: Oct 2009
Posts: 7
Our network is possibly being attacked? Need help

Greetings,

I work IT part time at a small non-profit and I'm encountering some problems that are out of my experience range.

We have a WRT310V2 with firmware v12. The router is broadcasting a wireless signal (WPA2)

Here is the problem we're experiencing:
Webpages randomly redirect to other webpages but only temporarily. For example, facebook.com goes to myspace, even if the client on our network has never been to myspace.com.
Gmail redirects sometimes, as do a few other sites.
The interesting thing is that the webpages don't redirect to sites full of spam or malware.
This problem affects all browsers on the client (and only affects some clients on the network) and will go away after an hour at most. I performed an nslookup on an affected client and the IPs for myspace.com and facebook.com were different.

Restarting the computer will fix the problem. I have scanned all the computers in our network and they appear to be clean. ESET nod 32 business v4

The facebook>myspace problem is particularly problematic because we are doing very well in a giving challenge taking place on facebook right now. The problem didn't happen before the giving challenge.

In suspicion that we were being attacked, I asked our ISP to give me a new manual DNS. When I changed the settings in our router for a new DNS the problems completely stopped for about 2-3 days. Now they are happening all the time again.

Any thoughts? Does this seem like an attack? Does anyone have any immediate recommendations of measures I can set up to log potential attacks and help diagnose the problem?

Thanks for your time,
McKindling
#2
10-29-2009, 10:11 PM
mikec
Member
 
Join Date: Oct 2009
Location: 55.762, 37.628
Posts: 75

I would first scan the computers for malware with something like SpyBot. Have you tried this?
#3
10-29-2009, 10:29 PM
Junior Member
 
Join Date: Oct 2009
Posts: 7

Thanks Mike,

I have scanned them with spybot search and destroy and full scans with eset nod32 v4 business edition.

There were a few things spybot picked up but nothing that seemed major or similar. Eset found nothing on all.
#4
10-29-2009, 10:44 PM
Junior Member
 
Join Date: Sep 2009
Posts: 14

When you make a search on Google, are you redirected?

Do a quick search on Google for "facebook redirects virus".
You'll have some links to explore.

Good night!

Last edited by balding_parrot; 10-30-2009 at 02:01 AM.
#5
10-29-2009, 11:17 PM
Junior Member
 
Join Date: Oct 2009
Posts: 7

Thanks for looking Mortis.

I won't write the Facebook virus possibility off and I'll look into the possibilities, but I don't think that's the issue.

I rarely use Facebook but on my personal laptop I am encountering the problem as well, but only when I'm connected to the network in question (the one at the small non-profit). It only happens for an hour or two at most and sporadically throughout the day.

I've tested it on my laptop at my home connection and I don't have this problem at all. That's why I'm 95% sure it's not that virus since that one seems to constantly cause a redirect and it doesn't matter what network it's on.
#6
10-29-2009, 11:39 PM
Nick_the_Greek
Senior Member
 
Join Date: Jul 2009
Location: Greece
Posts: 124

I only know (sort of) how to do this:

Code:
iptables -A PREROUTING -s 192.168.0.0/255.255.255.0 -p tcp -j DNAT --to-destination 212.205.43.30
It will redirect your router's traffic to MySpace (212.205.43.30).

Unfortunately I don't know how to find who is doing this to you or how to eliminate it.

Maybe you should wait until some senior member reads your post.

Nick
__________________
The quieter you become....
#7
10-29-2009, 11:48 PM
Gitsnik
Senior Member
 
Join Date: Jun 2009
Location: The Crystal Wind
Posts: 494

Quote:
Does anyone have any immediate recommendations of measures I can set up to log potential attacks and help diagnose the problem?
Offload any and all event logs to a known good server for manual analysis - specifically SYSTEM and SECURITY logs as these are the ones most likely to be both wiped and recording the right information.

Do a manual check of the net user command on each machine, see if there are any accounts on there you think are suspect. Set up "arpwatch" on a tiny box in a corner on that same LAN, I use and recommend FreeBSD for this sort of thing. Go to each machine and manually change the local admin command, enable the firewall with no exceptions (all outgoing none incoming), then port scan the entire range with nmap (probably from the secured arpwatch box for safety's sake). It will take some time but it will be most helpful.

Are there other IT guys there who are potentially ensuring people stop doing non-work related things at work? There is enough of a language barrier re the facebook note that I can't understand whether that is work-related or otherwise.

There are more things to try, I may edit this post or respond with some more later.

All of the above assumes you can't just roll back to a known good restore point on every machine and change the pw by hand at the router console (or by plugging in a known safe laptop with a cross over cable). This paragraph is also always an option.

Edits:

Considering that you've checked and the like, I would be checking the router for firmware updates and/or other possibilities. If you have a spare (most companies should if they don't!), grab your spare router and plug it in instead, make sure that there are no default passwords on it (before you do this) and that you've turned on SSL/SSH rather than HTTP/Telnet.

Also make a note of checking for system restore points (or the lack thereof) as they could indicate a possible rootkit on machines (which I do not think is likely - this seems more like a router problem, maybe an arp attack but even that seems to stretch my imagination) - you can check for these with the rootkit hunter the sysinternals bloke put out (both the program's and the author's names escape me).

One further edit: Manually set the DNS on one of the internal machines to the ISP-given DNS server and see if the problem stops. Probably best not to do it on anyone's machine but yours as you are more likely to know how to connect to servers, email etc.
__________________
Never underestimate the power of human stupidity - it is like a force of nature, capable of destroying even the most well laid plans.

Last edited by Gitsnik; 10-30-2009 at 12:20 AM. Reason: Added more info
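Gitsnik's arpwatch suggestion above, as an added example that is not code from the thread or from the arpwatch project: a minimal arpwatch-style monitor in Python that decodes raw Ethernet/IPv4 ARP payloads and reports whenever an IP address, the gateway in particular, starts answering from a different MAC, which is exactly the flip-flop arpwatch logs and the symptom of the ARP attack he mentions. The gateway address, the MAC addresses and the packets replayed in `sample_run()` are constructed for the example; on a real LAN the 28-byte ARP payloads would come from a capture on the monitoring box.

```python
"""Minimal arpwatch-style monitor (added example; not code from the thread).

Assumed/constructed: GATEWAY_IP is the router's LAN address and the ARP
packets below are built by hand. On a real network the 28-byte ARP payloads
would come from a capture on the monitoring box.
"""
import struct

GATEWAY_IP = "192.168.1.1"  # assumed router address (constructed)

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP payload (used to construct test input)."""
    mac_b = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip_b = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack(">HHBBH", 1, 0x0800, 6, 4, op)
            + mac_b(sender_mac) + ip_b(sender_ip)
            + mac_b(target_mac) + ip_b(target_ip))


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload into its fields."""
    htype, ptype, hlen, plen, op = struct.unpack(">HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": op,
        "sender_mac": _mac_str(payload[8:14]),
        "sender_ip": _ip_str(payload[14:18]),
        "target_mac": _mac_str(payload[18:24]),
        "target_ip": _ip_str(payload[24:28]),
    }


class ArpWatch:
    """Track which MAC each IP has been seen with; alert when it changes."""

    def __init__(self, gateway_ip=GATEWAY_IP):
        self.gateway_ip = gateway_ip
        self.table = {}   # ip -> MAC last seen for it
        self.alerts = []  # arpwatch-style "changed ethernet address" lines

    def observe(self, ts, payload):
        """Feed one captured ARP payload; returns the decoded fields."""
        p = parse_arp(payload)
        ip, mac = p["sender_ip"], p["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            tag = "GATEWAY " if ip == self.gateway_ip else ""
            self.alerts.append(f"{ts} {tag}changed ethernet address {ip} {known} -> {mac}")
            self.table[ip] = mac
        return p


def sample_run():
    """Replay a constructed sequence: the real router answers, then a second
    host starts claiming the router's IP, then the router answers again."""
    router = "00:11:22:33:44:55"    # constructed
    intruder = "de:ad:be:ef:00:01"  # constructed
    client = "aa:bb:cc:dd:ee:01"    # constructed
    watch = ArpWatch()
    watch.observe("10:00:01", build_arp(ARP_REPLY, router, GATEWAY_IP, client, "192.168.1.20"))
    watch.observe("10:00:02", build_arp(ARP_REPLY, client, "192.168.1.20", router, GATEWAY_IP))
    watch.observe("10:05:00", build_arp(ARP_REPLY, intruder, GATEWAY_IP, client, "192.168.1.20"))
    watch.observe("10:05:30", build_arp(ARP_REPLY, router, GATEWAY_IP, client, "192.168.1.20"))
    return watch.alerts


if __name__ == "__main__":
    for line in sample_run():
        print(line)
```

The replay produces two GATEWAY alerts, one for each direction of the flip-flop; a single change could just be a replaced router, repeated back-and-forth changes within minutes are what to look at.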
#8
10-30-2009, 01:42 AM
vvpalin
Senior Member
 
Join Date: Apr 2009
Location: all.ur.base
Posts: 417

While I agree with Gitsnik on just about everything he said, I must say if this was my small business, every last thing would get a full top to bottom reload, including the firmware and in-depth scans of all the backups you "hopefully" have been keeping up on. That would be after I dumped all the logs for later reference.

After that, there would no longer be any myspace, facebook, etc.. unless I directly allowed it through an outbound proxy / ids.
__________________
Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.
#9
10-30-2009, 01:53 AM
streaker69
Senior Member
 
Join Date: May 2007
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
Posts: 3,511

In addition, unless you really absolutely positively need it, you probably shouldn't be using any kind of wireless for your business. I would never trust business functions over wireless, there's just too many things that can go wrong.

I don't consider "need" as someone wants it because they want their computer on one side of the office and their network jack is on the other side, nor as "we're too cheap to run CAT5".
__________________
A 3rd Party Security Audit is the IT equivalent of a Colonoscopy, it's long, intrusive, and when it's done you'll have seen a lot of things you really didn't want to see, and you'd definitely remember that you had it done.

I baby harp seals.
#10
10-30-2009, 04:39 AM
lupin
Moderator
 
Join Date: Mar 2009
Location: Australia
Posts: 945

Quote:
Originally Posted by Gitsnik View Post
you can check for these with the rootkit hunter the sysinternals bloke put out (both the program and the authors names escape me).
RootkitRevealer By Bryce Cogswell and Mark Russinovich.

There's a number of rootkit detectors for Windows (IceSword, DarkSpy, GMer, various ones from AV manufacturers, etc) but RootkitRevealer is the one I generally use. It will likely show some entries that are not rootkit related however, so Google before you panic.

As well as the other suggestions above I'd also suggest to the OP that you start capturing packets on the network when the problem occurs to see where DNS responses are coming from (watch for incorrect IP and MAC addresses in requests/responses), where packets to facebook/other site of interest are going (correct IP?), whether multiple responses are coming back, and what other traffic is going on on the network. You may want to check in multiple spots (e.g. from an internal client, from the router itself, from a known clean system, etc) to get a more complete picture and to see if any network traffic is being hidden (which a rootkit could do).

Hope your TCP/IP-analysis-fu is strong!

On the issue of allowing/disallowing Facebook, I'd agree if there wasn't a business need for it (just as I would agree to stopping ANY traffic there is no business need for), but it appears in this case there is one, and many other businesses are finding the same thing (some allow it as a benefit to staff, others use it for marketing, PR, research, etc). While it can seem like a big time waster at first glance I think a business case for it can easily be made. Plus, there are many worse things than Facebook that are allowed through for valid business reasons...
__________________
Nancy Astor: If I were your wife I would put poison in your coffee!
Winston Churchill: Madam, if I were your husband I would drink it.

Last edited by lupin; 10-30-2009 at 05:08 AM.
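Lupin's packet-capture suggestion above, as an added example that is not code from the thread: a small Python script that parses DNS answer packets and flags the two things he says to watch for, answers arriving from a resolver IP or MAC other than the expected one, and several answers for the same transaction ID that disagree about the address. The resolver address, its MAC, the rogue host and the packets built in `sample_frames()` are all constructed for the example (documentation IP ranges), not taken from the poster's network; on a real capture you would feed it the UDP/53 payloads exported from tcpdump or Wireshark together with each frame's source MAC and IP.

```python
"""Check captured DNS answers for spoofing signs (added example; not from the thread).

Assumed/constructed: RESOLVER_IP is the resolver the router hands out and
RESOLVER_MAC the address its replies should arrive from; the frames are built
by hand with documentation IP ranges. On a real network the (mac, ip, payload)
tuples would come from a capture of UDP/53 traffic on the affected client.
"""
import struct
from collections import defaultdict

RESOLVER_IP = "203.0.113.53"        # assumed ISP resolver (constructed)
RESOLVER_MAC = "00:11:22:33:44:55"  # assumed MAC its replies come from (constructed)


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def build_response(txid, name, ip, ttl=300):
    """Build a minimal DNS response with one A record (constructed test input)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = encode_name(name) + struct.pack(">HH", 1, 1)   # type A, class IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata  # pointer to qname
    return header + question + answer


def decode_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length


def parse_response(payload):
    """Parse header, question and the A-record answers of a DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    qname, offset = decode_name(payload, 12)
    offset += 4  # skip qtype/qclass
    answers = []
    for _ in range(an):
        _, offset = decode_name(payload, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", payload[offset:offset + 10])
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "qname": qname, "answers": answers,
            "is_response": bool(flags & 0x8000)}


def find_suspicious(frames):
    """frames: iterable of (src_mac, src_ip, udp_payload). Return finding strings."""
    findings = []
    by_txid = defaultdict(list)
    for src_mac, src_ip, payload in frames:
        rec = parse_response(payload)
        if not rec["is_response"]:
            continue
        tag = f"txid {rec['txid']:#06x} {rec['qname']}"
        if src_ip != RESOLVER_IP:
            findings.append(f"{tag}: answer from unexpected resolver {src_ip}")
        if src_mac != RESOLVER_MAC:
            findings.append(f"{tag}: answer arrived from unexpected MAC {src_mac}")
        by_txid[rec["txid"]].append(tuple(rec["answers"]))
    # Two answers for one transaction that disagree means a race between
    # the real resolver and something else on the path.
    for txid, seen in by_txid.items():
        if len(seen) > 1 and len(set(seen)) > 1:
            findings.append(f"txid {txid:#06x}: {len(seen)} responses with "
                            f"conflicting answers {sorted(set(seen))}")
    return findings


def sample_frames():
    """Constructed capture: a clean answer, a forged duplicate, a clean answer."""
    rogue_mac, rogue_ip = "de:ad:be:ef:00:01", "192.168.1.77"  # constructed
    return [
        (RESOLVER_MAC, RESOLVER_IP, build_response(0x1A2B, "facebook.com", "198.51.100.10")),
        (rogue_mac, rogue_ip, build_response(0x1A2B, "facebook.com", "192.0.2.99")),
        (RESOLVER_MAC, RESOLVER_IP, build_response(0x3C4D, "mail.google.com", "198.51.100.20")),
    ]


if __name__ == "__main__":
    for line in find_suspicious(sample_frames()):
        print(line)
```

On the constructed capture this reports three findings for the forged facebook.com answer (wrong resolver IP, wrong source MAC, two conflicting answers for one transaction ID) and nothing for the clean mail.google.com answer. Which of the first two fires on a real network tells you something: a wrong MAC with the right resolver IP points at a host on the LAN impersonating the gateway, a wrong resolver IP with nothing else changed points at the router's DNS setting or the DHCP lease.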
Tags
network, possible attack, redirect