Thread: Illegal IP Address tracing

  1. #1
    Junior Member
    Join Date
    Apr 2004
    Posts
    13

    Illegal IP Address tracing

    Hi, I've just got a question... 'cause I'm not sure how it happened. I'm the network administrator of an internet shop. The shop has 10 computers linked together (cable connection) and they get their internet connection through a DSL router. I'm using a LINKSYS router, and as far as I am aware, there haven't been any recent vulnerabilities discovered with that type of router, have there? I've heard of the CISCO vulnerabilities, but none yet from LINKSYS so far. The problem was, all of a sudden, I've lost my access to my router! The password (which I foolishly forgot to change from its default: admin) was changed and now I have no access to it at all. The internet connection is still OK, but the router config is inaccessible. I have already discovered how to regain control of it; I just want some expert advice from others here on how it possibly happened. Is this a typical hacking attempt? What ways can be employed to trace the IP of a host computer ('cause whoever hacked into my router config and changed the password had to know my IP address)? Thanks in advance for any advice!

  2. #2
    Macht Nicht Aus moxnix
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    If you have your router logs, and the attacker didn't change or delete them, then you have the IP of the attacker.
    But whoever changed your password (linksys) could also have been internal. It didn't have to be from the outside.
    The largest vulnerability in any router and/or system is the admin of the system. Especially if they leave the default password (linksys) set on a Linksys router. Any scriptkiddie that happens along, either external or internal, could own your system without even trying.
    I wouldn't worry about attempting to find out who got you... you got yourself. I suggest setting a decent password on your admin account and then one by one go through all of your 10 computers and check them to see which ones are owned and/or infected with trojans, backdoors and viruses.
    And set up secure systems while you're at it. That will keep you busy for the next couple of months.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  3. #3
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    In answer to your question about whether this is typical "hacking"... no, it isn't; it is more like someone fooling around and playing a trick on you. A true hacker would have left the router password alone so as not to alert you to your vulnerability?

    It sounds as if your ISP has given you a static IP address/block. If this is the case, it would be wise to ask them to change it for you.

    The "textbook" answer would be that you should format all your machines and reinstall your software, as you never know what may have been put on your machines whilst you were owned.

    Cheers

  4. #4
    AO's MMA Fanatic! Computernerd22
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    The password (which I foolishly forgot to change from its default: admin) was changed and now I have no access to it at all.
    Network Administrator? You left your router's password set as default. It was just a matter of time before someone did this.

    just want some expert advice from others here on how it possibly happened
    Someone opened a browser and typed http://192.168.x.y

    user = admin
    password = linksys

    Has full Administrator access to your router because the admin left it as default.

  5. #5
    Junior Member
    Join Date
    Apr 2004
    Posts
    13

    Thanks!

    Thanks for all of your advice... just this morning, I reset the router config settings and changed the password. I've also already pinpointed who is the most probable culprit behind the attack... it was one of my customers who decided to play a joke on us. Either way, we're not taking any chances; the person is now under tight watch the moment he steps inside here. We don't want to take the chance of it happening again. Anyway, thanks for your advice everyone! To be honest, I was quite surprised; since I'm a newbie here, I didn't really expect that quick a reply. You can imagine my surprise when I saw such lengthy replies to my post... Thanks again!

  6. #6
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Thanks for letting us know what happened, so many people just leave us wondering...

    it was one of my customers who decided to play a joke on us
    Hey, I almost got one right for a change

    Actually, you owe him/her a beer... they did you a favour... it could have been malicious, and you were wide open to an attack?

    Cheers

  7. #7
    Junior Member
    Join Date
    Apr 2004
    Posts
    13

    Cheers! :)

    Har har, nice idea nihil... I should do that. You do have a point; at least I was forewarned by a non-malicious attack before it became serious. Thanks for the info!

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    ct04: I would suggest that you set up some kind of sniffer/logger on the local network. In an environment as public as yours you have no idea who is coming in and what they are doing... I guess you already experienced that...

    The problem is that, without documenting what occurs on these machines and what people are doing when they do something bad, you need logs to look through to see what was done, or you may have no choice but to reformat them all and start again. The logs need to be secure too. If you can afford another machine (it can be an old POS 'cos it isn't doing much with only 10 PCs), then you can set up a nice little sniffer/logging system that can document your network quite well, easily and securely. A big HD is essential, but they aren't that expensive today... The cost of the drive is easily paid off the first time you need to find out what or who messed with your systems.

    Oh... and as an afterthought... Trust _no-one_...
    Don't SYN us... We'll SYN you...
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
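    As an added example (not code from any poster in this thread or from Linksys), here is a small Python audit that runs over the kind of access log the sniffer/logger suggested in post #8 could keep for the router's web admin page, and that picks out what post #2 says the router logs should reveal: logins with the factory-default admin/linksys pair, management logins from a PC that is not the admin workstation, a password change, and a run of failed logins. The log format, the router and admin-PC addresses, and the /Passwd.htm page name are assumptions, and the sample lines are constructed for this example.

```python
import base64
import re

# Constructed sample log (format invented here, not a real Linksys format): one line per
# HTTP request a LAN sniffer saw going to the router's admin page; auth= is the Basic token.
SAMPLE_LOG = """\
2004-04-12 09:01:13 src=192.168.1.2 dst=192.168.1.1 GET /index.htm auth=YWRtaW46bGlua3N5cw== status=200
2004-04-12 14:22:41 src=192.168.1.7 dst=192.168.1.1 GET /index.htm auth=- status=401
2004-04-12 14:22:49 src=192.168.1.7 dst=192.168.1.1 GET /index.htm auth=YWRtaW46bGlua3N5cw== status=200
2004-04-12 14:23:30 src=192.168.1.7 dst=192.168.1.1 POST /Passwd.htm auth=YWRtaW46bGlua3N5cw== status=200
2004-04-12 15:05:02 src=192.168.1.2 dst=192.168.1.1 GET /index.htm auth=YWRtaW46bGlua3N5cw== status=401
2004-04-12 15:05:10 src=192.168.1.2 dst=192.168.1.1 GET /index.htm auth=YWRtaW46bGlua3N5cw== status=401
2004-04-12 15:05:18 src=192.168.1.2 dst=192.168.1.1 GET /index.htm auth=YWRtaW46bGlua3N5cw== status=401
"""

ROUTER = "192.168.1.1"                  # assumed router address
ADMIN_HOSTS = {"192.168.1.2"}           # assumed: the only PC allowed to manage the router
CONFIG_PAGES = {"/Passwd.htm"}          # assumed name of the password-change form
DEFAULT_CREDS = {("admin", "linksys")}  # factory default named in the thread

LINE_RE = re.compile(r"^\S+ \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) (?P<method>\S+) "
                     r"(?P<path>\S+) auth=(?P<auth>\S+) status=(?P<status>\d+)$")

def decode_basic(token):
    """Return (user, password) from a Basic-auth token, or None if it is not one."""
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    return (user, pw)

def audit(log_text):
    """Return (severity, source host, message) findings for requests sent to ROUTER."""
    findings, failures = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != ROUTER:
            continue  # not a request to the router's admin interface
        src, ok = m["src"], m["status"] == "200"
        if ok and decode_basic(m["auth"]) in DEFAULT_CREDS:
            findings.append(("high", src, "router still accepts factory-default credentials"))
        if ok and src not in ADMIN_HOSTS:
            findings.append(("high", src, "admin login from a non-admin host"))
        if ok and m["method"] == "POST" and m["path"] in CONFIG_PAGES:
            findings.append(("high", src, "configuration change via " + m["path"]))
        if not ok:
            failures[src] = failures.get(src, 0) + 1
            if failures[src] == 3:  # report once per host, on the third failure
                findings.append(("medium", src, "repeated failed router logins"))
    return findings
```

    On the constructed sample, audit(SAMPLE_LOG) reports the default-credential logins, the password change from 192.168.1.7, and the lockout failures from the admin PC afterwards.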

  9. #9
    Junior Member
    Join Date
    Apr 2004
    Posts
    13

    Nice idea...

    Nice idea Tiger Shark, thanks for the info. I might consider having the network sniffed constantly so I know if anyone is trying to look for vulnerabilities or the like. Nice idea by the way... Oh, and "trust no one"? You're right, I just learned the hard way. Thanks again!
