Wireless LAN got hacked into


Couple of months back I was testing Linux with different encryption levels and left the encryption level to WEP on my access point. I normally use WPA2 AES.

Yesterday, I was checking my broadband bill and was surprised to find out that they had charged me for downloading an extra 4 GB of data. I checked my usage online for the current month and it was already 8GB! This is despite the fact that I have been on holiday for ten days, and my normal usage involves casual browsing and downloading e-mails.

Furthermore, I never exceeded my download limit since I started with my ISP. My ISP also confirms that this is quite unusual and against my normal usage pattern. I have asked them to provide me some usage statistics but they can only give me the data that I already see on my account online.

I am quite certain that somebody hacked into my wireless lan. But I want to confirm this. The admin consoles (web interfaces) of my wireless access point and ADSL modem-router do not give me the option to see any logs from which I could extract usage stats.

I have read in some posts that one can access log files on routers and access points. If so, I just want to find out how to do that.

Can anyone help me with this? I'd really appreciate it.

My wireless access point is: EW-7206APg Wireless LAN Access Point Modem router: Speed Touch 510 Alcatel


Reply to
Loading thread data ...

You might ask them what steps they take to prevent unsolicited traffic being counted against your bill.

e.g. someone outside trying to connect to you.

They may well not take any and if that is the case cannot reasonably charge you for downloads.

They may well of course be able to charge unreasonably:)

I have a sophisticated router and in the last 4 days at least 31866 / 2687544 or 1% of packets have not been requested by me. Now this is a small amount however there is every liklelyhood that some internet routers receive more then this. Your ISP's IP range could for example have become the target of a botnet.

Reply to

Where are you at, are you on cable? and/or did you add video on demand, or digital voice/voip to your system? Have a Tivo/DVR? Here in baltimore with comcast as the isp we added DV/Voip in the home, and started using video on demand... (we already had cable internet) and for some strange reason they add all video and audio to the data sent/received...

silly q, why not just set your security on wireless back to what it used to be?

Reply to
Peter Pan

Don't do that.

I don't think either of those can be configured to keep logs or to feed logs to something that will keep logs such as WallWatcher.

No logs for past events which wasn't logged. Probably no logs for future events that I can find.

Secure your network.

Reply to
Mike Easter

WEP encryption is an open invitation to hackers. It's now incredibly easy to crack. In my opinion, WEP should be banned from future products.

See the lights on the front of the router and DSL modem. They flash when there's traffic. It takes quite a while to download 4+8GB of whatever. Didn't you notice the lights flashing?

The Edimax EW-7206APG runs Linux firmware. I think (not sure and too lazy to check) that it supports SNMP out of the box. You can setup MRTG or RRDTool to generate the required traffic history graphs. The catch is that you'll need to leave the Linux box on 24/7 as a data collector. Unfortunately, it appears that the EW-7206APg does NOT support DD-WRT or other alternative Linux based firmware with SNMP.

If not, there's also syslog. I'm again too lazy to check, but if there's a log page, it might allow you some control over what to log. You won't get traffic info, but you will get the URL's and IP's of whatever is generating the traffic.

Assumption, the mother of all screwups. Any chance you also have a virus infected Windoze box that's been compromised and is spewing spam and garbage all over the internet? If Linux, the most common screwup is to use RDIST or similar synchronization software sending giant files. Ask your ISP is the traffic is mostly incoming or outgoing, which should offer a clue.

Yep. It's more fun to first assign the blame, then confirm the first guess. See "witch hunt" for how it's done.

Yep. That's normally not a common feature. Look into DD-WRT firmware, which does have daily traffic graphs. However, that might require a new wireless access point.

The log files are usually wiped after a power cycle. DD-WRT retains the log files in NVRAM, but that's unusual. More commonly, the traffic data is sent to a syslog server, or collected via an SNMP logger. Some routers also have a feature to email or ftp the syslog file to an email address or ftp server. However, the features are very limited and the content (and passwords) are NOT encrypted. Not recommended.

Is there a router and firewall anywhere in the system, possibly the Linux box? If Linux, it can be used to collect statistics going THROUGH the Linux server/router/whatever.

Reply to
Jeff Liebermann


formatting link
a ways down the page under routing (cli command)

second screen image, transfer statistics

may give you the info you want

Reply to
Peter Pan

I have gone back to WPA2 AES once again. The only reason I was checking other encryptions was to enable wireless on my Fedora box. Anyway, it's working now with WPA2 on Fedora with Network Manager.

My access point and DSL modem was left on and I am usually out most of the day. I have started to turn it off now. Whenever I get a chance, I monitor active clients using the wireless router admin interface.

Great! I'll look into this.

You definitely have a point here. Another thing I didn't take into account is that my partner started video conferencing (Windows Live Messenger) with her family and friends about two months ago. She had one chat yesterday and the usage stats showed 150MB more! I have to look into this as well.

I won't be able to change my access point but I'll definitely look into other tools you've mentioned.

I'll look into this as well.

Thanks again for replying. I'll look into everthing you've mentioned and report back here. Y

Reply to

Use a crontab entry to enable or disable internet access from the wireless port. For example, if the interface was eth2: ifconfig eth2 up (turn on) ifconfig eth2 down (turn off)

There are plenty of other bandwidth suckers available. I'm not sure what speed your ISP delivers, but it takes considerable time to suck

12GB of data. Such a low limit is usually not a feature of cable modems, which limit their abusers to about 100GBytes/month. A few DSL providers have limits, but most are in the same area. Which service provider has a 10(?)GByte monthly limit? Satellite?

Why not? Access points are nothing more than wireless routers with the router section disabled or disconnected. You can turn *ANY* wireless router into an access point by simply ignoring the WAN connector, and disabling the DHCP server. No big deal. Once you have a reasonably intelligent access pont running Linux, you have the ability to do some useful monitoring. Low end WRT54G and similar consumer wireless routers sell for $30 to $80.

Reply to
Jeff Liebermann

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.