Network Hacked or virus

tikiman2012

[H]ard|Gawd
Joined
Dec 16, 2009
Messages
1,228
So the question is, has my network been hacked or do I have a virus?

There is an Epson printer that keeps showing up on my network. The only problem is that I don't have an Epson printer. There is no extra I.P. showing up in the router log. The only things that I see are the standard DoS attacks & port scans. UPnP is turned off also, so I'm not sure what to make of this. I have a Media Center with 5 PC extenders also.


Any ideas?
:confused:
 
Wireless? Anyone on your network in the area?

Look at your logs and see all the IPs; take each IP and go to http://ipaddress and see what you get.
 
I have. There are no unauthorized IPs on my network. At least the log doesn't show any. That's the reason for the confusion.

The DoS attacks prompted me to turn off UPnP after the printer showed up the first time because they were sniffing for UPnP ports. This all started after I decided to give Spyware Blaster a try again after many many years.
 
Under Network Printers in the Network Folder in Win 7. Very strange. It was there again this morning when I fired up my rig. It disappears when you try to do something with it. You can bring up the properties & get the MAC address & unique identifier from it. As soon as you close the properties it disappears.

I checked the MAC & it is used by Lexmark. I don't have a clue at this point. I shut down my 2.4GHz band & enabled MAC filtering. We'll see if it shows up again. Maybe somebody was trying to crack my network. Who knows.
 
If they got a printer on it, I'd assume they would have already "cracked" it.

Something tells me there is just a UPnP device getting misidentified, or you have a computer sharing a printer with some strange driver software.
 
He could also track it by IP too (I think), to see where it's coming from (what computer).
 
I think the UPnP idea is the most logical, Brak710.

There is no IP, dashpuppy. I can only see the MAC address of the Lexmark printer if I click on it & choose properties. It shows no IP address. Any type of interaction with the device & it disappears. It also doesn't show up in the router log or attached devices.
 
Does the MAC show up in your ARP table in Windows?
At the command line, type "arp -a"
without quotes
 
I like how the Epson printer turned into a Lexmark printer in this thread, best printer tomfoolery ever.
 
It reminds me of the meme "I've been among them 30 days and they still think I'm a _____"

Easiest way to correct the issue is enable MAC filtering, enter the MACs for each of his items, and set the router to deny all but those.
 
I disabled UPnP & it hasn't been back. I think Brak710 was right.

It doesn't show up using the arp-p command. I'll re-enable UPnP and check again just for giggles.


I like how the Epson printer turned into a Lexmark printer in this thread, best printer tomfoolery ever.

I'm glad I gave you a laugh. I had a stroke & one of the many effects is that my memory has become very spotty. As in almost instantly forgetting things sometimes. In this case I mixed up Lexmark with Epson in my original post.
 
It showed back up in the router log. I haven't enabled UPnP again. The MAC address showed up trying to connect to my wireless on the 2.4GHz band. I have MAC filtering turned on so they can't get in for now. That doesn't mean that they won't be able to though if they're smart. They were in before so that means that they had access to the MAC #'s of my wireless machines & could easily spoof them. They've been trying to gain access persistently since I enabled the 2.4GHz band 2 days ago.

Globox, what's B&W?

What Windows program could I use to sniff out their location with my laptop?
 
If you have a secure WPA2 password and WDS disabled, you shouldn't have anyone getting in.
 
I'm using WPA2. No WDS enabled. I always use WPA2. They got in before. My password wasn't very good before, 9 characters. Now it's 30 characters, upper & lower case letters & numbers. This guy is still trying to crack it as we speak.
 
Turn off WPS.
There was some remote hack to signal WPS to a router iirc, that's probably how they are getting in.
 
WPS is turned off. That's one of the first things I do when I set up a router aside from changing passwords.
 
If he made his WPA2 password long and complex enough, he should be able to stop anyone short of someone with dedicated GPU-accelerated WPA hacking software. If the guy spent the $800 for the software and has the required GPUs, nothing short of ACL with manual IPs and disabling DHCP is going to stop him from hacking the wireless. Unless you really did something interesting like... adding a Unifi AP with a captive portal. Then he'd have another layer to hack through.
 
What kind of router do you have? Some routers can be hit with a WPS attack even if WPS is disabled.
 
The guy might be just trying to brute force you since it was so easy last time, so hopefully he'll give up after he realized you beefed up security. Hiding SSID and/or changing it might encourage him to quit, or just unplug your router when you're not using it like when you're at work or go to bed, can't attack it if it's not up.
 
Router is a Netgear WNDR3700v2.

I unplugged everything and opened up the 2.4GHz band. Started tracking with Moocherhunter yesterday. He hasn't been back since.

Gonna play with Backtrack 5 & see what I get. It's been years since I messed with Backtrack or Linux.
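
Added example (not written by any poster in this thread): the "arp -a" check and the MAC allow-list idea suggested above, combined into one script that parses Windows `arp -a` output, looks up a suspect MAC, and lists every device that is not on a known-device list. The sample output, all addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output (all addresses are made up).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-00-00-01     dynamic
  192.168.1.20          02-00-00-00-00-02     dynamic
  192.168.1.37          02-00-00-00-00-03     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: IPv4 address, MAC (dash or colon separated), entry type.
ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                   r"((?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s+(\w+)\s*$")

def normalize_mac(mac):
    """Reduce a MAC to 12 lowercase hex digits so 02-00-.. equals 02:00:.."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def parse_arp_table(text):
    """Map normalized MAC -> list of IPs, skipping broadcast/multicast rows."""
    table = {}
    for line in text.splitlines():
        match = ENTRY.match(line)
        if not match:
            continue  # interface banner, column header, blank line
        ip, mac, _entry_type = match.groups()
        mac = normalize_mac(mac)
        if int(mac[:2], 16) & 1:
            continue  # group bit set: broadcast or multicast, not a device
        table.setdefault(mac, []).append(ip)
    return table

def find_mac(table, mac):
    """IPs the ARP cache holds for one MAC; an empty list means not seen."""
    return table.get(normalize_mac(mac), [])

def unknown_devices(table, allow_list):
    """Entries whose MAC is not on the list of devices you own."""
    allowed = {normalize_mac(m) for m in allow_list}
    return {mac: ips for mac, ips in table.items() if mac not in allowed}

if __name__ == "__main__":
    arp = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print(unknown_devices(arp, ["02-00-00-00-00-01", "02:00:00:00:00:02"]))
```

The ARP cache only holds devices this PC has exchanged IP traffic with, so an empty result for the suspect MAC does not prove the device is absent from the radio side of the network.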
 