Someone cracked my WEP key
While looking through some firewall/router logs tonight, I noticed that on 08/28/2006 IPCop handed out an IP address via DHCP to a MAC that I didn’t recognize.
Here’s the info from the log:
IP Address: 192.168.2.198
MAC Address: 00:12:17:9b:26:86
Hostname: ncs-5pxom5jlr51
Lease Expires: 28/08/2006 00:20:07
For what it’s worth, a lookup on that MAC shows it’s a Cisco-Linksys NIC.
So while I’m not absolutely certain that someone cracked my WEP key, I’m pretty sure they did. Otherwise IPCop would not have handed out the address.
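The check described above was done by eye; as an added example (not code from the original post), the script below does the same thing mechanically: it parses lease records in the four-line "Key: value" layout quoted from the IPCop log, flags any MAC that is not on a list of recognised devices, and annotates each hit with the vendor prefix and the parsed lease expiry. The allow-list, the sample lease entries and all OUI entries except the Cisco-Linksys prefix from the post are constructed for illustration.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed allow-list of MACs the network owner recognises (hypothetical values).
KNOWN_MACS = {
    "00:0c:29:aa:bb:cc",  # constructed: owner's laptop
    "00:1a:70:11:22:33",  # constructed: owner's desktop
}

# Minimal OUI table. 00:12:17 is the Cisco-Linksys prefix the post mentions;
# the other two entries are constructed for the example.
OUI_VENDORS = {
    "00:12:17": "Cisco-Linksys",
    "00:0c:29": "constructed-vendor-A",
    "00:1a:70": "constructed-vendor-B",
}

# One 'Key: value' line of a lease record, in the layout the post quotes.
FIELD_RE = re.compile(r"^\s*(IP Address|MAC Address|Hostname|Lease Expires):\s*(.+?)\s*$")

# Constructed sample log excerpt: one known device plus the unrecognised lease from the post.
SAMPLE_LOG = """\
IP Address: 192.168.2.10
MAC Address: 00:0C:29:AA:BB:CC
Hostname: laptop
Lease Expires: 28/08/2006 00:15:00
IP Address: 192.168.2.198
MAC Address: 00:12:17:9b:26:86
Hostname: ncs-5pxom5jlr51
Lease Expires: 28/08/2006 00:20:07
"""


def normalise_mac(mac: str) -> str:
    """Lower-case, colon-separated, zero-padded form so comparisons are exact."""
    return ":".join(part.lower().zfill(2) for part in re.split(r"[:\-]", mac.strip()))


def parse_leases(text: str) -> List[Dict[str, str]]:
    """Split the log into records: each 'IP Address:' line starts a new record,
    and the following field lines attach to it. Lines that are not fields are ignored."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "IP Address":
            current = {"IP Address": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def vendor_for(mac: str) -> str:
    """Look up the first three octets (the OUI) in the small vendor table."""
    return OUI_VENDORS.get(mac[:8], "unknown OUI")


def parse_expiry(value: str) -> Optional[datetime]:
    """The log uses day/month/year; return None rather than crash on a malformed value."""
    try:
        return datetime.strptime(value, "%d/%m/%Y %H:%M:%S")
    except ValueError:
        return None


def find_unknown_leases(text: str, known=KNOWN_MACS) -> List[Dict[str, object]]:
    """Return one alert per lease whose MAC is not on the recognised-device list."""
    alerts = []
    for rec in parse_leases(text):
        if "MAC Address" not in rec:
            continue  # incomplete record; nothing to compare against
        mac = normalise_mac(rec["MAC Address"])
        if mac in known:
            continue
        alerts.append({
            "ip": rec["IP Address"],
            "mac": mac,
            "hostname": rec.get("Hostname", ""),
            "vendor": vendor_for(mac),
            "expires": parse_expiry(rec.get("Lease Expires", "")),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unknown_leases(SAMPLE_LOG):
        print(f"UNKNOWN LEASE {alert['ip']} mac={alert['mac']} ({alert['vendor']}) "
              f"host={alert['hostname']} expires={alert['expires']}")
```

Run against a real lease file, the loop prints one line per unrecognised device; feeding it the firewall's lease log on a schedule (and emailing the output) turns the manual review into a standing check, which is the part that actually caught this visitor.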
Now, I do have MAC filtering turned on and my wireless network is segregated on its own “Blue” subnet. So as far as I can tell, the person wasn’t able to actually do anything while connected. That theory seems to be supported by the associated traffic, connection, and proxy logs. And since I was on vacation last week, there was absolutely no traffic on that network anyway.
Probably not as much fun as they were hoping for.
So I asked some of the IRC regulars what they would recommend as a follow-up when your WEP key is broken…
Some recommended amusing pranks:
mgoss: nmap them, see if they’re respectable or not (linux or windows, etc. ;) )
mgoss: then sniff their packets, pick up on any screenname they’re using if they’re using an IM and IM them and freak them out :)
Others were a bit more… drastic:
nate: I would kill everyone in a 5 mile radius
nate: just to make sure I got ‘em
nate: then I would take the corpses and stack them up, lighting a large pyre that burned far into the night… post the pics to my blog as a warning to others
nate: but that’s me
…
mgoss: sickos :)
matt: then make a sign
matt: “One of these people messed with my wireless. Learn.”
Heh.
On a more serious note, Nate recommended a honeypot-based response that actually sounded quite interesting. But having looked into the current honeypot offerings a while back (e.g. honeyd), they all seem like far too much work for something as simple as this.
So instead I changed my WEP key, tightened up my DMZ pinholes, and… that’s about it. Unless I invest in some new hardware with WPA/WPA2, I doubt there’s much I’m going to be able to do about it.
Burning piles of corpses notwithstanding. ;)