Hacked?
Nightblade
06-29-2002, 09:29 PM
Funny, the other day (Wed) I received a call from my ISP (FastQ), stating that they've received a call from Columbia Pictures stating that on 6/25/02 at approx. 2240 (my time) they observed that "spiderman.avi" was on Morpheus on xxx.xxx.xxx.171, one of my spare IP addresses. FastQ gave me the usual BS about illegal files, and blah blah. I listened to 'em with their spiel, and then countered with my rebuttal.
1. I only use X.X.X.170 for my main computer, and only occasionally, when I bring my laptop home from work, do I hook it up to 171. And this laptop is a company owned laptop and the only things I have on it are company files.
2. On the night in ?, I didn't even fire up my computer on 170, and I left my laptop at work since I left there late.
3. I don't DL movies
a. since it takes way too long even with DSL
b. the quality sucks; I'd much rather buy the DVD
c. Plus I'd rather see it on the "Big Screen" since I'm a "poor" audiophile and my home theater consists of a lame 32" Panasonic TV and a cheap Sony DVD player. My stereo, an aging Sony system, isn't even hooked up to it!
4. I don't use Morpheus! Tried and hated the ads. I use WinMX for MP3's.
FastQ replied that my system must be getting hacked into.
1. I'm running XP Pro with passwords set up
a. Zonealarm w/ Visual Zone
b. Norton System Works 2002
c. Diamonds TDS-3
d. Diamonds Wormguard
e. Cisco 678 DSL router w/ dual passwords (8-12 alphanumeric)
I asked 'em how much more secure I could make my system.
No answer
Then I asked them if maybe someone from inside FastQ's network is stealing one of my IP addresses.
He told me that this couldn't happen.
Now I'm asking you. How hard would it be to steal one of my IP's and use it?
Yesterday I received an email from them stating that they're changing my slot of 8 IP's.
Before, when I ran my IP's through a whois tool they came back registered to me with my name and everything on 'em.
These new ones just come back registered to FastQ. Should I be concerned with them monitoring me?
Is there anything else I need to do?
DVNT1
06-29-2002, 10:46 PM
For someone at the ISP to use your "unused" IP addresses, sounds very easy to me. Even if they physically segmented your IP address range via a router (which isn't even likely in an efficient design) someone inside could connect a box to it.
If you can't trust your ISP, who can you trust? They have access to all your Internet traffic and can monitor every packet. If you think they do so abusively, I would go with another ISP.
As for someone outside your ISP stealing your IP address, I don't think so. The IP routing wouldn't allow it in TCP communications. It could be spoofed, but generally this isn't very effective for large data transfers because of the packet guessing required.
Nick CPU
07-01-2002, 01:31 PM
Don't ISPs have better things to do than hire people to monitor packets? Maybe we could be saving the money on our monthly bills instead of paying people to spy on us. Shame on ISPs.
Nightblade
07-01-2002, 10:11 PM
Is there any way I could tell if they're monitoring me?
DVNT1
07-02-2002, 12:57 AM
Not in many cases, but here are some possibilities if they are running a sniffer (and some of these won't apply to your situation directly).
ping method
Most "packet sniffers" run on normal machines with a normal TCP/IP stack. This means that if you send a request to these machines, they will respond. The trick is to send a request to IP address of the machine, but not to its Ethernet adapter.
To illustrate:
The machine suspected of running the packet sniffer has an IP address 10.0.0.1, and an Ethernet address of 00-40-05-A4-79-32.
You are on the same Ethernet segment as the suspect (remember, the Ethernet is used only to communicate locally on a segment, not remotely across the Internet).
You change the MAC address slightly, such as 00-40-05-A4-79-33.
You transmit an "ICMP Echo Request" (ping) with the IP address and this new MAC address.
Remember that NOBODY should see this packet, because as the frame goes down the wire, each Ethernet adapter matches the MAC address with their own MAC address. If none matches, then they ignore the frame.
If you see the response, then the suspect wasn't running this "MAC address filter" on the card, and is hence sniffing on the wire.
There are ways of defending against this. Now that this technique is widely publicized, newer hackers will enable a virtual MAC address filter in their code. Many machines (notably Windows) have MAC filtering in drivers. (There is a hack for Windows: most drivers just check the first byte, so a MAC address of FF-00-00-00-00-00 looks like FF-FF-FF-FF-FF-FF (the broadcast address which all adapters accept). However, some adapters implement multicast in such a way that this address will match as a multicast, which is any address whose first byte is an odd number. Thus, this can result in false positives.)
This technique will usually work on switched/bridged Ethernets. When switches see an unknown MAC address for the first time, they will "flood" the frame to all segments.
ping method, part 2
The ping method can be enhanced in a number of ways:
Any protocol that generates a response can be used, such as a TCP connection request or a UDP protocol such as port 7 (echo).
Any protocol that might generate an error on the target machine might be used. For example, bad IP header values might be used to generate an ICMP error.
Sometimes a broadcast address (either a "local broadcast" like 255.255.255.255 or a "directed broadcast" like 10.0.0.255) needs to be used in order to bypass software IP address filtering. This then encounters another problem in that many machines do not respond to broadcast requests (responses to broadcasts cause network problems, such as the 'smurf' hack).
ARP method
The ARP method is similar to the ping method, but an ARP packet is used instead. An explanation (in Spanish) is given at http://www.apostols.org/projectz/neped/ which includes a program called neped to do this detection.
The simplest ARP method transmits an ARP to a non-broadcast address. If a machine responds to such an ARP of its IP address, then it must be in promiscuous mode.
A variation of this technique takes advantage of the fact that machines "cache" ARPs. Each ARP contains the complete information of both the sender as well as the desired target information. In other words, when I send out a single ARP to the broadcast address, I include my own IP-to-Ethernet address mapping. Everyone else on the wire remembers this information for the next few minutes. Therefore, you could do something like sending out a non-broadcast ARP, then a broadcast ping. Anybody who responds to your ping without ARPing you could only have gotten the MAC address from a sniffed ARP frame. (To make double-sure, use a different source MAC address in the ping).
DNS method
Many sniffing programs do automatic reverse-DNS lookups on the IP addresses they see. Therefore, a promiscuous mode can be detected by watching for the DNS traffic that it generates.
This method can detect dual-homed machines and can work remotely. You need to monitor incoming inverse-DNS lookups on the DNS server in your organization. Simply do a ping sweep throughout the company against machines that are known not to exist. Anybody doing reverse DNS lookups on those addresses is attempting to look up the IP addresses seen in ARP packets, which only sniffing programs do.
This same technique works locally. Configure the detector in promiscuous mode itself, then send out IP datagrams to bad addresses and watch for the DNS lookups.
One interesting issue with this technique is that hacker-based sniffing programs tend to resolve IP addresses as soon as they are found, whereas commercial programs tend to delay resolution until the point where the packet sniffer user views the protocol decodes.
source-route method
Another technique involves configuring the source-route information inside the IP header. This can be used to detect packet sniffers on other, nearby segments.
Create a ping packet, but put a loose-source route to force it by another machine on the same segment. This machine should have routing disabled, so that it will not in fact forward it to the target.
If you get a response, then it is likely the target sniffed the packet off the wire.
In the response, double-check the TTL field to find out if it came back due to sniffing (rather than being routed correctly).
Details:
In loose source-routing, an option is added to the IP header. Routers will ignore the destination IP address and instead forward to the next IP address in the source-route option. This means when you send the packet, you can say "please send packet to Bob, but route it through Anne first".
In this scenario, both "Anne" and "Bob" are on the segment. Anne does not route, and therefore will drop the packet when received. Therefore, "Bob" will only respond if he has sniffed the packet from the wire.
On the off chance that Anne does indeed route (in which case Bob will respond), then the TTL field can be used to verify that Bob responded from routing through Anne, or answering directly.
The decoy method
Whereas the ping and ARP methods only work on the local network, the decoy method works everywhere.
Since so many protocols allow "plain text" passwords, and hackers run sifters looking for those passwords, the decoy method simply satisfies that need. It consists simply of setting up a client and a server on either side of the network, where the client runs a script to log on to the server using Telnet, POP, IMAP, or some other plain-text protocol. The server is configured with special accounts that have no real rights, or the server is completely virtual (in which case, the accounts don't really exist).
Once a hacker sifts the usernames/passwords from the wire, he/she will then attempt to log on using this information. Standard intrusion detection systems or audit trails can be configured to log this occurrence, alerting the fact that a sniffing hacker has found the traffic and attempted to use the information.
http://www.zurich.ibm.com/~dac/Prog_RAID98/Full_Papers/sniffer_detector.html/index.htm
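The DNS method and the decoy method described above both come down to watching server-side logs for activity only a sniffer could produce: reverse lookups for addresses that were never assigned, and logons with credentials that only ever crossed the wire in a scripted decoy session. As an added example (not from this thread or the linked paper), the following Python applies both checks to constructed log lines; the log formats, the decoy address set and the decoy account names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed decoy data (assumptions, not from the thread).
# DNS method: addresses included in the ping sweep that have no real host.
DECOY_ADDRS = {ipaddress.ip_address(a) for a in ("10.0.0.200", "10.0.0.201", "10.0.0.202")}
# Decoy method: accounts that exist only to be captured; they carry no real rights.
DECOY_ACCOUNTS = {"backup_op", "ftpadmin"}

# Constructed BIND-style query log. Only 10.0.0.17 reverse-resolves the
# decoy addresses, which it could only have seen by sniffing the sweep.
DNS_LOG = """\
client 10.0.0.5#1043: query: 5.0.0.10.in-addr.arpa IN PTR
client 10.0.0.17#2001: query: 200.0.0.10.in-addr.arpa IN PTR
client 10.0.0.17#2001: query: 201.0.0.10.in-addr.arpa IN PTR
client 10.0.0.9#3050: query: www.example.com IN A
client 10.0.0.17#2001: query: 202.0.0.10.in-addr.arpa IN PTR
"""

# Constructed POP/Telnet audit log. Any use of a decoy account, successful
# or not, means someone captured the scripted plaintext logon and replayed it.
AUTH_LOG = """\
Jul 02 21:40:01 pop3d: LOGIN user=backup_op host=10.0.0.17
Jul 02 21:40:05 pop3d: LOGIN user=alice host=10.0.0.5
Jul 02 21:41:10 telnetd: LOGIN FAILED user=ftpadmin host=10.0.0.33
"""

PTR_RE = re.compile(r"client (\S+?)#\d+: query: ([\d.]+)\.in-addr\.arpa IN PTR")
LOGIN_RE = re.compile(r"LOGIN(?: FAILED)? user=(\S+) host=(\S+)")


def ptr_to_ip(reversed_octets):
    """Turn the in-addr.arpa label order ('200.0.0.10') back into 10.0.0.200."""
    return ipaddress.ip_address(".".join(reversed(reversed_octets.split("."))))


def dns_method(log, decoys=DECOY_ADDRS, threshold=2):
    """Map each DNS client to the decoy addresses it reverse-resolved.

    Only clients at or above `threshold` hits are reported, so a single
    stray lookup (typo, stale cache) does not raise an alert by itself.
    """
    hits = defaultdict(list)
    for m in PTR_RE.finditer(log):
        client, ip = m.group(1), ptr_to_ip(m.group(2))
        if ip in decoys:
            hits[client].append(str(ip))
    return {c: ips for c, ips in hits.items() if len(ips) >= threshold}


def decoy_method(log, decoys=DECOY_ACCOUNTS):
    """Return sorted (source host, account) pairs that presented a decoy credential."""
    return sorted({(m.group(2), m.group(1)) for m in LOGIN_RE.finditer(log)
                   if m.group(1) in decoys})


if __name__ == "__main__":
    print("DNS method  :", dns_method(DNS_LOG))
    print("decoy method:", decoy_method(AUTH_LOG))
```

The same two functions can be pointed at a real query log and audit trail once the decoy addresses and accounts are substituted with the ones actually deployed.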
Nick CPU
07-02-2002, 10:51 AM
thanks DVNT1, very helpful.
Strat
07-02-2002, 08:58 PM
ISP's can see what files you download ?
DVNT1
07-02-2002, 09:47 PM
yes Strat... unless you are downloading from an encrypted site or over a VPN (which also encrypts).
Nightblade
07-03-2002, 01:14 AM
Thanks for all the insight DVNT! Although it'll take me awhile to digest:p
Strat
07-03-2002, 06:12 AM
So all the sickos who download kiddie pictures over p2p should be easily caught then !!!!
DVNT1
07-03-2002, 08:46 AM
So all the sickos who download kiddie pictures over p2p should be easily caught then !!!!
Perhaps if the ISPs paid people to actually monitor downloads that would happen more often. AFAIK, ISPs don't make any money by watching what people download, especially to that level of detail (actually looking at every subscriber's downloaded files).
Can you tell me what "browsemaster" means in regard to poledit.exe?
(It seems to me to be along these same issues; I was wondering if you would clarify it for me.)
DVNT1
07-21-2002, 11:18 AM
Sus~: I'm not positive, I can't remember the Browser Master being in the default poledit template. Since poledit is just a template to make registry changes, I would believe that the Browse Master and Master browser concepts are the same.
The Master Browser is the reference to the networked computer that keeps a list of all the MS File & Print Sharing resources on its subnet. When another computer is looking for a shared resource it goes to the Master Browser to find it.
Generally with Win9x there are problems getting this service to work as you want, so it is often easier to disable it on most Win9x computers. Then they will get the list from the correct Master Browser.
DVNT1
07-25-2002, 09:29 AM
Originally posted by wallijonn
when all is said and done, there can be two pcs at the same time with the same ip address accessing the same website.
what happens if an ISP gives out a dhcp address and another ISP gives out the same address to someone else? you won't be able to play the game (Quake, Counter Strike, et al.)
likewise your ip address is static.
an ISP gives out the same dhcp address (your pc was turned off. ip address now available (to other ISPs))....
I don't agree because of the TCP connection and IP routing that must take place.
Different ISPs do not give out the same public IP addresses without it being a mistake. Only one ISP would have that IP address in its IP address pool (that it paid money for) and therefore only one ISP could properly route IP traffic to it from the rest of the Internet.
If two computers tried to use the same IP address to talk with another computer via TCP then both computers would think the data is addressed to them and both would send their replies. If both send replies then the host computer would be confused because of the two different replies to the same data. It would make for unpredictable behavior.
Connections only showed up on Netstats.
The ISP was ticked off because someone was networking OFF of our computer without paying for their service.
What if they were using Netware and not tcp/ip to network off of the computer? Poledit shows file sharing and SAP. I found a reference saying that if SAP is disallowed, then uploads to your computer are no longer possible (on a netware level).
The file sharing has nothing to do with the file sharing that the typical user CAN control.
DOS connections aren't monitored by firewalls, right?
DVNT1
07-25-2002, 01:37 PM
Sus~: "DOS connections aren't monitored by firewalls, right?" - just because software runs in DOS doesn't mean a firewall can't monitor it. Some personal software firewalls may not be able to determine which DOS program is executing the commands, but for a separate firewall ALL connections that pass through will be bound by the firewall rules and any applicable monitoring.
"What if they were using Netware and not tcp/ip " I would have to presume "Netware" really means IPX/SPX in your case. ISPs normally don't route the IPX/SPX protocols so this shouldn't have been a factor for remote communications. As an additional note, Netware typically doesn't even have file sharing on the client PCs, just the Netware servers.
Netware typically doesn't even have file sharing on the client PCs, just the Netware servers.
I'm confused. I've looked at tons of computers in the past year. Every one of them had file sharing and SAP and auto netware login enabled when I looked at their POLEDIT. I was told~~ that this is how MS has altered their phone home program.
So everybody automatically phones home and connects to MS the first time they get on line.
I know that originally the netstat in question showed my computer connecting to a dial up Redmond(?) IP... but when I traced that IP it wasn't MS at all. That was on DSL BTW.
If your ISP talks to your external modem and it changes stuff in your registry, what connection level are THEY using? Can't be tcp/IP, right?? I figured it was netware/DOS. And I was using ZA pro set to high, and I still had huge downloads showing up even though I had like NO extra programs anywhere... and had gone through my HD with a fine tooth comb shutting every door and update program. (I'm still trying to understand how they did it.. obviously)
Cause I thought it was netware.
Zone Alarm tech support says there has never, ever been a DOS firewall. (I've been looking for this for a while now)
So what level of connections DOES the ISP use to alter your modem addresses/IPs/renewals etc?
And if you have a comment that might clarify my finding auto dial in and auto netware login on all those PCs I would sure like to hear it, 'cause I would value your input.
DVNT1
07-29-2002, 08:23 AM
Sus~: we may be confusing each other's terminology. I didn't state there was/wasn't a DOS (disk operating system) firewall, only that DOS-run programs that access the Internet could be monitored just like any other programs that access the Internet.
Regarding "So what level of connections DOES the ISP use to alter your modem addresses/IPs/renewals etc?", the ISP uses a DHCP server to control what IP address you receive and how long until it needs renewing. Even with this, the ISP doesn't go into your machine in any way. The DHCP server just responds to your computer's broadcast asking for an IP address and your computer makes the appropriate changes to use that IP information.
As for the settings within the registry, you will find many settings in there that are not actually used until other settings are set accordingly.
The Netware Autologin is typically used for your PC to automatically apply a username/password for a Netware server. This does not apply to someone logging into your computer.
Hope this helps some. If you would like a faster response from me, I check the TechIMO forum ( http://www.techimo.com/forum/index.html ) several times a day. Sysopt I may check once a day.
Is that like SAP broadcast??
If that's enabled though, that enables uploads to your computer using netware. Granted not a lot of people USE netware, but considering it auto connects (VIA windoze), isn't that a risk in itself?
( to .. bad sys administrators)
SysOpt.com
Copyright Internet.com Inc. All Rights Reserved.