intruders on the network [Solved]

Well, it occurred to me to reset the router ("TD-W8901G") to change IP, and when I reconnect the Linux box ("Linux hp 2.6.30-2-686 #1 SMP Fri Dec 4 00:53:20 UTC 2009 i686 GNU/Linux") to the wireless network, the browser (iceweasel, epiphany) shows me someone else's router page, but the strangest thing is that my network (hdcm) was the one I was connected to.

Resetting everything again, I did the following, and this phenomenon disappeared:

hp:/home/fernando# iwlist scanning
lo        Interface doesn't support scanning.

eth0      Interface doesn't support scanning.

pan0      Interface doesn't support scanning.

vboxnet0  Interface doesn't support scanning.

eth1      Scan completed :
          Cell 01 - Address: 00:23:CD:14:42:7E
                    ESSID:"hdcm"
                    Mode:Managed
                    Frequency:2.412 GHz (Channel 1)
                    Quality:5/5  Signal level:-38 dBm  Noise level:-91 dBm
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
          Cell 02 - Address: 94:0C:6D:F7:68:42
                    ESSID:"otrared"
                    Mode:Managed
                    Frequency:2.422 GHz (Channel 3)
                    Quality:1/5  Signal level:-86 dBm  Noise level:-91 dBm
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    IE: Unknown: DD830050F204104A0001101044000102103B0001031047001000000000000010000000940C6DF768421021000754502D4C494E4B10230009544C2D57523834314E10240003352E3010420003312E301054000800060050F20400011011001B576972656C657373204E20526F7574657220544C2D57523834314E100800020086103C000101
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
          Cell 03 - Address: D8:5D:4C:D8:7C:AA
                    ESSID:"TP-LINK_CAR"
                    Mode:Managed
                    Frequency:2.412 GHz (Channel 1)
                    Quality:1/5  Signal level:-87 dBm  Noise level:-91 dBm
                    Encryption key:off
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
          Cell 04 - Address: 00:25:9C:32:CB:71
                    ESSID:"Red-Dario"
                    Mode:Managed
                    Frequency:2.437 GHz (Channel 6)
                    Quality:4/5  Signal level:-66 dBm  Noise level:-95 dBm
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    IE: Unknown: DD7E0050F204104A0001101044000102103B00010310470010138140001DD211B29FFFC67E816B4BFB102100074C696E6B73797310230006526F7574657210240007575254353447321042000C43535630314A3834303734341054000800060050F204000110110011576972656C6573732D4720526F75746572100800020088
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : CCMP TKIP
                        Authentication Suites (1) : PSK
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
                              24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
                              12 Mb/s; 48 Mb/s

Then it occurred to me that someone might have sneaked onto my wifi network.

hp:/home/fernando# nmap -sP 192.168.1.*

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-02 14:21 ART
Host 192.168.1.1 is up (0.00069s latency).
MAC Address: 00:23:CD:14:42:7E (Tp-link Technologies CO.)
Host 192.168.1.2 is up (0.028s latency).
MAC Address: 00:25:D3:1B:03:CA (AzureWave Technologies)
Host 192.168.1.5 is up (0.079s latency).
MAC Address: 00:30:67:27:BF:AA (Biostar Microtech Int'l)
Host 192.168.1.104 is up (0.00025s latency).
MAC Address: 00:08:54:46:7B:60 (Netronix)
Host 192.168.1.106 is up.
Host 192.168.1.110 is up (0.070s latency).
MAC Address: 00:E0:4D:31:5B:0B (Internet Initiative Japan)
Nmap done: 256 IP addresses (6 hosts up) scanned in 9.50 seconds
hp:/home/fernando# man arp
hp:/home/fernando# arp -v
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:23:cd:14:42:7e   C                     eth0
192.168.1.104            ether   00:08:54:46:7b:60   C                     eth0
Entries: 2 Skipped: 0 Found: 2
hp:/home/fernando# arp -a
? (192.168.1.1) at 00:23:cd:14:42:7e [ether] on eth0
? (192.168.1.104) at 00:08:54:46:7b:60 [ether] on eth0

The IPs Host 192.168.1.106 (my machine), Host 192.168.1.1 (router), Host 192.168.1.104 (a Debian server with ftp, apache, postgres, firebird) are mine.
But the other IPs aren't: Host 192.168.1.2, Host 192.168.1.5, Host 192.168.1.110, where did they come from? So I changed passwords, encryption types, restarted everything, and it's all still the same.

I disabled wifi, shut down the server, and left only my machine connected to the router by ethernet, and there it went back to normal, only two IPs showed up.

Now I turn the server on, and again those IPs show up, which shouldn't be on my network. Does anyone have a more or less logical explanation? It's as if those IPs stayed cached there, or something like that, because I can't find an explanation for how they got there.

fernando
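
The two `IE: Unknown: DD...` lines in the iwlist scan above are Wi-Fi Protected Setup (WPS) information elements (a vendor-specific IE with OUI 00:50:F2, type 4) that the wireless-tools on that kernel did not know how to decode. They are worth reading: an AP that advertises them tells every client in range its manufacturer, model name and number, device name and, for the Linksys, what looks like a real serial number, plus whether WPS is configured. The decoder below is an added example, not code from the thread; it parses the two strings exactly as they appear above. The attribute IDs are the ones from the WPS specification; anything outside the small table is kept as raw hex.

```python
import struct

# The two "IE: Unknown: DD..." strings from the iwlist scan above, copied verbatim.
CELL02_IE = ("DD830050F204104A0001101044000102103B0001031047001000000000000010000000940C6DF76842"
             "1021000754502D4C494E4B10230009544C2D57523834314E10240003352E3010420003312E30"
             "1054000800060050F20400011011001B576972656C657373204E20526F7574657220544C2D57523834314E"
             "100800020086103C000101")
CELL04_IE = ("DD7E0050F204104A0001101044000102103B000103"
             "10470010138140001DD211B29FFFC67E816B4BFB"
             "102100074C696E6B737973" "10230006526F75746572" "1024000757525435344732"
             "1042000C43535630314A383430373434" "1054000800060050F2040001"
             "10110011576972656C6573732D4720526F75746572" "100800020088")

WPS_OUI_TYPE = bytes.fromhex("0050F204")   # OUI 00:50:F2, type 4 = Wi-Fi Simple Config (WPS)

# WPS attribute IDs (Wi-Fi Simple Configuration spec, data element definitions)
WPS_ATTRS = {
    0x104A: "Version", 0x1044: "WPS State", 0x103B: "Response Type", 0x1047: "UUID-E",
    0x1021: "Manufacturer", 0x1023: "Model Name", 0x1024: "Model Number",
    0x1042: "Serial Number", 0x1054: "Primary Device Type", 0x1011: "Device Name",
    0x1008: "Config Methods", 0x103C: "RF Bands",
}
TEXT_ATTRS = {0x1021, 0x1023, 0x1024, 0x1042, 0x1011}


def parse_wps_ie(hex_ie):
    """Decode one vendor-specific IE carrying WPS TLVs; returns {attribute name: value}."""
    data = bytes.fromhex(hex_ie)
    if len(data) < 6 or data[0] != 0xDD:
        raise ValueError("not a vendor-specific IE (element ID 0xDD)")
    body = data[2:2 + data[1]]                 # data[1] is the IE length byte
    if len(body) != data[1] or body[:4] != WPS_OUI_TYPE:
        raise ValueError("truncated IE or not a WPS IE")
    attrs, pos = {}, 4                         # skip OUI + type
    while pos + 4 <= len(body):
        atype, alen = struct.unpack(">HH", body[pos:pos + 4])   # 16-bit type, 16-bit length
        value = body[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("attribute 0x%04x runs past the end of the IE" % atype)
        name = WPS_ATTRS.get(atype, "attr_0x%04x" % atype)
        if atype in TEXT_ATTRS:
            attrs[name] = value.decode("ascii", errors="replace")
        elif alen <= 2:
            attrs[name] = int.from_bytes(value, "big")
        else:
            attrs[name] = value.hex()
        pos += 4 + alen
    if pos != len(body):
        raise ValueError("trailing bytes after the last attribute")
    return attrs


def describe(attrs):
    """One-line summary of what the AP is advertising to anyone in range."""
    state = {1: "not configured", 2: "configured"}.get(attrs.get("WPS State"), "unknown")
    return "%s %s (%s), serial %s, WPS %s" % (
        attrs.get("Manufacturer"), attrs.get("Model Name"), attrs.get("Device Name"),
        attrs.get("Serial Number"), state)


if __name__ == "__main__":
    for label, ie in (("Cell 02 otrared", CELL02_IE), ("Cell 04 Red-Dario", CELL04_IE)):
        print(label + ":", describe(parse_wps_ie(ie)))
```

Run as-is it prints the make/model/device name of the two neighbouring APs; the same function works on any `IE: Unknown: DD...` line whose bytes 3 to 6 are `00 50 F2 04`.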

I restarted everything, but now with everything connected and wifi enabled (on the router), from my PC connected by ethernet (with wifi turned off) I get:

fernando@hp:~$ nmap -sP 192.168.1.*

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-02 16:01 ART
Host 192.168.1.1 is up (0.0061s latency).
Host 192.168.1.104 is up (0.0037s latency).
Host 192.168.1.106 is up (0.00048s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 7.12 seconds
fernando@hp:~$ arp -a
bash: arp: command not found
fernando@hp:~$ su
Password:
hp:/home/fernando# arp -a
? (192.168.1.18) at <incomplete> on eth0
? (192.168.1.165) at <incomplete> on eth0
? (192.168.1.109) at <incomplete> on eth0
? (192.168.1.167) at <incomplete> on eth0
? (192.168.1.117) at <incomplete> on eth0
? (192.168.1.100) at <incomplete> on eth0
? (192.168.1.39) at <incomplete> on eth0
^C
hp:/home/fernando# nmap -sP 192.168.1.*

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-02 16:02 ART
Host 192.168.1.1 is up (0.00082s latency).
MAC Address: 00:23:CD:14:42:7E (Tp-link Technologies CO.)
Host 192.168.1.2 is up (0.030s latency).
MAC Address: C4:46:19:72:27:B9 (Unknown)
Host 192.168.1.4 is up (0.065s latency).
MAC Address: 00:1B:B9:C6:D5:2D (Elitegroup Computer System Co.)
Host 192.168.1.5 is up (0.096s latency).
MAC Address: 00:30:67:27:BF:AA (Biostar Microtech Int'l)
Host 192.168.1.100 is up (0.055s latency).
MAC Address: 00:E0:4D:8D:6B:C6 (Internet Initiative Japan)
Host 192.168.1.104 is up (0.00016s latency).
MAC Address: 00:08:54:46:7B:60 (Netronix)
Host 192.168.1.106 is up.
Host 192.168.1.110 is up (0.070s latency).
MAC Address: 00:E0:4D:31:5B:0B (Internet Initiative Japan)
Nmap done: 256 IP addresses (8 hosts up) scanned in 13.11 seconds
hp:/home/fernando#

I get the same result if I connect over wifi.

note: the router has MAC authentication.
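
A quick way to turn the repeated `nmap -sP 192.168.1.*` sweeps in this and the previous post into something you can act on is to keep an allowlist of the hardware addresses you own, diff each sweep against it, and diff consecutive sweeps against each other: the same IP answering from a different MAC between two runs (192.168.1.2 does exactly that between the 14:21 and 16:02 sweeps) is the detail to chase, because a DHCP client keeps the same MAC even when its lease changes. The script below is an added example, not part of the original posts; it parses the two sweeps as posted, and the allowlist is an assumption built from the poster's own list of what is theirs (the router at 192.168.1.1 and the Debian server at 192.168.1.104). One caveat on the `arp -a` output: an `<incomplete>` entry only means the kernel sent an ARP request for that address and got no reply. A sweep that goes through the kernel's IP stack instead of raw ARP frames, which is what nmap does when run without root as in the `fernando@hp:~$ nmap -sP` run, leaves one of those behind for every address that did not answer, so those entries are not by themselves evidence of hosts.

```python
import ipaddress
import re

# Two of the "nmap -sP 192.168.1.*" runs from the thread, copied as posted (14:21 and 16:02).
SCAN_1421 = """\
Host 192.168.1.1 is up (0.00069s latency).
MAC Address: 00:23:CD:14:42:7E (Tp-link Technologies CO.)
Host 192.168.1.2 is up (0.028s latency).
MAC Address: 00:25:D3:1B:03:CA (AzureWave Technologies)
Host 192.168.1.5 is up (0.079s latency).
MAC Address: 00:30:67:27:BF:AA (Biostar Microtech Int'l)
Host 192.168.1.104 is up (0.00025s latency).
MAC Address: 00:08:54:46:7B:60 (Netronix)
Host 192.168.1.106 is up.
Host 192.168.1.110 is up (0.070s latency).
MAC Address: 00:E0:4D:31:5B:0B (Internet Initiative Japan)
"""
SCAN_1602 = """\
Host 192.168.1.1 is up (0.00082s latency).
MAC Address: 00:23:CD:14:42:7E (Tp-link Technologies CO.)
Host 192.168.1.2 is up (0.030s latency).
MAC Address: C4:46:19:72:27:B9 (Unknown)
Host 192.168.1.4 is up (0.065s latency).
MAC Address: 00:1B:B9:C6:D5:2D (Elitegroup Computer System Co.)
Host 192.168.1.5 is up (0.096s latency).
MAC Address: 00:30:67:27:BF:AA (Biostar Microtech Int'l)
Host 192.168.1.100 is up (0.055s latency).
MAC Address: 00:E0:4D:8D:6B:C6 (Internet Initiative Japan)
Host 192.168.1.104 is up (0.00016s latency).
MAC Address: 00:08:54:46:7B:60 (Netronix)
Host 192.168.1.106 is up.
Host 192.168.1.110 is up (0.070s latency).
MAC Address: 00:E0:4D:31:5B:0B (Internet Initiative Japan)
"""

# Assumed allowlist: the devices the poster says are theirs. The scanning host itself
# (192.168.1.106) never gets a "MAC Address:" line from nmap, so it is skipped, not flagged.
KNOWN_MACS = {
    "00:23:cd:14:42:7e": "TD-W8901G router (192.168.1.1)",
    "00:08:54:46:7b:60": "Debian server (192.168.1.104)",
}

HOST_RE = re.compile(r"^Host (\S+) is up")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")


def parse_nmap_sp(text):
    """Map IP -> (mac, vendor) from nmap -sP text; (None, None) for the scanner's own entry."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = (None, None)
            continue
        m = MAC_RE.match(line)
        if m and current is not None:        # MAC line belongs to the Host line just before it
            hosts[current] = (m.group(1).lower(), m.group(2))
            current = None
    return hosts


def _by_ip(item):
    return ipaddress.ip_address(item[0] if isinstance(item, tuple) else item)


def unknown_hosts(scan, known=KNOWN_MACS):
    """(ip, mac, vendor) for every host whose MAC is not on the allowlist."""
    return sorted(((ip, mac, vendor) for ip, (mac, vendor) in scan.items()
                   if mac is not None and mac not in known), key=_by_ip)


def mac_changes(earlier, later):
    """(ip, old_mac, new_mac) where the same IP answered from a different MAC."""
    changes = []
    for ip in earlier.keys() & later.keys():
        a, b = earlier[ip][0], later[ip][0]
        if a and b and a != b:
            changes.append((ip, a, b))
    return sorted(changes, key=_by_ip)


def new_hosts(earlier, later):
    """IPs that were up in the later sweep but not in the earlier one."""
    return sorted(set(later) - set(earlier), key=_by_ip)


if __name__ == "__main__":
    a, b = parse_nmap_sp(SCAN_1421), parse_nmap_sp(SCAN_1602)
    print("not on allowlist (16:02):", unknown_hosts(b))
    print("new since 14:21:", new_hosts(a, b))
    print("IP kept, MAC changed:", mac_changes(a, b))
```

The functions take any `nmap -sP` text, so feeding it each new sweep (and the 08:48, 08:50 and 08:51 runs later in the thread) gives a running list of which addresses are strangers and which ones keep changing hardware address.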

you need to narrow it down

1 - test with ethernet only
2 - test with wifi only
3 - try clearing the cache.

ok, yes, I'll do it later; I ran wireshark to capture the network traffic

more or less this is a summary:

15 36.394687 192.168.1.2 192.168.1.255 NBNS Name query NB SBI.COM.MX<00>
0000  ff ff ff ff ff ff 00 25  d3 1b 03 ca 08 00 45 00   .......% ......E.
0010  00 4e 61 5f 00 00 80 11  54 ee c0 a8 01 02 c0 a8   .Na_.... T.......
0020  01 ff 00 89 00 89 00 3a  33 14 b3 8b 01 10 00 01   .......: 3.......
0030  00 00 00 00 00 00 20 46  44 45 43 45 4a 43 4f 45   ...... F DECEJCOE
0040  44 45 50 45 4e 43 4f 45  4e 46 49 43 41 43 41 43   DEPENCOE NFICACAC
0050  41 43 41 43 41 41 41 00  00 20 00 01               ACACAAA. . ..   
---
16 37.182069 192.168.1.2 192.168.1.255 NBNS Name query NB SBI.COM.MX<00>
0000  ff ff ff ff ff ff 00 25  d3 1b 03 ca 08 00 45 00   .......% ......E.
0010  00 4e 61 6f 00 00 80 11  54 de c0 a8 01 02 c0 a8   .Nao.... T.......
0020  01 ff 00 89 00 89 00 3a  33 14 b3 8b 01 10 00 01   .......: 3.......
0030  00 00 00 00 00 00 20 46  44 45 43 45 4a 43 4f 45   ...... F DECEJCOE
0040  44 45 50 45 4e 43 4f 45  4e 46 49 43 41 43 41 43   DEPENCOE NFICACAC
0050  41 43 41 43 41 41 41 00  00 20 00 01               ACACAAA. . ..   
---
17 37.890398 192.168.1.2 192.168.1.255 NBNS Name query NB SBI.COM.MX<00>
0000  ff ff ff ff ff ff 00 25  d3 1b 03 ca 08 00 45 00   .......% ......E.
0010  00 4e 61 81 00 00 80 11  54 cc c0 a8 01 02 c0 a8   .Na..... T.......
0020  01 ff 00 89 00 89 00 3a  33 14 b3 8b 01 10 00 01   .......: 3.......
0030  00 00 00 00 00 00 20 46  44 45 43 45 4a 43 4f 45   ...... F DECEJCOE
0040  44 45 50 45 4e 43 4f 45  4e 46 49 43 41 43 41 43   DEPENCOE NFICACAC
0050  41 43 41 43 41 41 41 00  00 20 00 01               ACACAAA. . ..   
---
18 38.126688 192.168.1.2 192.168.1.255 BROWSER Local Master Announcement WINDOWS, Workstation, Server, NT Workstation, Potential Browser, Master Browser
0000  ff ff ff ff ff ff 00 16  ec 68 cf 3b 08 00 45 00   ........ .h.;..E.
0010  00 e5 3b d2 00 00 80 11  79 e4 c0 a8 01 02 c0 a8   ..;..... y.......
0020  01 ff 00 8a 00 8a 00 d1  71 b8 11 02 80 46 c0 a8   ........ q....F..
0030  01 02 00 8a 00 bb 00 00  20 46 48 45 4a 45 4f 45   ........  FHEJEOE
0040  45 45 50 46 48 46 44 43  41 43 41 43 41 43 41 43   EEPFHFDC ACACACAC
0050  41 43 41 43 41 43 41 43  41 00 20 45 48 46 43 46   ACACACAC A. EHFCF
0060  46 46 41 45 50 46 50 46  45 46 43 45 42 45 43 45   FFAEPFPF EFCEBECE
0070  42 45 4b 45 50 43 41 43  41 42 4f 00 ff 53 4d 42   BEKEPCAC ABO..SMB
0080  25 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   %....... ........
0090  00 00 00 00 00 00 00 00  00 00 00 00 11 00 00 21   ........ .......!
00a0  00 00 00 00 00 00 00 00  00 e8 03 00 00 00 00 00   ........ ........
00b0  00 00 00 21 00 56 00 03  00 01 00 00 00 02 00 32   ...!.V.. .......2
00c0  00 5c 4d 41 49 4c 53 4c  4f 54 5c 42 52 4f 57 53   .\MAILSL OT\BROWS
00d0  45 00 0f 00 80 fc 0a 00  57 49 4e 44 4f 57 53 00   E....... WINDOWS.
00e0  00 00 00 00 00 00 53 00  05 01 03 10 05 00 0f 01   ......S. ........
00f0  55 aa 00                                           U..            
--
19 177.987169 192.168.1.2 192.168.1.255 BROWSER Host Announcement CHALOMICA-PC, Workstation, Server, Print Queue Server, NT Workstation, Potential Browser
0000  ff ff ff ff ff ff 00 25  d3 1b 03 ca 08 00 45 00   .......% ......E.
0010  00 e5 63 2e 00 00 80 11  52 88 c0 a8 01 02 c0 a8   ..c..... R.......
0020  01 ff 00 8a 00 8a 00 d1  35 c2 11 02 b3 8d c0 a8   ........ 5.......
0030  01 02 00 8a 00 bb 00 00  20 45 44 45 49 45 42 45   ........  EDEIEBE
0040  4d 45 50 45 4e 45 4a 45  44 45 42 43 4e 46 41 45   MEPENEJE DEBCNFAE
0050  44 43 41 43 41 43 41 43  41 00 20 46 48 45 50 46   DCACACAC A. FHEPF
0060  43 45 4c 45 48 46 43 45  50 46 46 46 41 43 41 43   CELEHFCE PFFFACAC
0070  41 43 41 43 41 43 41 43  41 42 4e 00 ff 53 4d 42   ACACACAC ABN..SMB
0080  25 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   %....... ........
0090  00 00 00 00 00 00 00 00  00 00 00 00 11 00 00 21   ........ .......!
00a0  00 00 00 00 00 00 00 00  00 e8 03 00 00 00 00 00   ........ ........
00b0  00 00 00 21 00 56 00 03  00 01 00 00 00 02 00 32   ...!.V.. .......2
00c0  00 5c 4d 41 49 4c 53 4c  4f 54 5c 42 52 4f 57 53   .\MAILSL OT\BROWS
00d0  45 00 01 00 80 fc 0a 00  43 48 41 4c 4f 4d 49 43   E....... CHALOMIC
00e0  41 2d 50 43 00 00 00 00  06 01 03 12 01 00 0f 01   A-PC.... ........
00f0  55 aa 00                                           U..    
--
20 188.898070 192.168.1.2 192.168.1.255 NBNS Name query NB WPAD<00>
0000  ff ff ff ff ff ff 00 25  d3 1b 03 ca 08 00 45 00   .......% ......E.
0010  00 4e 64 13 00 00 80 11  52 3a c0 a8 01 02 c0 a8   .Nd..... R:......
0020  01 ff 00 89 00 89 00 3a  85 19 b3 8e 01 10 00 01   .......: ........
0030  00 00 00 00 00 00 20 46  48 46 41 45 42 45 45 43   ...... F HFAEBEEC
0040  41 43 41 43 41 43 41 43  41 43 41 43 41 43 41 43   ACACACAC ACACACAC
0050  41 43 41 43 41 41 41 00  00 20 00 01               ACACAAA. . ..   

this is only for 192.168.1.2, I don't know whether anything can be concluded from it.

later I'll look at the other IPs that show up, with:

hp:/home/fernando# arp -a
? (192.168.1.253) at <incomplete> on eth0
? (192.168.1.221) at <incomplete> on eth0
? (192.168.1.173) at <incomplete> on eth0
? (192.168.1.90) at <incomplete> on eth0
? (192.168.1.182) at <incomplete> on eth0
? (192.168.1.110) at <incomplete> on eth0
? (192.168.1.192) at <incomplete> on eth0
? (192.168.1.36) at <incomplete> on eth0
^C
hp:/home/fernando# nmap -A  192.168.1.2

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-03 08:47 ART

hp:/home/fernando# nmap -sP 192.168.1.*

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-03 08:48 ART
Host 192.168.1.1 is up (0.00076s latency).
MAC Address: 00:23:CD:14:42:7E (Tp-link Technologies CO.)
Host 192.168.1.2 is up (0.030s latency).
MAC Address: 00:E0:4D:41:7A:82 (Internet Initiative Japan)
Host 192.168.1.100 is up (0.20s latency).
MAC Address: 00:E0:4D:8D:6B:C6 (Internet Initiative Japan)
Host 192.168.1.104 is up (0.00021s latency).
MAC Address: 00:08:54:46:7B:60 (Netronix)
Host 192.168.1.105 is up.
Host 192.168.1.110 is up (0.069s latency).
MAC Address: 00:19:21:03:4F:8B (Elitegroup Computer System Co.)
Nmap done: 256 IP addresses (6 hosts up) scanned in 8.73 seconds
hp:/home/fernando#
hp:/home/fernando# nmap -sP 192.168.1.*

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-03 08:50 ART
Host 192.168.1.1 is up (0.00077s latency).
MAC Address: 00:23:CD:14:42:7E (Tp-link Technologies CO.)
Host 192.168.1.2 is up (0.024s latency).
MAC Address: 00:E0:4D:41:7A:82 (Internet Initiative Japan)
Host 192.168.1.100 is up (0.097s latency).
MAC Address: 00:E0:4D:8D:6B:C6 (Internet Initiative Japan)
Host 192.168.1.104 is up (0.00019s latency).
MAC Address: 00:08:54:46:7B:60 (Netronix)
Host 192.168.1.105 is up.
Host 192.168.1.110 is up (0.065s latency).
MAC Address: 00:19:21:03:4F:8B (Elitegroup Computer System Co.)
Nmap done: 256 IP addresses (6 hosts up) scanned in 8.37 seconds
hp:/home/fernando# arp -a
? (192.168.1.253) at <incomplete> on eth0
? (192.168.1.221) at <incomplete> on eth0
? (192.168.1.173) at <incomplete> on eth0
^C
hp:/home/fernando# nmap -sP 192.168.1.*

Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-03 08:51 ART
Host 192.168.1.1 is up (0.00079s latency).
MAC Address: 00:23:CD:14:42:7E (Tp-link Technologies CO.)
Host 192.168.1.2 is up (0.030s latency).
MAC Address: 00:1B:B9:E5:8A:55 (Elitegroup Computer System Co.)
Host 192.168.1.104 is up (0.00019s latency).
MAC Address: 00:08:54:46:7B:60 (Netronix)
Host 192.168.1.105 is up.
Stats: 0:00:07 elapsed; 106 hosts completed (4 up), 150 undergoing ARP Ping Scan
ARP Ping Scan Timing: About 40.33% done; ETC: 08:51 (0:00:03 remaining)
Host 192.168.1.110 is up (0.062s latency).
MAC Address: 00:19:21:03:4F:8B (Elitegroup Computer System Co.)
Nmap done: 256 IP addresses (5 hosts up) scanned in 8.16 seconds
hp:/home/fernando#


Host 192.168.1.2 is up (0.030s latency). and
Host 192.168.1.110 is up (0.062s latency).

I forgot, wireshark has the columns:
[no,time,source,destination,Protocol,info]
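
Those Wireshark lines do say something. They are the NetBIOS traffic a Windows host broadcasts on its own: NBNS name queries on UDP/137 (the 32-letter string in the hex dump is the NetBIOS first-level encoding of the name shown in the Info column, and `WPAD<00>` is the host looking for a proxy auto-configuration server) and browser announcements on UDP/138. The detail most worth checking is in the Ethernet header: frames 15, 16, 17, 19 and 20 come from 00:25:d3:1b:03:ca, but frame 18, also sent as 192.168.1.2, comes from 00:16:ec:68:cf:3b. The decoder below is an added example, not code from the thread; it rebuilds the raw bytes from the hex dump as pasted (Wireshark's fixed-width text layout), walks Ethernet/IPv4/UDP, decodes the NetBIOS names in frames 15 and 18, and flags any source IP seen with more than one source MAC in the capture.

```python
import re
import struct

# Frames 15 and 18 from the Wireshark dump above, copied as pasted (offset, hex bytes, ASCII).
# Raw strings because the ASCII column of frame 18 contains backslashes.
FRAME_15 = r"""
0000  ff ff ff ff ff ff 00 25  d3 1b 03 ca 08 00 45 00   .......% ......E.
0010  00 4e 61 5f 00 00 80 11  54 ee c0 a8 01 02 c0 a8   .Na_.... T.......
0020  01 ff 00 89 00 89 00 3a  33 14 b3 8b 01 10 00 01   .......: 3.......
0030  00 00 00 00 00 00 20 46  44 45 43 45 4a 43 4f 45   ...... F DECEJCOE
0040  44 45 50 45 4e 43 4f 45  4e 46 49 43 41 43 41 43   DEPENCOE NFICACAC
0050  41 43 41 43 41 41 41 00  00 20 00 01               ACACAAA. . ..
"""
FRAME_18 = r"""
0000  ff ff ff ff ff ff 00 16  ec 68 cf 3b 08 00 45 00   ........ .h.;..E.
0010  00 e5 3b d2 00 00 80 11  79 e4 c0 a8 01 02 c0 a8   ..;..... y.......
0020  01 ff 00 8a 00 8a 00 d1  71 b8 11 02 80 46 c0 a8   ........ q....F..
0030  01 02 00 8a 00 bb 00 00  20 46 48 45 4a 45 4f 45   ........  FHEJEOE
0040  45 45 50 46 48 46 44 43  41 43 41 43 41 43 41 43   EEPFHFDC ACACACAC
0050  41 43 41 43 41 43 41 43  41 00 20 45 48 46 43 46   ACACACAC A. EHFCF
0060  46 46 41 45 50 46 50 46  45 46 43 45 42 45 43 45   FFAEPFPF EFCEBECE
0070  42 45 4b 45 50 43 41 43  41 42 4f 00 ff 53 4d 42   BEKEPCAC ABO..SMB
0080  25 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   %....... ........
0090  00 00 00 00 00 00 00 00  00 00 00 00 11 00 00 21   ........ .......!
00a0  00 00 00 00 00 00 00 00  00 e8 03 00 00 00 00 00   ........ ........
00b0  00 00 00 21 00 56 00 03  00 01 00 00 00 02 00 32   ...!.V.. .......2
00c0  00 5c 4d 41 49 4c 53 4c  4f 54 5c 42 52 4f 57 53   .\MAILSL OT\BROWS
00d0  45 00 0f 00 80 fc 0a 00  57 49 4e 44 4f 57 53 00   E....... WINDOWS.
00e0  00 00 00 00 00 00 53 00  05 01 03 10 05 00 0f 01   ......S. ........
00f0  55 aa 00                                           U..
"""
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}$")


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from Wireshark's text dump: the hex bytes occupy columns 6..53."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        tokens = line[6:54].split()          # never touches the ASCII column (starts at 57)
        if not tokens or not all(HEX_BYTE.match(t) for t in tokens):
            raise ValueError("unexpected hex dump line: %r" % line)
        out += bytes.fromhex("".join(tokens))
    return bytes(out)


def decode_nb_name(enc):
    """NetBIOS first-level decoding: 32 letters A..P, one nibble each -> 15-char name + suffix."""
    if len(enc) != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii", errors="replace").rstrip(), raw[15]


def parse_frame(dump):
    """Ethernet/IPv4/UDP headers, then NBNS (port 137) or NetBIOS datagram (port 138) fields."""
    pkt = hexdump_to_bytes(dump)
    src_mac = ":".join("%02x" % b for b in pkt[6:12])
    if struct.unpack(">H", pkt[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack(">HHH", udp[0:6])
    payload = udp[8:ulen]
    info = {"src_mac": src_mac, "src_ip": ".".join(map(str, ip[12:16])),
            "dst_ip": ".".join(map(str, ip[16:20])), "sport": sport, "dport": dport}
    if dport == 137:
        # NBNS: DNS-style 12-byte header, one question whose name is a single 32-char label
        txid, flags = struct.unpack(">HH", payload[0:4])
        name_len = payload[12]
        name, suffix = decode_nb_name(payload[13:13 + name_len])
        qtype = struct.unpack(">H", payload[14 + name_len:16 + name_len])[0]
        info.update(kind="NBNS query", txid=txid, flags=flags, name=name, suffix=suffix, qtype=qtype)
    elif dport == 138:
        # NBDS: 14-byte header (type, flags, id, src ip, src port, len, offset), then src and dst names
        if payload[14] != 0x20 or payload[48] != 0x20:
            raise ValueError("unexpected NetBIOS datagram layout")
        src_name, src_suffix = decode_nb_name(payload[15:47])
        dst_name, dst_suffix = decode_nb_name(payload[49:81])
        info.update(kind="NBDS datagram", msg_type=payload[0], src_name=src_name,
                    src_suffix=src_suffix, dst_name=dst_name, dst_suffix=dst_suffix)
    return info


def ip_mac_conflicts(frames):
    """Source IPs that appear with more than one source MAC in the same capture."""
    seen = {}
    for f in frames:
        seen.setdefault(f["src_ip"], set()).add(f["src_mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    frames = [parse_frame(FRAME_15), parse_frame(FRAME_18)]
    for f in frames:
        print(f)
    print("IPs seen with more than one MAC:", ip_mac_conflicts(frames))
```

On these two frames the output shows the NBNS query for `SBI.COM.MX<00>`, a browser datagram from `WINDOWS<20>` to the workgroup `GRUPO_TRABAJO<1E>`, and 192.168.1.2 listed with two source MACs. The same `parse_frame` works on any of the other dumps in the post if you paste them in the same way.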

Well, I managed to solve the problem.

Summary of what was happening:

- upon reconnecting, after resetting the router to get a new public IP, the browser redirected me to another person's router page. I started noticing active hosts on my network that shouldn't be there (using the command nmap -sP 192.168.1.*). Other phenomena: I could see the traffic (with wireshark) of these ghost hosts, and the link lights of the router's active ports were blinking while the machines connected to them had no processes generating network traffic.

What I did:
- replaced that router (tp-link TD-W8901G) with the "huawei mt882" that arnet supplies when you sign up for the service (it comes preconfigured with their own settings), and saw that everything worked normally.

- reconnected the tp-link, reset it to factory defaults and updated the firmware.
When I configured it, I set the "virtual circuit" (PVC) wrong; when I realised, I disabled it and configured the correct one. It was still the same as before.
I reset it to the default values again, configured it with the correct values, and it was fixed.

Possible causes.
- Some internal overflow; all this started more or less after a huge file transfer over ftp and after opening port 8080. Other factors: heat, or a power surge did some damage to the device's software, or all of it together, I don't know.

Even so, tp-link's firmware could use a little polishing; I was looking at an alternative firmware (DD-WRT), but it isn't supported on tp-link routers.

Move it to Solved

The DD-WRT firmware is thoroughly recommended; but you need a supported router.
The device gains a great deal in performance and configurability.