#1

Can anyone help with this problem?

I have installed a wireless network.

I have a Desktop PC and two laptops, all running Win XP. The desktop connects to the net via a USB ADSL modem.

I've set them up as an ad hoc wireless network using a Wireless Access Point on the desktop and PCMCIA wireless network cards in the laptops.

All is working fine (despite the instructions supplied with the kit being as much use as a chocolate teapot.) after several hours of setting it up and a lot of looking stuff up online. All three machines can see each other, share files and access the net.

However, I have noticed that the modem is now constantly active. If I click on the connection properties, despite there having been little to no net activity, in 45 minutes it has sent over 55MB of data.

I've literally cold booted all three machines and yet still as soon as the network is up and running the uplink activity starts.

Any ideas anyone?

--
Mike Plowman
Coronation Street Visual Updates - www.csvu.net
"There was life before Coronation Street, but it didn't amount to much." Russell Harty

#2

On Tue, 02 Sep 2003 21:24:54 +0100, Mike Plowman <(E-Mail Removed)> wrote:

>Can anyone help with this problem?
>
>I have installed a wireless network.
>
>I have a Desktop PC and two laptops, all running Win XP. The desktop
>connects to the net via a USB ADSL modem.
>
>I've set them up as an ad hoc wireless network using a Wireless Access
>Point on the desktop and PCMCIA wireless network cards in the laptops.
>
>All is working fine (despite the instructions supplied with the kit
>being as much use as a chocolate teapot.) after several hours of
>setting it up and a lot of looking stuff up online. All three machines
>can see each other, share files and access the net.
>
>However, I have noticed that the modem is now constantly active. If I
>click on the connection properties, despite there having been little
>to no net activity, in 45 minutes it has sent over 55MB of data.
>
>I've literally cold booted all three machines and yet still as soon as
>the network is up and running the uplink activity starts.
>Any ideas anyone?

Have you checked your machines for viruses or trojans?

Are the updates on your machines up to date?

Have you set your access point to ONLY allow traffic from MAC addresses corresponding to the cards in the two laptops?

Have you turned on WEP?

Have you turned off SSID broadcasting?

Can you check that ONLY your two laptops are connecting to your access point?

Because right now it sounds like your network is wide open and owned by someone else.

--
"I doubt if such a word exists, and if it does, it shouldn't", retorted Purvis, with the aplomb of Sir Alan Herbert dropping a particularly revolting neologism into his killing jar.
-- Arthur C. Clarke

#3

On Tue, 02 Sep 2003 22:16:28 +0100, Derek <(E-Mail Removed)> wrote:

>Have you checked your machines for viruses or trojans?

Yes, as mentioned in earlier post I had the W32/Nachi worm.

>Are the updates on your machines up to date?

They are now.

>Have you set your access point to ONLY allow traffic from MAC
>addresses corresponding to the cards in the two laptops?

I'm using a D-Link DWL2000AP. Can't find anything that would let me do that.

>Have you turned on WEP?

Yes.

>Have you turned off SSID broadcasting?

Not yet. Once all the machines are clean I will disconnect the WAP. Unfortunately I need to download some work stuff before I can take it off.

>Can you check that ONLY your two laptops are connecting to your access
>point?

I'm not sure how I'd do that. The application manager supplied with the unit doesn't show what's connected to it in ad-hoc/peer to peer mode. Is there a way to check?

>Because right now it sounds like your network is wide open and owned
>by someone else.

I'm in the UK where Wi-Fi isn't exactly widespread and know all my neighbours within range. Most of them don't even have a PC let alone a network, and the range on this unit isn't exactly wide. Plus, wouldn't they need to know the SSID?

One machine still to be cleaned and it's reduced the amount of data being sent out in 20mins from 20Mb to less than 10 so hopefully it's just the worm that's caused it. McAfee's site says it causes vastly increased ICMP traffic. Fingers crossed.

Wasn't life a lot simpler when we all had Commodore Amigas and floppy disk drives?

--
Mike Plowman
Coronation Street Visual Updates - www.csvu.net
"There was life before Coronation Street, but it didn't amount to much." Russell Harty

#4

On Tue, 02 Sep 2003 23:15:26 +0100, Mike Plowman <(E-Mail Removed)> wrote:

>On Tue, 02 Sep 2003 22:16:28 +0100, Derek <(E-Mail Removed)>
>wrote:
>
>>Have you checked your machines for viruses or trojans?
>
>Yes, as mentioned in earlier post I had the W32/Nachi worm.

Ahm ... that doesn't seem to have made it out.

>>Are the updates on your machines up to date?
>
>They are now.

Good.

>>Have you set your access point to ONLY allow traffic from MAC
>>addresses corresponding to the cards in the two laptops?
>>
>I'm using a D-Link DWL2000AP. Can't find anything that would let me do
>that.

I would have to admit that I'm somewhat shocked by that.

>>Have you turned on WEP?
>
>Yes.

You may wish to consider changing the keys on a regular basis.

>>Can you check that ONLY your two laptops are connecting to your access
>>point?
>
>I'm not sure how I'd do that. The application manager supplied with
>the unit doesn't show what's connected to it in ad-hoc/peer to peer
>mode. Is there a way to check?

You might try "netstat -a -n" on the machine that's sharing your internet connection and filter it for addresses in the range that's being allocated by DHCP. (I'm assuming that you're using ICS)

By "the application manager", would you mean the logging facility on the AP?

>>Because right now it sounds like your network is wide open and owned
>>by someone else.
>
> I'm in the UK where Wi-Fi isn't exactly widespread and know all my
>neighbours within range. Most of them don't even have a PC let alone a
>network, and the range on this unit isn't exactly wide.

Mike, excuse me for sounding very P/O'd, but, despite the news server I post through, I'm in the UK too; one of the things I'm seeing is an increasing number of unsecured wireless networks, which really are just ripe for abuse.

BTW, you were infected from the internet by something for which workrounds and a vendor patch have been available for, what, 6 weeks now.

> Plus,
>wouldn't they need to know the SSID?

That would be why you need to turn off SSID broadcast if you possibly can.

>One machine still to be cleaned and it's reduced the amount of data
>being sent out in 20mins from 20Mb to less than 10 so hopefully it's
>just the worm that's caused it. McAfee's site says it causes vastly
>increased ICMP traffic. Fingers crossed.

Be thankful it wasn't something that acts as a backdoor or dropper.

>Wasn't life a lot simpler when we all had Commodore Amigas and floppy
>disk drives?

At the time, I was using ST's as a cheap development platform for 68Ks.

Which games manufacturer was it that issued a bunch of infected disks for the Amiga? You must remember the one, it blanked the screen, and caused a lot of Amigas to be returned as faulty.

Derek
--
The Seventh Commandment for Technicians: Work thou not on energized equipment, for if thou dost, thy fellow workers will surely buy beers for thy widow and console her in other ways.
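
Added example (not part of the original thread): one way to do the "netstat -a -n" filtering suggested in post #4. It assumes the default Windows XP ICS layout (sharing host on 192.168.0.1, clients in 192.168.0.0/24); the netstat output and the laptop addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Assumption: default Windows XP ICS addressing; change if your LAN differs.
ICS_NET = ipaddress.ip_network("192.168.0.0/24")
ICS_HOST = ipaddress.ip_address("192.168.0.1")

# Constructed sample of `netstat -a -n` output from the ICS host.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        192.168.0.2:1037       ESTABLISHED
  TCP    192.168.0.1:445        192.168.0.3:1044       ESTABLISHED
  TCP    192.168.0.1:139        192.168.0.57:1102      ESTABLISHED
  TCP    192.168.0.1:445        192.168.0.57:1103      TIME_WAIT
  TCP    198.51.100.7:1250      203.0.113.10:80        ESTABLISHED
  UDP    192.168.0.1:137        *:*
"""

def lan_peers(netstat_text, net=ICS_NET, host=ICS_HOST):
    """Map each foreign address inside `net` to its (proto, local, state) rows."""
    peers = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, foreign = fields[:3]
        state = fields[3] if len(fields) > 3 else ""  # UDP rows have no state
        try:
            ip = ipaddress.ip_address(foreign.rsplit(":", 1)[0])
        except ValueError:
            continue  # "*:*" on UDP listeners
        if ip in net and ip != host:
            peers.setdefault(str(ip), []).append((proto, local, state))
    return peers

def unknown_peers(netstat_text, known):
    """Peers on the shared LAN whose address is not one of the known machines."""
    return {ip: rows for ip, rows in lan_peers(netstat_text).items()
            if ip not in known}

if __name__ == "__main__":
    laptops = {"192.168.0.2", "192.168.0.3"}  # constructed laptop addresses
    for ip, rows in unknown_peers(SAMPLE, laptops).items():
        print("unexpected LAN client", ip, rows)
```

netstat only lists sockets on the sharing host itself, so a client that merely routes through ICS without opening a connection to the host will not show up; the host's ARP cache (`arp -a`) is a complementary check.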

#5

On Wed, 03 Sep 2003 00:43:28 +0100, Derek <(E-Mail Removed)> wrote:

>Mike, excuse me for sounding very P/O'd, but, despite the news server I
>post through, I'm in the UK too; one of the things I'm seeing is an
>increasing number of unsecured wireless networks, which really are
>just ripe for abuse.
>
>BTW, you were infected from the internet by something for which
>workrounds and a vendor patch have been available for, what, 6
>weeks now.

Not according to McAfee. The worm was identified on the 18/08/03. I'm no historian but that seems rather less than six weeks to me! :-)

But as you correctly state, it was totally my own fault.

>> Plus,
>>wouldn't they need to know the SSID?
>
>That would be why you need to turn off SSID broadcast if you possibly
>can.
>
>>One machine still to be cleaned and it's reduced the amount of data
>>being sent out in 20mins from 20Mb to less than 10 so hopefully it's
>>just the worm that's caused it. McAfee's site says it causes vastly
>>increased ICMP traffic. Fingers crossed.
>
>Be thankful it wasn't something that acts as a backdoor or dropper.

I am. No-one else to blame but myself for being too keen to see if the wireless network would work instead of taking care of the basics first. Lesson learned.

Anyway, all three machines fully updated and up to date AV on and the problem is solved! Steep learning curve over the last couple of days but it's been very useful.

>>Wasn't life a lot simpler when we all had Commodore Amigas and floppy
>>disk drives?
>
>At the time, I was using ST's as a cheap development platform for
>68Ks.

A better machine than the Amiga but the Amiga sold because of the vast number of games available.

>Which games manufacturer was it that issued a bunch of infected disks
>for the Amiga? You must remember the one, it blanked the screen, and
>caused a lot of Amigas to be returned as faulty.

I don't recall that one I'm afraid. I've always been useless at computer games!

Anyway, thanks again for the tips and advice. Very much appreciated indeed.

All the best
--
Mike Plowman
Coronation Street Visual Updates - www.csvu.net
"There was life before Coronation Street, but it didn't amount to much." Russell Harty

#6

On Wed, 03 Sep 2003 13:21:46 +0100, Tim <(E-Mail Removed)> wrote:

>Just because there was nothing taking advantage of the vulnerability
>until this worm was identified does not mean that the security
>vulnerability was not there, nor that there were no vendor patches or
>workarounds. Best (and sane) practice is to patch holes BEFORE
>something comes along to use them, not after a worm/virus/exploit is
>identified in the wild.

A very good point. I have to confess I've never much bothered with Windows updates in the past but have set the network to check and install any new ones in the wee small hours in future.

>I strongly advise everyone to subscribe to the security mailing list
>from their OS Vendor so they are aware of holes and patch them before
>exploits/worms/viruses appear. MSBlast wouldn't have been half the
>problem it was if people had patched when MS released the patch (apart
>from people who patched, then updated to 2k SP4, which disabled the
>sodding patch, meaning you needed to re-apply it).

Good old MS.

--
Mike Plowman
Coronation Street Visual Updates - www.csvu.net
"There was life before Coronation Street, but it didn't amount to much." Russell Harty