Wireless LAN got hacked into
Hi
Couple of months back I was testing Linux with different encryption
levels and left the encryption level to WEP on my access point. I
normally use WPA2 AES.
Yesterday, I was checking my broadband bill and was surprised to find
out that they had charged me for downloading an extra 4 GB of data. I
checked my usage online for the current month and it was already 8GB!
This is despite the fact that I have been on holiday for ten days, and
my normal usage involves casual browsing and downloading e-mails.
Furthermore, I never exceeded my download limit since I started with
my ISP. My ISP also confirms that this is quite unusual and against my
normal usage pattern. I have asked them to provide me some usage
statistics but they can only give me the data that I already see on my
account online.
I am quite certain that somebody hacked into my wireless lan. But I
want to confirm this. The admin consoles (web interfaces) of my
wireless access point and ADSL modem-router do not give me the option
to see any logs from which I could extract usage stats.
I have read in some posts that one can access log files on routers and
access points. If so, I just want to find out how to do that.
Can anyone help me with this? I'd really appreciate it.
My wireless access point is: EW-7206APg Wireless LAN Access Point
Modem router: Speed Touch 510 Alcatel
Thanks.
On 4 May, 19:47, Yousaf <yousaf.has...@gmail.com> wrote:
> Yesterday, I was checking my broadband bill and was surprised to find
> out that they had charged me for downloading an extra 4 GB of data. I
> checked my usage online for the current month and it was already 8GB!
You might ask them what steps they take to prevent
unsolicited traffic being counted against your bill.
e.g. someone outside trying to connect to you.
They may well not take any and if that is the case
cannot reasonably charge you for downloads.
They may well of course be able to charge unreasonably:)
I have a sophisticated router and in the last 4 days
at least 31866 / 2687544 or 1% of packets have not been
requested by me. Now this is a small amount however
there is every likelihood that some internet routers
receive more than this. Your ISP's IP range could for
example have become the target of a botnet.
Peter Pan
05-04-09, 03:36 PM
"Yousaf" <yousaf.hassan@gmail.com> wrote in message
news:076e5362-6ad0-4bc4-bcec-01825425df7d@r34g2000vbi.googlegroups.com...
>
> Can anyone help me with this? I'd really appreciate it.
>
> My wireless access point is: EW-7206APg Wireless LAN Access Point
> Modem router: Speed Touch 510 Alcatel
>
> Thanks.
Where are you at, are you on cable? and/or did you add video on demand, or
digital voice/voip to your system? Have a Tivo/DVR? Here in Baltimore with
Comcast as the ISP we added DV/Voip in the home, and started using video on
demand... (we already had cable internet) and for some strange reason they
add all video and audio to the data sent/received...
silly q, why not just set your security on wireless back to what it used to
be?
Mike Easter
05-04-09, 06:04 PM
Yousaf wrote:
> left the encryption level to WEP on my access point.
Don't do that.
> I am quite certain that somebody hacked into my wireless lan. But I
> want to confirm this. The admin consoles (web interfaces) of my
> wireless access point and ADSL modem-router do not give me the option
> to see any logs from which I could extract usage stats.
I don't think either of those can be configured to keep logs or to feed
logs to something that will keep logs such as WallWatcher.
> My wireless access point is: EW-7206APg Wireless LAN Access Point
> Modem router: Speed Touch 510 Alcatel
No logs for past events which weren't logged. Probably no logs for future
events that I can find.
Secure your network.
--
Mike Easter
Jeff Liebermann
05-04-09, 11:34 PM
On Mon, 4 May 2009 11:47:07 -0700 (PDT), Yousaf
<yousaf.hassan@gmail.com> wrote:
>Couple of months back I was testing Linux with different encryption
>levels and left the encryption level to WEP on my access point. I
>normally use WPA2 AES.
WEP encryption is an open invitation to hackers. It's now incredibly
easy to crack. In my opinion, WEP should be banned from future
products.
>Yesterday, I was checking my broadband bill and was surprised to find
>out that they had charged me for downloading an extra 4 GB of data. I
>checked my usage online for the current month and it was already 8GB!
>This is despite the fact that I have been on holiday for ten days, and
>my normal usage involves casual browsing and downloading e-mails.
See the lights on the front of the router and DSL modem. They flash
when there's traffic. It takes quite a while to download 4+8GB of
whatever. Didn't you notice the lights flashing?
>Furthermore, I never exceeded my download limit since I started with
>my ISP. My ISP also confirms that this is quite unusual and against my
>normal usage pattern. I have asked them to provide me some usage
>statistics but they can only give me the data that I already see on my
>account online.
<http://www.edimax.com/en/produce_detail.php?pd_id=18&pl1_id=1&pl2_id=5>
The Edimax EW-7206APG runs Linux firmware. I think (not sure and too
lazy to check) that it supports SNMP out of the box. You can set up
MRTG or RRDTool to generate the required traffic history graphs. The
catch is that you'll need to leave the Linux box on 24/7 as a data
collector. Unfortunately, it appears that the EW-7206APg does NOT
support DD-WRT or other alternative Linux based firmware with SNMP.
If not, there's also syslog. I'm again too lazy to check, but if
there's a log page, it might allow you some control over what to log.
You won't get traffic info, but you will get the URL's and IP's of
whatever is generating the traffic.
>I am quite certain that somebody hacked into my wireless lan.
Assumption, the mother of all screwups. Any chance you also have a
virus infected Windoze box that's been compromised and is spewing spam
and garbage all over the internet? If Linux, the most common screwup
is to use RDIST or similar synchronization software sending giant
files. Ask your ISP if the traffic is mostly incoming or outgoing,
which should offer a clue.
>But I
>want to confirm this.
Yep. It's more fun to first assign the blame, then confirm the
first guess. See "witch hunt" for how it's done.
>The admin consoles (web interfaces) of my
>wireless access point and ADSL modem-router do not give me the option
>to see any logs from which I could extract usage stats.
Yep. That's normally not a common feature. Look into DD-WRT
firmware, which does have daily traffic graphs. However, that might
require a new wireless access point.
>I have read in some posts that one can access log files on routers and
>access points. If so, I just want to find out how to do that.
The log files are usually wiped after a power cycle. DD-WRT retains
the log files in NVRAM, but that's unusual. More commonly, the
traffic data is sent to a syslog server, or collected via an SNMP
logger. Some routers also have a feature to email or ftp the syslog
file to an email address or ftp server. However, the features are
very limited and the content (and passwords) are NOT encrypted. Not
recommended.
>Can anyone help me with this? I'd really appreciate it.
>My wireless access point is: EW-7206APg Wireless LAN Access Point
>Modem router: Speed Touch 510 Alcatel
Is there a router and firewall anywhere in the system, possibly the
Linux box? If Linux, it can be used to collect statistics going
THROUGH the Linux server/router/whatever.
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS
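An added example, not part of the original posts or any poster's own code: the counter-delta arithmetic an MRTG-style collector performs, applied to snapshots of a Linux box's /proc/net/dev byte counters for traffic going through it. The interface name eth2, the 32-bit counter width, the 8 Mbit/s line rate and the four snapshots are assumptions constructed for illustration.

```python
"""Per-interval traffic from cumulative byte counters (MRTG-style deltas)."""

COUNTER_BITS = 32  # assumption: counters wrap at 2**32 bytes (4 GiB)

def parse_proc_net_dev(text, iface):
    """Return (rx_bytes, tx_bytes) for iface from /proc/net/dev content."""
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            fields = rest.split()
            return int(fields[0]), int(fields[8])  # rx bytes, tx bytes
    raise KeyError(iface)

def interval_bytes(prev, cur, seconds, max_bps, bits=COUNTER_BITS):
    """Bytes moved between two readings of one counter."""
    d = (cur - prev) % (1 << bits)       # correct across a single wrap
    if d > max_bps / 8 * seconds:        # faster than the line allows, so the
        return cur                       # counter was reset (reboot): lower bound
    return d

def usage(samples, iface, max_bps):
    """samples: [(unix_time, /proc/net/dev text)] -> (rows, rx_total, tx_total)."""
    readings = [(t, *parse_proc_net_dev(text, iface)) for t, text in samples]
    rows = []
    for (t0, rx0, tx0), (t1, rx1, tx1) in zip(readings, readings[1:]):
        dt = t1 - t0
        rows.append((t0, t1, interval_bytes(rx0, rx1, dt, max_bps),
                     interval_bytes(tx0, tx1, dt, max_bps)))
    return rows, sum(r[2] for r in rows), sum(r[3] for r in rows)

# Constructed sample data: four snapshots taken 300 s apart.
HEADER = ("Inter-|   Receive                    |  Transmit\n"
          " face |bytes packets errs drop fifo frame compressed multicast|"
          "bytes packets errs drop fifo colls carrier compressed\n")

def snapshot(rx, tx):
    return HEADER + f"  eth2: {rx} 100 0 0 0 0 0 0 {tx} 50 0 0 0 0 0 0\n"

SAMPLES = [
    (0,   snapshot(4_294_000_000, 1_000_000)),
    (300, snapshot(4_294_900_000, 1_050_000)),
    (600, snapshot(200_000, 1_100_000)),   # rx counter wrapped past 2**32
    (900, snapshot(5_000, 1_000)),         # counters restarted after a reboot
]
LINE_RATE_BPS = 8_000_000  # assumption: 8 Mbit/s link

if __name__ == "__main__":
    rows, rx_total, tx_total = usage(SAMPLES, "eth2", LINE_RATE_BPS)
    for t0, t1, rx, tx in rows:
        print(f"{t0:>4}-{t1:<4} rx={rx:>9} tx={tx:>7}")
    print("total rx", rx_total, "tx", tx_total)
```

On a live collector each sample would be the text read from /proc/net/dev at a fixed interval; intervals with traffic while nobody is home are the ones worth comparing against the ISP's figures.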
Peter Pan
05-05-09, 03:45 AM
"Peter Pan" <pponvistaNOSPAM@MarcAlanNOSPAM.Info> wrote in message
news:3pKdnX7My5OXz2LUnZ2dnUVZ_hCdnZ2d@earthlink.com...
>
> "Yousaf" <yousaf.hassan@gmail.com> wrote in message
> news:076e5362-6ad0-4bc4-bcec-01825425df7d@r34g2000vbi.googlegroups.com...
>
>>
>> Can anyone help me with this? I'd really appreciate it.
>>
>> My wireless access point is: EW-7206APg Wireless LAN Access Point
>> Modem router: Speed Touch 510 Alcatel
>>
>> Thanks.
From http://www.thinkbroadband.com/hardware/reviews/18-st510.html
a ways down the page under routing (cli command)
second screen image, transfer statistics
may give you the info you want
Thanks for replying Jeff. See my comments below:
On May 5, 5:34 am, Jeff Liebermann <je...@cruzio.com> wrote:
> WEP encryption is an open invitation to hackers. It's now incredibly
> easy to crack. In my opinion, WEP should be banned from future
> products.
I have gone back to WPA2 AES once again. The only reason I was
checking other encryptions was to enable wireless on my Fedora box.
Anyway, it's working now with WPA2 on Fedora with Network Manager.
> See the lights on the front of the router and DSL modem. They flash
> when there's traffic. It takes quite a while to download 4+8GB of
> whatever. Didn't you notice the lights flashing?
My access point and DSL modem were left on and I am usually out most of
the day. I have started to turn it off now. Whenever I get a chance, I
monitor active clients using the wireless router admin interface.
> <http://www.edimax.com/en/produce_detail.php?pd_id=18&pl1_id=1&pl2_id=5>
>
> The Edimax EW-7206APG runs Linux firmware. I think (not sure and too
> lazy to check) that it supports SNMP out of the box. You can set up
> MRTG or RRDTool to generate the required traffic history graphs. The
> catch is that you'll need to leave the Linux box on 24/7 as a data
> collector. Unfortunately, it appears that the EW-7206APg does NOT
> support DD-WRT or other alternative Linux based firmware with SNMP.
>
> If not, there's also syslog. I'm again too lazy to check, but if
> there's a log page, it might allow you some control over what to log.
> You won't get traffic info, but you will get the URL's and IP's of
> whatever is generating the traffic.
Great! I'll look into this.
> Assumption, the mother of all screwups. Any chance you also have a
> virus infected Windoze box that's been compromised and is spewing spam
> and garbage all over the internet? If Linux, the most common screwup
> is to use RDIST or similar synchronization software sending giant
> files. Ask your ISP if the traffic is mostly incoming or outgoing,
> which should offer a clue.
>
>
> Yep. It's more fun to first assign the blame, then confirm the
> first guess. See "witch hunt" for how it's done.
You definitely have a point here. Another thing I didn't take into
account is that my partner started video conferencing (Windows Live
Messenger) with her family and friends about two months ago. She had
one chat yesterday and the usage stats showed 150MB more! I have to
look into this as well.
> Yep. That's normally not a common feature. Look into DD-WRT
> firmware, which does have daily traffic graphs. However, that might
> require a new wireless access point.
>
>
> The log files are usually wiped after a power cycle. DD-WRT retains
> the log files in NVRAM, but that's unusual. More commonly, the
> traffic data is sent to a syslog server, or collected via an SNMP
> logger. Some routers also have a feature to email or ftp the syslog
> file to an email address or ftp server. However, the features are
> very limited and the content (and passwords) are NOT encrypted. Not
> recommended.
I won't be able to change my access point but I'll definitely look
into other tools you've mentioned.
> Is there a router and firewall anywhere in the system, possibly the
> Linux box? If Linux, it can be used to collect statistics going
> THROUGH the Linux server/router/whatever.
I'll look into this as well.
Thanks again for replying. I'll look into everything you've mentioned
and report back here.
Y
Jeff Liebermann
05-05-09, 11:10 AM
On Tue, 5 May 2009 05:16:43 -0700 (PDT), Yousaf
<yousaf.hassan@gmail.com> wrote:
>My access point and DSL modem were left on and I am usually out most of
>the day. I have started to turn it off now. Whenever I get a chance, I
>monitor active clients using the wireless router admin interface.
Use a crontab entry to enable or disable internet access from the
wireless port. For example, if the interface was eth2:
ifconfig eth2 up (turn on)
ifconfig eth2 down (turn off)
>You definitely have a point here. Another thing I didn't take into
>account is that my partner started video conferencing (Windows Live
>Messenger) with her family and friends about two months ago. She had
>one chat yesterday and the usage stats showed 150MB more! I have to
>look into this as well.
There are plenty of other bandwidth suckers available. I'm not sure
what speed your ISP delivers, but it takes considerable time to suck
12GB of data. Such a low limit is usually not a feature of cable
modems, which limit their abusers to about 100GBytes/month. A few DSL
providers have limits, but most are in the same area. Which service
provider has a 10(?)GByte monthly limit? Satellite?
>I won't be able to change my access point but I'll definitely look
>into other tools you've mentioned.
Why not? Access points are nothing more than wireless routers with
the router section disabled or disconnected. You can turn *ANY*
wireless router into an access point by simply ignoring the WAN
connector, and disabling the DHCP server. No big deal. Once you have
a reasonably intelligent access point running Linux, you have the
ability to do some useful monitoring. Low end WRT54G and similar
consumer wireless routers sell for $30 to $80.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558