Help! Why is my network spewing spam?

Lizzie_B
I'm stumped. I have a small network - 10 machines on the LAN (9 WinXP/2K, 1 FreeBSD) + 3 laptops. I have a Linksys RV082 router and a Linksys 16 port managed switch, plus one 5 port switch to split our two static IPs. I'm on a 4 watt, 5.8 GHz SDSL line about 2 blocks from my ISP's tower. The FreeBSD system is our public server - web, mail and (Heaven help me) the DNS server for all of our domains. It's on one of the static IPs; the other goes to the office LAN.

Part the First:
We got hit with Mega-D on one machine back in mid-February - according to the logs, about 3 Gig of messages went out. The volume got high enough that it shut down their mail server. I wiped the disk and did a clean reinstall.

Today, my ISP called while I was at a doctor's appointment to tell me we were spamming again, but only 2 - 3 messages per second. By the time I got in, my assistant had unplugged all the office LAN cables from the switch and the router, trying to isolate the infected machine. I guess he didn't know how to use the switch's management console to take the ports down. The only thing left on was the FreeBSD server, the router, the splitter hub and the SDSL radio. The spam was still going out. So, I pulled the ethernet cable from the server. Guess what? Yep, still sending spam with just the RV082, a dumb gigabit switch and the 5.8 GHz radio. Cycling the power on the router seemed to end the problem for now.

How?

Part the Second: about 5 weeks ago, we started having problems with our data rates. Two weeks ago, it reached the point that we were no longer able to access the net reliably and our upload speeds were down to about 4 Kbytes/second. We're an event photography studio, I have to be able to upload full resolution images to our retail site's hosts. Last week, I had an odd thing happen - I had two "phantom" workstations and one "phantom" workgroup show up on my LAN - machines that were not attached in the studio. When I called the ISP, they alternated between saying it couldn't happen because we're behind a firewall and saying that it was nothing to worry about, we were seeing other systems on their subnet that weren't firewalled. Then they decided it was because someone had cracked our wireless access point - except that we don't have one. So they went back to the subnet theory, trying to assure me that we were not at risk. Translation: they don't know what's going on.

Last Thursday they sent their tech over to try to figure out why our data rates were so low - he concluded that there's an interfering signal that's causing a 97% packet loss on the uplink. The downlink seems to be fine; the signal strength is excellent. The ISP doesn't have the necessary equipment to locate the source of interference.

I have two possibilities:

The first is that my RV082 router has been hacked and is being used somehow to relay spam from an outside point. It seems unlikely to me, but the router is equipped with a simple e-mail engine, used to send alerts.

The second is that someone has cracked my SDSL radio and is piggy-backing on it.

Both incidents occurred just before extremely busy times for the studio. The February infection hit just before a four-day event at which we shot about 5000 pictures. The current incident is just before our graduation season, when I expect to have to deal with about 15,000 images in a six week period. There are two technically competent former employees who have grudges against us. One of them was the person who set up the FreeBSD server, the other was a consultant who specified and purchased most of the hardware we're currently using. The first one is a stable individual who ended up with a much higher paying job after he left, the second is unstable, may be currently unemployed and has made one known attempt to take down the business. So there is a slight possibility that we might be being specifically, deliberately targeted. And yes, ALL the passwords have been changed.

So, does anyone out in TR Land know of a method that could compromise the RV082 from outside or of a method where the 5.8 GHz SDSL radio can be cracked and used to relay spam?

[Minor edits to correct network description and correct grammar]
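The step the poster's assistant did by pulling cables can be done faster, and with an answer to "which box is actually sending", from a packet capture. The script below is an added example, not code from the original post or from Linksys. It assumes a tcpdump run with link-layer addresses printed (the `-e` flag), for instance `tcpdump -n -e -i em0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and (dst port 25 or dst port 587)'`, taken either on a mirror port of the managed switch or on a real hub or tap placed between the router and the SDSL radio (the "dumb gigabit switch" will not show you other ports' traffic). The source MAC is the useful field: on the segment between router and radio it distinguishes the router's own WAN port from the FreeBSD server or from a device nobody recognises. All MAC and IP addresses, the inventory and the sample lines are constructed for the example.

```python
"""Attribute outbound SMTP connection attempts to a source MAC/IP from tcpdump -n -e output.

Added example, not from the original post. Sample data is constructed.
"""
import re
from collections import Counter

# One tcpdump -n -e line for an IPv4/TCP packet, e.g.
# 14:03:01.000000 00:1a:2b:00:00:02 > 00:1a:2b:ff:ff:fe, ethertype IPv4 (0x0800),
#   length 74: 203.0.113.2.50001 > 198.51.100.20.25: Flags [S], seq 1, win 65535, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?:[0-9a-f]{2}:){5}[0-9a-f]{2}, "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

SMTP_PORTS = {25, 587}


def parse_line(line):
    """Return a dict of fields for a line the regex recognises, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def smtp_connects_by_source(lines):
    """Count new outbound SMTP connections (bare SYN, flags exactly 'S') per (src MAC, src IP).

    SYN-ACK replies ('S.') and data packets are not connection attempts and are skipped.
    """
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] not in SMTP_PORTS or pkt["flags"] != "S":
            continue
        counts[(pkt["smac"], pkt["sip"])] += 1
    return counts


def suspicious_sources(lines, inventory, max_connects):
    """Flag sources whose MAC is not in the inventory, or that exceed max_connects in the window.

    inventory: {mac: description} of every device expected on the captured segment.
    Returns a list of (mac, ip, count, reason), busiest source first.
    """
    findings = []
    for (mac, ip), n in smtp_connects_by_source(lines).items():
        if mac not in inventory:
            findings.append((mac, ip, n, "unknown device, not in inventory"))
        elif n > max_connects:
            findings.append((mac, ip, n, f"{inventory[mac]}: {n} SMTP connects in window"))
    return sorted(findings, key=lambda f: -f[2])


# ---- constructed sample: a capture on the hub between router and radio ----
ROUTER, SERVER, GHOST = "00:1a:2b:00:00:01", "00:1a:2b:00:00:02", "00:1a:2b:00:00:99"
UPSTREAM = "00:1a:2b:ff:ff:fe"  # the ISP side of the segment
INVENTORY = {ROUTER: "RV082 WAN port", SERVER: "FreeBSD mail/web/DNS server"}


def _pkt(ts, smac, sip, sport, dip, dport, flags="S"):
    """Build one tcpdump -n -e style line (constructed, not a real capture)."""
    return (f"{ts}.000000 {smac} > {UPSTREAM}, ethertype IPv4 (0x0800), length 74: "
            f"{sip}.{sport} > {dip}.{dport}: Flags [{flags}], seq 1, win 65535, length 0")


SAMPLE = [
    _pkt("14:03:01", SERVER, "203.0.113.2", 50001, "198.51.100.20", 25),   # legitimate mail
    _pkt("14:03:02", SERVER, "203.0.113.2", 50002, "198.51.100.21", 25),   # legitimate mail
    _pkt("14:03:02", UPSTREAM, "198.51.100.20", 25, "203.0.113.2", 50001, "S."),  # reply, ignored
    _pkt("14:03:03", SERVER, "203.0.113.2", 50003, "198.51.100.30", 443),  # web, ignored
] + [
    # the router's own WAN MAC opening SMTP sessions, about three per second
    _pkt(f"14:03:0{4 + i // 3}", ROUTER, "203.0.113.3", 40000 + i, f"198.51.100.{100 + i}", 25)
    for i in range(9)
] + [
    _pkt("14:03:07", GHOST, "203.0.113.77", 33333, "198.51.100.200", 25),  # MAC nobody recognises
]

if __name__ == "__main__":
    for mac, ip, n, reason in suspicious_sources(SAMPLE, INVENTORY, max_connects=5):
        print(f"{mac} {ip:15} {n:4d}  {reason}")
```

Run against a real capture by reading lines from `tcpdump -n -e ... -l` and calling `suspicious_sources` with your own inventory and a threshold tuned to your normal mail volume. In the constructed sample the router's WAN port is the busiest SMTP talker and the unknown MAC is reported regardless of volume, which is exactly the distinction the poster needed between "the router itself" and "something else on the segment".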