I had an interesting situation come up this morning while at work. I was trying to get a laptop's wireless connection working when I noticed a new SSID being broadcast in my area. The SSID was "Free Public WiFi". Now we have 15 APs at my company, and all of them were broadcasting the correct SSID. So I figured that someone had installed a rogue access point. It was then that I noticed that the AP for the "Free Public WiFi" SSID was actually showing up in Windows as a peer-to-peer wireless network, rather than a true AP. This obviously concerned me.
So I loaded NetStumbler onto my laptop and did a brief tour of the campus to see where the signal was strongest, and I traced it to the laptop of a user that isn't in the office today, though the laptop was running and the user was logged in. NetStumbler showed that the MAC associated with the "AP" began with the "02-15-00" sequence, which according to the IEEE is not an assigned sequence. NetStumbler identifies the manufacturer as "user-defined". Apparently this "AP" is being generated in software, and it seems like it is trying to hide details of its existence.
I wanted to make sure that I did have the correct culprit, so I hit the button to disable the WiFi card on that user's laptop. NetStumbler showed the AP disappearing. When I re-enabled the WiFi card it immediately showed up again, only the MAC address had changed (though it still started with the "02-15-00" manufacturer code). So I definitely know what device is responsible.
I was able to unlock the user's PC without logging them out, and I didn't see anything out of the ordinary. The only programs that were installed that aren't part of our standard were MSN and Windows Desktop Search. I couldn't see anything fishy about the way that WiFi was configured (no connection bridging, etc). So I decided to reboot and log in as admin to see if I could find anything else. However, when I rebooted the "AP" disappeared, and didn't come back when I logged in. So I logged out and logged in as the user who the laptop belongs to, and it still didn't show up. I tried enabling/disabling WiFi several times but it didn't show back up again.
I have two working theories. The first is that the user (or some piece of malware unknowingly installed by the user) has created this peer-to-peer wireless hotspot and is allowing anyone who stops by unsecured wireless access to my LAN and/or the Internet. The second theory is that the user (or the malware) has created a fake hotspot, possibly proxying true web requests, in order to capture passwords, credit card numbers, etc. Either way, it's bad. I just can't find any details about what it might actually be, and how to remove it. Googling "Free Public WiFi" results in thousands of hits pointing to articles about cities that are implementing Free Public WiFi. McAfee and Symantec don't have anything referring to that phrase in their databases. Does anyone have any idea what it is that I am seeing?
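The checks the poster did by hand (spotting a peer-to-peer network rather than an AP, and noticing that a BSSID beginning "02-15-00" has no IEEE-assigned OUI) can be scripted over a scan listing. The following is an added example, not code from the original post or from NetStumbler: it triages constructed scan records against an assumed corporate SSID allowlist and an assumed inventory of managed AP BSSIDs, and flags ad-hoc networks, locally administered BSSIDs (the 0x02 bit in the first octet that makes "02-15-00" look "user-defined"), SSIDs outside the allowlist, and corporate SSIDs served from unmanaged hardware. The SSIDs, BSSIDs and inventory values are all made up for the example.

```python
"""Triage a Wi-Fi scan listing for rogue or ad-hoc networks.

Added example, not part of the original post. The scan records below are
constructed to mirror what the poster saw: an IBSS (peer-to-peer) network
named "Free Public WiFi" whose BSSID starts with 02-15-00.
"""

from dataclasses import dataclass

# Assumed allowlist and inventory; in practice these come from the WLAN
# controller or asset database.
CORPORATE_SSIDS = {"CorpNet"}
MANAGED_AP_BSSIDS = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}


@dataclass
class ScanEntry:
    ssid: str
    bssid: str
    mode: str  # "infrastructure" (real AP) or "adhoc" (peer-to-peer / IBSS)


def normalize_mac(mac: str) -> str:
    """Accept Windows-style 02-15-00-... or 02:15:00:... and return lower-case colon form."""
    return mac.replace("-", ":").lower()


def first_octet(mac: str) -> int:
    return int(normalize_mac(mac).split(":")[0], 16)


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (value 0x02 of the first octet) set means the address was
    assigned locally, not from an IEEE OUI. 02-15-00 has this bit set, which
    is why NetStumbler reports the vendor as "user-defined" and why a
    software-generated adapter can change it on every re-enable."""
    return bool(first_octet(mac) & 0x02)


def is_multicast(mac: str) -> bool:
    """The I/G bit (value 0x01) set marks a group address; never valid as a BSSID."""
    return bool(first_octet(mac) & 0x01)


def triage(entry: ScanEntry) -> list:
    """Return a list of reasons this entry deserves a look; empty means clean."""
    findings = []
    bssid = normalize_mac(entry.bssid)
    if entry.mode == "adhoc":
        findings.append("ad-hoc (IBSS) network, not an access point")
    if is_locally_administered(bssid):
        findings.append("locally administered BSSID (no IEEE-assigned OUI)")
    if is_multicast(bssid):
        findings.append("multicast bit set in BSSID (malformed)")
    if entry.ssid in CORPORATE_SSIDS and bssid not in MANAGED_AP_BSSIDS:
        findings.append("corporate SSID served by an unmanaged BSSID (possible evil twin)")
    elif entry.ssid not in CORPORATE_SSIDS:
        findings.append("SSID not in corporate allowlist")
    return findings


# Constructed sample scan: one legitimate AP, the peer-to-peer network from
# the post, and a corporate SSID coming from hardware not in the inventory.
SAMPLE_SCAN = [
    ScanEntry("CorpNet", "00-1A-2B-00-00-01", "infrastructure"),
    ScanEntry("Free Public WiFi", "02-15-00-AB-CD-EF", "adhoc"),
    ScanEntry("CorpNet", "00-11-22-33-44-55", "infrastructure"),
]


def rogue_report(scan: list) -> dict:
    """Map 'ssid/bssid' to its findings, keeping only entries with at least one."""
    report = {}
    for entry in scan:
        findings = triage(entry)
        if findings:
            report[f"{entry.ssid}/{normalize_mac(entry.bssid)}"] = findings
    return report


if __name__ == "__main__":
    for key, reasons in rogue_report(SAMPLE_SCAN).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

The locally administered check is the one that explains the "02-15-00" observation: the bit is set for any software-chosen address, so it is a signal that the BSSID is not burned into a physical AP's radio, not a vendor lookup. Pair it with the ad-hoc flag and an inventory comparison and the same listing that NetStumbler produced becomes a short, repeatable rogue-network sweep.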