psssst.. Somebody's watchin'

well i'm gonna start with an apologize to google :D

I thought they had a stupid bug in thier chrome but some how they were not the stupid...

Neither were I :D

I'm gonna show you what happened every time i use chrome to navigate to any website

and i remember i saw this screen on every navigation i perform on any web site even google.com

what i thought of at the begining that this is a bug in the chrome beta version ..

but a week ago i gave a friend of mine a password for an FTP server,

then in the next day i found some pages on this server have been altered with chinese pages

so i thought i have a sniffer in my network who uses a software to read all the packets in his network and extract such information

but when i checked the hacked web site i found just chinese text which meant some meaningless crap and a couple of names so that sniffer is not in my network and even not an egyptian

as egyptian hackers has a distinguished style "a black background or red with some marquee moving text with the biggest possible font where the hacker specify his name and the names of some of his friends , regardless his mobile number and how to contact that hacker

and most of the time he'll write "don't mess with the <His NickName>" where that nickName must contain "scorpion" or "black" :D " anyway..

so how could that happen ?!!..

and in that day when i was browsing through the internet i had that red screen in chrome again so i managed to notice it deeply and i found that thing during the normal browsing

this is the status bar that appears at the bottom left of the chrome browser during any activity

and every time i navigate to any page i find this waiting pops up as when i open google.com the status bar shows "Resolving Host" then "Connecting to google" then "Waiting for google"

and then it shows that waiting message and for the coincidence that site ends with ".cn"

which is China :D

So i figured out that this sniffer is just a trojan in my network that sniffes the data and sends it to a guy in china

and also when i checked the current arp table i found that the MAC addrress of the getway is not the one i know which means that all the browsing, chat or anything i do on the internet is through that guy :(

he might be reading this post right now :P ..

I really dont know what to do except not making any activity on the internet while i'm here as i'm busy to research in that  just chat :D

except praying to god that the guy on my network who have the trojan installs or update his Antivirus and AntiSpyware on his machine or trying to get that person kicked of the network i cant find a solution 

can u ?

Hey Jaqoup, As for browsing, you can use a web proxy with SSL support(where sniffing becomes a waste of the sniffer's resources :]) such as: https://www.xroxy.com Also, check out Tor! Never tried it out, but its model seems to be great! http://www.torproject.org/overview.html.en There are premium services for ssh tunneling aswell, if your data is sensitive and you have extra cash, consider subscribing into a one!
looooooooooooooooooooooooooooooooooooooooooooool @ "Dont mess with " ------- u seem quite sure that the sniffer is on some other machine ! .. so i will assume that this is the case and if so .. then as far as i know .. the only way he can do that .. is to have all your network packets route through his machine .. so he infects the ARP table to make ur PC send to his PC then modify the packet to go to china then sends it to the router .. instead of from your PC to the router to google right away.. [1] ------- or he can mess with the DNS history some how .. which i doubt is the case ------- solutions, all are not very easy... 1- well the ARP cache thing .. is simply the "NetCut method" .. and u have made a program to fight that .. so just use it .. or use Anti-netcut .. if it goes away then u won 2- encrypt all your TCP activity .. dont think that will work 3- kill your neighbor 4- kill the Chinese guy 5- make a DoS attack == ask all your friends to check that server over and over till it cracks .. there are programs to do that (Denial of Service attack) 6- let him take ur passwords we menno lelah :) .. we rabbena 3al moftary 7- use a proxy .. it will make his life abit harder to understand ur HTTP packets 8- eshtery 7'at lenafsak .. aw esta7'dem etesalat 9- if u can understand the ARP tables .. u can know which PC in the network is infected .. and u can block his mac address from the network .. that will stop him from messing with the tables 10- http://www.techspot.com/vb/topic115851.html if i got any ideas i will let u know ..
http://www.softperfect.com/products/networx/ it comes with very useful tools.. 1- use the Netstat tool to know what exe's are connected to the internet 2- then use the TraceRoute tool .. to see what path the packet takes to reach "google.com" for example the infected PC should be in your LAN .. it will be the first or the second in the TraceRoute table .. i doubt that he is in the WAN by any means .. wa ella teb2a fedee7a we momken terfa3 3alaihom adeya --- please, tell us how u will be able to solve this thing isA
well... thanx for you both and Fouad: the first thing i thought of was the ARP table and i managed to use my program but since i'm on Vista my program crashes every time i open it as in Vista the IP format changed and when i try to run an ARP command as "apr -d" it always fails even from the cmd :(
[...] psssst.. Somebody’s watchin’ what i thought of at the begining that this is a bug in the chrome beta version .. but a week ago i gave a friend of mine a password for an FTP server, then in the next day i found some pages on this server have been altered with &#8230; [...]