Strange IP

By MachineType ·
Okay, we just got a 3Com OfficeConnect router. I have been looking through the logs and there is a mysterious IP trying to access the internet:

IP spoof detected 192.168.0.48, 137, LAN 64.49.216.149, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 12:41:10.528

IP spoof detected 192.168.0.48, 137, LAN 205.158.35.113, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:00:27.256

IP spoof detected 192.168.0.48, 137, LAN 208.34.32.7, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:04:22.112

IP spoof detected 192.168.0.48, 137, LAN 64.49.216.149, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:51:57.384

This is just one of them; we get about 3-4 a day. This 192.168.0.48 is out of the range of addresses that we assign. We assign 192.168.0.70-95 for printers and 192.168.0.100-200 for users. Another odd thing is that every address this .48 tries to contact has no DNS or name records on the internet. As you can see it is using port 137, which is NetBIOS, and I have heard that worms use this to access the internet?

Any help on this quandary would be greatly appreciated. Thanks

8 total posts (Page 1 of 1)  
Strange IP

by mshavrov In reply to Strange IP

It looks like you have one PC with, probably, manually configured IP address. You may need to perform some investigations.

1. First of all - this MAC address tells that it's 3Com network adapter (00:04:75 part of MAC Address). Check if you have PCs with 3Com Network Adapters.

2. This PC is trying to access NetBIOS information of Internet hosts (it tries to access TCP port 137).

3. Try to ping this address from another PC or from your router. If you can ping it, it's alive and it's a PC, and you can move to the next step.

4. Use the NBTSTAT utility from your computer to see the PC's NetBIOS name and the user who is logged in up there. Type "nbtstat -A 192.168.0.48" at a DOS prompt.

That's all. If it does not work, wait till tonight, walk through the office and shut down each and every PC. Then look if you have any traffic through your router. Look at your switch/hub to see if you have any ports active (LED lit up). Maybe you have somebody tapped into your network.

Good luck.
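As an added example (not code from the original thread or from 3Com), here is a small Python triage script that does by machine what the opening post and the reply above do by hand: it parses the router's "IP spoof detected" lines, checks whether the LAN source address falls inside the address pools the poster says are assigned (192.168.0.70-95 and 192.168.0.100-200), flags NetBIOS ports, and maps the MAC prefix 00:04:75 to 3Com as the reply notes. The sample log text is constructed from the four lines quoted in the thread; the OUI table holds only that one prefix and is an assumption for illustration, not a full vendor database.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample input: the four log lines quoted in the opening post.
SAMPLE_LOG = """\
IP spoof detected 192.168.0.48, 137, LAN 64.49.216.149, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 12:41:10.528
IP spoof detected 192.168.0.48, 137, LAN 205.158.35.113, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:00:27.256
IP spoof detected 192.168.0.48, 137, LAN 208.34.32.7, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:04:22.112
IP spoof detected 192.168.0.48, 137, LAN 64.49.216.149, 137, WAN MAC address: 00.04.75.AA.3E.56 09/30/2002 13:51:57.384
"""

# Shape of one 3Com OfficeConnect "IP spoof detected" entry, as quoted in the thread.
LINE_RE = re.compile(
    r"IP spoof detected (?P<src>[\d.]+), (?P<sport>\d+), LAN "
    r"(?P<dst>[\d.]+), (?P<dport>\d+), WAN MAC address: "
    r"(?P<mac>[0-9A-Fa-f.]+) (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
)

# Address pools the poster says are handed out on the LAN (inclusive ranges).
ASSIGNED_RANGES = [
    ("printers", ip_address("192.168.0.70"), ip_address("192.168.0.95")),
    ("users", ip_address("192.168.0.100"), ip_address("192.168.0.200")),
]

# Assumed, minimal OUI table: only the 3Com prefix mentioned in the reply.
KNOWN_OUIS = {"00:04:75": "3Com"}

# NetBIOS name/datagram/session ports; any of these leaving the LAN is worth a look.
NETBIOS_PORTS = {137, 138, 139}


def normalize_mac(mac):
    """Turn the router's dotted form (00.04.75.AA.3E.56) into colon form, upper-case."""
    return ":".join(mac.upper().split("."))


def oui_vendor(mac):
    """Look up the first three octets of a MAC in the (assumed) OUI table."""
    return KNOWN_OUIS.get(normalize_mac(mac)[:8], "unknown")


def pool_for(ip):
    """Return the name of the assigned pool an address falls in, or None if unassigned."""
    ip = ip_address(ip)
    for name, lo, hi in ASSIGNED_RANGES:
        if lo <= ip <= hi:
            return name
    return None


def parse_line(line):
    """Parse one log entry into typed fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "mac": normalize_mac(m["mac"]),
        "ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
    }


def triage(log_text):
    """Group events by LAN source and record the facts the thread checks by hand."""
    report = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        r = report.setdefault(str(ev["src"]), {
            "events": 0, "destinations": set(), "macs": set(),
            "netbios": False, "external_dst": False, "pool": pool_for(ev["src"]),
        })
        r["events"] += 1
        r["destinations"].add(str(ev["dst"]))
        r["macs"].add(ev["mac"])
        if ev["sport"] in NETBIOS_PORTS or ev["dport"] in NETBIOS_PORTS:
            r["netbios"] = True
        if not ev["dst"].is_private:
            r["external_dst"] = True
    for r in report.values():
        r["vendors"] = sorted({oui_vendor(m) for m in r["macs"]})
        r["unassigned"] = r["pool"] is None
        r["destinations"] = sorted(r["destinations"])
        r["macs"] = sorted(r["macs"])
    return report


if __name__ == "__main__":
    for src, r in triage(SAMPLE_LOG).items():
        print(f"{src}: {r['events']} events, pool={r['pool']}, vendors={r['vendors']}, "
              f"netbios={r['netbios']}, external={r['external_dst']}, dsts={r['destinations']}")
```

Running it on the sample reports a single source, 192.168.0.48, outside every assigned pool, with a 3Com MAC prefix, NetBIOS port 137 on both ends, and three distinct public destinations; that is the same picture the replies build up step by step, and it is the point at which one would pick up the `ping`/`nbtstat -A` checks from the reply.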

Strange IP

by MachineType In reply to Strange IP

See above, thanks

Strange IP

by MachineType In reply to Strange IP

After doing an ipconfig /all I found that this is the same card (MAC address) as our external card on this server. This .48 address is listed in ipconfig as a NdisWan. (I did not think to look in ipconfig before.) We do have a RAS running on this server (which is what the Ndis adapter is for), but why would this address be trying to access the internet 3-5 times per day? We rarely use this method of remote access (maybe one user once a week). So I am a step closer, but still not to the solution. Thanks for the help.

SLM

Strange IP

by Joseph Moore In reply to Strange IP

Actually, the first IP, 64.49.216.149, is registered to rackspace.com, and it hosts the web site www.nacsonline.com (the National Association of Convenience Stores). The 2nd and 3rd IPs are not hosting web sites (and the IP range is registered to XO Communications and Sprint).
The 3rd IP is used by the Charlottesville City Schools in some fashion (no web server).
The 4th IP is the same as the first.
All of the IPs are filtered by firewalls, so your system is probably not going to connect to them via NetBIOS.

What OS is your server? If it is a Windows machine, you can totally disable NetBIOS on the external NIC, to stop this, but keep NetBIOS running on the internal NIC. GRC.COM has good instructions on disabling NetBIOS on public web server interfaces. And in my opinion, the public interface of a Windows server should NEVER have NetBIOS enabled; too dangerous.

hope this helps

Strange IP

by Joseph Moore In reply to Strange IP

Oh, this server is your proxy server for your internal LAN? That's why!
Your proxy server is probably set to check for external page refreshes, so its proxy cache is up to date. So that is probably why the interface is going out on its own and hitting used web sites. It is updating its cache.
I therefore think that you do NOT have virus or trojan programs on this system. It is just the proxy cache doing what it is supposed to do.

And as for the name resolution program I use, it is SamSpade. A great program for DNS/WHOIS/DIG calls.
www.samspade.org

hope this helps

Strange IP

by MachineType In reply to Strange IP

Sounds like a winner... I will check out Sam Spade.
I did not realize that proxies were proactive about updating.

Thanks again

SLM

Strange IP

by MachineType In reply to Strange IP

What (whois?) program did you use to find out that rackspace.com hosts www.nacsonline.com? I use www.all-nettools.com and all the whois brought back was rackspace.com, but nothing pertaining to nacsonline.

Our company does use that specific website, www.nacsonline.com, and we are located in Charlottesville, so I would assume one of the users is using the school site you mentioned. This machine is also our proxy. But that does not explain why it would be listed on this interface.

So I guess the question now is why would this interface (192.168.0.48, which is the NDIS for RAS) be trying to access the sites that people are going out to through the proxy server?

Thanks for the help...

SLM

Strange IP

by MachineType In reply to Strange IP

This question was closed by the author