Has the network been already compromised?
lawrence171
March 24th, 2002, 03:31 AM
Hey, s'up? Just have a question, IP addresses starting with 192.168.x.x are internal IP addresses, right? Now, however, when I ran a test over at PC FLANK.COM, my firewalls report connections always from the IP address set including: 192.168.x.x and 0.0.0.0. What does this mean? Has my network been already compromised? What can I do to really trace out the real IP address of the connection?
JRoc
March 24th, 2002, 03:44 AM
0.0.0.0 is a sign of an inactive connection or connection within your system. Also your firewall might block out some of your connection or perhaps theirs. That is sorta the job of the firewall.
Custy_J
March 24th, 2002, 03:45 AM
The firewall might be using NAT (Network Address Translation) and just throwing out a bogus IP list for security... although NAT will usually show a public IP ......
?????
JRoc
March 24th, 2002, 04:11 AM
Yeah, but some firewalls can have the option to turn that on or turn it off. Check the default settings about that... Also did you edit it from the default settings?
ac1dsp3ctrum
March 24th, 2002, 04:36 AM
0.0.0.0 means that someone established a null session to your computer, if I'm not mistaken... This can be done with the net use //IP//$IPC ""USERNAME:password""
It could be someone on the inside of the network or even on the outside... Set a firewall to log all incoming connection attempts to all ports (TCP and UDP) and see what happens
preacherman481
March 24th, 2002, 04:44 AM
Hey Ac1d,
What's a "null session"?
Custy_J
March 24th, 2002, 05:00 AM
Preacherman481: Null Session is when you use a blank username and password to authenticate.
ac1dsp3ctrum
March 24th, 2002, 05:01 AM
Ok, a null session is best described as a connection to the computer that is made by using a blank username and password; null sessions are mostly used for processes and services (Apache, IIS, others)... A regular session would be when a user logs onto the system with a username and password (ex: USER- John PASS- Doe)
So in other words I just proved myself wrong :) A null session would be established by doing a net use //IP/$share """" or something similar.... Thanks for pointing out my mistake :D
EDIT: Damn, he posted at the same time as me :rolleyes:
preacherman481
March 24th, 2002, 05:08 AM
Errrm, thanks for the greenies ac1d, but I didn't know you said anything wrong. I was just asking for information. I really didn't know what a "null session" was.
Custy_J
March 24th, 2002, 05:09 AM
And after thinking about the problem for a while:
The events from IP address 0.0.0.0, are from two likely causes. The first, and most common, is that for some reason your machine received a badly formed packet.
The other situation is when the source IP is spoofed, or faked. Spoofed packets may be a sign that someone is scanning around looking for trojans, and they happened to try your machine.
ac1dsp3ctrum
March 24th, 2002, 05:13 AM
LOL@preacherman481.... You still helped me find a mistake, so you deserved them :)
detector
March 24th, 2002, 05:36 AM
Custy_J is on the right track here. Often intrusion attempts show up as 0.0.0.0, but if you have your IDS set to show sa you sometimes get a reported address buried in the session info.
faust
May 12th, 2002, 11:13 AM
192.168.x.x are Internet Connection Sharing ips that are assigned by windows.
draziw
May 24th, 2002, 01:19 PM
Ummm... guys? Might be better to just ask "which firewall."
And, if I'm not mistaken, 0.0.0.0 is typically a listener that isn't bound to any specific
interface... so, if you create a new, virtual interface, that listener should also answer
on that particular port.
For example, on my laptop, I have:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
Which is just my SSH daemon, listening to port 22 from any host/port.
And, looking at my sshd_config, I see:
#ListenAddress 0.0.0.0
#ListenAddress ::
Which are commented out (I tend to leave the defaults for a given value
commented out in my configs, personally, even if I don't explicitly set them).
Now, if I connect back to myself on loopback, I get:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1274 127.0.0.1:22 ESTABLISHED
tcp 0 0 127.0.0.1:22 127.0.0.1:1274 ESTABLISHED
...plus the normal listener, above... but if I connect to my machine by IP (after
dropping the connection, above), we see (IP mangled below):
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:1274 127.0.0.1:22 TIME_WAIT
tcp 0 0 10.1.7.20:1275 10.1.7.20:22 ESTABLISHED
tcp 0 0 10.1.7.20:22 10.1.7.20:1275 ESTABLISHED
Netstat's a beautiful command... but read it carefully.
Now as far as addresses go, the following networks you will find in RFC1918...
otherwise known as "private address space" or "non-routable networks" (which
just means that you can't use it out on the Internet and expect it to go anywhere).
10.0.0.0/8 -> 10.0.0.0 to 10.255.255.255
172.16.0.0/12 -> 172.16.0.0 to 172.31.255.255
192.168.0.0/16 -> 192.168.0.0 to 192.168.255.255
Yes, a lot of VPN and VPN-like things tend to use these non-routable addresses
for simple IPs (eg. certain IMs when they're trying to establish a file transfer tunnel
between clients) and many LANs use these before they hit a NAT and connect to
the Internet (so, yeah, kind of "connection sharing" but, really, it's just a simple way
to route packets).
In any case... I hope this helps... considering it's 4am for me, I should probably
sleep and hope this makes some sense to someone.
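As an added illustration of the points in the post above (this is example code, not something from the thread), the following Python script classifies addresses against the three RFC1918 blocks listed there and walks a constructed netstat-style table, separating 0.0.0.0 wildcard listeners from established connections that actually have a remote peer. The netstat lines are constructed for the example, not a real capture.

```python
import ipaddress

# Constructed netstat output in the layout shown in the post above; not a real capture.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address     Foreign Address    State
tcp   0      0      0.0.0.0:22        0.0.0.0:*          LISTEN
tcp   0      0      127.0.0.1:631     0.0.0.0:*          LISTEN
tcp   0      0      127.0.0.1:1274    127.0.0.1:22       ESTABLISHED
tcp   0      0      10.1.7.20:22      10.1.7.20:1275     ESTABLISHED
tcp   0      0      192.168.1.5:3389  203.0.113.9:51000  ESTABLISHED
"""

# The three RFC1918 blocks listed in the post.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Label an IPv4 address the way a firewall-log reader should interpret it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:   # 0.0.0.0: "any interface" on a listener, no real peer on a packet
        return "unspecified"
    if ip.is_loopback:      # 127.0.0.0/8: this host talking to itself
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"    # private, non-routable: LAN behind NAT, VPN, connection sharing
    return "public"

def split_endpoint(endpoint):
    """'10.1.7.20:22' -> ('10.1.7.20', 22); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))

def parse_netstat(text):
    """Turn netstat -an style rows into dicts; header and unrelated lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        lhost, lport = split_endpoint(parts[3])
        fhost, fport = split_endpoint(parts[4])
        state = parts[5] if len(parts) > 5 else ""   # UDP rows carry no State column
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport, "fhost": fhost,
                     "fport": fport, "state": state, "local_class": classify(lhost),
                     "foreign_class": classify(fhost)})
    return rows

def wildcard_listeners(rows):
    """Ports bound to 0.0.0.0, i.e. answering on every interface, new virtual ones included."""
    return sorted(r["lport"] for r in rows
                  if r["state"] == "LISTEN" and r["local_class"] == "unspecified")

def external_peers(rows):
    """Established sockets whose far end is outside loopback and RFC1918 space."""
    return [(r["lhost"], r["lport"], r["fhost"], r["fport"]) for r in rows
            if r["state"] == "ESTABLISHED" and r["foreign_class"] == "public"]
```

Note that 0.0.0.0 in the Foreign Address column of a LISTEN row is not a peer at all; only the ESTABLISHED rows name a real far end, which is why the "who connected" question is answered by external_peers rather than by the listener rows.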
emrys
May 27th, 2002, 06:05 AM
Well, 192.168.x.x is NAT, I am pretty sure, and the 0.0.0.0 is pretty much a connection that is just there doing nothing.... kind of a local packet that just is there.
ammo
May 27th, 2002, 06:19 AM
It would help if you gave us the name of the firewall you're using and some samples of the suspicious logs...
Ammo