Has the network been already compromised?

  1. #1
    Banned
    Join Date
    Aug 2001
    Posts
    131

    Has the network been already compromised?

    Hey, s'up? Just have a question: IP addresses starting with 192.168.x.x are internal IP addresses, right? Now, however, when I ran a test over at PC FLANK.COM, my firewalls report connections always from the IP address set including: 192.168.x.x and 0.0.0.0. What does this mean? Has my network been already compromised? What can I do to really trace out the real IP address of the connection?

  2. #2
    Banned
    Join Date
    Mar 2002
    Posts
    520
    0.0.0.0 is a sign of an inactive connection or connection within your system. Also your firewall might block out some of your connection or perhaps theirs. That is sorta the job of the firewall.

  3. #3
    Member
    Join Date
    Mar 2002
    Posts
    52
    The firewall might be using NAT (Network Address Translation) and just throwing out a bogus IP list for security... although NAT will usually show a public IP ......
    ?????

  4. #4
    Banned
    Join Date
    Mar 2002
    Posts
    520
    Yeah, but some firewalls can have the option to turn that on or turn it off. Check the default settings about that... Also did you edit it from the default settings?

  5. #5
    Banned
    Join Date
    Oct 2001
    Posts
    1,463
    0.0.0.0 means that someone established a null session to your computer, if I'm not mistaken... This can be done with the net use //IP//$IPC ""USERNAMEassword""
    It could be someone on the inside of the network or even on the outside... Set a firewall to log all incoming connection attempts to all ports (TCP and UDP) and see what happens.

  6. #6
    Senior Member
    Join Date
    Feb 2002
    Posts
    856
    Hey Ac1d,

    What's a "null session"?
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  7. #7
    Member
    Join Date
    Mar 2002
    Posts
    52
    Preacherman481: Null Session is when you use a blank username and password to authenticate.

  8. #8
    Banned
    Join Date
    Oct 2001
    Posts
    1,463
    Ok, a null session is best described as a connection to the computer that is made by using a blank username and password. Null sessions are mostly used for processes and services (Apache, IIS, others)... A regular session would be when a user logs onto the system with a username and password (ex: USER- John PASS- Doe)

    So in other words I just proved myself wrong. A null session would be established by doing a net use //IP/$share """" or something similar.... Thanks for pointing out my mistake

    EDIT: Damn, he posted at the same time as me

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    856
    Errrm, thanks for the greenies ac1d, but I didn't know you said anything wrong. I was just asking for information. I really didn't know what a "null session" was.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  10. #10
    Member
    Join Date
    Mar 2002
    Posts
    52
    And after thinking about the problem for a while:


    The events from IP address 0.0.0.0 are from two likely causes. The first, and most common, is that for some reason your machine received a badly formed packet.
    The other situation is when the source IP is spoofed, or faked. Spoofed packets may be a sign that someone is scanning around looking for trojans, and they happened to try your machine.
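
An added example, not part of the thread: a small triage script that sorts logged source addresses into the classes discussed above (0.0.0.0, 192.168.x.x and other private ranges, routable addresses). The log format, the `if=` interface field and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in a hypothetical log format (not from the thread).
SAMPLE_LOG = """\
2002-03-14 10:02:11 BLOCK TCP src=0.0.0.0 dst=192.168.1.10 dport=139 if=wan
2002-03-14 10:02:15 BLOCK TCP src=192.168.1.1 dst=192.168.1.10 dport=80 if=lan
2002-03-14 10:02:19 BLOCK UDP src=192.168.7.44 dst=203.0.113.5 dport=31337 if=wan
2002-03-14 10:02:23 BLOCK TCP src=198.51.100.23 dst=203.0.113.5 dport=27374 if=wan
"""

# RFC 1918 ranges are listed explicitly: ipaddress.is_private also covers
# documentation and other reserved ranges, which would blur the classes.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"src=(?P<src>\S+) .*?if=(?P<iface>\w+)")

def classify_source(src):
    """Return the address class of a logged source IP string."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unparsable"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback or ip.is_link_local:
        return "local-only"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def triage(log_text):
    """Return (src, iface, class, note) for each line that matches LINE_RE."""
    notes = {
        "unparsable": "source field is not an IP address",
        "unspecified": "no valid source: malformed or spoofed packet",
        "local-only": "loopback/link-local source: never crosses a router",
        "public": "routable source: the address to look up in whois",
    }
    rows = []
    for m in filter(None, map(LINE_RE.search, log_text.splitlines())):
        src, iface = m["src"], m["iface"]
        kind = classify_source(src)
        note = notes.get(kind) or (  # only "private" is absent from notes
            "non-routable source on external interface: spoofed or upstream NAT"
            if iface == "wan" else "internal host")
        rows.append((src, iface, kind, note))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row, sep=" | ")
```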
