Has the network been already compromised? - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 16 of 16

Thread: Has the network been already compromised?

  1. #11
    Join Date
    Oct 2001
    LOL@preacherman481.... You still helped me find a mistake, so you deserved them

  2. #12
    Join Date
    Mar 2002
    Custy_J is on the right track here. Often intrusion attempts show up as, but if you have your ids set to show sa you sometimes get a reported address buried in the session info.
    It must be them again. Start the response cycle.

  3. #13
    Senior Member faust's Avatar
    Join Date
    Oct 2001
    192.168.x.x are Internet Connection Sharing ips that are assigned by windows.

  4. #14
    Senior Member
    Join Date
    Apr 2002
    Ummm... guys? Might be better to just ask "which firewall."

    And, if I'm not mistaken, is typically a listener that isn't bound to any specific
    interface... so, if you create a new, virtual interface, that listener should also answer
    on that particular port.

    For example, on my laptop, I have:

    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0    *               LISTEN
    Which is just my SSH daemon, listening to port 22 from any host/port.

    And, looking at my sshd_config, I see:

    #ListenAddress ::
    Which are commented out (I tend to leave the defaults for a given value
    commented out in my configs, personally, even if I don't explicitely set them).

    Now, if I connect back to myself on loopback, I get:

    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0    *               LISTEN
    tcp        0      0            ESTABLISHED
    tcp        0      0            ESTABLISHED
    ...plus the normal listener, above... but if I connect to my machine by IP (after
    dropping the connection, above), we see (IP mangled below):

    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0    *               LISTEN
    tcp        0      0            TIME_WAIT
    tcp        0      0            ESTABLISHED
    tcp        0      0            ESTABLISHED
    Netstat's a beautiful command... but read it carefully.

    Now as far as addresses go, the following networks you will find in RFC1918...
    otherwise know as "private address space" or "non-routeable networks" (which
    just means that you can't use it out on the Internet and expect it to go anywhere).

    Code:     ->    to  ->  to -> to
    Yes, a lot of VPN and VPN-like things tend to use these non-routeable addresses
    for simple IPs (eg. certain IMs when they're trying to establish a file transfer tunnel
    between clients) and many LANs use these before they hit a NAT and connect to
    the Internet (so, yeah, kind of "connection sharing" but, really, it's just a simple way
    to route packets).

    In any case... I hope this helps... considering it's 4am for me, I should probably
    sleep and hope this makes some sense to someone.
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  5. #15
    Antionline Quitter..Srsly
    Join Date
    Aug 2001
    well 192.168.x.x is NAT i am pretty sure and the is pretty much a coonection that is just there doing nothing....kinda of a local packet that just is there.
    \"\"A weak mind is like a microscope, which magnifies trifling things but cannot receive great ones.\" G.K. Chesterton, 19th-century English essayist and poet\"

  6. #16
    Senior Member
    Join Date
    Sep 2001
    It would help if you gave us the name of the firewall you're using and some samples of the suspicous logs...

    Credit travels up, blame travels down -- The Boss

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts