Has the network been already compromised? - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 16 of 16

Thread: Has the network been already compromised?

  1. #11
    Banned
    Join Date
    Oct 2001
    Posts
    1,463
    LOL@preacherman481.... You still helped me find a mistake, so you deserved them

  2. #12
    Member
    Join Date
    Mar 2002
    Posts
    35
    Custy_J is on the right track here. Often intrusion attempts show up as 0.0.0.0, but if you have your ids set to show sa you sometimes get a reported address buried in the session info.
    It must be them again. Start the response cycle.

  3. #13
    Senior Member faust's Avatar
    Join Date
    Oct 2001
    Location
    Chicagoland/Murphysboro
    Posts
    105
    192.168.x.x are Internet Connection Sharing ips that are assigned by windows.

  4. #14
    Senior Member
    Join Date
    Apr 2002
    Posts
    712
    Ummm... guys? Might be better to just ask "which firewall."

    And, if I'm not mistaken, 0.0.0.0 is typically a listener that isn't bound to any specific
    interface... so, if you create a new, virtual interface, that listener should also answer
    on that particular port.

    For example, on my laptop, I have:

    Code:
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    Which is just my SSH daemon, listening to port 22 from any host/port.


    And, looking at my sshd_config, I see:


    #ListenAddress 0.0.0.0
    #ListenAddress ::
    Which are commented out (I tend to leave the defaults for a given value
    commented out in my configs, personally, even if I don't explicitely set them).

    Now, if I connect back to myself on loopback, I get:

    Code:
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:1274          127.0.0.1:22            ESTABLISHED
    tcp        0      0 127.0.0.1:22            127.0.0.1:1274          ESTABLISHED
    ...plus the normal listener, above... but if I connect to my machine by IP (after
    dropping the connection, above), we see (IP mangled below):

    Code:
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:1274          127.0.0.1:22            TIME_WAIT
    tcp        0      0 10.1.7.20:1275          10.1.7.20:22            ESTABLISHED
    tcp        0      0 10.1.7.20:22            10.1.7.20:1275          ESTABLISHED
    Netstat's a beautiful command... but read it carefully.


    Now as far as addresses go, the following networks you will find in RFC1918...
    otherwise know as "private address space" or "non-routeable networks" (which
    just means that you can't use it out on the Internet and expect it to go anywhere).

    Code:
    10.0.0.0/8     -> 10.0.0.0    to 10.255.255.255
    172.16.0.0/12  -> 172.16.0.0  to 172.31.255.255
    192.168.0.0/16 -> 192.168.0.0 to 192.168.255.255
    Yes, a lot of VPN and VPN-like things tend to use these non-routeable addresses
    for simple IPs (eg. certain IMs when they're trying to establish a file transfer tunnel
    between clients) and many LANs use these before they hit a NAT and connect to
    the Internet (so, yeah, kind of "connection sharing" but, really, it's just a simple way
    to route packets).

    In any case... I hope this helps... considering it's 4am for me, I should probably
    sleep and hope this makes some sense to someone.
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  5. #15
    Antionline Quitter..Srsly
    Join Date
    Aug 2001
    Posts
    457
    well 192.168.x.x is NAT i am pretty sure and the 0.0.0.0.0 is pretty much a coonection that is just there doing nothing....kinda of a local packet that just is there.
    \"\"A weak mind is like a microscope, which magnifies trifling things but cannot receive great ones.\" G.K. Chesterton, 19th-century English essayist and poet\"

  6. #16
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    It would help if you gave us the name of the firewall you're using and some samples of the suspicous logs...

    Ammo
    Credit travels up, blame travels down -- The Boss

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides