Rogue Local IP Address

Thread: Rogue Local IP Address

  1. #1
    Banned
    Join Date
    Jul 2002
    Posts
    44

    Rogue Local IP Address

    Hi there,

    I currently administrate a small network, approx 40 users, using NT4 SP6 and all the patches I can find. I have found a local IP address continuing to show up in my PF logs... no computer appears to be associated with it.
    When I try to ping this local address from any computer on the network it comes back unreachable. When I try to ping from the server (2 NICs, IIS 4) I get a response. I also can scan the IP from the server (using LANguard)... but again I cannot get a NetBIOS name.
    This is a local IP address, 10.x.x.x.
    The thing that irks me is I can't ping it from my WS... just the server, which leads me to believe it isn't on my local network at all. Also in my packet filter logs it shows it connecting on port 137 UDP.

    I am new to this security stuff and have lurked here at AO for a couple of months.
    I am hoping someone can help me find this and maybe block it out.

    One thing I have looked at is I have a NetBIOS packet filter set up allowing both directions.
    I think I should delete this?

    Your thoughts are much appreciated.

    GG

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    343

    NetBIOS - Share your drive with the world

    A good tool is at www.rawlogic.com.
    Better check port 139...
    and use a NAT router like a Linksys.

    You may be sharing your network with the world.
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  3. #3
    I'd rather be fishing DjM
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Re: Rogue Local IP Address

    Originally posted here by gypsygeek
    This is a Local IP address 10.x.x.x.
    My understanding about these IP addresses is that they are 'non-routable'. That would lead me to believe that it would have to be internal to your network. I guess 'spoofing' may be an option here but I don't think so.

    When I try and ping from the server (2 NICs, IIS 4) I get a response.
    Does this server have a firewall on it? If so, you may be able to check (logs) to see if your ping request leaves your network to find this address.

    Cheers:
    DjM

  4. #4
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    I currently administrate a small network, approx 40 users, using NT4 SP6 and all the patches I can find. I have found a local IP address continuing to show up in my PF logs.........no computer appears to be associated with it.
    When I try to ping this local address from any computer on the network it comes back unreachable.
    In all likelihood the person probably either has their services wrapped or has a personal firewall installed, ICMP/ping type things are usually a bad way to determine something on your network.

    When I try and ping from the server (2 NICs, IIS 4) I get a response. I also can scan the IP from the server (using LANguard)......but again I cannot get a netbios name.
    This is a Local IP address 10.x.x.x.
    This leads to questions: 1) Why two NICs? Two different networks? Is your workstation on a different network than the other box you are trying to ping?

    2) Is this a domain server? If so, the person probably has a personal firewall that allows the domain server in so they can do things...and just because you can ping them doesn't mean that it is a windows box or that it doesn't have a firewall restricting it or that it isn't running netbios (in other words, lots of possibilities as to why no netbios names).

    The thing that irks me is I can't ping it from my WS... just the server, which leads me to believe it isn't on my local network at all. Also in my packet filter logs it shows it connecting on port 137 UDP.
    Microsoft is chatty that way, and it tends to try to do stuff like netbios names if it thinks it sees you in the network neighborhood, so it isn't necessarily something to be worried about (not saying that you shouldn't worry though). As to why you can't ping it, see above.


    I am new to this security stuff and have lurked here at AO for a couple of months.
    I am hoping someone can help me find this and maybe block it out.

    One thing I have looked at is I have a NETBIOS Packet filter setup allowing both directions.
    I think I should delete this??
    What you need to think about is, do you really need to be allowing people to utilize NetBIOS services on your computer? Do you have a need to log into a domain? Do you have a need to map drives? Do people have a need to map your drives? Depending on the answers to those questions, I could recommend several different actions. My personal opinion is that NetBIOS is a disaster of an implementation, and I try to avoid it at all costs, but then again, that is just my personal opinion.

    One last suggestion: you say you are an administrator of the network, but that is kind of vague. Are you a Microsoft domain administrator? If so, you could probably find out more information with some of the mickie soft administration stuff... If you have access or controls to switches you could also use the information from them to pursue the address a little more. If you could be a little more specific that would also be helpful.

    Sorry to answer your questions with more questions, but I hope I have helped, and if you can get a little more information out there, I could be a little more helpful.

    That make sense?

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Try running tcpdump to capture all broadcasts from that IP address on your LAN.

    If it's a Windows box, more than likely it'll be shouting its name on NetBIOS. You can get the binary packets and look for strings in them, or use something like Ethereal which will decode them.

    Also try resolving the MAC address and looking up the manufacturer code - this will more than likely tell you if it's a printer, router, switch etc. If all your PCs' Ethernet cards are made by 3Com or IBM (for instance), and it's an HP MAC address, it's probably a printer.

    Also look for any other broadcasts from its MAC address; printers etc. usually shout in IPX and other protocols.

    Maybe the reason you can ping it from some boxes but not others is that its netmask has been set incorrectly. I expect if you're network admin and have joined the company recently it's just some old printer or pc somewhere that the old admin assigned a static address to and never told you.

    Oh yes, one other idea...

    If you have a managed switch, find its MAC address (by using the arp command on a machine that can ping it), look it up on the managed switch, work out what port it's attached to then follow the cables back from the wiring cabinet.

    Seeing as you have 40 users, presumably you don't have more than about 80 machines, so the wiring won't be that tricky?

  6. #6
    Banned
    Join Date
    Jul 2002
    Posts
    44
    Thanks for your responses.

    Yes, the server acts as a firewall. One NIC has an internal address and the second is for internet access.
    The server is a domain controller running MS SBS 4.5 with Exchange 5.5 and Proxy in use.
    The Exchange is not relaying, as I have had this tested from outside sources.

    I set and now administrate the whole network.
    The workstations are all on the same network.

    I deleted the NetBIOS custom packet filter.

    Another thing I did was unplug the dsl modem (connected to the 2nd NIC) and then tried to ping this address. I could still ping which leads me to believe the IP is local.

    When scanned it shows as an NT 4.0 server... with IIS 4. We only have one NT4 server on the network.

    This address shows up in the packet filter logs accessing known spammer sites.
    Originally I thought I was relaying or something.

    Could someone internally be doing something?

    I really appreciate any suggestions.
    As I said before, I have been lurking for months and have gotten a wealth of info from this great site.

    Thanks again

    GG

  7. #7
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    I'm going to assume that it isn't possible for you to administer the box using your domain privileges (for example, that server probably isn't running in the domain). The fact that the box is running IIS4, apparently unauthorized, is kind of disturbing (at least to me). Depending on how your network is laid out and whether or not you are using managed switches, you may be able to narrow down what office this computer resides in. Just check your ARP tables on routers/switches and you may be able to track down the rough physical location of the offender (of course, this heavily depends on your topology and your network equipment).

    I do not think you have to worry about spoofing in this instance. I think that the person probably has a personal firewall or port filters on their computer that restrict access from the rest of your network, but that allow access from your domain server/gateway (for obvious reasons I hope).

    However, this still probably leads you to wonder who/where this computer is. You have mentioned IIS is running, but you haven't mentioned what services. I recommend taking a look through them and seeing if you can't figure out some names attached (it has been my experience that if people create an unauthorized personal web server, they usually include their name or email somewhere in there). So if they have a web page, browse around it for a bit, see if you can't glean some information that would give away who it is... If they are running FTP, see if you can log in anonymously and see what files you can see; this might help out. If they are running SMTP, send an email to the postmaster asking them to talk to you.

    If all of this fails, and you are not able to access any managed switches to track down the MAC of the PC in question, and you are not able to manage the station from the domain controller, you are pretty much going to be forced to go around and do a manual audit of PCs to track this person down.

    One last thing: you mentioned that it shows up as an NT 4.0 with IIS4. Have you compared the MAC of the known server on your network to the MAC of the address you are looking for? If they are the same, they will match... (to get the MAC, look in your own ARP table; since you pinged it from the domain controller, it will have the MAC cached). Another thing you could consider doing is blocking access to the network from that IP and then keeping an eye out to see if it changes, or maybe you get a complaint that so-and-so can't get to the network.

    Good luck and happy hunting.

    /nebulus

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Dammit slarty, you're always saying what I was going to say (after reading the original post) before me!

    Well I'll try to go further then:
    My bet (like nebulus) is you have a user that installed a personal firewall on his/her machine, and configured it to only let through connections/packets from the server...

    To figure out, I'd start with everything slarty has said...
    (for MAC address lookup: on the server, at command prompt, do: "arp -a").

    Also, do you assign IPs dynamically (DHCP)? If so, check your dhcp logs to see who acquired that address.

    You might also want to try a different approach to identifying the particular host:
    on the server, at the command prompt, do: "nbtstat -a THEIPADDRESS". It might/should give you the NetBIOS name of the machine...

    Ammo
    Credit travels up, blame travels down -- The Boss

  9. #9
    Senior Member
    Join Date
    Aug 2001
    Posts
    251
    That sounds like a problem...

    It most definitely sounds like something connected to your (physical?) LAN. You don't use WiFi for anything, no 802.11b? If not, then it has to be something actually plugged in.

    Can NT have 2 IPs for one NIC? I know it's possible in some settings to get 2 separate webservers running on one box..., but it seems unlikely. I throw this out because it's possible that if at one time you guys didn't have a non-local address, there could have been some kind of server running for internal purposes that for whatever reason got forgotten, or your server could be not completely under your control anymore, in which case someone set up a piggybacked server just to screw with your head...

    How long does the address show up in your logs?

    I don't think that it is odd that you can only ping it from your server; the 10.x.x.x addy is not a valid address on your network. If your box does all those things, I assume that it is the only server, so it does all your network stuff: it is your main router (implied by firewall), and all further network equipment is just switches/hubs/printers/NICs... So since it is the router, when you try to connect to the 10.x.x.x addy from your normal box, the router (your server) goes "whatcho talkin' 'bout Willis?" and dumps the packet. We have a couple rogue 10.x.x.x addies on my campus because someone has an Airport BaseStation DHCP serving invalid addresses to a couple of our buildings, but since the buildings are all switches and hubs linked to the rest of the campus through the router (gotta love subnets), it is localized to the building it is in (and if it is a big building with more than one network closet, it is limited to only the connection in that closet)... Can't ping em from anywhere. I've tried. But since you're going straight from what is essentially your router, it knows what to do...

    The thing I don't understand is why your router is letting it connect out..., though you did say proxy, and that worries me. 'Cause why is it letting an invalid IP connect through it?

    I'd trace it back to the computer and try to find logs that incriminate someone. Then I would ensure that the proxy only lets valid IP addresses through it. And maybe invest in a stand-alone firewall. The problem of centralizing everything to one machine is if it goes, everything goes with it, and when I say goes I mean everything possible in badness, from hardware problems, to software, to being hacked, DoS'd, all that evil. So just separating the firewall/proxy/router from the machine would give you a lot more room to play in. And a firewall for a network of 40 comps wouldn't be too terribly expensive; you don't need a Nokia router with CheckPoint FW1 costing more than my car..., you just need something to de-centralize certain services.

    I don't like the sound of the rogue addy connecting to spam sites..., it makes it sound like a non-friendly. Here with our rogues it is just idiot students that can't figure out how to go into start/settings/control panels/network and then hit DHCP, or the dumbass that can't figure out how to use his Airport station. I mean, it is a Macintosh product; the instructions were probably big and colorful and written for a 3rd grader. I know I use Mac, it's nice to get manuals that an idiot can read with the box. I put RAM in the bottom slot, a process that involves removing the processor daughter card from the MoBo, because the instructions were a QuickTime video, damn kids.

    Oops, I rant...

    You're going to need to check over your network for signs of misdeeds, and while doing so I would look for places where you could use some improvement: patches not installed, version numbers with known exploits, users that don't realize that you have to run the virus scanner for it to catch viruses...

    I'm probably useless, so I'm going to shutup and go to work..., see if I can't fix a Mac or two...

    Dhej

  10. #10
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Couple of quick suggestions.

    Unplug network cable(s) from server, internal and external (one at a time), and try to ping that address. If that works, then you know that you have an additional IP bound to the NIC in the server. I forget exactly where that is in NT 4, but you can set additional IP addresses which the server will answer to under the properties of TCP/IP in network settings; I think there is an advanced button. I currently don't have any NT 4 servers up and running, so I cannot check.

    Failing that, at some time when that other IP is responding, open a DOS prompt, ping that address, and then type

    arp -a

    That will give you a list of IPs and the MAC addresses associated with them (only of machines that have recently communicated with the server). Maybe you can find some correlation with other IPs that you recognize, in case one of your legit computers has a second IP set up on its NIC.

    If you want to deny that particular IP access, here is a quick and dirty way. This is only really of limited use, but it will prevent that IP address from communicating with the server, or the outside world.

    From a DOS prompt on the server type

    route add IPADDRESSTODENY AFALSEROUTE

    for an example with numbers,

    route add 10.0.0.9 10.0.0.245

    with 10.0.0.9 being the address you don't know about, and 10.0.0.245 being a random unused IP in your subnet.

    with NT 4 you may have to type

    route add 10.0.0.9 255.255.255.255 10.0.0.245

    instead.

    Of course, this solution is only really good as a temporary testing measure, as the other computer can always have its IP changed. Also, unless you add the -p switch, it will go away the next time you restart your server. -p makes it persistent.

    route add -p 10.0.0.9 10.0.0.245 adds this entry to your routing table permanently.

    Last but not least, if none of the other things help you get a better idea about it, start unplugging wires from your hub/switch one at a time, pinging after each one to see when it goes away. At least then you will know where to start tracing it. I am hoping whoever wired your facility labelled the network jacks and the patch panel in your server room so you know where they all go. If not, you are in for a fun evening.
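Pulling together the ARP-table checks from posts #5, #7, #8 and #10 (ping the address from the server first so its MAC is cached, then read `arp -a`), here is an added Python example that is not from this thread: it parses constructed Windows `arp -a` output, looks up the vendor prefix of each MAC, and flags a MAC that answers for more than one IP, which is what a second address bound to a single NIC looks like. The sample ARP table and the small OUI list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output as seen from the server (10.0.0.1).
# Not captured from the thread; addresses and MACs are made up.
SAMPLE_ARP = """
Interface: 10.0.0.1 on Interface 2
  Internet Address      Physical Address      Type
  10.0.0.9              00-60-08-aa-bb-cc     dynamic
  10.0.0.20             00-04-ac-11-22-33     dynamic
  10.0.0.21             00-10-4b-44-55-66     dynamic
  10.0.0.30             00-60-08-aa-bb-cc     dynamic
  10.0.0.40             08-00-09-77-88-99     dynamic
  10.0.0.50             00-11-22-33-44-55     dynamic
"""

# Small vendor-prefix (OUI) table for illustration only; a real check looks the
# first three octets up in the IEEE OUI registry.
OUI_VENDORS = {
    "00-04-ac": "IBM",
    "00-10-4b": "3Com",
    "00-60-08": "3Com",
    "08-00-09": "Hewlett-Packard",
}

# One ARP entry: dotted IPv4, dash-separated MAC, then the entry type.
ARP_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp(text):
    """Return (ip, mac, type) tuples from `arp -a` output; MACs lowercased."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3)))
    return entries

def vendor(mac):
    """Vendor name for the OUI (first three octets) of a MAC, or 'unknown OUI'."""
    return OUI_VENDORS.get(mac[:8], "unknown OUI")

def duplicate_macs(entries):
    """MACs answering for more than one IP: one NIC carrying a second address."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def unexpected_vendors(entries, expected):
    """Entries whose OUI is not among the vendors of your own PCs' cards
    (printer, router, or an unknown device, as post #5 describes)."""
    return [(ip, mac, vendor(mac)) for ip, mac, _ in entries
            if vendor(mac) not in expected]
```

Run `duplicate_macs(parse_arp(SAMPLE_ARP))` against real `arp -a` output pasted into `SAMPLE_ARP`: a rogue IP sharing a MAC with a known workstation means that workstation has a second address bound, and an IP whose OUI is not one of your card vendors is worth walking the cable for.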
