September 30th, 2003, 07:48 AM
Am I Hacked????
In my Win2k DHCP server, I observed a few RAS entries with IP addresses not belonging to any machines in the office. What is this?
September 30th, 2003, 08:45 AM
Sorry, I for one need a little more info to help you; a couple of bad entries doesn't mean that you have been hacked.
Let's see what are some of the questions I need to know
1. What firewall are you running?
2. Do you have a router?
3. Have you pinged to see if the computers are up?
Those are a few, I mean we are good, but from what you gave I can't help you yet. A little more info and I will be able to.
September 30th, 2003, 09:39 AM
Can you provide more info... maybe I can help or something. Just provide more info. That condition is too broad.
If you're curious, you're probably interested.
September 30th, 2003, 09:40 AM
whizkid2300 said it, I will refine it (again!)
(Don't give us your specific IP or network, the logs can be adjusted before you post, BUT)
What exactly are you referring to? How about a sample of the log that you are suspicious of (with the name of the log)?
How is your network configured? This may seem like a dumb question, but is your DHCP server that you are referring to inside the LAN, behind the firewall that whizkid2300 asked about?
What are the RAS (Remote Access Services) entries that you are worried about? Are they rogue machines connecting from within, or are they established machines connected to unfamiliar addresses outside, or is the server itself making connections or is it assigning these addresses?
As Johnny 5 said, “need more input”
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
October 1st, 2003, 12:50 AM
I've seen what Minhajh is talking about, I think. He is looking at the listings in the DHCP leases and seeing some entries that don't add up. They have a RAS (remote access) designation on them.
Sometimes these are legitimate. However, if you don't allow remote access on your network, or if they are related to workstations on your network, this can be a problem.
If they are related to a workstation, check out the machine for a remote access network connection that may have been set up by an unauthorised user or a ChainCast compromise (Control Panel, Network Connections).
You can sort the listing, of course, by clicking on the column label at the top. This helps bunch the RAS entries into one group. Check the MAC addresses in the list to make sure they belong to your systems, figure out which one it is and you can examine that machine for problems, if necessary.
If you authorise RAS on your network, those entries may be the home systems of the folks using remote access.
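The MAC check described in the post above, as an added example that is not part of the original thread: it compares lease unique IDs against an inventory of known adapters. The lease rows, the inventory, the CSV column names and the RAS ID layout (ASCII "RAS " in hex, then the requesting adapter's MAC, then an index) are assumptions made for this sketch.

```python
import csv
import io
import re

# Constructed sample data: not taken from the thread.
KNOWN_MACS = {"00-0C-29-11-22-33", "00:50:56:aa:bb:01"}
LEASES_CSV = """ip,name,unique_id
192.168.0.21,WS01,000c29112233
192.168.0.22,WS02,005056aabb01
192.168.0.40,,52415320005056aabb01000000000000
192.168.0.41,,5241532000e04c0f0e0d000000000000
192.168.0.50,LAPTOP,0010a4deadbe
"""

RAS_PREFIX = "52415320"  # ASCII "RAS " in hex (assumed ID layout)


def norm(mac):
    """Reduce any MAC notation to bare lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def classify(unique_id, known):
    """Return (kind, mac, is_known) for one lease's unique ID."""
    uid = norm(unique_id)
    if uid.startswith(RAS_PREFIX) and len(uid) >= len(RAS_PREFIX) + 12:
        mac = uid[8:20]  # adapter that requested the RAS lease
        return ("ras", mac, mac in known)
    if len(uid) == 12:
        return ("client", uid, uid in known)
    return ("other", uid, False)


def unknown_leases(csv_text, known_macs):
    """List (ip, kind, mac) for leases not tied to an inventoried adapter."""
    known = {norm(m) for m in known_macs}
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, mac, ok = classify(row["unique_id"], known)
        if not ok:
            flagged.append((row["ip"], kind, mac))
    return flagged


if __name__ == "__main__":
    for ip, kind, mac in unknown_leases(LEASES_CSV, KNOWN_MACS):
        print(f"{ip}: {kind} lease tied to unknown adapter {mac}")
```

A RAS lease whose embedded MAC matches an inventoried machine points at that machine as the one to examine; one that matches nothing is the case to chase first.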
October 1st, 2003, 05:31 AM
My apologies to all for not providing sufficient info.
Reply to whizkid2300: I use a ZoneAlarm firewall and AnalogX Proxy on our MailServer, which is connected to a dialup; no routers.
Reply to rapier57: we have 22 workstations, and these RAS entries' MAC addresses don't belong to any of the machines in the office. I removed these entries a couple of times, but they appeared again after some time; this is what made me suspicious. I have disabled remote access for all the users.
Reply to IKnowNOt: No, we are not behind a firewall. ZoneAlarm runs on the MailServer and one Admin Workstation only, which connects to the internet.