Thread: Am I Hacked????

  1. #1
    Junior Member
    Join Date
    Sep 2003

    Question Am I Hacked????

    Hi all,

    In my Win2k DHCP server, I observed a few RAS entries with IP addresses not belonging to any machines in the office. What is this?



  2. #2
    Join Date
    Jun 2003
    Sorry, I for one need a little more info to help you; a couple of bad entries doesn't mean that you have been hacked.

    Let's see, what are some of the questions I need to know

    1. What firewall are you running?
    2. Do you have a router?
    3. Have you pinged to see if the computers are up?

    Those are a few, I mean we are good, but from what you gave I can't help you yet. A little more info and I will be able to.

  3. #3
    Junior Member
    Join Date
    Mar 2003
    can u provide more info... maybe i can help or something. just provide more info. that condition is too broad.
    If you're curious, you're probably interested.

  4. #4
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    whizkid2300 said it, I will refine it (again!)

    (Don't give us your specific IP or network; the logs can be adjusted before you post, BUT)

    What exactly are you referring to? How about a sample of the log that you are suspicious of (with the name of the log)?

    How is your network configured? This may seem like a dumb question, but is your DHCP server that you are referring to inside the LAN, behind the firewall that whizkid2300 asked about?

    What are the RAS (Remote Access Services) entries that you are worried about? Are they rogue machines connecting from within, or are they established machines connected to unfamiliar addresses outside, or is the server itself making connections or is it assigning these addresses?

    As Johnny 5 said, “need more input”
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  5. #5
    Join Date
    Apr 2003
    I've seen what Minhajh is talking about, I think. He is looking at the listings in the DHCP leases and seeing some entries that don't add up. They have a RAS (remote access) designation on them.

    Sometimes these are legitimate. However, if you don't allow remote access on your network, or if they are related to workstations on your network, this can be a problem.

    If they are related to a workstation, check out the machine for a remote access network connection that may have been set up by an unauthorised user or a ChainCast compromise (Control Panel, Network Connections).

    You can sort the listing, of course, by clicking on the column label at the top. This helps bunch the RAS entries into one group. Check the MAC addresses in the list to make sure they belong to your systems, figure out which one it is and you can examine that machine for problems, if necessary.

    If you authorise RAS on your network, those entries may be the home systems of the folks using remote access.
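
The MAC check described in the post above can be scripted. This is an added example, not part of the original thread: it compares a lease list with a machine inventory and reports RAS entries and unknown MACs. The CSV column names, host names, addresses and client IDs are constructed, and searching a long client ID for an embedded inventory MAC is an assumption of this sketch.

```python
import csv
import io
import re

# Constructed sample: a lease list exported to CSV (column names are assumptions;
# the long RAS client IDs are made up, not a documented format).
LEASES_CSV = """ip,name,unique_id
192.0.2.21,WS-01,00-0c-29-aa-bb-01
192.0.2.22,WS-02,00:0C:29:AA:BB:02
192.0.2.50,RAS,52415320000c29aabb02000000000001
192.0.2.51,RAS,5241532000e04c11223300000000
192.0.2.60,LAPTOP,00e04c445566
"""

# Constructed inventory of MAC addresses that belong to office machines.
INVENTORY = {"WS-01": "00:0C:29:AA:BB:01", "WS-02": "00-0c-29-aa-bb-02"}


def norm(value):
    """Reduce a MAC or client ID to bare lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def owner_of(uid, known):
    """Match a bare MAC, or a known MAC embedded byte-aligned in a longer ID."""
    if uid in known:
        return known[uid]
    chunks = (uid[i:i + 12] for i in range(0, max(len(uid) - 11, 0), 2))
    return next((known[c] for c in chunks if c in known), None)


def audit(leases_csv, inventory):
    """Return (ip, name, verdict) for every lease that needs a look."""
    known = {norm(mac): host for host, mac in inventory.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(leases_csv)):
        owner = owner_of(norm(row["unique_id"]), known)
        is_ras = row["name"].strip().upper().startswith("RAS")
        if is_ras and owner:
            verdict = f"RAS lease tied to {owner}: check its network connections"
        elif is_ras:
            verdict = "RAS lease with no inventory MAC: unexplained"
        elif owner is None:
            verdict = "unknown MAC"
        else:
            continue  # ordinary lease held by a known machine
        findings.append((row["ip"], row["name"], verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(LEASES_CSV, INVENTORY):
        print(*finding, sep="  ")
```
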

  6. #6
    Junior Member
    Join Date
    Sep 2003
    My apologies to all for not providing sufficient info.

    Reply to whizkid2300; I use a ZoneAlarm firewall, Analogx Proxy, in our MailServer, which is connected to a dialup, no routers.

    Reply to rapier57; we have 22 workstations and these RAS entries' MAC addresses don't belong to any of the machines in the office. I removed these entries a couple of times, but they appeared again after some time; this is what made me suspicious. I have disabled remote access to all the users.

    Reply to IKnowNot; No, we are not behind a firewall. ZoneAlarm runs on MailServer and one Admin Workstation only, which connects to the internet.
