-
December 5th, 2002, 10:52 PM
#11
Banned
WOW!!
I cannot believe the information I have received from this post........I have learned much.
Thank you to all who posted.
From this info gathered and using suggestions from several of the replies, I have narrowed it down to it being the server... because when scanned the MAC comes up LOCAL and the services running are DHCP, IIS, Exchange etc..... this is the only machine on the network running these services.
We have PPTP running as we have remote sites and have been trying to use the MS VPN... I wonder if it has to do with this. What bugs me is it communicates to external sites which I have traced to known spammers..... That's why I thought it was relaying at first.
We only have one site using the VPN and it gets a different address when connected. I can see when they connect. Still irks me, although I am getting closer. I am reapplying patches this weekend to see if I can plug this up and close the unused VPN ports..... otherwise I am rebuilding as I can't be sure what this is or if the system has been compromised.
I am still going to try and find the source though.... I'm stubborn..... I'll be lurking : )
gg
-
December 5th, 2002, 11:30 PM
#12
Well, lots of good info, but also check the DHCP scope and narrow the IPs to within the 40 or so workstations. Also, perhaps I missed it, but outside the servers you did not say what the OS was on those 40 computers, because Win98, Win98SE, WinME, NT Workstation all can show up different ways on a network; throw in Win95 and you have a machine with a personal web server by default, and usually UDP 137 can be noise or scans. I take it your data ports are labeled; a bit of after-hours work to trace each data port and the CPU hooked to it at 40 stations will not take that long. Not all sources can be had from a server; heck, when things get nasty I call people on a telephone. Good luck
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg
-
December 6th, 2002, 01:24 AM
#13
gypsygeek,
When you did the arp -a, it gave you a list similar to this, right?
Interface a.b.c.d <---------------------your server outside address
a.b.c.e 33:33:33:33:33:33 default gateway
Interface 10.x.x.z <---------------------your server inside IP
10.x.x.y 11:11:11:11:11:11 dynamic
10.x.x.w 44:44:44:44:44:44 dynamic
10.x.x.x 00:00:00:00:00:00 LOCAL <-----------------------this is the address in question?
Is this what you are saying?
Also, you most likely don't want to give your external IP here, but your internals seem to be in private address space and are not routable over the internet, so you should at least be able to give us a realistic description of your internal setup. Change the subnet a bit if you are worried about it, but it may help.
Your VPN is set up using RAS, right? RAS with PPTP, etc.... I don't remember how that was done with NT4 but it seems like that is close.
It seems to me that this may very well have something to do with what you have installed for your VPN. When you say the traffic from this is accessing known spammer sites, what do you mean? What services is it using, SMTP, HTTP, etc.? This really worries me. Also, how did you trace these sites to be known spammer sites?
What firewall are you using? If you don't mind my asking.
If I were you I would seriously consider doing what someone else suggested and investing in a NAT router like a Linksys, or even a bit higher-end box like a WatchGuard SOHO, or some other hardware firewall. Or, one of my personal favorites, the Symantec VPN/Firewall Appliance 100. You can pick one of those up for about $350, get one for each site, and bingo, no more worrying about using the NT VPN functions, you can do it all with those two boxes.
-
December 6th, 2002, 12:27 PM
#14
Junior Member
Also try resolving the MAC address and looking up the manufacturer code - this will more than likely tell you if it's a printer, router, switch etc. If all your PCs' Ethernet cards are made by 3Com or IBM (for instance), and it's an HP MAC address, it's probably a printer.
I am having much the same problem, but on a much bigger network. How would I go about resolving the MAC address? What do I use to do this?
I'm almost a complete novice; I've only recently taken on anything to do with security on our network.
Basically we have an IP address trying to get out through our firewall from a PC which seems not to have been given a local IP address. Our local machines have IPs 2.1.x.x; this machine has an IP of 169.x.x.x.
My machine can't ping the address as it seems to be on a different network segment. How would I go about resolving this address?
help!
-
December 6th, 2002, 04:25 PM
#15
Dugganm,
To discover the manufacturer of the NIC in question, take the first three values of the MAC address and then compare them to what you find on this site:
http://standards.ieee.org/regauth/oui/oui.txt
i.e. if your MAC address was
00:03:93:67:5a:ee
you would look up
00:03:93
and discover that it identifies as Apple Computer.
Those 169.x.x.x are Windows default addresses, so I'm guessing that you just have a machine misconfigured somewhere as opposed to a security issue.
The reason you can't ping it is that your machine thinks it is on a non-local network, because of the subnet masks.
If you don't know what the MAC address is, try the following:
If the IP address is 169.x.x.y, change the IP on your machine to 169.x.x.a, with a subnet mask of 255.255.255.0. You should then be able to ping that machine (if it is local) and then find out the MAC address by running arp -a. If it is not on the local network (although I don't think you would ever see traffic from it if it were not) this will obviously not work.
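To turn the three tips above (reading an arp -a table, looking the first three octets of the MAC up in oui.txt, and the subnet-mask reason a 169.x.x.x box is unreachable) into something you can run, here is an added Python example; it is not code from anyone in the thread. It assumes a small constructed excerpt in the oui.txt layout (only the 00-03-93 Apple record is real, the AA-BB-CC vendor is a placeholder), a constructed arp -a capture, and it uses the 169.254.0.0/16 range that Windows automatic private addressing actually draws from.

```python
import ipaddress
import re

# Constructed excerpt in the layout of the IEEE oui.txt file linked above.
# 00-03-93 is the real Apple record the post quotes; AA-BB-CC is a placeholder.
OUI_TEXT = """\
00-03-93   (hex)\t\tApple Computer, Inc.
000393     (base 16)\t\tApple Computer, Inc.

AA-BB-CC   (hex)\t\tExample Vendor (placeholder)
AABBCC     (base 16)\t\tExample Vendor (placeholder)
"""

# Constructed `arp -a` capture (Windows layout) taken after following the
# tip above: the scanning host temporarily moved onto 169.254.x.x so the
# autoconfigured machine answered a ping and landed in the cache.
ARP_TEXT = """\
Interface: 169.254.23.10 --- 0x2
  Internet Address      Physical Address      Type
  169.254.23.4          00-03-93-67-5a-ee     dynamic
  169.254.23.9          aa-bb-cc-00-00-01     dynamic
"""

# Range Windows hands out when no DHCP server answers (APIPA).
APIPA = ipaddress.ip_network("169.254.0.0/16")

# Only the "(hex)" lines carry the prefix -> vendor mapping in oui.txt.
OUI_RE = re.compile(
    r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# One ARP row: IPv4 address, MAC with ':' or '-' separators, entry type.
ARP_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def load_oui(text):
    """Parse oui.txt-style text into {'00:03:93': 'Apple Computer, Inc.', ...}."""
    table = {}
    for m in OUI_RE.finditer(text):
        prefix = ":".join(g.lower() for g in m.group(1, 2, 3))
        table[prefix] = m.group(4)
    return table


def normalize_mac(mac):
    """Lower-case, colon-separated form so Windows and Unix spellings compare equal."""
    return mac.lower().replace("-", ":")


def oui_of(mac):
    """First three octets, i.e. the manufacturer code the post tells you to look up."""
    return normalize_mac(mac)[:8]


def vendor(mac, table):
    return table.get(oui_of(mac), "unknown (not in table)")


def is_apipa(ip):
    return ipaddress.ip_address(ip) in APIPA


def same_subnet(my_ip, other_ip, my_mask):
    """True if my host would ARP for other_ip directly instead of sending it to the gateway."""
    net = ipaddress.ip_network(f"{my_ip}/{my_mask}", strict=False)
    return ipaddress.ip_address(other_ip) in net


def parse_arp(text):
    return [{"ip": ip, "mac": normalize_mac(mac), "type": typ}
            for ip, mac, typ in ARP_RE.findall(text)]


def triage(arp_text, oui_table, my_ip, my_mask):
    """Annotate every ARP entry with vendor, APIPA flag and local reachability."""
    rows = []
    for e in parse_arp(arp_text):
        rows.append({**e,
                     "vendor": vendor(e["mac"], oui_table),
                     "apipa": is_apipa(e["ip"]),
                     "reachable_from_me": same_subnet(my_ip, e["ip"], my_mask)})
    return rows


if __name__ == "__main__":
    table = load_oui(OUI_TEXT)
    # From a normal 10.0.0.x workstation with a /16 mask, neither entry is local.
    for row in triage(ARP_TEXT, table, "10.0.0.5", "255.255.0.0"):
        print(row)
```

The `reachable_from_me` flag is the post's subnet-mask point made explicit: from 10.0.0.5/16 the 169.254.23.4 host is off-subnet, so your stack hands the ping to the default gateway and it never gets answered; re-run `triage` with `my_ip="169.254.23.10"` and a /24 mask and the same entry becomes reachable.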
-
December 6th, 2002, 04:56 PM
#16
Junior Member
-
December 6th, 2002, 09:14 PM
#17
Banned
Sorry for not getting back earlier...several other small fires to put out.
Mostly user error : )
Anyway.....
IchNiSan
I ping the local rogue (and receive a response) and then I arp and it doesn't show up in the arp table??
I see it connect to sites in my PF logs that Proxy2 creates every day.
I use a whois database to resolve the IPs (Sam Spade or specifically this link http://www.dshield.org/ipinfo.php?ip=) to look up the IPs, then Google them to try and find out as much as I can about them.
OS of all machines is NT4 or W2K
Single server domain, DHCP 10.0.0.x-10.0.0.255
255.255.0.0
Have resolved all IP addresses to devices, machines, printers with the exception of this one that keeps on showing up.
LOCAL shows up when running GFI LANScan from the server to that IP.
Shows all the same services as the domain server and that the MAC is Local.
Shows no one logged in.......... although I am logged in as Admin running the scan??
GG
-
December 6th, 2002, 11:53 PM
#18
If it does not show up in the ARP tables after a ping, then it is without a doubt a local (meaning on the server) address.
If you run ipconfig /all on the server, what does it show you?
I'm out of ideas, maybe if I were physically in front of the box I could figure it out.
I would suggest that you cut your losses and wipe the box.
Sorry 8(((
IchNiSan
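The test IchNiSan describes (the address answers a ping yet never appears in arp -a, so it must belong to the server itself) can be checked mechanically against the server's own ipconfig /all. Added Python example, not code from anyone in the thread; the ipconfig and arp captures below are constructed, and the adapter names and addresses are illustrative rather than taken from the poster's network.

```python
import re

# Constructed `ipconfig /all` excerpt for one NT-style server with two NICs
# and a RAS dial-in interface. Adapter names and addresses are illustrative.
IPCONFIG_TEXT = """\
Windows NT IP Configuration

Ethernet adapter Internal:
        IP Address. . . . . . . . . : 10.0.0.1
        Subnet Mask . . . . . . . . : 255.255.0.0

Ethernet adapter External:
        IP Address. . . . . . . . . : 203.0.113.10
        Subnet Mask . . . . . . . . : 255.255.255.0

PPP adapter RAS Server (Dial In) Interface:
        IP Address. . . . . . . . . : 10.0.0.250
        Subnet Mask . . . . . . . . : 255.255.255.255
"""

# Constructed `arp -a` excerpt from the same server after pinging 10.0.0.250:
# the ping is answered, but no entry appears, which is the symptom in the post.
ARP_TEXT = """\
Interface: 10.0.0.1 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.7              00-03-93-67-5a-ee     dynamic
  10.0.0.12             11-11-11-11-11-11     dynamic
"""

IP_LINE = re.compile(r"IP Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")
ARP_ROW = re.compile(
    r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s+[0-9a-f]{2}(?:[-:][0-9a-f]{2}){5}",
    re.IGNORECASE | re.MULTILINE,
)


def own_addresses(ipconfig_text):
    """Map every IP address the host itself owns to the adapter that carries it."""
    owned, adapter = {}, None
    for line in ipconfig_text.splitlines():
        # Adapter headings start in column 0 and end with ':'.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.rstrip()[:-1]
        m = IP_LINE.search(line)
        if m and adapter:
            owned[m.group(1)] = adapter
    return owned


def arp_neighbours(arp_text):
    """Set of addresses that resolved to a MAC, i.e. genuinely other machines on the wire."""
    return set(ARP_ROW.findall(arp_text))


def classify(ip, ipconfig_text, arp_text):
    """Return (verdict, detail) for a suspect address seen from this host."""
    owned = own_addresses(ipconfig_text)
    if ip in owned:
        return ("own-interface", owned[ip])
    if ip in arp_neighbours(arp_text):
        return ("neighbour", "has a MAC entry in the ARP cache")
    return ("unseen", "no ARP entry and not an address of this host")


if __name__ == "__main__":
    for suspect in ("10.0.0.250", "10.0.0.7", "10.0.0.99"):
        print(suspect, classify(suspect, IPCONFIG_TEXT, ARP_TEXT))
```

A ping answered from an `own-interface` address never touches the wire, which is exactly why no ARP entry is created; walking every adapter in ipconfig /all (RAS and PPP interfaces included, which are easy to overlook) is the quickest way to confirm that before deciding whether the box needs wiping.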