krisred
Unidentified IP address on the network -?

Hi Experts,

I am not sure if I should be posting this in the security area or the networking area. I apologize if this is the wrong place.
I really have a weird problem:

I have a Netgear FVS318 router on DSL on a single network (Windows 2000 Server) 192.168.1.X; 255.255.255.0
I have accounted for all the machines except one (192.168.1.12)

I can't ping this machine; however, when I do a TCP port scan, I am showing ports 25 and 110 open.
UDP port scan reveals several different ports.
I have checked everything: network printers and any other network devices, but no answers. Even the Netgear router does not list this IP in the attached devices list. I can see that there is byte transfer from this IP using eTrust Intrusion Detection and Kerio Network Monitor.

Please advise. Is there anything I am missing to check?

Thanks,

Kris



PsiCop

Are you sure that isn't a secondary address bound to one of your other machines?
mcmurrick

If you have physically identified all equipment directly connected to your internal network and have ruled out an additional overlooked device or machine on your network, you should check to see if any of your machines have an alternate connection defined, i.e. multiple IP addresses assigned to an individual machine. Multiple IP configurations are possible in more recent NT-based versions of Windows and in Linux.
Well, port 25 is SMTP and 100 is POP3, so whatever it is, it wants to do mail.

Have you sniffed out the packets yet?  If it's actually doing POP3, those usernames and passwords are clear text.  That might help.

Do you have a mail server inside?

Might be you have a machine that's been infected with one of those wonderful Trojans that have their own SMTP server so that they can spam.  However that would generally respond to a ping.

Out of morbid curiosity, have you accounted for the router?  I'm guessing you have, as you can look at its attached devices.

ASKER

Hi PsiCop, mcmurrick, ihuckaby -

How do I check if there is a secondary address bound, or multiple IP addresses assigned to a single machine?
Yes, I have accounted for the router which is our gateway (192.168.1.1)

We do have a mail server (MDaemon Mail Server) behind the Netgear router. The only ports open to the internet through the firewall are 25 and 110.
I have checked for trojans and viruses... found none.

Well, from what I can tell using eTrust Intrusion Detection, the machine (192.168.1.12) is receiving ICMP requests from the following clients:
69.27.199.93
66.30.11.18
66.29.199.157
66.29.199.226
66.29.199.240
and so on.....

Thanks,

Kris





You can either look in the TCP/IP properties or do an IPCONFIG/ALL from a command prompt on each machine
Telnet to port 25 on that address and see what it says.

Steve
ihuckaby
I also like the idea of telnetting to port 25 on that address and see what responds.
Once you telnet or even attempt to ping the device, an arp -a command should then show the physical address of the network interface in the mystery device.  Match that up with known physical addresses to see if it's a second address on an existing device.
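The matching step above, done programmatically: this is an added example, not code from anyone in the thread. It parses constructed Windows `arp -a` output (reusing the MAC addresses quoted later in the thread, plus one invented entry), checks each MAC against an inventory you maintain of devices you have physically accounted for, and labels the OUI prefix with the one vendor the thread names.

```python
import re

# Constructed sample of Windows `arp -a` output as seen from 192.168.1.204.
# MACs for .1, .9 and .12 are the ones quoted in the thread; 192.168.1.30 is
# invented and deliberately reuses the MAC of 192.168.1.9.
SAMPLE_ARP = """\
Interface: 192.168.1.204 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-09-5b-82-d8-c8     dynamic
  192.168.1.9           00-50-ba-c8-b3-c6     dynamic
  192.168.1.12          00-40-f4-6c-b1-cd     dynamic
  192.168.1.30          00-50-ba-c8-b3-c6     dynamic
"""

# Inventory of devices you have physically accounted for (constructed).
KNOWN_DEVICES = {
    "00:09:5B:82:D8:C8": ("192.168.1.1", "Netgear FVS318 router"),
    "00:50:BA:C8:B3:C6": ("192.168.1.9", "Windows host"),
}

# OUI prefixes; only the vendor the thread identifies. Extend from the IEEE list.
OUI_VENDORS = {"00:40:F4": "Cameo Communications"}

ARP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+(\w+)")


def normalize_mac(mac):
    """Windows prints 00-40-f4-..., inventories usually use 00:40:F4:..."""
    return mac.upper().replace("-", ":")


def parse_arp(text):
    """Return (ip, mac, entry_type) tuples from `arp -a` output."""
    rows = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            rows.append((m.group(1), normalize_mac(m.group(2)), m.group(3)))
    return rows


def classify(rows, known=KNOWN_DEVICES, ouis=OUI_VENDORS):
    """Map each IP to (verdict, detail) for the three cases the thread cares about."""
    result = {}
    for ip, mac, kind in rows:
        if mac in known:
            known_ip, name = known[mac]
            if known_ip == ip:
                result[ip] = ("known", name)
            else:
                # Same NIC answering for a second IP: a secondary address.
                result[ip] = ("secondary-address", f"{name} ({known_ip})")
        else:
            vendor = ouis.get(mac[:8], "unknown vendor")
            # A static entry is one you added yourself; only a dynamic entry
            # proves that something on the wire actually answered ARP.
            evidence = "answered ARP" if kind == "dynamic" else "static entry, no ARP proof"
            result[ip] = ("unknown", f"{mac} ({vendor}); {evidence}")
    return result


if __name__ == "__main__":
    for ip, (verdict, detail) in classify(parse_arp(SAMPLE_ARP)).items():
        print(f"{ip:15} {verdict:18} {detail}")
```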

ASKER

I checked all the machines with ipconfig /all, but did not find a secondary address (192.168.1.12).

I cannot telnet to port 25 or 110 on the machine (192.168.1.12) or ping it.

I checked the router's port forwarding to see if it's forwarding to the right machine (the machine hosting the mail server). The settings are correct and it is not being forwarded to 192.168.1.12.

The other thing I noticed that is unusual in the mail server SMTP-out logs is that there are a lot of emails (spam) trying to go out, but all of them say "sender not specified". I ran a trojan scanner to see if there were any... could not find any. However, the spam attempts to leave the mail server were unsuccessful.

This machine 192.168.1.12 has a physical address, as detected by the eTrust Intrusion Detection scanner, of 00:40:F4:6C:B1:CD.
Does this mean that there is a physical device? Or?







ASKER

This is what I am seeing in the logs:

Thu 13/Nov/2003 13:28:09 ICMP: 192.168.1.12:8 <- 69.27.197.77:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:30:16 ICMP: 192.168.1.12:8 <- 69.30.10.66:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:31:04 ICMP: 192.168.1.12:8 <- 69.27.243.180:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:31:26 ICMP: 192.168.1.12:8 <- 69.33.99.218:8     0 + 64By,     0s      - unknown service: 192.168.1.12
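A small parser for log lines in the format shown above, written as an added example (not code from the thread or from eTrust/Kerio). It extracts timestamp, protocol, destination and source, then reports per destination how many distinct public sources are probing a private address and the gaps between hits, which is the "pinged almost every two minutes" observation made measurable. The four lines are the ones quoted above, reused as sample input.

```python
import ipaddress
import re
from datetime import datetime
from statistics import median

# The four log lines quoted in the thread, reused here as sample input.
SAMPLE_LOG = """\
Thu 13/Nov/2003 13:28:09 ICMP: 192.168.1.12:8 <- 69.27.197.77:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:30:16 ICMP: 192.168.1.12:8 <- 69.30.10.66:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:31:04 ICMP: 192.168.1.12:8 <- 69.27.243.180:8     0 + 64By,     0s      - unknown service: 192.168.1.12
Thu 13/Nov/2003 13:31:26 ICMP: 192.168.1.12:8 <- 69.33.99.218:8     0 + 64By,     0s      - unknown service: 192.168.1.12
"""

# Layout assumed from the lines above: weekday, timestamp, PROTO: dst:port <- src:port ...
LINE_RE = re.compile(
    r"^\w{3} (?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<proto>\w+): (?P<dst>[\d.]+):(?P<dport>\d+) <- (?P<src>[\d.]+):(?P<sport>\d+)"
)


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
        "proto": m["proto"],
        "dst": ipaddress.ip_address(m["dst"]),
        # For ICMP the "port" column carries the ICMP type; 8 is echo request.
        "type_or_port": int(m["dport"]),
        "src": ipaddress.ip_address(m["src"]),
    }


def summarize(log_text):
    """Group hits by destination and flag private addresses probed from the outside."""
    per_dst = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        e = per_dst.setdefault(rec["dst"], {"times": [], "sources": set(), "echo_requests": 0})
        e["times"].append(rec["ts"])
        e["sources"].add(rec["src"])
        if rec["proto"] == "ICMP" and rec["type_or_port"] == 8:
            e["echo_requests"] += 1

    report = {}
    for dst, e in per_dst.items():
        times = sorted(e["times"])
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[str(dst)] = {
            "dst_is_private": dst.is_private,
            "public_sources": sorted(str(s) for s in e["sources"] if not s.is_private),
            "echo_requests": e["echo_requests"],
            "gaps_seconds": gaps,
            "median_gap": median(gaps) if gaps else None,
            # An RFC 1918 address cannot be reached from the internet directly, so
            # many distinct public hosts hitting it means the router forwards to it
            # or the traffic is generated locally. Either way it needs a look.
            "suspicious": dst.is_private and len(e["sources"]) > 1 and e["echo_requests"] > 0,
        }
    return report
```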


Does that same physical address (00:40:F4:6C:B1:CD) match any other known device on your network?

ASKER

I am not sure why I can't telnet to the machine. When I telnet 192.168.1.12 110 or 25, it says "cannot connect to host, operation timed out".

I checked the ARP cache after pinging all the IP addresses on the network, but none of them compare to 192.168.1.12 (00:40:F4:6C:B1:CD).


Well, I don't know what else to do.
Did you check the physical address of the machine you are on?
00:40:F4 belongs to Cameo Communications . . . You don't have any wireless stuff on your WAN do you?

Try adding the 00:40:F4 MAC address to your arp cache statically and see if you can telnet to it then. If it's a trojan it probably doesn't have the ability to respond to arp requests . . . which is why your scanner may have been able to detect it but you couldn't telnet to it.

. . . sounds more and more like a spam generator.


Good luck,
Steve

ASKER

No, we don't have any wireless devices on the LAN.

I tried adding the address
arp -s 192.168.1.12 00-40-F4-6C-B1-CD
to the ARP cache statically... telnet did not work (no response).

I am still seeing the ICMP log entries almost every 2 minutes.

Thanks,

Kris

ASKER

Of course, I checked the physical address on the machine I was on.
Found nothing; even ran a trojan scanner with current trojan definitions... nothing at all.
Sorry I've been absent.  Work called.

If those "home" addresses are pinging you "almost every two minutes", then I'd have to agree that you almost definitely have a Trojan / spam generator installed on one of your machines, and its planter is checking on it.

I would go with ShineOn's recommendations and try the web scanners.  Local antivirus solutions are fairly well known and frequently circumvented.

Depending on your layer 2 layout:  If you are using switches you might try sniffing individual ports.  You'd either need to span ports, or hook a hub up in between the end device and the switch.  One of them is going to have packets coming from that box (MAC address, IP address, etc.)  That will let you know which switchport it's coming in on, which might give you the machine if you can trace the cable back.  If you're all hubs, that won't help you.

Possibly a dumb question, but when you wrote that you ran your trojan scanner, was that just on the mail server?  You never mentioned running it elsewhere, and many of them only scan the local machine.

And thanks Steve, I know about address translation.  Just did a very bad job of expressing curiosity about those ICMP requests.  Guess I should have said "I'm not sure of any LEGITIMATE reason why they'd be pinging you".  Oops.
It's possible you have a rogue wireless access point, something someone has set up on their own.
If your switch supports it, you can tell which port (whatever the thing is) it's plugged into by its MAC address.
Whatever it is, it needs an IP address, so you can exclude that MAC address from your DHCP server or null route the little bugger at your router to effectively disable it.
Is 192.168.1.12 sending out any traffic or are you only seeing incoming ICMP?
In the latter case, it may just be that port 8 on your router is forwarded to that address.

Coming from another angle, perhaps if you can get your network nice and quiet you can try to ping the device while watching the switch.   Even if the device doesn't respond, that should show you where the switch is directing the packets.
Is it possible the MAC address is getting reprogrammed on something?  Can some interfaces be more than one MAC at a time?  Would be a nasty thing for a trojan to do to make it hard to find: use a secondary MAC that doesn't show up in system configs...  I'd sniff the net with tcpdump et al. and look at the actual traffic the intrusion system is seeing.  If you can identify the traffic and get a sense of frequency, then unplug systems one at a time until you stop seeing it...
You may be infected with the Swen worm or a variant.  It's a mass-mailing worm that has its own SMTP engine.  A variant may be doing IP masquerading.

http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html

cheers
Yeah, Swen or variants is one of what I was talking about.  One of the things of interest with that particular worm -

>>Note: Due to the numerous changes that the worm makes to the Windows registry, the worm can be somewhat difficult to remove if it has already run and your Symantec antivirus product subsequently quarantined or deleted it.<<

Today's worms are such nasty, insidious things that once they get past your antivirus, are likely to trample all over your system, and you must be aware of what they can do and what changes they can make in order to find and clean them.

The ONLY way to be safe from these nasties is to be running a platform that has none of these vulnerabilities.
ihuckaby . . . I didn't mean to be condescending.
Hope you didn't take it that way.

Steve
Getting back to the OUI on the MAC address for Cameo.  Cameo Communications is a LAN hardware supplier specializing in ethernet cards, ethernet hubs, ethernet switches, ethernet transceiver, ethernet converter, USB hub, USB to ethernet converter, and gigabit switches.

Have you checked all your stuff?  I'm thinking it's a switch or some other device configured to forward ports 25 & 110, which would explain why you can't telnet to them.

--M
What kind of switch are you using?
Can you display the spanning tree or CAM table?
I would still suspect a backdoor that someone used to plant a spam generator, even more so than a worm - otherwise, why would there be "home" addresses pinging it on a regular basis, and suspicious outgoing mail?  The errant IP address, coming from a device, may mean that the device was compromised to allow the hacker access to your network using your network, or that they are spoofing an address on your internal network through that device, so they can do their nasties.

More proof that NAT is not a firewall...
I tend to agree with ShineOn's assessment. You've got a compromised host somewhere. You need to identify the MAC address associated with the IP address and use that to find the machine.

ASKER

Hi,
I really appreciate all your continuous help to resolve this.
Here's a brief summary of what all I have done, what I have found, and what I am trying to use:
a) I have accounted for all the physical machines with IP addresses, including the router
b) Performed antivirus, trojan, and malware/spyware scans - none found. However, when I ran HouseCall from Trend Micro, it detected Nachi.A and cleaned it on two machines.
c) Tried to telnet to ports 25 and 110 on 192.168.1.12 (unidentified machine) - no response
d) Used ipconfig /all on all the machines to see if there was a secondary IP bound to an adapter - found none
e) Checked for the Swen worm - none found
f) I found ICMP traffic directed to this machine (192.168.1.12) from external IPs - using Kerio Network Monitor
g) Zone Alarm logs (blocked) show that traffic is being routed to 192.168.1.12 from external IPs
h) eTrust Intrusion Detection logs also show ICMP requests to this machine (192.168.1.12). The alert logs say that there is a DDoS attack daemon running on 192.168.1.204 - possible attacker 192.168.1.9 - and also that there is a DDoS attack daemon running on 192.168.1.9 - possible attacker 192.168.1.204. So this incident is isolated between these two machines.
i) So I installed Link Ferret Network Monitor on 192.168.1.9 (00:50:BA:C8:B3:C6) and captured the packets. There was only one adapter listed to capture the packets from (no hidden adapters). This is what I have:
The source: 00:09:5B:82:D8:C8 (192.168.1.1: 137) - this is the router
The destination: 00-40-F4-6C-B1-CD (this is 192.168.1.12: 137)
ICMP requests are being sent by the DNS servers 206.26.36.34 and 198.107.0.14
NBNS name query requests are being sent by 192.168.1.1 (router) to 192.168.1.12 - port 137

When I ran the Link Ferret Network Monitor on 192.168.1.204 (this is where the mail server is), I did not find anything unusual. However, I did find a hidden adapter that showed up in the drop-down list in the Link Ferret Network Monitor to select the capture device. I don't know if this is the adapter that is bound to 192.168.1.12.

A TCP port scan of 192.168.1.12 revealed ports 25 and 110 open - could it be on 192.168.1.204 (since it is running the mail server)?

How do I remove this hidden adapter, if this is what is causing the problem?

Thanks again,

Kris




Where are you running Zone Alarm, Etrust and Kerio?  It's simply not possible for anyone to send anything to 192.168.* from outside because that's a network that isn't routed by ISPs.  It's reserved for private networks behind NAT routers.  If your router is routing things to those addresses, either a host with that address initiated the connection, or the router is configured to route outside connections (to your external address) to that internal address.

When you say source 192.168.1.1:137 destination 192.168.1.12:137, you're implying that your NAT router is configured to forward Microsoft Networking packets, which would be an extremely bad thing (though it could be that someone inside is mapping an external drive or possibly making rpc calls to an outside machine --- I'm not *that* familiar with MS networking).

But another question is how is your tcp port scan detecting port 25 and 110 open on 192.168.1.12 if you can't telnet to it?  One should imply the other.  Even if it's on the mail server, if you can port scan that address, you should be able to telnet to it (even if it doesn't do anything when you do).

And DDOS attacks from *inside* your LAN?  This isn't a campus dorm LAN by chance is it?
Nachi.A is also known as Welchia.

Port 137 is one of the NetBIOS name service ports.  Is your port 137 traffic UDP or TCP?  Actually, it really doesn't matter all that much..  What you probably have is some type of Denial of Service attack.  

You want to clean your mail server as deeply as you possibly can, and if that fails, you want to blow it away and reinstall everything, then harden it as much as possible before letting it go on the Internet again.
Excellent point, Steve.
Ditto.

ASKER

Well,

Here's the scenario now... Like I mentioned, I isolated the incident to two machines (192.168.1.9) and (192.168.1.204).
I disconnected 192.168.1.9 from the network and ran a TCP port scan on the unknown machine (192.168.1.12): it did not respond to ICMP and I did not find any ports either. Then I disconnected (192.168.1.204), which is a Windows 2000 server with the MDaemon mail server, and ran a TCP port scan: it didn't respond to ICMP but the scan found all the TCP (25, 110) and UDP (many) ports. So now I know this machine is the one that is hiding the IP 192.168.1.12.

So how do I get rid of this now?

Thanks for the continuous support.

Kris
Well, now it may be time to wipe that machine clean and reload everything on it. Before that, however, have you tried this?

http://www.agnitum.com/download/tauscan.html


They claim to be able to find and remove all sorts of backdoor / trojans. They offer a 30-day trial.

Say, Pete, regarding the page with your "ugly mug" . . . where'd you get the source code for the Clock3D? Did you write it?


Good luck,
Steve
The mdaemon mail server is the culprit?

You want to do a bunch of stuff.  You have to find out what is running on that server that doesn't belong there.  You will have to remove programs and clean up the registry.

First place to look is services.  Any nonstandard services are suspect.  Any services that could allow remote access are suspect.  Some backdoor-type services have innocent-sounding names.  Any that seem odd to you should be disabled.

Second, edit the registry and go to where the various RUN statements are in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and remove any entries that do not belong there.

I know this sounds like feeling around in the dark, but without knowing your system personally, I can't tell you what belongs and what doesn't.  You have to figure that out yourself.
If you can't figure all of that out, then you want to do as I and PsiCop and SteveJ said, and wipe it clean and start fresh.
Yes, once you verify the machine that's doing it, I'd wipe it.  It's sure, and it's probably easier.
Kris -

I just reread your last comment - is it the mdaemon server or is it the other, Win2K box that is the culprit?  Either way, you need to clean it, but if it's not your mail server, that's so much nicer for you.

Once again, wipe it clean and start fresh.  Make sure you have all your Win2K/XP/2K3 systems patched current, including security hotfixes.  Disable all services that aren't needed in your environment - to decide which ones to disable, go to http://www.blackviper.com/WIN2K/servicecfg.htm  for Win2K services, and http://www.blackviper.com/WinXP/servicecfg.htm for WinXP services, so you know what you need and don't need enabled.   Not only do you gain speed overall by disabling unnecessary services, you also gain a measure of stability and security and remove potential vulnerabilities.
<unsubscribes>
Thanks for closing the question and awarding points, but it would be very beneficial to the growth of the EE knowledgebase if you would let us know exactly what the problem was.

Thanks again.

ASKER

You are right ShineOn..
Well, I couldn't exactly find the problem, but I isolated it to two machines, and by using a port scan on the individual machines while each was disconnected from the network, I found the unidentified machine (192.168.1.12) on one of the machines. After running all kinds of trojan and anti-virus scans I could not find anything, so as advised I reinstalled Windows. Now it seems to be working fine.

Thanks,

kris
To rephrase, after isolating the unauthorized IP address to one of the machines, and after running all of the utilities you could think of or were advised of on that machine without the effect of "cleaning" the unauthorized IP, you were able to get rid of it by doing a clean install of Windows.  Is that correct?

Now I wish I had asked that you do an image of the errant machine to send to SARC or one of the other places that researches vulnerabilities.  Too bad you couldn't identify a particular trojan/backdoor/whatever, but I'm glad you got it fixed.

Keep those patches current!  A new one pops up every day (if not more...)
Completely patching Windoze is like trying to clean out the Aegean Stables with a whisk broom.
ROFLMAO!

More like trying to patch *every other* hole in a sieve with the expectation that it will stop the leaks. ;)
. . . untie the Gordian Knot with chopsticks.
It takes Occam's Razor to cut through a Gordian Knot... ;)
When you say you found the address, did you find some evidence on the machine?





Didn't Occam have a beard?
Hmmmmm...  does that mean Occam's razor is dull?

ASKER

Hi Chicagoan,

I didn't really find any evidence or error. Like I mentioned before, after isolating the unauthorized or unidentified IP address to two different machines on the network, I disconnected each one from the network and ran a port scan on the individual machines for the IP (192.168.1.12). I had the port scan configured to scan even if the host didn't respond to ping (ICMP). One of the machines came up with results for this IP, with ports 25, 110, and several UDP ports open. The machine on which I found the IP is a Windows 2000 Server SP4 with the MDaemon mail server on it. Now that I had figured out where the source was, I ran every possible anti-virus, trojan, malware and spyware scan; none of them picked up anything. Even the services that were running didn't look unusual. Well, what was suggested was to start clean... and that's what I did.
I have no signs of that IP now, nor do I have any spam going out.

Hope this answers your question.

Thanks,

Kris
If it was your mailserver, it could be an open relay...

http://news.zdnet.co.uk/internet/security/0,39020375,39117923,00.htm