  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 775

Is my ISP out to harm my network?

Running a Windows 2003 server and 15+ workstations. The server is handling DNS/DHCP, the router is handling the NAT and port forwarding. The router is configured by our ISP; it's an Adtran (I think it's a TSU 600, but I'm not in front of it right now to tell you for sure). The Adtran passes all of our data and voice out to the T1 in our building's phone room.

We were having some internet problems, so I started doing some investigating. I wanted to see all the computers on my network at the same time, so I downloaded and ran LanSpy which returned results for all the computers on my network.

Well, it also found some computers that are not on my network! We use a 192.168.0.1/254 IP scheme, and I found 4 computers in the 192.168.11.100 scheme showing up. The program scans all the UDP ports as well, and it returned this information:

[] 192.168.11.113
 Round Trip Time (RTT): <10 ms
 Time To Live (TTL): 250
 UDP ports (14) 42 Name => Name Server
 53 domain => Domain Name Server
 67 bootps => Bootstrap Protocol Server
 88 kerberos => Kerberos
 123 NTP => Network Time Protocol
 137 netbios-ns => NetBios Name Service
 161 SNMP => Simple Network Management Protocol
 389 ldap => Light Directory Access Protocol
 500 isakmp => Isakmp
 1433 ms-sql-s => Microsoft-SQL-Server
 1512 wins => Microsoft's Windows Internet Name Service
 2049 nfsd => Network File System daemon
 3127 trojan => W32.Mydoom
 4672 eD2Kt => eD2K P-2-P Transport
 
[] 192.168.11.114
 Round Trip Time (RTT): <10 ms
 Time To Live (TTL): 252
 UDP ports (15) 42 Name => Name Server
 53 domain => Domain Name Server
 67 bootps => Bootstrap Protocol Server
 88 kerberos => Kerberos
 135 epmap => DCE endpoint resolution
 138 netbios-dgm => NetBios Datagram Service
 161 SNMP => Simple Network Management Protocol
 162 snmptrap => SNMP Trap
 445 microsoft-ds => Microsoft-DS
 520 router => Router routed RIPv.1, RIPv.2
 1434 ms-sql-s => Microsoft-SQL-Server
 1900 ssdp => Simple Service Discovery Protocol
 3003 cgms => CGMS
 4500 ipsec-nat-t => IPsec NAT-Traversal
 27015 hle => Half-Life Engine

[] 192.168.11.157
 Round Trip Time (RTT): <10 ms
 Time To Live (TTL): 250
 UDP ports Firewall presented. Do not check state of UDP ports.
 
[] 192.168.11.158
 Round Trip Time (RTT): <11 ms
 Time To Live (TTL): 252
 UDP ports (15) 42 Name => Name Server
 53 domain => Domain Name Server
 67 bootps => Bootstrap Protocol Server
 88 kerberos => Kerberos
 135 epmap => DCE endpoint resolution
 138 netbios-dgm => NetBios Datagram Service
 161 SNMP => Simple Network Management Protocol
 162 snmptrap => SNMP Trap
 445 microsoft-ds => Microsoft-DS
 520 router => Router routed RIPv.1, RIPv.2
 1434 ms-sql-s => Microsoft-SQL-Server
 1900 ssdp => Simple Service Discovery Protocol
 3003 cgms => CGMS
 4500 ipsec-nat-t => IPsec NAT-Traversal
 27015 hle => Half-Life Engine

When I do a tracert, it hits the Adtran 192.168.0.1, hits our public IP address, hits 216.185.190.213 (Eschelon Telecom, our ISP), then is routed to 216.185.190.202 (also Eschelon), then the IP address.

Does this mean that these computers (shown above) are connected at our ISP's office? If so, why are so many of their computers connecting to my box? And since this first computer shown, 192.168.11.113, has a trojan, can it infect my network? Are they using my bandwidth or providing it? Any help here would be great!

Oh yeah, also, I disconnected the Adtran from the network and tried to ping these IPs and got failures; as soon as I connected back up, there they were again, so it's not a computer in-house, it's definitely external.
0
Asked: TTCLIVE
4 Solutions
 
thur6165Commented:
If you can ping these IPs and they are not in your subnet, then they have a route set in this Adtran router pointing to another network.  Which basically means that these machines can reach your network.  I would call them and ask them why they are routing traffic to another private network.  This is probably some strange setup on their part and not another customer's network.  One can only hope.  These appear to be 2 SQL servers and a RRAS.
0
 
thur6165Commented:
Top one would appear to be a Linux box.
0
 
TTCLIVEAuthor Commented:
So there is a route in the Adtran that they set there? That means I can stop them from accessing it if I can get control of the configuration?
0
 
thur6165Commented:
192.168.0.1/254? Do you mean 192.168.0.1/23 (255.255.254.0), which is 192.168.0.1-192.168.1.254?

192.168.0.1/31 (255.255.255.254) would render no usable IP addresses.

Double check your addressing scheme.

Yes, in order to get outside your subnet there has to be a route to 192.168.11.x, or else the router will drop the packets to that network.  This means there is an entry in the config on the router.  This may be done automatically with a routing protocol or manually entered like a static route.  Either way, I would recommend you talk it over with your ISP, as you'll probably break your terms of agreement by fooling around with the router.

Also, referring to the last part of your question.  This doesn't mean that they are accessing your network and using your bandwidth.  It simply means that this rogue network can see you and you can see it.  The trojan port referenced is most likely a Linux machine; that tool labels that port as a trojan because it is known as that on Windows.  You'll never be sure, and yes, if it were a trojan it could spread to your network depending on the security configured on the router, which we can't see.

0
 
trinak96Commented:
Also, I would use a sniffer on the same machine you used to scan the network to see if there is any traffic originating from, or being sent to, this subnet.

If there is then you will have the evidence to supply the ISP.
0
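One way to carry out the two checks raised above, as an added example that is not part of the thread: it does the subnet arithmetic thur6165 raises (what a /23 and a /31 actually span), then scans a text export of sniffer summary lines for any packet exchanged with the 192.168.11.x hosts LanSpy found, which is the evidence trinak96 suggests collecting. The prefixes (192.168.0.0/24 for the office LAN, as the poster later clarifies, and 192.168.11.0/24 for the foreign hosts) and the sample capture lines are constructed for the example; the line format imitates a sniffer summary export and is not Ethereal's own.

```python
"""Triage sniffer output for traffic crossing into an off-subnet prefix.

Added example (not from the thread): checks the subnet arithmetic thur6165
raises, then scans a text export of sniffer summary lines for any packet
exchanged with the 192.168.11.x hosts LanSpy found.
"""
import ipaddress
from collections import Counter

# Office LAN as the poster later clarifies it (192.168.0.1 -> 192.168.0.254)
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")
# The foreign prefix the scan turned up (assumed /24)
SUSPECT_NET = ipaddress.ip_network("192.168.11.0/24")

# Constructed sample lines in "frame time src dst proto info" form, imitating a
# summary export from a packet sniffer. Not a real capture.
SAMPLE_CAPTURE = """\
1 0.000 192.168.0.10 192.168.0.1 DNS Standard query A www.example.com
2 0.012 192.168.0.1 192.168.0.10 DNS Standard query response
3 0.250 192.168.11.113 192.168.0.5 UDP 137 -> 137 Len=50
4 0.261 192.168.0.5 192.168.11.113 UDP 137 -> 137 Len=62
5 0.300 192.168.0.22 192.168.11.114 TCP 1433 [SYN]
6 0.990 192.168.0.1 192.168.0.30 DHCP Offer
7 1.100 192.168.11.158 192.168.0.255 UDP 1900 -> 1900 Len=300
8 1.200 10.0.0.7 192.168.0.10 TCP 80 [SYN]
"""


def subnet_span(cidr):
    """Return (first_usable, last_usable, usable_count) for a CIDR prefix under the
    classic rule that the network and broadcast addresses are not assignable, so a
    /31 yields no usable hosts, as thur6165 points out."""
    net = ipaddress.ip_network(cidr, strict=False)  # accept a host address like 192.168.0.1/23
    count = max(net.num_addresses - 2, 0)
    if count == 0:
        return None, None, 0
    return str(net.network_address + 1), str(net.broadcast_address - 1), count


def parse_line(line):
    """Parse one summary line into a dict, or return None for lines that do not fit."""
    parts = line.split(maxsplit=5)
    if len(parts) < 5:
        return None
    try:
        return {
            "frame": int(parts[0]),
            "src": ipaddress.ip_address(parts[2]),
            "dst": ipaddress.ip_address(parts[3]),
            "proto": parts[4],
            "info": parts[5] if len(parts) > 5 else "",
        }
    except ValueError:
        return None


def classify(pkt):
    """Label a packet by its relationship to the suspect prefix."""
    src_suspect = pkt["src"] in SUSPECT_NET
    dst_suspect = pkt["dst"] in SUSPECT_NET
    if src_suspect and pkt["dst"] in LOCAL_NET:
        return "inbound-from-suspect"
    if dst_suspect and pkt["src"] in LOCAL_NET:
        return "outbound-to-suspect"
    if src_suspect or dst_suspect:
        return "suspect-other"  # suspect host talking to something outside our LAN
    return "unrelated"


def triage(capture_text):
    """Collect the frames and talker pairs that involve the suspect prefix.

    Inbound frames show the foreign hosts reaching in; outbound frames show
    something on the LAN reaching out to them. Either is worth handing to the ISP."""
    result = {"inbound_from_suspect": [], "outbound_to_suspect": [], "talkers": Counter()}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        kind = classify(pkt)
        if kind == "inbound-from-suspect":
            result["inbound_from_suspect"].append(pkt["frame"])
        elif kind == "outbound-to-suspect":
            result["outbound_to_suspect"].append(pkt["frame"])
        else:
            continue
        result["talkers"][(str(pkt["src"]), str(pkt["dst"]))] += 1
    return result


if __name__ == "__main__":
    print("192.168.0.1/23 spans", subnet_span("192.168.0.1/23"))
    print("192.168.0.1/31 spans", subnet_span("192.168.0.1/31"))
    report = triage(SAMPLE_CAPTURE)
    print("frames from suspect net into LAN:", report["inbound_from_suspect"])
    print("frames from LAN to suspect net:  ", report["outbound_to_suspect"])
    for (src, dst), n in report["talkers"].most_common():
        print(f"  {src} -> {dst}: {n} packet(s)")
```

On a real capture, the broadcast frame (destination 192.168.0.255) is the one to look at first: a foreign host sending SSDP or NetBIOS broadcasts onto the LAN means the ISP's route is carrying its traffic in, not just making it pingable. An empty inbound list, as the poster found, is consistent with the hosts merely being reachable through the router's route.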
 
TTCLIVEAuthor Commented:
Okay, I am pretty new to a lot of this, can you walk me through using a sniffer "to see if there is any traffic originating, or being sent to, this subnet"

Is there something built in to windows that I can use, or a freeware/shareware program I can use to do this? And what am I looking for?
0
 
trinak96Commented:
ttclive,

Go to www.ethereal.com, download the app and the WinPcap drivers. Once you're running, look for IP addresses from the "suspect" LAN.
0
 
TTCLIVEAuthor Commented:
Okay, I ran the program, and I did not see any traffic from the offending IPs, so I guess I'm okay, but I will have to talk to my ISP like you suggested, thur6165.

     *** Oh, on a side note, I understand my mistake in IP shorthand now; what I was trying to say originally was we have an IP scheme that runs from 192.168.0.1 -> 192.168.0.254.

trinak96, thanks for the program link, big help!
thur6165, thanks for the quick response and great explanations.
0
