TTCLIVE


Is my ISP out to harm my network?

Running a Windows 2003 server and 15+ workstations. The server is handling DNS/DHCP, the router is handling the NAT and port forwarding. The router is configured by our ISP, it's an Adtran (I think it's a TSU 600 but I'm not in front of it right now to tell you for sure). The Adtran passes all of our data and voice out to the T1 in our building's phone room.

We were having some internet problems, so I started doing some investigating. I wanted to see all the computers on my network at the same time, so I downloaded and ran LanSpy which returned results for all the computers on my network.

Well, it also found some computers that are not on my network! We use a 192.168.0.1/254 IP scheme, and I found 4 computers in the 192.168.11.100 scheme showing up. The program scans all the UDP ports as well, and it returned this information:

[] 192.168.11.113
 Round Trip Time (RTT): <10 ms
 Time To Live (TTL): 250
 UDP ports (14) 42 Name => Name Server
 53 domain => Domain Name Server
 67 bootps => Bootstrap Protocol Server
 88 kerberos => Kerberos
 123 NTP => Network Time Protocol
 137 netbios-ns => NetBios Name Service
 161 SNMP => Simple Network Management Protocol
 389 ldap => Light Directory Access Protocol
 500 isakmp => Isakmp
 1433 ms-sql-s => Microsoft-SQL-Server
 1512 wins => Microsoft's Windows Internet Name Service
 2049 nfsd => Network File System daemon
 3127 trojan => W32.Mydoom
 4672 eD2Kt => eD2K P-2-P Transport
 
[] 192.168.11.114
 Round Trip Time (RTT): <10 ms
 Time To Live (TTL): 252
 UDP ports (15) 42 Name => Name Server
 53 domain => Domain Name Server
 67 bootps => Bootstrap Protocol Server
 88 kerberos => Kerberos
 135 epmap => DCE endpoint resolution
 138 netbios-dgm => NetBios Datagram Service
 161 SNMP => Simple Network Management Protocol
 162 snmptrap => SNMP Trap
 445 microsoft-ds => Microsoft-DS
 520 router => Router routed RIPv.1, RIPv.2
 1434 ms-sql-s => Microsoft-SQL-Server
 1900 ssdp => Simple Service Discovery Protocol
 3003 cgms => CGMS
 4500 ipsec-nat-t => IPsec NAT-Traversal
 27015 hle => Half-Life Engine

[] 192.168.11.157
 Round Trip Time (RTT): <10 ms
 Time To Live (TTL): 250
 UDP ports Firewall presented. Do not check state of UDP ports.
 
[] 192.168.11.158
 Round Trip Time (RTT): <11 ms
 Time To Live (TTL): 252
 UDP ports (15) 42 Name => Name Server
 53 domain => Domain Name Server
 67 bootps => Bootstrap Protocol Server
 88 kerberos => Kerberos
 135 epmap => DCE endpoint resolution
 138 netbios-dgm => NetBios Datagram Service
 161 SNMP => Simple Network Management Protocol
 162 snmptrap => SNMP Trap
 445 microsoft-ds => Microsoft-DS
 520 router => Router routed RIPv.1, RIPv.2
 1434 ms-sql-s => Microsoft-SQL-Server
 1900 ssdp => Simple Service Discovery Protocol
 3003 cgms => CGMS
 4500 ipsec-nat-t => IPsec NAT-Traversal
 27015 hle => Half-Life Engine

When I do a tracert, it hits the Adtran 192.168.0.1, hits our public IP Address, hits 216.185.190.213 (Eschelon Telecom our ISP), then routed to 216.185.190.202 (also Eschelon), then the IP Address.

Does this mean that these computers (shown above) are connected at our ISP's office? If so, why are so many of their computers connecting to my box? And since this first computer shown 192.168.11.113 has a trojan, can it infect my network? Are they using my bandwidth or providing it? Any help here would be great!

Oh yeah, also, I disconnected the Adtran from the network and tried to ping these IPs and got failures. As soon as I connected back up, there they were again, so it's not a computer in-house, it's definitely external.
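An added example, not part of the original question or any answer: a short Python triage of a LanSpy-style report that separates on-LAN hosts from hosts reached through the router and estimates router hops from the reported TTL. It assumes the LAN is 192.168.0.0/24 and that senders start from a common initial TTL (64, 128 or 255); the function names and the 192.168.0.20 host are constructed for illustration.

```python
import ipaddress
import re

# Assumption: the LAN is 192.168.0.0/24 (the 192.168.0.1-254 range in the question).
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")
COMMON_INITIAL_TTLS = (64, 128, 255)  # typical OS / router defaults

# Excerpt of the report quoted in the question, plus one constructed
# on-LAN host (192.168.0.20) for contrast.
REPORT = """\
[] 192.168.11.113
 Round Trip Time (RTT): <10 ms
 Time To Live (TTL): 250
 UDP ports (14) 42 Name => Name Server
 3127 trojan => W32.Mydoom
[] 192.168.11.157
 Time To Live (TTL): 250
 UDP ports Firewall presented. Do not check state of UDP ports.
[] 192.168.0.20
 Time To Live (TTL): 128
"""

def estimated_hops(ttl):
    """Routers crossed, assuming the nearest common initial TTL at or above ttl."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial - ttl

def parse_report(text):
    """Return one dict per host: address, TTL, and listed UDP port numbers."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"\[\]\s+(\d+\.\d+\.\d+\.\d+)$", line):
            hosts.append({"ip": ipaddress.ip_address(m[1]), "ttl": None, "udp": []})
        elif m := re.match(r"Time To Live \(TTL\):\s*(\d+)", line):
            hosts[-1]["ttl"] = int(m[1])
        elif m := re.match(r"(?:UDP ports \(\d+\)\s+)?(\d+)\s+\S+\s+=>", line):
            hosts[-1]["udp"].append(int(m[1]))  # port number only; name is a label
    return hosts

def classify(hosts):
    """Map address -> (on-LAN or routed, TTL-based hop estimate, UDP ports)."""
    return {str(h["ip"]): ("on-LAN" if h["ip"] in LOCAL_NET else "routed",
                           estimated_hops(h["ttl"]), h["udp"]) for h in hosts}

if __name__ == "__main__":
    print(classify(parse_report(REPORT)))
```

A host marked "routed" with a non-zero hop estimate is being reached through the gateway rather than sitting on the local segment, which matches the hosts disappearing when the Adtran was unplugged.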
thur6165

Top one would appear to be a Linux box.
TTCLIVE

ASKER

So there is a route in the Adtran that they set there? That means I can stop them from accessing it if I can get control of the configuration?
TTCLIVE

ASKER

Okay, I am pretty new to a lot of this, can you walk me through using a sniffer "to see if there is any traffic originating, or being sent to, this subnet"?

Is there something built in to Windows that I can use, or a freeware/shareware program I can use to do this? And what am I looking for?
TTCLIVE

ASKER

Okay, I ran the program, and I did not see any traffic from the offending IPs, so I guess I'm okay but I will have to talk to my ISP like you suggested thur6165.

     *** Oh, on a side note, I understand my mistake in IP shorthand now. What I was trying to say originally was we have an IP scheme that runs from 192.168.0.1 -> 192.168.0.254.

trinak96, thanks for the program link, big help!
thur6165, thanks for the quick response and great explanations.