TTCLIVE
Is my ISP out to harm my network?
Running a Windows 2003 server and 15+ workstations. The server is handling DNS/DHCP, the router is handling the NAT and port forwarding. The router is configured by our ISP; it's an Adtran (I think it's a TSU 600, but I'm not in front of it right now to tell you for sure). The Adtran passes all of our data and voice out to the T1 in our building's phone room.
We were having some internet problems, so I started doing some investigating. I wanted to see all the computers on my network at the same time, so I downloaded and ran LanSpy which returned results for all the computers on my network.
Well, it also found some computers that are not on my network! We use a 192.168.0.1/254 IP scheme, and I found 4 computers in the 192.168.11.100 scheme showing up. The program scans all the UDP ports as well, and it returned this information:
192.168.11.113
Round Trip Time (RTT): <10 ms
Time To Live (TTL): 250
UDP ports (14):
42 name => Name Server
53 domain => Domain Name Server
67 bootps => Bootstrap Protocol Server
88 kerberos => Kerberos
123 ntp => Network Time Protocol
137 netbios-ns => NetBIOS Name Service
161 snmp => Simple Network Management Protocol
389 ldap => Lightweight Directory Access Protocol
500 isakmp => ISAKMP
1433 ms-sql-s => Microsoft SQL Server
1512 wins => Microsoft Windows Internet Name Service
2049 nfsd => Network File System daemon
3127 trojan => W32.Mydoom
4672 eD2Kt => eD2K P2P Transport

192.168.11.114
Round Trip Time (RTT): <10 ms
Time To Live (TTL): 252
UDP ports (15):
42 name => Name Server
53 domain => Domain Name Server
67 bootps => Bootstrap Protocol Server
88 kerberos => Kerberos
135 epmap => DCE endpoint resolution
138 netbios-dgm => NetBIOS Datagram Service
161 snmp => Simple Network Management Protocol
162 snmptrap => SNMP Trap
445 microsoft-ds => Microsoft-DS
520 router => routed, RIPv1/RIPv2
1434 ms-sql-m => Microsoft SQL Server Monitor
1900 ssdp => Simple Service Discovery Protocol
3003 cgms => CGMS
4500 ipsec-nat-t => IPsec NAT Traversal
27015 hle => Half-Life Engine

192.168.11.157
Round Trip Time (RTT): <10 ms
Time To Live (TTL): 250
UDP ports: Firewall present. Do not check state of UDP ports.

192.168.11.158
Round Trip Time (RTT): <11 ms
Time To Live (TTL): 252
UDP ports (15):
42 name => Name Server
53 domain => Domain Name Server
67 bootps => Bootstrap Protocol Server
88 kerberos => Kerberos
135 epmap => DCE endpoint resolution
138 netbios-dgm => NetBIOS Datagram Service
161 snmp => Simple Network Management Protocol
162 snmptrap => SNMP Trap
445 microsoft-ds => Microsoft-DS
520 router => routed, RIPv1/RIPv2
1434 ms-sql-m => Microsoft SQL Server Monitor
1900 ssdp => Simple Service Discovery Protocol
3003 cgms => CGMS
4500 ipsec-nat-t => IPsec NAT Traversal
27015 hle => Half-Life Engine
When I do a tracert, it hits the Adtran 192.168.0.1, hits our public IP Address, hits 216.185.190.213 (Eschelon Telecom our ISP), then routed to 216.185.190.202 (also Eschelon), then the IP Address.
Does this mean that these computers (shown above) are at our ISP's office? If so, why are so many of their computers connecting to my box? And since the first computer shown, 192.168.11.113, has a trojan, can it infect my network? Are they using my bandwidth or providing it? Any help here would be great!
Oh yeah, also, I disconnected the Adtran from the network and tried to ping these IPs and got failures; as soon as I connected back up, there they were again, so it's not a computer in-house, it's definitely external.
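Two things in the post above can be checked from your own side, and the following script is an added example written for this page (it is not from the thread, from LanSpy, or from any of the answers). First, the TTL values: an observed TTL of 250 or 252 is closest to an initial TTL of 255, the default on most routers and some Unix systems, so those hosts are a few router hops away; a Windows host (initial TTL 128) at the same distance would show roughly 123 to 125. Second, the "open" UDP port lists are weak evidence: a UDP probe that gets no ICMP port-unreachable reply looks open to a scanner, so fourteen or fifteen "open" ports on a box several hops away usually means the probes were filtered, not that a W32.Mydoom listener is really there. What you can confirm is whether anything on your LAN exchanges packets with that subnet when you are not scanning it. The script assumes a tcpdump/WinDump-style text capture ("IP src.port > dst.port: ..."), a local subnet of 192.168.0.0/24 and a foreign subnet of 192.168.11.0/24; the capture lines and the hosts 192.168.0.2, .5, .7 and .10 in them are constructed for the example.

```python
"""Added example for this page (not the thread's own code): estimate hop distance
from an observed TTL, and audit a tcpdump-style capture for traffic between the
local LAN and a foreign private subnet."""
import ipaddress
import re

# Common initial TTLs: 64 (Linux/BSD/macOS), 128 (Windows), 255 (Cisco IOS, Solaris, most routers).
INITIAL_TTLS = (64, 128, 255)


def infer_hops(observed_ttl):
    """Return (assumed_initial_ttl, hop_count) for an observed IPv4 TTL.

    Picks the smallest common initial value >= observed; the sender is that many
    routers away. Heuristic only: a host may be configured with a non-default TTL.
    """
    for initial in INITIAL_TTLS:
        if 0 < observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"{observed_ttl!r} is not a valid IPv4 TTL")


# Assumption: capture lines are tcpdump/WinDump summaries, "IP src.port > dst.port: ...".
_LINE_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Extract (src, sport, dst, dport) from one capture line, or None if it is not an IP summary."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("dport"))


def audit_capture(lines, local_net="192.168.0.0/24", foreign_net="192.168.11.0/24",
                  scanner_host=None):
    """Classify capture lines by direction relative to the foreign subnet.

    outbound: a LAN host sent a packet into the foreign subnet
    inbound:  a foreign host sent a packet into the LAN
    Packets from scanner_host (the box that ran the port scanner) are counted
    separately so the scan's own probes are not mistaken for organic traffic.
    """
    local = ipaddress.ip_network(local_net)
    foreign = ipaddress.ip_network(foreign_net)
    report = {"outbound": [], "inbound": [], "scanner_probes": 0, "ignored": 0}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            report["ignored"] += 1
            continue
        src, _sport, dst, dport = parsed
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in local and d in foreign:
            if scanner_host and src == scanner_host:
                report["scanner_probes"] += 1
            else:
                report["outbound"].append((src, dst, dport))
        elif s in foreign and d in local:
            report["inbound"].append((src, dst, dport))
    return report


# Constructed sample capture for the example; these lines are made up, not taken from the thread.
SAMPLE_LINES = [
    "IP 192.168.0.10.53412 > 192.168.0.2.53: 1234+ A? example.com. (29)",      # ordinary LAN DNS query
    "IP 192.168.0.10.49153 > 93.184.216.34.80: Flags [S], seq 1, win 64240",   # ordinary Internet traffic
    "IP 192.168.0.10.49160 > 192.168.11.113.53: 5678+ A? test. (22)",          # the scanning host's own probe
    "IP 192.168.0.7.49200 > 192.168.11.158.445: Flags [S], seq 3, win 64240",  # another LAN host talking to the foreign subnet
    "IP 192.168.11.113.1025 > 192.168.0.5.445: Flags [S], seq 9, win 8192",    # a foreign host reaching into the LAN
    "ARP, Request who-has 192.168.0.1 tell 192.168.0.10, length 28",           # not an IP summary line; ignored
]

if __name__ == "__main__":
    for ttl in (250, 252):
        initial, hops = infer_hops(ttl)
        print(f"TTL {ttl}: initial TTL {initial}, about {hops} router hops away")
    result = audit_capture(SAMPLE_LINES, scanner_host="192.168.0.10")
    for direction in ("outbound", "inbound"):
        for src, dst, dport in result[direction]:
            print(f"{direction:8} {src} -> {dst} port {dport}")
    print(f"scanner probes skipped: {result['scanner_probes']}, non-IP lines ignored: {result['ignored']}")
```

Run the capture on the server with the scanner stopped, or pass the scanning host as `scanner_host` so its probes are separated out; an empty `inbound` and `outbound` list over a reasonable window means nothing on the LAN is talking to that subnet, which is what the asker eventually observed. An `inbound` entry, on the other hand, is a real reason to get the Adtran's routing configuration explained by the ISP.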
ASKER CERTIFIED SOLUTION
Top one would appear to be a Linux box.
ASKER
So there is a route in the Adtran that they set there? That means I can stop them from accessing it if I can get control of the configuration?
SOLUTION
SOLUTION
ASKER
Okay, I am pretty new to a lot of this, can you walk me through using a sniffer "to see if there is any traffic originating, or being sent to, this subnet"
Is there something built in to windows that I can use, or a freeware/shareware program I can use to do this? And what am I looking for?
SOLUTION
ASKER
Okay, I ran the program, and I did not see any traffic from the offending IPs, so I guess I'm okay, but I will have to talk to my ISP like you suggested, thur6165.
*** Oh, on a side note, I understand my mistake in IP shorthand now; what I was trying to say originally was that we have an IP scheme that runs from 192.168.0.1 -> 192.168.0.254.
trinak96, thanks for the program link, big help!
thur6165, thanks for the quick response and great explanations.