Solved
Strange Unknown Lan Connection

Posted on 2008-11-04
Last Modified: 2013-11-16
I was working on the system and I noticed one of the VPNs dropping when I went to ping it. I missed a digit and found 192.167.22.1 was pingable.

This subnet is not set up as a VPN on our system. I'm wondering if someone has hacked us? I did a tracert and it went from my location and timed out near Paris...
Question by:KCDean
28 Comments
 
LVL 1

Author Comment

by:KCDean
ID: 22876814
Need some way of tracking who might be on the system and has a VPN hack on their computer. Can I track this from our SW Pro 2040?
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22876826
Hmmm... in Network Connections, does this show up as a physical LAN connection?
 
LVL 1

Author Comment

by:KCDean
ID: 22876919
I checked network groups, and all I have is my domain and workgroup... which I just use for re-adding to the domain when I need to.

Good idea. I also tried going to their systems by IP, as I use a scanner to scan that subnet. I found 18 alive IPs on that subnet, so I attempted to get in and see if it was a system.

e.g.: \\192.167.22.14\c$

But I just got a timeout and no connection.
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22876947
Hmm... ipconfig /all

What did that bring up?
 
LVL 1

Author Comment

by:KCDean
ID: 22876980
I also have been testing VMware out to see how that all works. I see it's created two local connections with subnets 192.168.40.x and 192.168.42.x.

I disabled them.

But that other subnet is still pingable, I also pinged from other systems in the office.

C:\Documents and Settings\BJ3432>ping -a  192.167.22.1

Pinging 192.167.22.1 with 32 bytes of data:

Reply from 192.167.22.1: bytes=32 time=165ms TTL=236
Reply from 192.167.22.1: bytes=32 time=165ms TTL=235
Reply from 192.167.22.1: bytes=32 time=166ms TTL=236
Reply from 192.167.22.1: bytes=32 time=195ms TTL=235

Ping statistics for 192.167.22.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 165ms, Maximum = 195ms, Average = 172ms
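The ping replies in the comment above already say a great deal about where this host is. The following is an added example by the editor, not code from the thread or a tool the posters used: it parses the posted Windows ping output, estimates the hop count from the reply TTL (every router decrements TTL by one, and a reply TTL of 236 can only have started from 255, the usual initial value on routers and appliances), and compares that with what a host on the local segment, or one site-to-site VPN hop away, would produce. The table of initial TTLs, the "at most one hop" rule and the 10 ms LAN round-trip limit are assumptions chosen for illustration.

```python
import re

# Initial TTL values used by common senders (assumed table, not from the thread):
# 64 for Linux, macOS and BSD; 128 for Windows; 255 for most routers and appliances.
COMMON_INITIAL_TTLS = (64, 128, 255)

# Echo replies exactly as posted in the thread ("ping -a 192.167.22.1" on Windows).
SAMPLE_PING_OUTPUT = """\
Pinging 192.167.22.1 with 32 bytes of data:

Reply from 192.167.22.1: bytes=32 time=165ms TTL=236
Reply from 192.167.22.1: bytes=32 time=165ms TTL=235
Reply from 192.167.22.1: bytes=32 time=166ms TTL=236
Reply from 192.167.22.1: bytes=32 time=195ms TTL=235
"""

# Windows prints "time<1ms" on a fast LAN, so accept both "=" and "<".
REPLY_RE = re.compile(r"Reply from (\S+): bytes=\d+ time[=<](\d+)ms TTL=(\d+)")


def parse_ping_replies(text):
    """Extract (source_ip, rtt_ms, ttl) tuples from Windows ping output."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in REPLY_RE.finditer(text)]


def estimate_hops(ttl):
    """Estimate how many routers the reply crossed.

    hops = initial_ttl - observed_ttl. The sender's initial TTL is not known,
    so take the smallest common value that is not below the observed TTL:
    a reply TTL of 236 must have started at 255, i.e. 19 hops away.
    """
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL %d is larger than 255" % ttl)


def assess_locality(replies, lan_rtt_ms=10):
    """Decide whether the replying host can plausibly be on our own network.

    A host on the local segment answers at 0 hops (1 if it sits behind our own
    router) with a single-digit RTT. Twenty hops at 165 ms means the echo
    request crossed the Internet, whatever the address looks like.
    """
    if not replies:
        return {"local": None, "reason": "no replies parsed"}
    hops = max(estimate_hops(ttl) for _, _, ttl in replies)
    rtt = min(rtt for _, rtt, _ in replies)
    return {"local": hops <= 1 and rtt <= lan_rtt_ms,
            "hops": hops, "min_rtt_ms": rtt}


if __name__ == "__main__":
    replies = parse_ping_replies(SAMPLE_PING_OUTPUT)
    for ip, rtt, ttl in replies:
        print("%s rtt=%dms ttl=%d ~%d hops" % (ip, rtt, ttl, estimate_hops(ttl)))
    print(assess_locality(replies))
```

Run as-is it reports 19 to 20 hops at 165 ms, which rules out a host on the LAN and also one reached through a VPN tunnel (the tunnel hides the Internet path, so a VPN peer shows up a handful of hops away). The estimate assumes the sender uses one of the standard initial TTLs; a host tuned to a non-standard value throws it off, so treat the hop count as corroboration alongside the traceroute rather than proof on its own.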
 
LVL 1

Author Comment

by:KCDean
ID: 22877000
Performed an ipconfig /all

It pulled up all normal IP info on the local subnet as well as DNS info etc.
Everything in that area looks normal
 
LVL 1

Author Comment

by:KCDean
ID: 22877081
Going to run NetLimiter to see if there's any unknown traffic filtering out of the systems.
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22877140
Go onto your DC and then go to Admin Tools -> DNS.

Then for your site it will give you a list of IPs. Just sort by ascending or something like that, then find the rogue IP and see what records it has with it.
 
LVL 1

Author Comment

by:KCDean
ID: 22878095
I checked forward and reverse lookup zones. There are no entries showing as rogue IPs for that subnet...
I haven't checked everyone's machine, but NetLimiter seems to be idle on all machines so far that I have checked.
So strange. I wish I could pinpoint the origin of that internal IP... When I do the tracert this is what I get...

 
LVL 6

Expert Comment

by:Leon Teale
ID: 22878147
No, there is no entry for a rogue IP; I was referring to the 192.167.22.1 IP.

It should be under the forward lookup zone for your domain... do you not see a big list of IPs for your computers?
 
LVL 1

Author Comment

by:KCDean
ID: 22878206
Nothing at all for the 192.167.x.x subnet. I found no records. I have a feeling this might have something to do with our secondary backup WAN connection. Check out the last part of this tracert.

 10    33 ms    28 ms    55 ms  ae-5.ebr2.chicago2.level3.net [4.69.140.194]
 11   134 ms     *        *     ae-2.ebr2.washington1.level3.net [4.69.132.70]
 12     *        *        *     Request timed out.
 13   139 ms   131 ms   129 ms  ae-2-54.edge1.Paris1.Level3.net [4.68.109.109]
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.
 
LVL 1

Author Comment

by:KCDean
ID: 22878220
I then looked up the last IP address and it points to a huge backbone structure.
ip: 4.68.109.109

Level 3 Communications NASDAQ: LVLT is a communications and information services company headquartered in Broomfield, Colorado, USA. It has operating locations throughout the US and Europe. The company operates one of the largest communications and Internet backbones in the world. Level 3 is a Tier 1 network and the current owner of AS1, but it operationally uses AS3356, which as of 2007 consistently has one of the highest ranked connectivity degrees on the Internet.[1][2]
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22878278
Do you have anyone that hosts your gateway etc.?
 
LVL 1

Author Comment

by:KCDean
ID: 22878299
When I look at my secondary WAN information, none of the IPs or DNS even point to a subnet anywhere near 192.167.x.x... Still baffled, unless I call them and they might have some thoughts on that.
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22878334
192.167.x.x is local though, so it must be attached to your network somewhere.
 
LVL 1

Author Comment

by:KCDean
ID: 22878360
I hear ya... Do you know of a tool that will scan multiple subnets at a time? I'm curious now if there is anything else that looks off.
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22878364
Do you have a hub or switch? Or any bridged connections?
 
LVL 6

Accepted Solution

by:
Leon Teale earned 1500 total points
ID: 22878376
 
LVL 1

Author Comment

by:KCDean
ID: 22878391
I guess I could block it from the firewall, but then how do you find out what service it's running to block, if you can't pinpoint it but it's still pingable? Can you do a ping that tells you the service that it's pinging on?
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22878422
Not that I'm aware of... you tried that software?
 
LVL 1

Author Comment

by:KCDean
ID: 22878617
I did try it, but it's going to take some time. For now I did a scan on 192.167.x.x.

Exported from that program (it didn't sort very well, but these are the live ones):

192.167.0.1      Alive      topolino.ct.infn.it       274      0.0.0.0.0.0
192.167.0.2      Alive      gwipisdn.ct.infn.it       277      0.0.0.0.0.0
192.167.0.9      Alive      pcauger188.ct.infn.it     277      0.0.0.0.0.0
192.167.0.250    Alive      alessia338.ct.infn.it     168      0.0.0.0.0.0
192.167.0.212    Alive      C/R                       186      0.0.0.0.0.0
192.167.0.67     Alive      C/R                       291      0.0.0.0.0.0
192.167.0.184    Alive      palmeri306.ct.infn.it     179      0.0.0.0.0.0
192.167.0.193    Alive      C/R                       202      0.0.0.0.0.0
192.167.0.5      Alive      C/R                       283      0.0.0.0.0.0
192.167.0.141    Alive      C/R                       194      0.0.0.0.0.0
192.167.0.181    Alive      C/R                       186      0.0.0.0.0.0
192.167.0.182    Alive      badala304.ct.infn.it      184      0.0.0.0.0.0
192.167.0.201    Alive      C/R                       196      0.0.0.0.0.0
192.167.0.225    Alive      C/R                       204      0.0.0.0.0.0
192.167.0.13     Alive      C/R                       285      0.0.0.0.0.0
192.167.0.186    Alive      C/R                       174      0.0.0.0.0.0
192.167.0.214    Alive      C/R                       183      0.0.0.0.0.0
192.167.0.213    Alive      C/R                       180      0.0.0.0.0.0
192.167.0.52     Alive      C/R                       292      0.0.0.0.0.0
192.167.0.209    Alive      C/R                       192      0.0.0.0.0.0
192.167.0.113    Alive      C/R                       200      0.0.0.0.0.0
192.167.0.191    Alive      puccio313.ct.infn.it      190      0.0.0.0.0.0
192.167.0.86     Alive      C/R                       194      0.0.0.0.0.0
192.167.0.126    Alive      giove274.ct.infn.it       183      0.0.0.0.0.0
192.167.0.177    Alive      C/R                       168      0.0.0.0.0.0
192.167.0.210    Alive      C/R                       194      0.0.0.0.0.0
192.167.0.245    Alive      C/R                       181      0.0.0.0.0.0
192.167.0.211    Alive      cms333.ct.infn.it         188      0.0.0.0.0.0
192.167.0.248    Alive      C/R                       166      0.0.0.0.0.0
 
LVL 1

Author Comment

by:KCDean
ID: 22878702
If you try to ping it from your location you can't get a connection can you?

let say

ping -a 192.167.0.1  
 
LVL 1

Author Comment

by:KCDean
ID: 22878788
Would that be the dead zone? I remember in class they talked about a subnet that is basically used for nothing (but I can't recall now, it was a good 5 years ago).
 
LVL 1

Author Comment

by:KCDean
ID: 22879674
I think I found the answer....
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22884051
Sorry about the delay in replying... yes, you are correct about the dead zone...
What have you worked out it could be, then?
 
LVL 1

Author Comment

by:KCDean
ID: 22886117
It's basically a live network on the Internet and it should not be used for internal networks. I basically thought this was an internal VPN subnet connected to our network that I was not aware of...

After testing that subnet from different locations and businesses I found out this network is pingable everywhere, which leads me to believe it's some sort of Internet zone. I think it might be connected to a very large backbone structure; if you do a trace route on it you can see it ends up in Europe.
These could be very large nodes, I'm not sure, and it's too far past my scope.

Did you want some points?
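The conclusion above is the security-relevant point of the whole thread: 192.167.0.0/16 is ordinary public address space, and the hosts the scan turned up, whose reverse names end in a .it domain, are on somebody else's network. Only 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are reserved for private use by RFC 1918, and 192.167.x.x looks private only by resemblance. The following Python is an editor-added example, not code from the thread or a tool the posters used: it classifies an address against an explicit table of private and special-use blocks so that an unfamiliar subnet is identified before anyone sweeps it or tries \\host\c$ against it. The table and the sample address list (the subnets mentioned in the thread plus a few common look-alikes) are constructed for the example.

```python
import ipaddress

# Blocks that can legitimately exist inside an organisation without belonging
# to anyone on the Internet, with the document that reserves them. Anything
# outside this table is routable space assigned to some other operator,
# however "internal" it looks next to 192.168.x.x. (Assumed table for the
# example; it is not exhaustive for every IANA special-purpose block.)
SPECIAL_USE = [
    (ipaddress.ip_network("10.0.0.0/8"),      "RFC 1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"),   "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"),  "RFC 1918 private"),
    (ipaddress.ip_network("100.64.0.0/10"),   "RFC 6598 shared address space (carrier NAT)"),
    (ipaddress.ip_network("127.0.0.0/8"),     "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"),  "link-local (APIPA)"),
    (ipaddress.ip_network("192.0.2.0/24"),    "RFC 5737 documentation"),
    (ipaddress.ip_network("198.51.100.0/24"), "RFC 5737 documentation"),
    (ipaddress.ip_network("203.0.113.0/24"),  "RFC 5737 documentation"),
    (ipaddress.ip_network("224.0.0.0/4"),     "multicast"),
    (ipaddress.ip_network("240.0.0.0/4"),     "reserved"),
]

PUBLIC = "public Internet address"


def classify(addr):
    """Name the special-use block an IPv4 address falls in, or return PUBLIC."""
    ip = ipaddress.ip_address(addr)
    for net, label in SPECIAL_USE:
        if ip in net:
            return "%s (%s)" % (label, net)
    return PUBLIC


def public_addresses(addrs):
    """Return, in input order, the addresses that are on someone else's network."""
    return [a for a in addrs if classify(a) == PUBLIC]


# Constructed sample: subnets named in the thread plus look-alikes that are
# often mistaken for private space.
SAMPLE_ADDRESSES = [
    "192.168.40.1",    # VMware host-only adapter from the thread: private
    "192.168.42.1",    # second VMware adapter: private
    "192.167.22.1",    # the "unknown LAN connection": 192.167/16 is not RFC 1918
    "192.167.0.1",     # first host of the later scan: public as well
    "172.31.255.254",  # last address inside 172.16/12: private
    "172.32.0.1",      # one past the end of 172.16/12: public
    "10.0.0.5",        # private
    "100.64.0.1",      # shared space, seen behind carrier NAT
    "169.254.1.1",     # link-local; a DHCP failure, not a rogue host
]

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print("%-16s %s" % (a, classify(a)))
    print("Not ours:", public_addresses(SAMPLE_ADDRESSES))
```

Sweeping a block that classify() reports as public, or poking administrative shares on it, is probing a third party's network, which is exactly what the 192.167.0.x scan earlier in the thread did; to find out who owns such a block, ask the regional registry's whois for the address rather than your own DNS server. The standard library's ipaddress.ip_address(a).is_private answers the RFC 1918 question too, but which other blocks it treats as private has shifted between Python releases, which is why the table here is explicit.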
 
LVL 6

Expert Comment

by:Leon Teale
ID: 22941130
Dude, can I get some points for this? ;)
 
LVL 1

Author Comment

by:KCDean
ID: 22941173
I gave you 250 points (thanks for the help)
