Strange Unknown Lan Connection

I was working on the system and I noticed one of the VPNs dropping when I went to ping it. I missed a digit and found 192.167.22.1 was pingable.

This subnet is not set up as a VPN on our system. I'm wondering if someone has hacked us? I did a tracert and it went from my location and timed out near Paris...
LVL 1
KCDeanAsked:

KCDeanAuthor Commented:
Need some way of tracking who might be on the system and who has a VPN hack on their computer. Can I track this from our SW Pro 2040?
0
Leon TealePenetration TesterCommented:
hmmm... in network connections... does this show up as a physical LAN connection?
0
KCDeanAuthor Commented:
I checked network groups, and all I have is my domain and workgroup... which I just use for re-adding to the domain when I need to.

Good idea. I also tried going to their systems by IP, as I use a scanner to scan that subnet. I found 18 alive IPs on that subnet, so I attempted to get in and see if it was a system.

eg: \\192.167.22.14\c$

But I just got a timeout and no connection.
0

Leon TealePenetration TesterCommented:
hmm...ipconfig /all

what did that bring up?
0
KCDeanAuthor Commented:
I also have been testing VMware out to see how that all works. I see it's created two local connections with 192.168.40.x and 192.168.42.x subnets.

I disabled them.

But that other subnet is still pingable, I also pinged from other systems in the office.

C:\Documents and Settings\BJ3432>ping -a  192.167.22.1

Pinging 192.167.22.1 with 32 bytes of data:

Reply from 192.167.22.1: bytes=32 time=165ms TTL=236
Reply from 192.167.22.1: bytes=32 time=165ms TTL=235
Reply from 192.167.22.1: bytes=32 time=166ms TTL=236
Reply from 192.167.22.1: bytes=32 time=195ms TTL=235

Ping statistics for 192.167.22.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 165ms, Maximum = 195ms, Average = 172ms
0
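The ping reply above already carries two hints that the target is not on the local LAN: a 165 ms round trip and a TTL of 236. A directly attached host answers with its initial TTL untouched (64, 128 or 255 depending on the OS) and in well under a few milliseconds; every router in the path decrements the TTL by one. The following is an added example, not code from this thread, that parses Windows `ping` output and estimates hop distance from the TTL; the "LAN host" sample and the 5 ms wired-LAN threshold are constructed assumptions for illustration.

```python
import re
from typing import Dict, List


# Constructed sample: the reply lines from the ping pasted in this thread,
# plus a constructed reply from a directly attached LAN host for contrast.
PING_FAR_HOST = """\
Pinging 192.167.22.1 with 32 bytes of data:

Reply from 192.167.22.1: bytes=32 time=165ms TTL=236
Reply from 192.167.22.1: bytes=32 time=165ms TTL=235
Reply from 192.167.22.1: bytes=32 time=166ms TTL=236
Reply from 192.167.22.1: bytes=32 time=195ms TTL=235
"""

PING_LAN_HOST = """\
Pinging 192.168.1.20 with 32 bytes of data:

Reply from 192.168.1.20: bytes=32 time<1ms TTL=128
Reply from 192.168.1.20: bytes=32 time<1ms TTL=128
"""

# Windows prints 'time=165ms' normally and 'time<1ms' for sub-millisecond replies.
REPLY_RE = re.compile(
    r"Reply from (?P<ip>[\d.]+): bytes=\d+ time(?P<op>[=<])(?P<ms>\d+)ms TTL=(?P<ttl>\d+)"
)

# Initial TTLs used by common operating systems and routers.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(ttl: int) -> int:
    """Return the smallest common initial TTL that is >= the observed TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial
    raise ValueError(f"TTL {ttl} is not a valid IPv4 TTL")


def parse_replies(text: str) -> List[Dict[str, object]]:
    """Extract source IP, round-trip time and TTL from each 'Reply from' line."""
    replies: List[Dict[str, object]] = []
    for m in REPLY_RE.finditer(text):
        # 'time<1ms' means sub-millisecond; record it as 0 ms.
        rtt = 0 if m.group("op") == "<" else int(m.group("ms"))
        replies.append({"ip": m.group("ip"), "rtt_ms": rtt, "ttl": int(m.group("ttl"))})
    return replies


def analyse_ping(text: str) -> Dict[str, object]:
    """Estimate hop distance from the TTL and flag replies that look LAN-local."""
    replies = parse_replies(text)
    if not replies:
        raise ValueError("no 'Reply from' lines found")
    hops = [guess_initial_ttl(r["ttl"]) - r["ttl"] for r in replies]
    rtts = [r["rtt_ms"] for r in replies]
    return {
        "target": replies[0]["ip"],
        "min_hops": min(hops),
        "max_hops": max(hops),
        "min_rtt_ms": min(rtts),
        "max_rtt_ms": max(rtts),
        # A host on the same segment is 0 hops away and, on a wired LAN,
        # answers within a few milliseconds (5 ms is an assumed threshold).
        "looks_directly_attached": max(hops) == 0 and max(rtts) < 5,
    }


if __name__ == "__main__":
    for sample in (PING_FAR_HOST, PING_LAN_HOST):
        print(analyse_ping(sample))
```

For the thread's reply the estimate comes out at 19 to 20 router hops from a host whose initial TTL is 255, which matches the Level 3 backbone path in the tracert later in the thread and rules out a machine on the office LAN.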
KCDeanAuthor Commented:
Performed an ipconfig /all

It pulled up all normal IP info on the local subnet as well as DNS info etc.
Everything in that area looks normal
0
KCDeanAuthor Commented:
Going to run NetLimiter to see if there's any unknown traffic filtering out of the systems.
0
Leon TealePenetration TesterCommented:
Go onto your DC and then go to Admin Tools -> DNS.

Then for your site it will give you a list of IPs. Just sort by ascending or something like that, then find the rogue IP and see what records it had with it.
0
KCDeanAuthor Commented:
I checked forward and reverse lookup zones. There are no entries showing as rogue IPs for that subnet...
I haven't checked everyone's machine, but NetLimiter seems to be idle on all machines so far that I have checked.
So strange. I wish I could pinpoint the origin of that internal IP... When I do the tracert this is what I get...

0
Leon TealePenetration TesterCommented:
No, there is no entry for rogue IP; I was referring to the 192.167.22.1 IP.

It should be under the forward lookup zone for your domain... do you not see a big list of IPs for your computers?
0
KCDeanAuthor Commented:
Nothing at all for the 192.167.x.x subnet. I found no records. I have a feeling this might be something to do with our secondary backup wan connection. Check out the last part of this tracert.

 10    33 ms    28 ms    55 ms  ae-5.ebr2.chicago2.level3.net [4.69.140.194]
 11   134 ms     *        *     ae-2.ebr2.washington1.level3.net [4.69.132.70]
 12     *        *        *     Request timed out.
 13   139 ms   131 ms   129 ms  ae-2-54.edge1.Paris1.Level3.net [4.68.109.109]
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.
0
KCDeanAuthor Commented:
I then looked up the last IP address and it points to a huge backbone structure.
IP: 4.68.109.109

Level 3 Communications NASDAQ: LVLT is a communications and information services company headquartered in Broomfield, Colorado, USA. It has operating locations throughout the US and Europe. The company operates one of the largest communications and Internet backbones in the world. Level 3 is a Tier 1 network and the current owner of AS1, but it operationally uses AS3356, which as of 2007 consistently has one of the highest ranked connectivity degrees on the Internet.[1][2]
0
Leon TealePenetration TesterCommented:
Do you have anyone that hosts your gateway etc.?
0
KCDeanAuthor Commented:
When I look at my secondary WAN information, none of the IPs or DNS even point to a subnet near that 192.167.x.x... Still baffled, unless I call them and they might have some thoughts on that.
0
Leon TealePenetration TesterCommented:
192.167.x.x is local though, so it must be attached to your network somewhere.
0
KCDeanAuthor Commented:
I hear ya... Do you know of a tool that will scan multiple subnets at a time? I'm curious now if there is anything else that looks off.
0
Leon TealePenetration TesterCommented:
Do you have a hub or switch? Or any bridged connections?
0
Leon TealePenetration TesterCommented:
0

KCDeanAuthor Commented:
I guess I could block it from the firewall, but then how do you find out what service it's running to block, if you can't pinpoint it but yet it's pingable? Can you do a ping that tells you the service that it's pinging on?
0
Leon TealePenetration TesterCommented:
Not that I'm aware... you tried that software?
0
KCDeanAuthor Commented:
I did try it, but it's going to take some time. For now I did a scan on the 192.167.x.x.

Exported from that program (it didn't sort very well, but these are the live ones):

192.167.0.1      Alive      topolino.ct.infn.it      274      0.0.0.0.0.0
192.167.0.2      Alive      gwipisdn.ct.infn.it      277      0.0.0.0.0.0
192.167.0.9      Alive      pcauger188.ct.infn.it    277      0.0.0.0.0.0
192.167.0.250    Alive      alessia338.ct.infn.it    168      0.0.0.0.0.0
192.167.0.212    Alive      C/R                      186      0.0.0.0.0.0
192.167.0.67     Alive      C/R                      291      0.0.0.0.0.0
192.167.0.184    Alive      palmeri306.ct.infn.it    179      0.0.0.0.0.0
192.167.0.193    Alive      C/R                      202      0.0.0.0.0.0
192.167.0.5      Alive      C/R                      283      0.0.0.0.0.0
192.167.0.141    Alive      C/R                      194      0.0.0.0.0.0
192.167.0.181    Alive      C/R                      186      0.0.0.0.0.0
192.167.0.182    Alive      badala304.ct.infn.it     184      0.0.0.0.0.0
192.167.0.201    Alive      C/R                      196      0.0.0.0.0.0
192.167.0.225    Alive      C/R                      204      0.0.0.0.0.0
192.167.0.13     Alive      C/R                      285      0.0.0.0.0.0
192.167.0.186    Alive      C/R                      174      0.0.0.0.0.0
192.167.0.214    Alive      C/R                      183      0.0.0.0.0.0
192.167.0.213    Alive      C/R                      180      0.0.0.0.0.0
192.167.0.52     Alive      C/R                      292      0.0.0.0.0.0
192.167.0.209    Alive      C/R                      192      0.0.0.0.0.0
192.167.0.113    Alive      C/R                      200      0.0.0.0.0.0
192.167.0.191    Alive      puccio313.ct.infn.it     190      0.0.0.0.0.0
192.167.0.86     Alive      C/R                      194      0.0.0.0.0.0
192.167.0.126    Alive      giove274.ct.infn.it      183      0.0.0.0.0.0
192.167.0.177    Alive      C/R                      168      0.0.0.0.0.0
192.167.0.210    Alive      C/R                      194      0.0.0.0.0.0
192.167.0.245    Alive      C/R                      181      0.0.0.0.0.0
192.167.0.211    Alive      cms333.ct.infn.it        188      0.0.0.0.0.0
192.167.0.248    Alive      C/R                      166      0.0.0.0.0.0

0
KCDeanAuthor Commented:
If you try to ping it from your location, you can't get a connection, can you?

Let's say:

ping -a 192.167.0.1
0
KCDeanAuthor Commented:
Would that be the dead zone? I remember in class they talked about a subnet that is basically used for nothing (but I can't recall now; it was a good 5 years ago).
0
KCDeanAuthor Commented:
I think I found the answer....
0
Leon TealePenetration TesterCommented:
Sorry about the delay in replying... yes, you are correct about the dead zone...
What have you worked out it could be then?
0
KCDeanAuthor Commented:
It's basically a live network on the internet and it should not be used for internal networks. I basically thought this was an internal VPN subnet connected to our network that I was not aware of...

After testing that subnet from different locations and businesses, I found out this network is pingable everywhere, which leads me to believe it's some sort of internet zone. I think it might be connected to a very large backbone structure; if you do a trace route on it you can see it ends up in Europe.
These could be very large nodes. I'm not sure, and it's too far past my scope.

Did you want some points?
0
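The root of the confusion is one digit: 192.168.0.0/16 is RFC 1918 private space, while 192.167.0.0/16 is ordinary globally routable address space, so the hosts found by the sweep are simply internet hosts reached through the default route. The check below is an added example, not code from this thread, that classifies addresses against the RFC 1918 ranges and the other non-public blocks a LAN sweep commonly turns up, then groups a scan result by class; the `SCAN_RESULT` list is constructed from a few addresses in the thread plus assumed `.1` addresses for the VMware host-only adapters.

```python
import ipaddress
from typing import Dict, List

# RFC 1918 private space: the only IPv4 ranges an internal LAN or VPN should
# normally use. 192.167.0.0/16 is NOT among them.
RFC1918 = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Other non-public ranges a scanner may find on a LAN:
# loopback (RFC 1122), link-local/APIPA (RFC 3927), carrier-grade NAT (RFC 6598).
SPECIAL = {
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "link-local": ipaddress.ip_network("169.254.0.0/16"),
    "shared-address-space": ipaddress.ip_network("100.64.0.0/10"),
}


def classify(ip: str) -> str:
    """Return 'rfc1918', a special-range label, or 'public' for an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"{ip} is not an IPv4 address")
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    for label, net in SPECIAL.items():
        if addr in net:
            return label
    return "public"


def audit_scan(ips: List[str]) -> Dict[str, List[str]]:
    """Group the 'alive' addresses from a sweep by classification.

    Anything under 'public' was reached via the default route, not the LAN,
    and is a candidate for a typo in the address rather than a rogue device.
    """
    groups: Dict[str, List[str]] = {}
    for ip in ips:
        groups.setdefault(classify(ip), []).append(ip)
    return groups


# Constructed sample: addresses from the thread's sweep and ping, the VMware
# host-only adapters (assumed .1 addresses), and one constructed APIPA address.
SCAN_RESULT = [
    "192.167.0.1",
    "192.167.0.2",
    "192.167.22.1",
    "192.168.40.1",
    "192.168.42.1",
    "169.254.10.5",
]


if __name__ == "__main__":
    for label, hosts in audit_scan(SCAN_RESULT).items():
        print(f"{label:22s} {', '.join(hosts)}")
```

Run against the sweep, every 192.167.x.x host lands in the `public` group while the VMware adapters land in `rfc1918`, which is the distinction the thread took several days to reach. A quick sanity check before treating a pingable address as an internal rogue is therefore: is it in RFC 1918 space at all, and does it answer from 0 hops away?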
Leon TealePenetration TesterCommented:
Dude, can I get some points for this? ;)
0
KCDeanAuthor Commented:
I gave you 250 points (thanks for the help)
0