Spurious IP addresses


Postby djcleckie » Mar 19 04 10:56 pm

I am using fixed IP addresses 192.168.28.7 server and 192.168.28.6 client. These are the only machines on the LAN. I use a modem and dial out access.

In the activity window 5 to 10 spurious machines keep appearing and disappearing at random. They always have the IP addresses of 192.168.X.X. The values of the last two octets seem to be totally random and keep changing. I can see no pattern to these octets.

The history window just fills up with spurious activity from these phantom machines. Being connected/disconnected from the Internet has no effect on this spurious activity.

I cannot see why noise etc could generate a properly formed IP address.

Any ideas what is happening? Apart from this everything else seems to be working fine.

Dave
djcleckie
 
Posts: 8
Joined: Mar 18 04 4:24 am
Location: Scotland

Postby erwin » Mar 22 04 9:31 am

Hi Dave

If you are seeing IP addresses appearing in WinGate that do not belong to your LAN then I would suggest you take a look at giving the network a scan for trojans and worms that may be embedded on a client machine and are trying to get to the internet.

You are correct in the fact that broadcasts etc. shouldn't form proper IP addresses at random. Machines, if they have to broadcast most common network activity, will always show their IP in WinGate (these are usually UDP broadcasts: 137, 138, 139 for NetBIOS).

So I would be very suspect of this "random IP" generation and run a virus check to be sure. You can also check if necessary that the correct bindings are in place for each service, so that external IP/Interface is not being used (which could potentially allow users from the Internet access to the service).

Regards
Erwin
erwin
Qbik Staff
 
Posts: 408
Joined: Sep 03 03 2:54 pm

Postby djcleckie » Mar 25 04 12:14 pm

Hi

I run Norton Anti Virus but to be sure I updated my virus definitions and ran a full scan on the client. Nothing was found.

I then ran Ad-Aware 6 on the client and it found a lot of data miners. However after removing them the spurious machines kept appearing.

I have since disconnected the client from the network so the only machine is the server 192.168.28.7. In the activity window these phantom machines just keep appearing and disappearing at a rate of about 10 a minute.
It only takes a couple of minutes for the history window to fill up.
This all happens while I am disconnected from the internet.

I am totally puzzled!

Dave
djcleckie
 
Posts: 8
Joined: Mar 18 04 4:24 am
Location: Scotland

Postby Pascal » Mar 25 04 12:23 pm

What port number are these machines attempting to connect to?
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

Postby djcleckie » Mar 26 04 11:38 am

Hi

Not sure how I find this out. Properties on the phantom machine does not give a port number.

In about 2 hours it generated 1500 random phantom connections.
I put the history file into Excel and sorted it by IP address. Every one is 192.168.X.X and they are all unique. This cannot happen by chance!

Do you want to see the history log file? If so how would I send you it?

Dave
djcleckie
 
Posts: 8
Joined: Mar 18 04 4:24 am
Location: Scotland
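
The sort-by-address check described in the post above can be scripted; this is an added example, not part of the original thread and not WinGate code. The history line format, the sample lines and the function name `summarize_sources` are constructed for illustration; the two known host addresses are the ones given in the first post.

```python
import ipaddress
import re
from collections import Counter

# The only two machines the poster says are on the LAN.
KNOWN_HOSTS = {ipaddress.ip_address("192.168.28.7"),
               ipaddress.ip_address("192.168.28.6")}
PRIVATE_16 = ipaddress.ip_network("192.168.0.0/16")

# Constructed sample; the real WinGate history format is not shown in the thread.
SAMPLE_HISTORY = """\
03/26/04 09:01:12 192.168.28.6 session opened
03/26/04 09:01:40 192.168.113.45 session opened
03/26/04 09:01:41 192.168.113.45 session closed
03/26/04 09:01:47 192.168.7.201 session opened
03/26/04 09:01:53 192.168.240.18 session opened
03/26/04 09:02:05 192.168.28.7 session opened
03/26/04 09:02:09 192.168.61.130 session opened
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def summarize_sources(text, known=KNOWN_HOSTS):
    """Count events per source address and profile the ones not in the inventory."""
    events = Counter()
    for line in text.splitlines():
        match = IPV4.search(line)
        if not match:
            continue
        try:
            events[ipaddress.ip_address(match.group())] += 1
        except ValueError:  # loose regex matched something like 999.1.1.1
            continue
    unknown = {ip: n for ip, n in events.items() if ip not in known}
    subnets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in unknown}
    return {
        "unknown_addresses": len(unknown),           # distinct phantom sources
        "unknown_events": sum(unknown.values()),     # total lines they produced
        "distinct_24s": len(subnets),                # spread across /24 networks
        "repeat_sources": sorted(str(ip) for ip, n in unknown.items() if n > 1),
        "outside_192_168": sorted(str(ip) for ip in unknown if ip not in PRIVATE_16),
    }

if __name__ == "__main__":
    for key, value in summarize_sources(SAMPLE_HISTORY).items():
        print(f"{key}: {value}")
```

To use it on a real export, pass the file's text to `summarize_sources` in place of `SAMPLE_HISTORY`; any line containing a dotted-quad address is counted.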

Postby Pascal » Mar 26 04 11:40 am

You can email it to me on the address listed in my profile.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand

