breach in our Wingate firewall


Post by bztips » Feb 10 04 9:00 am

I posted a couple weeks ago on this same issue.

Wingate 5.2.2, ENS enabled, std. firewall settings. We have a fractional T-1 connection to our ISP, network interface is marked as external and untrusted in Wingate.

After discovering an external machine listed on our internal network, someone on this forum suggested we test using grc.com's ShieldsUP program; so I did that, and indeed found some ports mistakenly open. Now they've been closed, and we pass the grc ports test.

But an external machine is still listed on our internal network with a valid 192.168.0.x address; this machine shows up in Gatekeeper's network tab, but NOT in Windows Network Neighborhood. If I blackhole the address in Wingate, eventually the machine shows up again later with a different 192.168.0.y address.

How can we tell if this is a real intruder into our network even though we can't see him in Network Neighborhood? Any ideas on how to really fix the problem rather than play cat and mouse with changing internal IP addresses?

Thx.
/Bill

Re: breach in our Wingate firewall

Post by Pascal » Feb 10 04 9:21 am

bztips wrote: But an external machine is still listed on our internal network with a valid 192.168.0.x address; this machine shows up in Gatekeeper's network tab, but NOT in Windows Network Neighborhood. If I blackhole the address in Wingate, eventually the machine shows up again later with a different 192.168.0.y address.

How can we tell if this is a real intruder into our network even though we can't see him in Network Neighborhood? Any ideas on how to really fix the problem rather than play cat and mouse with changing internal IP addresses?


That sounds positively strange. Can you reach the machine in any way?

I.e.

ping -a 192.168.0.y OR
nbtstat -A 192.168.0.y OR
\\192.168.0.y

This is not perhaps a laptop / some other device that has been connected by one of the users in your organisation?
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com

Post by bztips » Feb 10 04 10:51 am

Hi Pascal.

No, I can't ping this mystery computer. FYI, under the Local Network section of the Network tab in Wingate, there are two groups listed under Microsoft Windows Network:

One is our corporate workgroup, which has all the legit internal workstations on our intranet listed.

The other has the generic name "Workgroup", and it lists only one user -- the mystery computer, along with the notation "Not Accessible".

/Bill

Post by Pascal » Feb 10 04 10:54 am

bztips wrote: The other has the generic name "Workgroup", and it lists only one user -- the mystery computer, along with the notation "Not Accessible". /Bill


If it's listed as "Not accessible" it means we couldn't communicate with it. This sounds most peculiar - do you have any of the Microsoft Networking components bound to your external adapter on the WG Server?

Second question, does your WG Server have a direct internet connection or is it going out through a device with a built-in firewall?
Pascal


Post by groch » Feb 11 04 8:11 am

Hi.
To me it sounds more like someone has connected to your Local Area Network (not from outside, but inside), so it's not a WinGate issue. Check your cables, where they are going to from switches, hubs and so on.
The fastest way to find it is to wait for this strange computer to do some internet activity, then shut down all client computers, leaving only the server running, and see which diode on a switch is blinking (showing activity), then just follow the wire :))
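
Added example, not part of any post in this thread: a device plugged into the local segment normally keeps the same adapter (MAC) address when its 192.168.0.x address changes, so comparing the server's `arp -a` table against a list of known adapters follows it across blackholing. The two captures, the MAC addresses and the inventory below are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.0.0/24")  # internal range named in the thread
INVENTORY = {"02-00-00-aa-bb-01", "02-00-00-aa-bb-02"}  # constructed known adapters

# Constructed `arp -a` captures, taken before and after blackholing the unknown IP.
SNAPSHOT_1 = """
Interface: 192.168.0.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.10          02-00-00-aa-bb-01     dynamic
  192.168.0.11          02-00-00-AA-BB-02     dynamic
  192.168.0.57          02-00-00-de-ad-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""
SNAPSHOT_2 = """
Interface: 192.168.0.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.10          02-00-00-aa-bb-01     dynamic
  192.168.0.83          02-00-00-de-ad-01     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s", re.I)

def parse_arp(text):
    """Yield (ip, mac) for unicast entries on the LAN in Windows `arp -a` output."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ip, mac = ipaddress.ip_address(m.group(1)), m.group(2).lower()
        is_group = int(mac[:2], 16) & 1  # broadcast/multicast MACs have this bit set
        if ip in LAN and not is_group:
            yield str(ip), mac

def unknown_devices(snapshots, inventory):
    """Map each MAC absent from the inventory to every LAN IP it was seen using."""
    seen = defaultdict(set)
    for snap in snapshots:
        for ip, mac in parse_arp(snap):
            if mac not in inventory:
                seen[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items()}

if __name__ == "__main__":
    for mac, ips in unknown_devices([SNAPSHOT_1, SNAPSHOT_2], INVENTORY).items():
        print(f"unknown adapter {mac} seen as {', '.join(ips)}")
```

An adapter address found this way can be looked up in a managed switch's address table to find the port it is plugged into, which ends at the same place as following the activity light.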

Post by kalvos » Feb 14 04 4:11 am

Something happened about 20 minutes ago -- an IP address popped up at the head of the activity list, before the WinGate server, and quickly disappeared.

I noticed a slowdown in network activity, and brought up the GateKeeper -- it was an IP address that looked like it began with 11., but that was all I could see before it disappeared.

Activity returned to normal, and the firewall showed nothing. I found no changes in the registry (at least not yet).

I have since turned on history logging, but it has not reappeared.

What sort of thing might this have been that appeared ahead of the GateKeeper? It wasn't an auto-update (that was polled two days ago, and I already have the latest version). Could this have been a firewall breach?

Heading for the GRC.com test right now...

Thanks,
Dennis