Unused IP On Static Network is Pingable



Deb
08-26-08, 11:10 PM
I run an old school NT server w/ about half a dozen Windows and
Linux boxes on my home LAN. All hard wired with static IPs.

I was just going through my router logs (Linksys BEFSR41 v3 w/
updated firmware) and I noticed packets to and from IP
192.168.0.200. This IP is assigned to my network printer but
that printer is currently disconnected. I pinged the IP and
got replies!

As an aside, I also notice that sometimes the ZoneAlarm
firewalls on my windoze machines will flag spooler subsystem
for trying to access the internet zone. This usually happens
when I connect to a share on another machine. All my machines
are in the trusted zone (private IP block 192.168.0.0 -
192.168.0.256) so I see no need for the spooler to look
elsewhere.

To top it all off, I also noticed that my router's DMZ was set
to the same IP (192.168.0.200). I recently set one of my boxes up
in the DMZ for some temporary torrent downloads (legal Linux
distros) but the 192.168.0.200 IP was not the one I set up!

I disabled DMZ and rebooted the router but was still able to
ping the 192.168.0.200 address for over an hour before it
finally stopped responding.

I don't have a clue about why a device would respond to pings
when it is not even connected to the LAN nor why my DMZ address
would be automagically changed so I am assuming that something's
been hacked. I can't find anything on the boxes, no rootkits,
spyware, viruses etc.

I know ZoneAlarm's not the best but I don't have cash to buy
anything better especially for NT server. Nevertheless, I
haven't had a problem with this set up in over six years. Any
ideas?

Thanks in advance,

Deb

Jim Watt
08-27-08, 12:54 PM
On Wed, 27 Aug 2008 04:10:28 GMT, Deb <support@beeswax.com> wrote:

>I run an old school NT server w/ about half a dozen Windows and
>Linux boxes on my home LAN. All hard wired with static IPs.
>
>I was just going through my router logs (Linksys BEFSR41 v3 w/
>updated firmware) and I noticed packets to and from IP
>192.168.0.200. This IP is assigned to my network printer but
>that printer is currently disconnected. I pinged the IP and
>got replies!
>
>As an aside, I also notice that sometimes the ZoneAlarm
>firewalls on my windoze machines will flag spooler subsystem
>for trying to access the internet zone. This usually happens
>when I connect to a share on another machine. All my machines
>are in the trusted zone (private IP block 192.168.0.0 -
>192.168.0.256) so I see no need for the spooler to look
>elsewhere.
>
>To top it all off, I also noticed that my router's DMZ was set
>to the same IP (192.168.0.200). I recently set one of my boxes up
>in the DMZ for some temporary torrent downloads (legal Linux
>distros) but the 192.168.0.200 IP was not the one I set up!
>
>I disabled DMZ and rebooted the router but was still able to
>ping the 192.168.0.200 address for over an hour before it
>finally stopped responding.
>
>I don't have a clue about why a device would respond to pings
>when it is not even connected to the LAN nor why my DMZ address
>would be automagically changed so I am assuming that something's
>been hacked. I can't find anything on the boxes, no rootkits,
>spyware, viruses etc.
>
>I know ZoneAlarm's not the best but I don't have cash to buy
>anything better especially for NT server. Nevertheless, I
>haven't had a problem with this set up in over six years. Any
>ideas?


192.168.x.x is not going anywhere over the Internet because it's a
non-routable block. You should have run tracert, which may
have been interesting.

DMZ's are best avoided.
--
Jim Watt
http://www.gibnet.com

Ari
08-27-08, 01:32 PM
On Wed, 27 Aug 2008 04:10:28 GMT, Deb wrote:

> I run an old school NT server w/ about half a dozen Windows and
> Linux boxes on my home LAN. All hard wired with static IPs.
>
> I was just going through my router logs (Linksys BEFSR41 v3 w/
> updated firmware) and I noticed packets to and from IP
> 192.168.0.200. This IP is assigned to my network printer but
> that printer is currently disconnected. I pinged the IP and
> got replies!
>
> As an aside, I also notice that sometimes the ZoneAlarm
> firewalls on my windoze machines will flag spooler subsystem
> for trying to access the internet zone. This usually happens
> when I connect to a share on another machine. All my machines
> are in the trusted zone (private IP block 192.168.0.0 -
> 192.168.0.256) so I see no need for the spooler to look
> elsewhere.
>
> To top it all off, I also noticed that my router's DMZ was set
> to the same IP (192.168.0.200). I recently set one of my boxes up
> in the DMZ for some temporary torrent downloads (legal Linux
> distros) but the 192.168.0.200 IP was not the one I set up!
>
> I disabled DMZ and rebooted the router but was still able to
> ping the 192.168.0.200 address for over an hour before it
> finally stopped responding.
>
> I don't have a clue about why a device would respond to pings
> when it is not even connected to the LAN nor why my DMZ address
> would be automagically changed so I am assuming that something's
> been hacked. I can't find anything on the boxes, no rootkits,
> spyware, viruses etc.
>
> I know ZoneAlarm's not the best but I don't have cash to buy
> anything better especially for NT server. Nevertheless, I
> haven't had a problem with this set up in over six years. Any
> ideas?
>
> Thanks in advance,
>
> Deb

Are you MAC filtering?
--
http://www.bushflash.com/idiot.html

Deb
08-28-08, 01:08 PM
Ari <DROPTheJooseIsLoose@gmail.comCAPITALLETTERS> wrote in
news:6hlkt0FmicfiU1@mid.individual.net:

> On Wed, 27 Aug 2008 04:10:28 GMT, Deb wrote:
>
>> I run an old school NT server w/ about half a dozen Windows and
>> Linux boxes on my home LAN. All hard wired with static IPs.
>>
>> I was just going through my router logs (Linksys BEFSR41 v3 w/
>> updated firmware) and I noticed packets to and from IP
>> 192.168.0.200. This IP is assigned to my network printer but
>> that printer is currently disconnected. I pinged the IP and
>> got replies!
>>
>> As an aside, I also notice that sometimes the ZoneAlarm
>> firewalls on my windoze machines will flag spooler subsystem
>> for trying to access the internet zone. This usually happens
>> when I connect to a share on another machine. All my machines
>> are in the trusted zone (private IP block 192.168.0.0 -
>> 192.168.0.256) so I see no need for the spooler to look
>> elsewhere.
>>
>> To top it all off, I also noticed that my router's DMZ was set
>> to the same IP (192.168.0.200). I recently set one of my boxes up
>> in the DMZ for some temporary torrent downloads (legal Linux
>> distros) but the 192.168.0.200 IP was not the one I set up!
>>
>> I disabled DMZ and rebooted the router but was still able to
>> ping the 192.168.0.200 address for over an hour before it
>> finally stopped responding.
>>
>> I don't have a clue about why a device would respond to pings
>> when it is not even connected to the LAN nor why my DMZ address
>> would be automagically changed so I am assuming that something's
>> been hacked. I can't find anything on the boxes, no rootkits,
>> spyware, viruses etc.
>>
>> I know ZoneAlarm's not the best but I don't have cash to buy
>> anything better especially for NT server. Nevertheless, I
>> haven't had a problem with this set up in over six years. Any
>> ideas?
>>
>> Thanks in advance,
>>
>> Deb
>
> Are you MAC filtering?


No MAC filtering here, I change hardware fairly often and it just adds
one more thing to keep track of. BTW, 6-10 machines is a bit overkill for 2
users. So, I strive to keep a balance between security and convenience.


>192.168.x.x

>is not going anywhere over the Internet because its a non
>routable block. You should have run tracert which may
>have been interesting.

Of course, 192.168.x.x is not routable, that's why we use it for internal,
right? :) I will run a traceroute if the issue comes up again. In fact,
if I find time I may set up the situation again so that I can run a
trace.


>DMZ's are best avoided.

I disabled the DMZ, it was just a temporary setup in order to do a legal
torrent download. (I ran a web server farm for 12 years...) So, sometimes,
for some things, and in some situations, it really can't be avoided.
But you're right, DMZ is often full of bad news.

I am still really curious as to how an IP that is unassigned responds to
ping. That is the question here. Also, why do my router logs show LAN
traffic to and from this IP! My guess is that it has something to do with
the NT domain and spooler trying to find the missing printer. Still a
weird one overall... and I don't care much for guesses anyway. :)

Hey thanks for the help, it's much appreciated.


Deb

Ari
08-28-08, 06:45 PM
On Thu, 28 Aug 2008 18:08:18 GMT, Deb wrote:

> I am still really curious as to how an IP that is unassigned responds to
> ping. That is the question here. Also, why do my router logs show LAN
> traffic to and from this IP! My guess is that it has something to do with
> the NT domain and spooler trying to find the missing printer. Still a
> weird one overall... and I don't care much for guesses anyway. :)

What are the chances that this offline printer IP was hacked and there
was a real computer on the other side?

Deb
08-28-08, 10:05 PM
Ari <DROPTheJooseIsLoose@gmail.comCAPITALLETTERS> wrote in
news:6horl0Fnarq0U1@mid.individual.net:

> On Thu, 28 Aug 2008 18:08:18 GMT, Deb wrote:
>
>> I am still really curious as to how an IP that is unassigned responds
>> to ping. That is the question here. Also, why do my router logs
>> show LAN traffic to and from this IP! My guess is that it has
>> something to do with the NT domain and spooler trying to find the
>> missing printer. Still a weird one overall... and I don't care much
>> for guesses anyway. :)
>
> What are the chances that this offline printer IP was hacked and there
> was a real computer on the other side?
>

The points you make are both true.

It is all so obvious that unconnected devices are not pingable nor do
they show up in router logs (both incoming and outgoing). I'm just trying to
understand how this occurred...

I appreciate your replies very much.


Thanks,

Deb

Jim Watt
08-29-08, 02:51 AM
On Fri, 29 Aug 2008 03:05:39 GMT, Deb <support@beeswax.com> wrote:

>It is all so obvious that unconnected devices are not pingable nor do
>they show up in router logs (both incoming and outgoing). I'm just trying to
>understand how this occurred...

if you can recreate the situation again, do so and then
start removing devices physically until you find out which
one is using that address, and then investigate why.
--
Jim Watt
http://www.gibnet.com
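Before pulling cables one device at a time, the quicker check for "which device is using that address" is the ARP table. Ping the address so the replying host's MAC gets cached, then dump the table (`arp -a` on Windows and NT, `ip neigh` on Linux) and compare that MAC with the one the printer should have. The script below is an added example, not something posted in this thread or shipped with any of the products mentioned: it parses either table format and audits it against an inventory of expected MACs for a static LAN. The inventory, the offline set, every MAC address and both sample table dumps are constructed for the example.

```python
"""Audit an ARP/neighbour table against a static-LAN inventory.

Added example (not from the thread). Parses `arp -a` (Windows/NT) or
`ip neigh` (Linux) output and reports: addresses answering with a MAC other
than the one on record, addresses not in the inventory at all, and
inventoried hosts that should be unplugged but are still present.
The inventory, offline set, MACs and sample output are all constructed
assumptions, not data taken from the posts above.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Matches 00-1c-10-aa-bb-01 (Windows style) and 00:1c:10:aa:bb:01 (Linux style).
_MAC_RE = re.compile(r"\b((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\b", re.I)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_arp_table(text: str) -> dict[str, str]:
    """Return {ip: mac} for every line carrying both an IPv4 address and a MAC.

    Header lines, "Interface:" lines and incomplete/FAILED entries carry no
    MAC and are skipped. MACs are normalised to lowercase colon form.
    """
    table: dict[str, str] = {}
    for line in text.splitlines():
        ip = _IP_RE.search(line)
        mac = _MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = mac.group(1).lower().replace("-", ":")
    return table


@dataclass(frozen=True)
class Finding:
    ip: str
    kind: str  # "unexpected_mac" | "unknown_host" | "offline_host_present"
    detail: str


def audit(arp: dict[str, str], inventory: dict[str, str], offline: set[str],
          lan: str = "192.168.0.0/24") -> list[Finding]:
    """Compare the live table with the inventory of expected MACs.

    Only addresses inside `lan` are considered; the broadcast address and any
    multicast/other-subnet entries the table carries are noise here.
    """
    net = ipaddress.ip_network(lan)
    findings: list[Finding] = []
    for ip_s, mac in arp.items():
        ip = ipaddress.ip_address(ip_s)
        if ip not in net or ip == net.broadcast_address:
            continue
        expected = inventory.get(ip_s)
        if expected is None:
            findings.append(Finding(ip_s, "unknown_host",
                                    f"{mac} answers for an address not in the inventory"))
        elif mac != expected.lower():
            # Does the MAC that answered belong to some *other* inventoried host?
            also = sorted(i for i, m in inventory.items() if m.lower() == mac and i != ip_s)
            hint = f"; same MAC as inventoried {', '.join(also)}" if also else ""
            findings.append(Finding(ip_s, "unexpected_mac",
                                    f"expected {expected}, table shows {mac}{hint}"))
        elif ip_s in offline:
            findings.append(Finding(ip_s, "offline_host_present",
                                    f"{mac} is the expected MAC, but this host is supposed to be unplugged"))
    return sorted(findings, key=lambda f: ipaddress.ip_address(f.ip))


# Constructed inventory for a /24 with static addresses (MACs are made up).
INVENTORY = {
    "192.168.0.1": "00:1c:10:aa:bb:01",    # router / default gateway
    "192.168.0.10": "00:0c:29:aa:bb:10",   # NT server
    "192.168.0.200": "00:17:c8:aa:bb:c8",  # network printer
}
OFFLINE = {"192.168.0.200"}  # the printer is currently unplugged

# Constructed `arp -a` output as seen from a Windows box right after pinging .200.
SAMPLE_ARP_WINDOWS = """\
Interface: 192.168.0.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-1c-10-aa-bb-01     dynamic
  192.168.0.10          00-0c-29-aa-bb-10     dynamic
  192.168.0.200         00-1c-10-aa-bb-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed `ip neigh` output from a Linux box where .200 did not answer.
SAMPLE_ARP_LINUX = """\
192.168.0.1 dev eth0 lladdr 00:1c:10:aa:bb:01 REACHABLE
192.168.0.10 dev eth0 lladdr 00:0c:29:aa:bb:10 STALE
192.168.0.200 dev eth0  FAILED
"""

if __name__ == "__main__":
    for name, sample in (("windows", SAMPLE_ARP_WINDOWS), ("linux", SAMPLE_ARP_LINUX)):
        findings = audit(parse_arp_table(sample), INVENTORY, OFFLINE)
        print(f"== {name}: {len(findings)} finding(s) ==")
        for f in findings:
            print(f"  {f.ip}  {f.kind}  {f.detail}")
```

In the constructed Windows sample, 192.168.0.200 resolves to the same MAC as the gateway, which is the shape of evidence that would confirm the router is the one answering; an unknown MAC would instead point at a device that needs chasing down. Two caveats: ARP entries can outlive a host for a few minutes after it is unplugged, so ping first and read the table immediately, and a table entry only tells you who answered the ARP request, not why.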

Ari
08-29-08, 01:00 PM
On Fri, 29 Aug 2008 09:51:15 +0200, Jim Watt wrote:

> On Fri, 29 Aug 2008 03:05:39 GMT, Deb <support@beeswax.com> wrote:
>
>>It is all so obvious that unconnected devices are not pingable nor do
>>they show up in router logs (both incoming and outgoing). I'm just trying to
>>understand how this occurred...
>
> if you can recreate the situation again, do so and then
> start removing devices physically until you find out which
> one is using that address, and then investigate why.

Jim, this is a good approach but doesn't address the use of a "vacant"
IP. What happens if she pulls off the devices to find she still has a
"phantom" returning pings from a dead IP address?

Deb
08-29-08, 06:52 PM
Ari <DROPTheJooseIsLoose@gmail.comCAPITALLETTERS> wrote in
news:6hqrp1Fnjj1mU1@mid.individual.net:

> On Fri, 29 Aug 2008 09:51:15 +0200, Jim Watt wrote:
>
>> On Fri, 29 Aug 2008 03:05:39 GMT, Deb <support@beeswax.com> wrote:
>>
>>>It is all so obvious that unconnected devices are not pingable nor do
>>>they show up in router logs (both incoming and outgoing). I'm just trying
>>>to understand how this occurred...
>>
>> if you can recreate the situation again, do so and then
>> start removing devices physically until you find out which
>> one is using that address, and then investigate why.
>
> Jim, this is a good approach but doesn't address the use of a "vacant"
> IP. What happens if she pulls off the devices to find she still has a
> "phantom" returning pings from a dead IP address?
>

Hey guys thanks for hanging in there with me on this. It's much
appreciated.

I sort of already tried the device by device approach, I set the
individual firewalls on each machine to block all traffic. It appeared to
be the router that was responding. That's when I checked the router's
settings and found the DMZ set to the "phantom" address, i.e.
192.168.0.200. As mentioned in my original post, I had set the DMZ to a
different IP. How it got changed is my real concern here... The other
odd thing is that after I disabled the DMZ and rebooted the router, the
ping responses continued for about another hour.

Thanks again everyone,

Deb

Jim Watt
08-30-08, 04:42 AM
On Fri, 29 Aug 2008 23:52:17 GMT, Deb <support@beeswax.com> wrote:

>Ari <DROPTheJooseIsLoose@gmail.comCAPITALLETTERS> wrote in
>news:6hqrp1Fnjj1mU1@mid.individual.net:
>
>> On Fri, 29 Aug 2008 09:51:15 +0200, Jim Watt wrote:
>>
>>> On Fri, 29 Aug 2008 03:05:39 GMT, Deb <support@beeswax.com> wrote:
>>>
>>>>It is all so obvious that unconnected devices are not pingable nor do
>>>>they show up in router logs (both incoming and outgoing). I'm just trying
>>>>to understand how this occurred...
>>>
>>> if you can recreate the situation again, do so and then
>>> start removing devices physically until you find out which
>>> one is using that address, and then investigate why.
>>
>> Jim, this is a good approach but doesn't address the use of a "vacant"
>> IP. What happens if she pulls off the devices to find she still has a
>> "phantom" returning pings from a dead IP address?
>>
>
>Hey guys thanks for hanging in there with me on this. It's much
>appreciated.
>
>I sort of already tried the device by device approach, I set the
>individual firewalls on each machine to block all traffic. It appeared to
>be the router that was responding. That's when I checked the router's
>settings and found the DMZ set to the "phantom" address, i.e.
>192.168.0.200. As mentioned in my original post, I had set the DMZ to a
>different IP. How it got changed is my real concern here... The other
>odd thing is that after I disabled the DMZ and rebooted the router, the
>ping responses continued for about another hour.
>
>Thanks again everyone,
>
>Deb

It sounds like 'a feature' rather than something
malevolent.

Most routers allow you to opt in and out of configuring
them from the WAN side, make sure it's off.
--
Jim Watt
http://www.gibnet.com