  one4games
join:2001-02-25 Vallejo, CA
| First Time Spoofed!!!
Well it finally happened, I received my first (obvious) spoofed address. The person was trying to gain access to my network using 192.168.1.254. With no success mind you, but it did send an alarm to my logging program. If only I could get my wife's purse to be as secure as my network. It was stolen and then recovered, with only a cell phone and gas card missing (everything else was at home, thank god). -- Life is all about upgrading. |
|
  DelaWhere_Steve
join:2001-03-21 | Wow, that is either cool or scary? How did he know there was even a PC at your IP? Also wondering what worked in stopping this exploit? Good for you  |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| reply to one4games Could you be a little more specific about what you saw? There is no way that 192.168.x.x could get routed to you from other locations on the internet, so perhaps your logs are suggesting something else.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
|
  one4games
join:2001-02-25 Vallejo, CA
| This is what my logs for linklogger had reported.
Dir / Date time / src ip / src port / dest ip / dest port
in / 8-26-01 7:26am / 192.168.1.254 / 137 / 192.168.1.xxx / 137
And this was right as I booted up this morning. There is no pc at the destination ip either. -- Life is all about upgrading. |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| said by one4games: This is what my logs for linklogger had reported.
What kind of firewall do you have? Are you on a cable modem?
This is more likely a misconfigured Windows machine than it is a spoof: 137/udp traffic is often generated from machines that have either two NIC cards or a VPN connection, which often send NETBIOS nameserver scans with a bogus source address. It's possible that it's spoofed, but in this case it's more likely a neighbor has a badly configured machine.
In any case you're right that you can ignore it.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
|
  DelaWhere_Steve
join:2001-03-21
| reply to one4games Since the 192.168 range of addresses is defined as private and exists on millions of local LANs the xxx representation of your last octet is not hiding anything worth keeping private. This alert is coming from your own PC or, perhaps, another one attached to your LAN, I think. -- "The end cannot justify the means, for the simple and obvious reason that the means employed determine the nature of the ends produced." Aldous Huxley 1894-1963 |
|
  Wildcatboy Premium,Mod join:2000-10-30 Toronto, ON | reply to one4games
I agree, it's most likely wrong configuration. 192.168.xxx.xxx range IP addresses can be spoofed in certain cases but in this particular case I doubt it was. |
|
  one4games
join:2001-02-25 Vallejo, CA
| I have no machine with the ip 192.168.1.254 and second the ip 192.168.1.200 is forwarded at the router and there is no machine with this ip either. I use ZAP on all machines and allow no in or out traffic of port 137 on any of my PCs and none of the firewalls report any such infringements of rules. So if it is not from the outside and I have no PCs with such ip addresses then how is it that Linklogger reports this?
Oh and I don't use VPN and all pc's have only one nic. My connection is DSL. -- Life is all about upgrading.
[text was edited by author 2001-08-26 17:24:42] |
|
 ellane
join:2000-06-02 Charlotte, NC
·AT&T Southeast
| Hi, I'm curious about this topic in that I have been probed 130 times by source addresses that begin with 192.168.
Should I be concerned about this? I've copied a few of the latest from ZoneAnalyzer.
FWIN 8/20/01 9:35:18 AM -4:00 GMT 192.168.0.1 137 209.214.xx.xxx 137 UDP No
FWIN 8/25/01 9:05:32 PM -4:00 GMT 192.168.1.14 N/A 0 209.214.xx.xxx 0 TCP No
FWIN 8/25/01 10:30:34 PM -4:00 GMT 192.168.1.14 N/A 2048 208.61.xxx.xx 1150 TCP (flags:R) No
FWIN 8/26/01 10:46:00 AM -4:00 GMT 192.168.1.14 N/A 0 208.61.xxx.xxx 0 TCP No
FWIN 8/17/01 12:45:43 PM -4:00 GMT 192.168.254.23 137 209.214.xx.xx 137 UDP No |
|
  one4games
join:2001-02-25 Vallejo, CA
| reply to DelaWhere_Steve I have one more question, why would my logs for the Linky router show incoming traffic for 192.168.1.254 (this is from the wan side not the lan)? If it were a misconfigured computer on the lan side it would show up in my software firewall logs, correct? -- Life is all about upgrading. |
|
  DelaWhere_Steve
join:2001-03-21 | 192.168.1.254 is in your LAN I think. It is an unassigned address available for PCs on the Linky |
|
  one4games
join:2001-02-25 Vallejo, CA
| True I could assign a pc to 192.168.1.254, but there are no pc's presently assigned that number and second linklogger shows it coming in from the wan side not from lan. So how could this be a pc on the lan side? -- Life is all about upgrading. |
|
  DelaWhere_Steve
join:2001-03-21
| 192.168.1.254 can not route on the internet. I really doubt it is from the WAN. OOPs sorry Nevermind [text was edited by author 2001-08-26 19:28:39] |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| said by DelaWhere_Steve: 192.168.1.254 can not route on the internet. I really doubt it is from the WAN.
The source address -- which is what I think he's seeing -- is not used for routing and has no trouble traveling the bulk of the internet. I commonly see hits from the various private IP spaces in my firewall logs from systems that are badly configured.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
|
 ellane
join:2000-06-02 Charlotte, NC | Does this mean that there's no reason to be concerned when these source addresses probe?
I'm using ZAPro on high security.
Thanks |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| For one thing, anything with a source address of 192.168.x.x will never get back to the real "source", so in practice they can't do anything. So the short answer is "don't be concerned". But it's smarter to look at the target service being probed: if it's for a service that you're not even running, ZoneAlarm will be taking the credit for saving you from nothing independent of the source.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
|
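An added example, not part of the original thread: a small triage script that applies the advice above to firewall log lines, flagging inbound entries whose source is in RFC 1918 private space and checking whether the probed service is one the host actually runs. The whitespace-separated log layout (modelled on the Linklogger columns quoted earlier), the sample lines, and the function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges. A reply to one of these sources never reaches
# the real sender across the internet, as noted in the post above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Only the service discussed in the thread; extend as needed.
SERVICES = {(137, "UDP"): "NetBIOS name service"}

# Constructed sample lines (not real logs):
# dir, date, time, src ip, src port, dest ip, dest port, protocol
SAMPLE_LOG = """\
in 8-26-01 07:26 192.168.1.254 137 203.0.113.10 137 UDP
in 8-26-01 07:31 198.51.100.7 1042 203.0.113.10 80 TCP
in 8-26-01 08:02 192.168.254.23 137 203.0.113.10 137 UDP
in 8-26-01 08:15 10.1.2.3 3000 203.0.113.10 21 TCP
garbled line
"""

def is_rfc1918(addr):
    """True if addr is in one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
    return any(ip in net for net in RFC1918)

def private_source_hits(log_text, listening=frozenset()):
    """Return inbound entries with an RFC 1918 source address.

    `listening` is the set of (port, protocol) pairs the host really
    serves; `exposed` is True only when the probe targets one of them.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] != "in":
            continue  # skip malformed or outbound entries
        _, date, time, src, _sport, _dst, dport, proto = parts
        try:
            if not is_rfc1918(src):
                continue
            key = (int(dport), proto.upper())
        except ValueError:
            continue  # unparsable address or port
        hits.append({"when": f"{date} {time}", "src": src,
                     "service": SERVICES.get(key, "unknown"),
                     "exposed": key in listening})
    return hits

if __name__ == "__main__":
    for hit in private_source_hits(SAMPLE_LOG, listening={(80, "TCP")}):
        print(hit)
```
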
  one4games
join:2001-02-25 Vallejo, CA
| reply to DelaWhere_Steve Ok let's say it is not on wan side.
1. Why would Linklogger say that it is?
2. Why would the Linky forward port 137 to the specified address?
3. How would it be on lan side if there are no pc's with that address?
4. If it were lan side how come my software firewalls don't show a log for the infraction?
5. Is it possible the Linky is going kaput or is it the Linklogger program?
These are some of the questions that I have, maybe you will know the answer.
Oh and I have had my Linky for about a year and have not messed with the settings for about 2 maybe 3 months and have never seen this type of traffic before.
It makes you think doesn't it?  -- Life is all about upgrading.
[text was edited by author 2001-08-26 19:40:53] |
|
  one4games
join:2001-02-25 Vallejo, CA
| reply to Steve You're right, no reason to be concerned if it is being stopped in its tracks. I just thought it was an interesting log and thought I would share with all of you gurus to see what you all thought. I am still fairly green when it comes to security, but have learned a lot since I have come to dslreports. -- Life is all about upgrading. [text was edited by author 2001-08-26 19:52:42] |
|
 ellane
join:2000-06-02 Charlotte, NC
·AT&T Southeast
| reply to ellane I'm sorry, but I don't understand. Should I be concerned about these probes or not?
Do I need to alert my ISP that I've received 130 probes from these addresses since 7/30 or just ignore it?
I love these forums but I'm definitely not very technical, so I count on your advice. |
|
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
| said by ellane: Should I be concerned about these probes or not?
I'll make it easy: don't give them another thought. -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
|