Tools for tracing IP

Todd Hought plug-discuss@lists.plug.phoenix.az.us
Thu, 11 Apr 2002 18:22:14 -0700 (MST)


Well, it's been a while since I supported a win98 box, but IIRC,
169.254.101.152 is one of those goofy IPs that win98 will assign itself
when it can't get an IP from a dhcp server, but it still gives itself one
anyways.
Can't imagine how a machine that has that IP could be sending traffic though.
If you've got a good packet sniffer, you can usually see what mac addr is
tied to that IP, and perhaps go through your local switch to find it.
Not sure if that helps, but it might. :-)
-T

On Thu, 11 Apr 2002 alandd@mindspring.com wrote:

> On my Win98 box here at work I recently installed ZoneAlarm so I could catch any "funny" apps going out to the internet without me knowing.  Today ZoneAlarm has been yelling every couple of hours about attempted NetBIOS connections from an IP outside our company NAT firewall.  This puzzles me greatly.  Ping and traceroute from the Win98 box to the IP come back without a domain name and with "Destination host unreachable" errors.
>
> I assume my PC has been "zombified" and the "master" is outside trying to get in.  I don't know how it is doing this through the NAT.  I have not seen any unknown programs trying to get out through ZoneAlarm.
>
> Not being experienced in tracking these things, I don't know what else I can learn about this when all I have is the IP address.  What tools or resources are available in Linux to find out where this port scan is coming from and what on my computer would want to answer?
>
> Details------------
> Summary:
> Source IP: 169.254.101.152
> Source ports: 4335, 4615, 4618, 4621, 4995, 4998, 3626, 3632
> My IP (behind firewall/NAT):192.168.200.xxx
> My port: 139
>
> ZoneAlarm Log text:
> type,date,time,source,destination,transport
> FWIN,2002/04/11,10:12:00 -7:00 GMT,169.254.101.152:4335,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4615,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4618,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4621,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4995,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4998,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3626,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3632,192.168.200.xxx:139,TCP (flags:S)
> PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

********************************************************************
* You don't tug on Superman's cape, you don't spit into the wind.. *
* You don't pull the mask off the ol' Lone Ranger,                 *
* And you don't mess around with the Sysadmin's workstation.       *
********************************************************************
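To turn Todd's point into something you can run against the ZoneAlarm export, here is a small Python script (an added example, not code from either poster) that parses the "FWIN" CSV format shown in the post, splits each source and destination into IP and port, and classifies each source address against the 169.254.0.0/16 link-local range and the RFC 1918 private ranges. A 169.254.x.x source is not routable across a NAT or the Internet, so an entry with that source was sent by a host on the same LAN segment as the Win98 box, and the next step is an ARP/MAC lookup on the local switch rather than a whois on the address. The log lines are constructed for this example: the destination host octet (the post masks it as "xxx") and the two extra sources (one RFC 1918 address, one address from the 203.0.113.0/24 documentation range standing in for a public host) are made up here.

```python
import csv
import ipaddress
from collections import Counter
from io import StringIO

# Constructed sample in ZoneAlarm's CSV export format (type,date,time,source,
# destination,transport). The 169.254.101.152 lines mirror the shape of the
# post's log; the destination host octet and the last two sources are made up.
SAMPLE_LOG = """\
type,date,time,source,destination,transport
FWIN,2002/04/11,10:12:00 -7:00 GMT,169.254.101.152:4335,192.168.200.10:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4615,192.168.200.10:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4618,192.168.200.10:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4995,192.168.200.10:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,192.168.200.77:1043,192.168.200.10:139,TCP (flags:S)
FWIN,2002/04/11,16:28:38 -7:00 GMT,203.0.113.9:51234,192.168.200.10:139,TCP (flags:S)
"""

# Explicit ranges, so the classification does not depend on how a given
# Python version defines ipaddress.is_private (which also covers 169.254/16).
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(ip_text):
    """Say where a source address can physically come from."""
    ip = ipaddress.ip_address(ip_text)
    if ip in LINK_LOCAL:
        # APIPA/self-assigned address: never forwarded by a router or NAT,
        # so the sender is on the same broadcast domain as the logging host.
        return "link-local: same LAN segment, cannot have crossed the NAT"
    if any(ip in net for net in RFC1918):
        return "rfc1918: inside the private network"
    return "public: could be outside the firewall"


def parse_zonealarm(text):
    """Parse FWIN (inbound, blocked) rows into dicts with split IP/port."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        if row["type"] != "FWIN":
            continue
        src_ip, src_port = row["source"].rsplit(":", 1)
        dst_ip, dst_port = row["destination"].rsplit(":", 1)
        events.append({
            "time": row["date"] + " " + row["time"],
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "transport": row["transport"],
            "origin": classify_source(src_ip),
        })
    return events


def summarize(events):
    """Group events by source IP: hit count, destination ports, origin class."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(ev["src_ip"], {
            "origin": ev["origin"], "hits": 0,
            "dst_ports": Counter(), "src_ports": [],
        })
        entry["hits"] += 1
        entry["dst_ports"][ev["dst_port"]] += 1
        entry["src_ports"].append(ev["src_port"])
    return summary


def local_suspects(summary):
    """Sources that must be on the local network, i.e. worth an ARP/MAC lookup."""
    return [ip for ip, entry in summary.items()
            if not entry["origin"].startswith("public")]


if __name__ == "__main__":
    report = summarize(parse_zonealarm(SAMPLE_LOG))
    for ip, entry in report.items():
        ports = ", ".join(f"{p}x{n}" for p, n in entry["dst_ports"].items())
        print(f"{ip:16} hits={entry['hits']:2} dst_ports=[{ports}] {entry['origin']}")
    print("look up on the LAN:", local_suspects(report))
```

For a 169.254.x.x source the script reports the sender as on the local segment; the practical follow-up on the Win98 box is `arp -a` (or a sniffer, as Todd suggests) right after a logged attempt, which gives the MAC address to match against the switch's port table.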