Tools for tracing IP

Bill Nash plug-discuss@lists.plug.phoenix.az.us
Thu, 11 Apr 2002 18:21:30 +0700 (GMT-7)


Unplug your network cable, open a command prompt, and type 'ipconfig
/renew' (assuming you're using DHCP on your network.)

Let it time out, and look at that address again.

If you aren't using DHCP, and all your machines are statically assigned,
you've got a box somewhere on your lan assigning its own IP address
because it can't find a DHCP server. Happy hunting.

- billn

On Thu, 11 Apr 2002 alandd@mindspring.com wrote:

> On my Win98 box here at work I recently installed ZoneAlarm so I could catch any "funny" apps going out to the internet without me knowing.  Today ZoneAlarm has been yelling every couple of hours about attempted NetBIOS connections from an IP outside our company NAT firewall.  This puzzles me greatly.  Ping and traceroute from the Win98 box to the IP come back without a domain name and with "Destination host unreachable" errors.
>
> I assume my PC has been "zombified" and the "master" is outside trying to get in.  I don't know how it is doing this through the NAT.  I have not seen any unknown programs trying to get out through ZoneAlarm.
>
> Not being experienced in tracking these things, I don't know what else I can learn about this when all I have is the IP address.  What tools or resources are available in Linux to find out where this port scan is coming from and what on my computer would want to answer?
>
> Details------------
> Summary:
> Source IP: 169.254.101.152
> Source ports: 4335, 4615, 4618, 4621, 4995, 4998, 3626, 3632
> My IP (behind firewall/NAT):192.168.200.xxx
> My port: 139
>
> ZoneAlarm Log text:
> type,date,time,source,destination,transport
> FWIN,2002/04/11,10:12:00 -7:00 GMT,169.254.101.152:4335,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4615,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4618,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4621,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4995,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4998,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3626,192.168.200.xxx:139,TCP (flags:S)
> FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3632,192.168.200.xxx:139,TCP (flags:S)
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
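The point of the reply above is that 169.254.x.x is the self-assigned (link-local / APIPA) range a Windows box falls back to when no DHCP server answers, so the "outside" host is really a machine on the same LAN segment. The following Python script is an added example, not code from either poster: it parses the ZoneAlarm log format shown in the quoted message, classifies each source address with the standard library's ipaddress module, and reports whether the hits are NetBIOS session probes. The log text is constructed from the lines in the post, with the redacted last octet of the local address replaced by an assumed value (.42).

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample input: the ZoneAlarm records from the post. The
# redacted "xxx" in the destination address is replaced by an assumed .42.
ZONEALARM_LOG = """\
type,date,time,source,destination,transport
FWIN,2002/04/11,10:12:00 -7:00 GMT,169.254.101.152:4335,192.168.200.42:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4615,192.168.200.42:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4618,192.168.200.42:139,TCP (flags:S)
FWIN,2002/04/11,10:13:55 -7:00 GMT,169.254.101.152:4621,192.168.200.42:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4995,192.168.200.42:139,TCP (flags:S)
FWIN,2002/04/11,12:59:47 -7:00 GMT,169.254.101.152:4998,192.168.200.42:139,TCP (flags:S)
FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3626,192.168.200.42:139,TCP (flags:S)
FWIN,2002/04/11,16:28:38 -7:00 GMT,169.254.101.152:3632,192.168.200.42:139,TCP (flags:S)
"""

NETBIOS_SMB_PORTS = {137, 138, 139, 445}


def parse_zonealarm(text):
    """Parse ZoneAlarm's comma-separated FWIN/FWOUT records into dicts.

    The header line names the fields; the last field (transport) may hold
    spaces but no commas, so a bounded split is enough.
    """
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        fields = line.split(",", len(header) - 1)
        rec = dict(zip(header, fields))
        src_ip, src_port = rec["source"].rsplit(":", 1)
        dst_ip, dst_port = rec["destination"].rsplit(":", 1)
        rec["src_ip"] = ipaddress.ip_address(src_ip)
        rec["src_port"] = int(src_port)
        rec["dst_ip"] = ipaddress.ip_address(dst_ip)
        rec["dst_port"] = int(dst_port)
        rows.append(rec)
    return rows


def classify_source(ip):
    """Say where a packet with this source address can have come from."""
    ip = ipaddress.ip_address(ip)
    # Check link-local first: Python also counts 169.254/16 as "private".
    if ip.is_link_local:
        return ("link-local (169.254.0.0/16, self-assigned without DHCP): "
                "sender is on your own LAN segment, not outside the NAT")
    if ip.is_loopback:
        return "loopback: the local host itself"
    if ip.is_private:
        return "RFC 1918 private: behind the NAT, not routed from the Internet"
    return "globally routable: could genuinely be outside the firewall"


def summarize(rows):
    """Group records by source address and describe what each source did."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src_ip"]].append(r)
    report = {}
    for src, recs in by_src.items():
        dst_ports = Counter(r["dst_port"] for r in recs)
        report[str(src)] = {
            "verdict": classify_source(src),
            "hits": len(recs),
            "dst_ports": dict(dst_ports),
            # Only NetBIOS/SMB ports touched: file-sharing browse/session traffic.
            "netbios": set(dst_ports) <= NETBIOS_SMB_PORTS,
            # SYN-only means unanswered connection attempts, not an established channel.
            "all_syn": all("flags:S" in r["transport"] for r in recs),
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(parse_zonealarm(ZONEALARM_LOG)).items():
        print(f"{src}: {info['hits']} hits on ports {info['dst_ports']}")
        print(f"  NetBIOS/SMB only: {info['netbios']}, all SYN: {info['all_syn']}")
        print(f"  {info['verdict']}")
```

Run against the posted records the script reports a single link-local source hitting only TCP/139 with bare SYNs, which is what a misconfigured Windows box with no DHCP lease looks like when it tries to browse shares on the segment; nothing in the log shows a connection being accepted or anything leaving the Win98 host. To find the machine, the next step is on the LAN itself (the ARP table or a switch's MAC table for 169.254.101.152), not a traceroute, since link-local addresses are never routed.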