Phyl (old hand, Registered: 01/18/00, Loc: United Kingdom)
Network Monitor on Win2K Pro - Any TCP/IP Buffs out there?
#1910707 - 09/12/03 08:37 PM

I'm running an IIS-based web server on Win2K Pro, and have recently been getting some really odd hack attempts (HTTP PROPFIND and OPTIONS headers) that are coming from IP addresses that look like they're internal to my network (192.168.0.x) but which don't actually exist. I wanted to install Network Monitor to examine the packets and try to work out what's going on, but it seems it's only available in W2K Server (Thanks microshaft.. very useful).

Do any of you know of any free software that does basically the same thing, or have any suggestions on how I can get to the bottom of this? I'm assuming it's one person whose IP I can ban on my firewall if I can find out what it is, but without Network Monitor I dunno how I can do that, as the server only logs the internal address. It's odd; I've never come across anything like this before.


djfrog (omgws!!!1!, Registered: 10/23/00)
Re: Network Monitor on Win2K Pro - Any TCP/IP Buffs out there? [Re: Phyl]
#1910827 - 09/12/03 09:39 PM

Some MS engineer posted this somewhere else:

"
WinPcap is a public domain set of utilities for this, although I haven't
used them personally. It looks like you need to use a tool on top of
WinPcap, either 'Analyzer' or 'WinDump'. The first is a UI, the second is a
command line app. Do a search for all three (WinPcap, Analyzer, and
WinDump) and I believe you'll find what you need.
"

Maybe that will help you? I've never messed with it; I just use netmon (buahaha)


Scarfmeister (Thrill Seeker, Registered: 10/31/02, Loc: The will to power)
Re: Network Monitor on Win2K Pro - Any TCP/IP Buffs out there? [Re: djfrog]
#1911953 - 09/13/03 05:52 AM

Doesn't sound like a hack attempt to me, since it's coming from a private address.
Download Network Probe or some other free protocol analyzer if you wish to dig deeper.

--------------------
We're the lowest of the low, the scum of the fucking earth!


Phyl (old hand, Registered: 01/18/00, Loc: United Kingdom)
Re: Network Monitor on Win2K Pro - Any TCP/IP Buffs out there? [Re: Scarfmeister]
#1912173 - 09/13/03 10:50 AM

Cheers for the pointers to the software.

If it's not a hack attempt, have you got any idea what's going on? Check out the log below. 192.168.0.10 doesn't exist on my network. I've got 4 computers: 2 have static addresses (X.2 and X.3) and 2 use DHCP with a range from X.15 to X.200. Like I said, I've never seen anything like this before; it's really odd.

[09-08-2003 - 00:03:31] ---------------- Initializing UrlScan.log ----------------
[09-08-2003 - 00:03:31] -- Filter initialization time: [08-18-2003 - 20:49:11] --
[09-08-2003 - 00:03:31] Client at 172.189.95.215: URL contains extension '.ida', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/default.ida'
[09-08-2003 - 17:19:05] Client at 192.168.0.10: Sent verb 'OPTIONS', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:14] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:14] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:20] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:23] Client at 192.168.0.10: Sent verb 'OPTIONS', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:29] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:29] Client at 192.168.0.10: Sent verb 'OPTIONS', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:32] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:38] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:38] Client at 192.168.0.10: Sent verb 'OPTIONS', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:38] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:41] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:47] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:50] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:53] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:20:16] Client at 192.168.0.10: Sent verb 'OPTIONS', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:26:26] Client at 192.168.0.10: Sent verb 'OPTIONS', which is not specifically allowed. Request will be rejected.


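The triage a practitioner would do on the log above, as an added example that is not part of the thread: parse the UrlScan reject lines, group them per client, and sort each client into "public", "known LAN host", or "in our subnet but nothing should be using that address" using the address plan Phyl describes (static .2 and .3, DHCP pool .15 to .200). The two log lines embedded are copied from the post; the assumption that the LAN is 192.168.0.0/24 is mine.

```python
"""Triage UrlScan.log rejects against a known LAN address plan.

Added example, not from the thread. Log lines are copied from the post;
the /24 subnet is an assumption, the host plan is the one Phyl describes.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Sample input: a few of the UrlScan.log lines quoted in the thread.
URLSCAN_LOG = """\
[09-08-2003 - 00:03:31] ---------------- Initializing UrlScan.log ----------------
[09-08-2003 - 00:03:31] Client at 172.189.95.215: URL contains extension '.ida', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/default.ida'
[09-08-2003 - 17:19:05] Client at 192.168.0.10: Sent verb 'OPTIONS', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:14] Client at 192.168.0.10: Sent verb 'PROPFIND', which is not specifically allowed. Request will be rejected.
[09-08-2003 - 17:19:23] Client at 192.168.0.10: Sent verb 'OPTIONS', which is not specifically allowed. Request will be rejected.
"""

# Address plan from the thread. Assumption: the LAN is a single /24.
LAN = ip_network("192.168.0.0/24")
STATIC_HOSTS = {ip_address("192.168.0.2"), ip_address("192.168.0.3")}
DHCP_POOL = (ip_address("192.168.0.15"), ip_address("192.168.0.200"))

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Client at (?P<ip>[\d.]+): (?P<msg>.*)$")
VERB_RE = re.compile(r"Sent verb '(?P<verb>[A-Z]+)'")
EXT_RE = re.compile(r"URL contains extension '(?P<ext>[^']+)'")


def parse(log_text):
    """Yield (timestamp, client_ip, reason) per reject line; skip banner lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        verb, ext = VERB_RE.search(msg), EXT_RE.search(msg)
        if verb:
            reason = "verb:" + verb.group("verb")
        elif ext:
            reason = "ext:" + ext.group("ext")
        else:
            reason = "other"
        yield m.group("ts"), ip_address(m.group("ip")), reason


def classify(ip):
    """Where should this client sit, given the address plan?"""
    if isinstance(ip, str):
        ip = ip_address(ip)
    if not ip.is_private:
        return "public"           # Internet scanner/worm: firewall-bannable
    if ip not in LAN:
        return "private-foreign"  # RFC1918 but not our subnet: leaked or routed in
    if ip in STATIC_HOSTS or DHCP_POOL[0] <= ip <= DHCP_POOL[1]:
        return "known-lan"        # one of our own boxes: inspect it for malware
    return "unassigned-lan"       # our subnet, but nothing should hold this address


def triage(log_text):
    """{client_ip: {"class": ..., "count": n, "reasons": {reason: n}}}."""
    report = defaultdict(lambda: {"class": None, "count": 0, "reasons": defaultdict(int)})
    for _ts, ip, reason in parse(log_text):
        entry = report[str(ip)]
        entry["class"] = classify(ip)
        entry["count"] += 1
        entry["reasons"][reason] += 1
    return {ip: {"class": e["class"], "count": e["count"], "reasons": dict(e["reasons"])}
            for ip, e in report.items()}


if __name__ == "__main__":
    for ip, e in triage(URLSCAN_LOG).items():
        print(f"{ip:16} {e['class']:15} {e['count']:3}  {e['reasons']}")
```

Run against the real UrlScan.log, the "unassigned-lan" bucket is the one that needs a packet capture: a public client can simply be banned, and a "known-lan" client can be checked directly with ipconfig, but an address that is inside the subnet yet outside both the static list and the DHCP pool has no legitimate owner. Note that the .ida request from 172.189.95.215 lands in a different bucket from the WebDAV verbs, which is the separation SeussA draws later in the thread.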
djfrog (omgws!!!1!, Registered: 10/23/00)
Re: Network Monitor on Win2K Pro - Any TCP/IP Buffs out there? [Re: Phyl]
#1912435 - 09/13/03 01:26 PM

I did a Google search on 'default.ida'; it suggests the Code Red virus is looking for vulnerable IIS servers.


SeussA (Error: divide by zero, Registered: 04/27/01, Loc: Caribbean)
Re: Network Monitor on Win2K Pro - Any TCP/IP Buffs out there? [Re: djfrog]
#1917711 - 09/15/03 11:18 AM

It would help if you could get the MAC address and see if it matches any of the active interfaces on your networked clients. Run 'ipconfig /all' from cmd on each of your Windows clients and ensure that none of the interfaces are at 192.168.0.10. I have seen Windows XP do some very odd things with networking and addresses when the network bridge is enabled.

You might also try unplugging your network from the WAN and see if the requests continue. That at least will tell you if they are from inside or outside your LAN. The 192.168.0.0 class B is not supposed to route, but I have seen misconfigured routers that allow traffic to pass through on that network.

The Code Red thing (probing for .ida) was from an outside address, 172.189.95.215, and seems unrelated to the following traffic from 192.168.0.10.

Of course, your real problem is that you are running Micro$oft products in the first place. Your best solution would be to switch to a real OS such as Solaris, or even Linux, and a real web server such as Zeus, or even Apache.


--------------------
Just another spore in the wind.

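The MAC-address check SeussA suggests, worked through as an added example (not code from the thread): read the IIS box's ARP cache ('arp -a') for the suspect address, collect the 'Physical Address' / 'IP Address' pairs from 'ipconfig /all' on each known client, and decide whether 192.168.0.10 is a real LAN host, an un-inventoried device, or an address that is being answered for by some other box's interface. Because UrlScan only sees a request after the TCP handshake has completed, the server must have been able to reach 192.168.0.10 at that moment, so the ARP cache is a meaningful place to look. The 'arp -a' and 'ipconfig /all' excerpts below are constructed for illustration, and the MAC values, host names and the router at 192.168.0.1 are assumptions.

```python
"""Who answers for 192.168.0.10? Cross-check the ARP cache against ipconfig.

Added example, not from the thread. All command output below is constructed;
MACs, host names and the router address are assumptions.
"""
import re

# Constructed sample: 'arp -a' on the IIS box right after the PROPFIND burst.
ARP_OUTPUT = """\
Interface: 192.168.0.2 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.0.1           00-0c-29-aa-bb-01     dynamic
  192.168.0.3           00-0c-29-aa-bb-03     dynamic
  192.168.0.10          00-0c-29-aa-bb-01     dynamic
  192.168.0.20          00-0c-29-aa-bb-20     dynamic
  192.168.0.77          00-50-56-cc-dd-ee     dynamic
"""

# Constructed sample: relevant lines of 'ipconfig /all' from each known box
# (the router's LAN interface taken from its status page), keyed by host name.
IPCONFIG_OUTPUTS = {
    "router": "Physical Address. . . . . . . . . : 00-0C-29-AA-BB-01\n"
              "IP Address. . . . . . . . . . . . : 192.168.0.1\n",
    "pc3":    "Physical Address. . . . . . . . . : 00-0C-29-AA-BB-03\n"
              "IP Address. . . . . . . . . . . . : 192.168.0.3\n",
    "laptop": "Physical Address. . . . . . . . . : 00-0C-29-AA-BB-20\n"
              "IP Address. . . . . . . . . . . . : 192.168.0.20\n",
}

ARP_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+(\w+)", re.M)
# Pair each 'Physical Address' with the next 'IP Address' in the same adapter block.
PAIR_RE = re.compile(
    r"Physical Address[ .]*:\s*([0-9A-Fa-f-]{17}).*?IP Address[ .]*:\s*(\d+\.\d+\.\d+\.\d+)",
    re.S,
)


def parse_arp(text):
    """{ip: mac} from 'arp -a' output, MACs normalised to lower case."""
    return {ip: mac.lower() for ip, mac, _typ in ARP_RE.findall(text)}


def parse_ipconfig(outputs):
    """{mac: [(host, ip), ...]} for every adapter found in the collected dumps."""
    inventory = {}
    for host, text in outputs.items():
        for mac, ip in PAIR_RE.findall(text):
            inventory.setdefault(mac.lower(), []).append((host, ip))
    return inventory


def attribute(target_ip, arp_text, ipconfig_outputs):
    """Return (verdict, mac, hosts) for target_ip.

    no-arp-entry : the server never resolved it; nothing on the wire answered
    unknown-mac  : a real device answered, but it is not in our inventory
    lan-host     : a known box really holds that IP (check it for malware)
    proxied-via  : the MAC belongs to another box's interface (here the router),
                   so the traffic is being forwarded/NATed/answered for, not
                   originated by a separate LAN host
    """
    arp = parse_arp(arp_text)
    inventory = parse_ipconfig(ipconfig_outputs)
    mac = arp.get(target_ip)
    if mac is None:
        return ("no-arp-entry", None, [])
    owners = inventory.get(mac, [])
    if not owners:
        return ("unknown-mac", mac, [])
    hosts = sorted({host for host, _ip in owners})
    if any(ip == target_ip for _host, ip in owners):
        return ("lan-host", mac, hosts)
    return ("proxied-via", mac, hosts)


if __name__ == "__main__":
    for ip in ("192.168.0.10", "192.168.0.3", "192.168.0.77", "192.168.0.99"):
        print(ip, attribute(ip, ARP_OUTPUT, IPCONFIG_OUTPUTS))
```

In the constructed sample the suspect address resolves to the same MAC as the router's LAN interface, which is the "misconfigured router" case SeussA describes: the router, not a fourth PC, is putting those frames on the wire, so the next step is a WinDump capture on the server with a filter on that source address and a look at the router's NAT and forwarding configuration. A "lan-host" verdict instead points at one of your own machines (the XP-bridge oddity), and "no-arp-entry" means the entry has already aged out, so re-run 'arp -a' immediately after the next burst.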
