Security breach on the network - urgent help needed

Associate | Joined 14 Jan 2003 | Posts 139 | Location: london
OK, for the past few days I've noticed some slowdowns/funny stuff happening on my network. So I turned the sniffer on (Etherboy, GFX interface) and it shows me an IP, 151.168.16.127, connected to the network (it has been for the last couple of days). Basically it seems all the PCs are communicating with this IP, even though whois returns what seems like a private ADSL address.

The funniest thing is, if I run Ethereal, this IP does not even show up.

Could anyone shed some light on this?
What should I do next to try and stop this?
I don't want to ban the IP on the firewall as it might happen again.
I am planning to install a software firewall on one of the machines, blocking everything and then tracing which applications are trying to access the internet... Any more suggestions?

All PCs have antivirus installed; there's a Linux firewall on the way to the internet.
By the way, look at the fat line going to 192.168.0.5. That's the mail server.
 
papachumba said:
OK, for the past few days I've noticed some slowdowns/funny stuff happening on my network. So I turned the sniffer on (Etherboy, GFX interface) and it shows me an IP, 151.168.16.127, connected to the network (it has been for the last couple of days). Basically it seems all the PCs are communicating with this IP, even though whois returns what seems like a private ADSL address.

The funniest thing is, if I run Ethereal, this IP does not even show up.

Could anyone shed some light on this?
What should I do next to try and stop this?
I don't want to ban the IP on the firewall as it might happen again.
I am planning to install a software firewall on one of the machines, blocking everything and then tracing which applications are trying to access the internet... Any more suggestions?

All PCs have antivirus installed; there's a Linux firewall on the way to the internet.
By the way, look at the fat line going to 192.168.0.5. That's the mail server.

That IP address is for Raytheon (I think they make weapons for the US government), I think they're coming to get you.
 
OrgName: Raytheon Company
OrgID: RAYTHE-20
Address: 2501 W. University Dr.
City: McKinney
StateProv: TX
PostalCode: 75070
Country: US

NetRange: 151.168.0.0 - 151.168.255.255
CIDR: 151.168.0.0/16
NetName: RAYTHEON-NET-151
NetHandle: NET-151-168-0-0-1
Parent: NET-151-0-0-0-0
NetType: Direct Assignment
NameServer: BOS-SERVICE1.RAYTHEON.COM
NameServer: DFW-SERVICE1.RAYTHEON.COM
NameServer: LAX-SERVICE1.RAYTHEON.COM
Comment:
RegDate:
Updated: 2001-07-17

RTechHandle: ZR46-ARIN
RTechName: Raytheon Company
RTechPhone: +1-972-952-7808
RTechEmail: ********@ext.ray.com
 
There's a program called TCP Mon that shows which applications are using which ports to where. You can also get Bitdefender from Microsoft. That will do the trick as well, as it monitors ports with applications to addresses.
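The reply above recommends a per-application port monitor. The same join of "which process owns which socket to which remote address" can be done from a plain `netstat -ano` listing and a PID-to-image table, which is useful when you want to triage a machine with nothing installed. This is an added example, not code from the thread or from any of the tools named in it; the netstat text and the PID table are constructed samples, and the target IP is just the one quoted in the dnsstuff lookup later in the thread.

```python
"""Which local processes are talking to a given remote IP?

Added example, not code from the thread. It parses the text that
`netstat -ano` prints on Windows and joins the PID column to a
PID-to-image-name table (what `tasklist` gives you). Both the netstat
text and the PID table below are constructed samples.
"""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.5:25         151.198.16.127:3421    ESTABLISHED     1204
  TCP    192.168.0.5:139        192.168.0.22:1055      ESTABLISHED     4
  TCP    192.168.0.5:1080       151.198.16.127:80      ESTABLISHED     2216
  UDP    192.168.0.5:137        *:*                                    4
"""

# Constructed PID -> image name table, as `tasklist` would report it.
SAMPLE_TASKLIST = {4: "System", 1204: "smtpsvc.exe", 2216: "unknown.exe"}


@dataclass
class Conn:
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    process: str


# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text, pid_names):
    """Turn netstat text into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        host, _, port = remote.rpartition(":")
        if not port.isdigit():
            continue  # "*:*" is an unbound UDP socket with no peer
        pid = int(pid)
        conns.append(Conn(proto, local, host.strip("[]"), int(port),
                          state or "", pid, pid_names.get(pid, "<unknown pid>")))
    return conns


def connections_to(text, pid_names, target_ip):
    """All rows whose foreign address is target_ip."""
    return [c for c in parse_netstat(text, pid_names) if c.remote_ip == target_ip]


def processes_talking_to(text, pid_names, target_ip):
    """Distinct image names holding a socket to target_ip, sorted."""
    return sorted({c.process for c in connections_to(text, pid_names, target_ip)})


if __name__ == "__main__":
    for c in connections_to(SAMPLE_NETSTAT, SAMPLE_TASKLIST, "151.198.16.127"):
        print(f"{c.process:>12} (pid {c.pid}) {c.local} -> "
              f"{c.remote_ip}:{c.remote_port} {c.state}")
```

On a real box, feed it the output of `netstat -ano` and a PID table built from `tasklist`; a PID that resolves to an unexpected image name, or a mail server process with an outbound socket to a DSL pool address, is the thing to chase. The `-o` column is what makes the join possible; without it you only get addresses.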
 
This is just weird; it's permanently connected to our mail server.
You mentioned Raytheon.

If I do an IP lookup on the dnsstuff.com website, it gives me:
Code:
IP address:                     151.198.16.127
Reverse DNS:                    pool-151-198-16-127.mad.east.verizon.net.
Reverse DNS authenticity:       [Verified]
ASN:                            6995
ASN Name:                       VRIS-6995
IP range connectivity:          2
Registrar (per ASN):            ARIN
Country (per IP registrar):     US [United States]
Country Currency:               USD [United States Dollars]
Country IP Range:               151.192.0.0 to 151.207.255.255
Country fraud profile:          Normal
City (per outside source):      Newark, New Jersey
Country (per outside source):   US [United States]
Private (internal) IP?          No
IP address registrar:           whois.arin.net
Known Proxy?                    No
Link for WHOIS:                 151.198.16.127
 
papachumba said:
This is just weird; it's permanently connected to our mail server.
You mentioned Raytheon.

If I do an IP lookup on the dnsstuff.com website, it gives me:

Do a whois:

Sp00n said:
OrgName: Raytheon Company
OrgID: RAYTHE-20
Address: 2501 W. University Dr.
City: McKinney
StateProv: TX
PostalCode: 75070
Country: US

NetRange: 151.168.0.0 - 151.168.255.255
CIDR: 151.168.0.0/16
NetName: RAYTHEON-NET-151
NetHandle: NET-151-168-0-0-1
Parent: NET-151-0-0-0-0
NetType: Direct Assignment
NameServer: BOS-SERVICE1.RAYTHEON.COM
NameServer: DFW-SERVICE1.RAYTHEON.COM
NameServer: LAX-SERVICE1.RAYTHEON.COM
Comment:
RegDate:
Updated: 2001-07-17

RTechHandle: ZR46-ARIN
RTechName: Raytheon Company
RTechPhone: +1-972-952-7808
RTechEmail: ********@ext.ray.com
 
from dnsstuff.com

Code:
Location: United States [City: Newark, New Jersey]


Using 0 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).

Verizon Internet Services Inc. VIS-151-196 (NET-151-196-0-0-1) 
                                  151.196.0.0 - 151.205.255.255
Verizon Internet Services VZ-DSLDIAL-MDSNNJ-1 (NET-151-198-6-0-1) 
                                  151.198.6.0 - 151.198.29.255

# ARIN WHOIS database, last updated 2007-03-12 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
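The thread quotes three registered blocks (one Raytheon /16 from ARIN and two Verizon ranges from dnsstuff) and two spellings of the suspect address, 151.168.16.127 in the first post and 151.198.16.127 in the dnsstuff lookup. The following is an added example, not code from the thread, that checks offline which of the quoted blocks a given address falls in, using the ranges exactly as pasted above and the NetName/OrgName fields as labels; it does no live whois query.

```python
"""Which of the whois blocks quoted in the thread contains a given IP?

Added example, not code from the thread. The ranges below are copied from
the ARIN and dnsstuff output pasted above; the labels combine each block's
NetName with its holder. Lookup is offline (no whois traffic).
"""
import ipaddress

# (first address, last address, label) as quoted in the thread.
RANGES = [
    ("151.168.0.0", "151.168.255.255", "RAYTHEON-NET-151 (Raytheon Company)"),
    ("151.196.0.0", "151.205.255.255", "VIS-151-196 (Verizon Internet Services Inc.)"),
    ("151.198.6.0", "151.198.29.255", "VZ-DSLDIAL-MDSNNJ-1 (Verizon Internet Services)"),
]


def _networks(first, last):
    """A whois range is not always a single CIDR; split it into the CIDRs it covers."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def holder_of(ip):
    """Label of the most specific quoted block containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None  # (network, label) with the fewest addresses seen so far
    for first, last, label in RANGES:
        for net in _networks(first, last):
            if addr in net and (best is None or net.num_addresses < best[0].num_addresses):
                best = (net, label)
    return None if best is None else best[1]


def is_private(ip):
    """True for RFC 1918 and other non-routable space (e.g. the 192.168.0.5 mail server)."""
    return ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    for ip in ("151.168.16.127", "151.198.16.127", "192.168.0.5"):
        print(f"{ip:>16}: private={is_private(ip)} block={holder_of(ip)}")
```

The two Verizon ranges nest (the DSL dial pool sits inside the larger VIS-151-196 allocation), which is why the lookup keeps the smallest matching network rather than the first hit; an ARIN whois returns the same nesting as two records, as in the dnsstuff paste above.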
 