EH-Net (The Ethical Hacker Network) forum: Ethical Hacking Discussions and Related Certifications > Other
Page viewed: May 19, 2013, 07:57:03 PM
Topic: What are these weird IP addresses?
bobby_here
« on: June 14, 2012, 04:49:56 PM »

I was looking at my Ipredator VPN traffic in Wireshark using ppp0 and I am confused.

There were many connections to and from my machine using different protocols even when I am not using any Internet-based programs.

Here are some examples:

ICMP (my IP connects to their IPs but their IPs do not connect to my IP) - all "destination unreachable".

Whois shows I am connecting to (for example):

Comcast Cable Communications
Hungarian Telecom
Telefonica de Espana
UCOM Corp (Japan)
TENET (Ukraine)

TCP  (my IP contacts their IPs and their IPs contact my IP).

Whois shows the connections are between (for example):

NC Numericable S.A. (France)
Charter Communications (USA)
Saudi Telecoms

UDP (their IPs connect to my IP but my IP does not connect to their IPs).

Whois shows their connections are from (for example):

Verizon Internet
HINET (Taiwan)
Arrowhead (Denmark)

Do you know what these IPs might represent?  I am not manually (e.g. via HTTP) connecting to any of these networks.

Thanks!
3xban
« Reply #1 on: June 14, 2012, 08:50:53 PM »

Are you running BitTorrent software or any other P2P software?  The possibility is that your system has been compromised.  Is there any data in the packets?

Certs: GCWN
(@)Dewser
MrTuxracer
« Reply #2 on: June 15, 2012, 05:48:58 AM »

You can try "netstat -aon" and then use the PIDs to find out which application(s) is(are) establishing these connections.

Since I do not know IPredator (just the facts from their website)... the traffic is probably related to their network infrastructure?

Regards.

eCPPT, HP ASE (Networking), LPIC-1, OSCP, WCSP
www.inshell.net
MaXe
« Reply #3 on: June 15, 2012, 08:47:38 AM »

I suggest you use the Microsoft sysinternals such as Process Monitor and Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb795533 and perhaps some of their other tools: http://technet.microsoft.com/en-us/sysinternals/bb795532

It's impossible to say what the traffic is for. If it's incoming connections that are dropped by your computer (or firewall), it's most likely the background noise of the Internet; if it's outgoing connections from your computer, it could be traffic related to torrents, Tor, etc.

Use netstat -nao and the task manager to identify which pids are doing what as MrTuxracer said. You can enable viewing the PIDs in the Task Manager by opening the View menu, clicking Select Columns, and then ticking PID (Process Identifier) on.

You can also use the console (cmd.exe) with the following command: tasklist

That should keep you busy for a while *grin*

I'm an InterN0T'er
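As an added illustration of the netstat -ano / tasklist approach that MrTuxracer and MaXe describe (example code written for this thread, not from either poster), the following Python joins the two command outputs on PID and keeps only sockets whose peer is an Internet host. The netstat and tasklist text is a constructed sample; the process names and the RFC 5737 TEST-NET peer addresses are made up, and only the local address 109.205.169.5 comes from the thread.

```python
import ipaddress
import re
# Constructed sample of Windows `netstat -ano` output (not a real capture);
# foreign peers use RFC 5737 TEST-NET addresses as stand-ins for public hosts.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    109.205.169.5:49201    198.51.100.7:6881      ESTABLISHED     3412
  TCP    109.205.169.5:49215    192.0.2.44:443         ESTABLISHED     2040
  TCP    192.168.1.10:49300     192.168.1.1:80         ESTABLISHED     2040
  UDP    109.205.169.5:6881     *:*                                    3412
"""
# Constructed sample of `tasklist` output with the same (made-up) PIDs.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    876 Services                   0      8,112 K
firefox.exe                   2040 Console                    1    210,512 K
p2pclient.exe                 3412 Console                    1     45,300 K
"""
# Peers in these ranges are LAN, loopback or link-local, not Internet hosts.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_tasklist(text):
    """Map PID -> image name; the header and '====' lines fail the regex."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)\s", line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids

def parse_netstat(text):
    """Yield (proto, peer_host, peer_port, state, pid) for each socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        host, _, port = parts[2].rpartition(":")
        state = parts[3] if parts[0] == "TCP" else ""  # UDP has no state column
        yield parts[0], host.strip("[]"), port, state, int(parts[-1])

def internet_sockets(netstat_text, tasklist_text):
    """Sockets whose peer is an Internet host, attributed to the owning process."""
    names = parse_tasklist(tasklist_text)
    rows = []
    for proto, host, port, state, pid in parse_netstat(netstat_text):
        if host in ("*", "0.0.0.0", "::"):
            continue  # wildcard peer: a listening socket with no remote end yet
        if any(ipaddress.ip_address(host) in net for net in LOCAL_NETS):
            continue  # LAN traffic is not what the thread is asking about
        rows.append((names.get(pid, f"pid {pid}"), proto, host, port, state))
    return rows
```

Each row names the process that owns the socket, so an unexpected peer can be traced to a program (or to a PID that no task list entry explains) rather than guessed at from WHOIS alone.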
Dark_Knight
« Reply #4 on: June 15, 2012, 09:28:26 AM »

Check out ProcessHacker http://processhacker.sourceforge.net/
Have a look at the network tab to see the ports in use by the different services. The tool is similar to those mentioned above but it has a lot more to offer.
« Last Edit: June 15, 2012, 09:30:42 AM by Dark_Knight »

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
MaXe
« Reply #5 on: June 16, 2012, 12:42:59 AM »

I just remembered that when I saw the topic, I thought you were going to discuss / ask about hijacked IP-space and servers located in the 1.0.0.0/8 range :-)

Edit:
I've had a few weird IPs trying to connect to my home equipment or servers a couple of years ago. One of them was 1.1.1.1 *grin*

I'm an InterN0T'er
bobby_here
« Reply #6 on: June 29, 2012, 02:23:18 PM »

The VPN provider finally replied.

"I guess without VPN you are on a private IP so you don't see such traffic as it
hits your NAT router. With VPN you are on a public IP so any connection attempt hits your interface."

That just about makes sense to me.

If anyone is interested I've included a small (200 entry) Wireshark file.

I am 109.205.169.5.  The Wireshark file shows:

ICMP (my VPN IP to many other IPs) - always "destination unreachable - port unreachable".

WHOIS shows my ICMP traffic to:

Oriental Cable Network Co (China)
Charter Communications (USA)
MarocTelecom (Morocco)
Telenor Norge (Norway)
RCS & RDS (Romania)

TCP (their IPs to my VPN IP and my VPN IP then responds to their IPs).

WHOIS shows TCP traffic to and from:

Hetzner Online (Germany)
BVNET (Argentina)

UDP (their IPs to my VPN IP).

WHOIS shows their UDP traffic to me from:

Oriental Cable Network Co (China)
TurkTelekom (Turkey)
Bulgarian Telecommunications Company (Bulgaria)
103.2.208.5 (an IP with no WHOIS record)
Cablevision AR (Argentina)

Hopefully it will be interesting to someone...
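The provider's explanation (a public VPN address receives every unsolicited probe that a NAT router would otherwise absorb) can be checked directly against a capture. As an added example, not from the original post, the following Python classifies each peer in a Wireshark-style packet summary by who started the exchange and whether the VPN host ever replied with anything beyond an ICMP port-unreachable or a TCP RST, which is exactly the ICMP/TCP/UDP pattern the poster lists. The packet lines are a constructed sample and the peer addresses are RFC 5737 TEST-NET placeholders; only 109.205.169.5 is from the thread.

```python
from collections import defaultdict

MY_IP = "109.205.169.5"  # the VPN address the poster quotes above

# Constructed packet summary in the style of Wireshark's packet list
# (no. / source / destination / protocol / info); peers are TEST-NET addresses.
CAPTURE = """\
1 198.51.100.23 109.205.169.5 UDP 53012 -> 1024 Len=37
2 109.205.169.5 198.51.100.23 ICMP Destination unreachable (Port unreachable)
3 203.0.113.9 109.205.169.5 TCP 44511 -> 445 [SYN]
4 109.205.169.5 203.0.113.9 TCP 445 -> 44511 [RST, ACK]
5 109.205.169.5 192.0.2.10 TCP 49215 -> 443 [SYN]
6 192.0.2.10 109.205.169.5 TCP 443 -> 49215 [SYN, ACK]
7 109.205.169.5 192.0.2.10 TCP 49215 -> 443 [ACK]
8 198.51.100.77 109.205.169.5 UDP 6881 -> 6881 Len=120
9 109.205.169.5 198.51.100.77 UDP 6881 -> 6881 Len=98
"""

# Outbound packets that merely refuse an unsolicited probe, not real replies.
REJECTIONS = ("Port unreachable", "[RST, ACK]", "[RST]")

VERDICTS = {
    "local": "locally initiated: map the local port to a PID with netstat -ano",
    "answered": "remote-initiated and answered: a local service or P2P client is listening",
    "noise": "unsolicited and rejected: Internet background noise hitting the public VPN IP",
}

def parse_capture(text):
    """Return (src, dst, proto, info) tuples from the summary lines."""
    pkts = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5:
            pkts.append(tuple(parts[1:]))
    return pkts

def classify_peers(pkts, my_ip=MY_IP):
    """Per remote peer: who sent the first packet, and did we ever reply
    with something other than an ICMP unreachable or a TCP RST?"""
    first = {}
    answered = defaultdict(bool)
    for src, dst, proto, info in pkts:
        outbound = src == my_ip
        peer = dst if outbound else src
        first.setdefault(peer, "local" if outbound else "remote")
        if outbound and not any(r in info for r in REJECTIONS):
            answered[peer] = True
    return {peer: VERDICTS["local" if who == "local"
                           else "answered" if answered[peer] else "noise"]
            for peer, who in first.items()}
```

Peers in the "noise" bucket are the ICMP port-unreachable and RST-only exchanges the poster saw; the "answered" bucket is the one worth following up with netstat, since something local accepted the inbound traffic.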