What are these weird IP addresses?

bobby_here

Newbie

Posts: 14

Joined: Sat Jun 02, 2012 4:04 pm

Post Thu Jun 14, 2012 4:49 pm

What are these weird IP addresses?

I was looking at my Ipredator VPN traffic in Wireshark using ppp0 and I am confused.

There were many connections to and from my machine using different protocols even when I am not using any Internet-based programs.

Here are some examples:

ICMP (my IP connects to their IPs but their IPs do not connect to my IP) - all "destination unreachable".

Whois shows I am connecting to (for example):

Comcast Cable Communications
Hungarian Telecom
Telefonica de Espana
UCOM Corp (Japan)
TENET (Ukraine)

TCP  (my IP contacts their IPs and their IPs contact my IP).

Whois shows the connections are between (for example):

NC Numericable S.A. (France)
Charter Communications (USA)
Saudi Telecoms

UDP (their IPs connect to my IP but my IP does not connect to their IPs).

Whois shows their connections are from (for example):

Verizon Internet
HINET (Taiwan)
Arrowhead (Denmark)

Do you know what these IPs might represent?  I am not manually (e.g. via HTTP) connecting to any of these networks.

Thanks!

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Thu Jun 14, 2012 8:50 pm

Re: What are these weird IP addresses?

Are you running BitTorrent software or any other P2P software? The possibility is that your system has been compromised. Is there any data in the packets?
Certs: GCWN
(@)Dewser

MrTuxracer

Newbie

Posts: 47

Joined: Fri Dec 30, 2011 4:25 am

Location: Germany

Post Fri Jun 15, 2012 5:48 am

Re: What are these weird IP addresses?

You can try "netstat -aon" and then use the PIDs to find out which application(s) is(are) establishing these connections.

Since I do not know IPredator (just the facts from their website)... the traffic is probably related to their network infrastructure?

Regards.
eCPPT, HP ASE (Networking), LPIC-1, OSCP, WCSP
http://www.rcesecurity.com

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Jun 15, 2012 8:47 am

Re: What are these weird IP addresses?

I suggest you use the Microsoft sysinternals such as Process Monitor and Process Explorer: http://technet.microsoft.com/en-us/sysi ... s/bb795533 and perhaps some of their other tools: http://technet.microsoft.com/en-us/sysi ... s/bb795532

It's impossible to say what the traffic is for. If it's incoming connections that are dropped by your computer (or firewall), it's most likely the background noise of the Internet; if it's outgoing connections from your computer, it could be traffic related to torrents, Tor, etc.

Use netstat -nao and the task manager to identify which pids are doing what as MrTuxracer said. You can enable viewing the PIDs in the Task Manager by opening the View menu, clicking Select Columns, and then ticking PID (Process Identifier) on.

You can also use the console (cmd.exe) with the following command: tasklist

That should keep you busy for a while  ;D
I'm an InterN0T'er
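The netstat-plus-PID workflow that MrTuxracer and MaXe describe, as an added example that is not code from either poster: it joins the `Proto / Foreign Address / PID` columns of `netstat -ano` with the `Image Name / PID` columns of `tasklist` so each remote endpoint is attributed to a process. The two command outputs embedded below are constructed samples, not captures from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    10.0.0.5:49152         203.0.113.7:443        ESTABLISHED     4120
  TCP    10.0.0.5:49153         198.51.100.9:6881      ESTABLISHED     5532
  UDP    0.0.0.0:6881           *:*                                    5532
  UDP    10.0.0.5:5353          *:*                                    1344
"""

# Constructed sample of `tasklist` output (not a real listing).
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    880 Services                   0     12,000 K
chrome.exe                    4120 Console                    1    150,000 K
utorrent.exe                  5532 Console                    1     40,000 K
mDNSResponder.exe             1344 Services                   0      5,000 K
"""

def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s", line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) rows from `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows

def connections_by_process(netstat_text, tasklist_text):
    """Group remote endpoints by owning process, skipping listeners and unbound peers."""
    names = parse_tasklist(tasklist_text)
    result = defaultdict(list)
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING" or foreign == "*:*":
            continue  # socket is waiting for peers; no remote side to attribute
        result[names.get(pid, f"pid {pid}")].append(f"{proto} {foreign}")
    return dict(result)
```

On the real outputs the only change is to read the two texts from `subprocess.run(["netstat", "-ano"], ...)` and `subprocess.run(["tasklist"], ...)` instead of the constants.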

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Fri Jun 15, 2012 9:28 am

Re: What are these weird IP addresses?

Check out ProcessHacker http://processhacker.sourceforge.net/
Have a look at the network tab to see the ports in use by the different services. The tool is similar to those mentioned above but it has a lot more to offer.
Last edited by Dark_Knight on Fri Jun 15, 2012 9:30 am, edited 1 time in total.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sat Jun 16, 2012 12:42 am

Re: What are these weird IP addresses?

I just remembered that when I saw the topic, I thought you were going to discuss / ask about hijacked IP-space and servers located in the 1.0.0.0/8 range :-)

Edit:
I've had a few weird IPs trying to connect to my home equipment or servers a couple of years ago. One of them was 1.1.1.1  ;D
I'm an InterN0T'er

bobby_here

Newbie

Posts: 14

Joined: Sat Jun 02, 2012 4:04 pm

Post Fri Jun 29, 2012 2:23 pm

Re: What are these weird IP addresses?

The VPN provider finally replied.

"I guess without VPN you are on a private IP so you don't see such traffic as it
hits your NAT router. With VPN you are on a public IP so any connection attempt hits your interface."

That just about makes sense to me.

If anyone is interested I've included a small (200 entry) wireshark file.

I am 109.205.169.5. The Wireshark file shows:

ICMP (my VPN IP to many other IPs) - always "destination unreachable - port unreachable".

WHOIS shows my ICMP traffic to:

Oriental Cable Network Co (China)
Charter Communications (USA)
MarocTelecom (Morocco)
Telenor Norge (Norway)
RCS & RDS (Romania)

TCP (their IPs to my VPN IP and my VPN IP then responds to their IPs).

WHOIS shows TCP traffic to and from:

Hetzner Online (Germany)
BVNET (Argentina)

UDP (their IPs to my VPN IP).

WHOIS shows their UDP traffic to me from:

Oriental Cable Network Co (China)
TurkTelekom (Turkey)
Bulgarian Telecommunications Company (Bulgaria)
103.2.208.5 (an IP with no WHOIS record)
Cablevision AR (Argentina)

Hopefully it will be interesting to someone...
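The VPN provider's explanation can be checked against a capture mechanically: on a public IP, unsolicited probes arrive directly, and the host's own answers (ICMP "port unreachable" to a UDP probe, TCP RST to a SYN on a closed port) are what show up as "my IP to their IPs". The classifier below is an added example, not bobby_here's capture or any tool from the thread; it labels each remote peer by who spoke first and how the host answered, and treats an outbound ICMP error as a reply even when the probe that triggered it fell outside the capture window. The packet summaries are constructed.

```python
MY_IP = "109.205.169.5"  # the VPN address quoted in the post

# Constructed packet summaries (src, dst, proto, info) in capture order.
PACKETS = [
    ("198.51.100.20", MY_IP, "UDP", "src port 6881 -> dst port 3074"),
    (MY_IP, "198.51.100.20", "ICMP", "Destination unreachable (Port unreachable)"),
    ("203.0.113.8", MY_IP, "TCP", "[SYN] 445"),
    (MY_IP, "203.0.113.8", "TCP", "[RST, ACK]"),
    (MY_IP, "192.0.2.44", "TCP", "[SYN] 443"),
    ("192.0.2.44", MY_IP, "TCP", "[SYN, ACK]"),
    ("198.51.100.77", MY_IP, "UDP", "src port 1900 -> dst port 1900"),
    # ICMP error whose triggering UDP probe was not captured
    (MY_IP, "198.51.100.90", "ICMP", "Destination unreachable (Port unreachable)"),
]

def classify_peers(packets, my_ip):
    """Label each remote IP by who initiated contact and how this host replied."""
    first_dir = {}  # peer -> "inbound" | "outbound"
    replies = {}    # peer -> set of reply kinds sent by my_ip
    for src, dst, proto, info in packets:
        peer = dst if src == my_ip else src
        if peer not in first_dir:
            # An ICMP error from us is always a response, so the peer spoke
            # first even if its probe is missing from the capture.
            started_by_me = src == my_ip and proto != "ICMP"
            first_dir[peer] = "outbound" if started_by_me else "inbound"
        if src == my_ip:
            kinds = replies.setdefault(peer, set())
            if proto == "ICMP" and "Port unreachable" in info:
                kinds.add("icmp-port-unreachable")
            elif proto == "TCP" and "RST" in info:
                kinds.add("tcp-rst")
    labels = {}
    for peer, direction in first_dir.items():
        kinds = replies.get(peer, set())
        if direction == "outbound":
            labels[peer] = "outbound: identify the local process (netstat -ano)"
        elif kinds:
            labels[peer] = "unsolicited probe, rejected by host: " + ",".join(sorted(kinds))
        else:
            labels[peer] = "unsolicited inbound, no reply: background noise"
    return labels
```

Only the peers labelled "outbound" need the netstat/PID follow-up from earlier in the thread; the rest are the public-IP background noise the provider described.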
