unknown ip address in wallwatcher

I have a private network

192.168.1.1 gateway ..200 access point ..205 access point then 4 DHCP addresses that start at 100

I am getting a 192.168.1.52 in my wallwatcher log from

63.224.157.64 (U S WEST Internet Services)

and

24.216.183.13 (Charter Communications CHTR-HSA-1BLK (NET-24-216-0-0-1) 24.216.0.0 - 24.216.255.255)

How can they secure an ip on my internal network?

Reply to
cyberstarone

Thanks.

I'd like to know that too. I put an example of the wallwatcher log below. But the .52 is there - like 20-30 times. THERE IS NO MACHINE ON MY NETWORK WITH THAT IP. My desktop is 192.168.1.100 and my wireless notebook is .101.

2005/10/27 00:05:14.24 I tcp 24.216.183.13 6346 192.168.1.52 2010

My routers do not support WAP. I have 128 bit WEP.

FURTHER, MY DHCP TABLE > snipped-for-privacy@hotmail.com wrote in news:1130421739.452603.316480

Reply to
cyberstarone

snipped-for-privacy@hotmail.com wrote in news:1130421739.452603.316480 @g14g2000cwa.googlegroups.com:

You're getting 192.168.1.52. What are you talking about? Either there is a machine on your network that has that LAN IP address or there is not a machine on your LAN that has that IP that you know about.

Well, if this is a wireless network that you have which I'll assume .200 access point means WAP, then why not if you have not secured the wireless network properly?

Anyone can obtain a DHCP or static IP from your wireless network and use your network if you don't take measures to prevent the access. In addition to that since the 192.168.1.52 is on the same IP part of 192.168.1, he or she may have been all over your LAN machines that use the 192.168.1 if those machines are not protected too.

If there is a router in play and it has wireless MAC filtering, you may want to start using that feature.

Some basics

formatting link
Duane :)

Reply to
Duane Arnold

from the WW documentation :

An Inbound log record means an unsolicited message arrived at your Router, and was discarded. The Router only allows responses to Outbound messages to pass through to your computers, except when you are using a DMZ computer. The fact that the Router has recorded Inbounds is cause for comfort, not alarm: it caught, blocked, and discarded those records, so they never reached or harmed your computers.

The WAN and subnet addresses are used by WW and WRV when you decide to not display Inbounds to the WAN or LAN. Any Inbound traffic that the Router redirects to the DMZ or port forwards to a specified local computer will show that computer's LAN address in the "Local IP Address" column. All other Inbound traffic will show the WAN address in that column. If you're not using a DMZ or port forwarding, all Inbounds should show the WAN address. Everything with a WAN address was blocked by the Router; everything with a LAN address was passed through to the specified machine.

Maybe your router does this port forwarding.

Reply to
goofy
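The documentation rule quoted above, applied to WallWatcher-style records (an added example, not part of the thread and not WallWatcher's own code). It assumes the field order of the single record quoted earlier in the thread and uses the LAN inventory from the original post; the direction code `O`, the WAN address 203.0.113.20 and every sample line after the first are constructed.

```python
import ipaddress
import re
from collections import Counter

# Field layout assumed from the one record quoted in the thread:
# date time direction proto remote_ip remote_port local_ip local_port
RECORD = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>[\d:.]+) (?P<dir>\S) (?P<proto>\w+) "
    r"(?P<remote>[\d.]+) (?P<rport>\d+) (?P<local>[\d.]+) (?P<lport>\d+)$"
)

LAN = ipaddress.ip_network("192.168.1.0/24")  # subnet described in the thread
KNOWN_HOSTS = {                                # devices listed in the original post
    "192.168.1.1", "192.168.1.100", "192.168.1.101",
    "192.168.1.200", "192.168.1.205",
}

def classify(line):
    """Return (verdict, local_ip) for an inbound record, or None otherwise."""
    m = RECORD.match(line.strip())
    if not m or m["dir"] != "I":
        return None
    if ipaddress.ip_address(m["local"]) not in LAN:
        return ("blocked", m["local"])         # WAN address: discarded at the router
    if m["local"] in KNOWN_HOSTS:
        return ("forwarded-known", m["local"])
    # LAN address with no known device: a DMZ or port-forward target to review
    return ("forwarded-unknown", m["local"])

def summarize(lines):
    """Count inbound records per (verdict, local address)."""
    return Counter(r for r in map(classify, lines) if r)

# Constructed sample. Line 1 is the record from the thread; the others are
# made up (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE = """\
2005/10/27 00:05:14.24 I tcp 24.216.183.13 6346 192.168.1.52 2010
2005/10/27 00:05:15.10 I tcp 63.224.157.64 6346 192.168.1.52 2010
2005/10/27 00:06:01.77 I udp 198.51.100.7 1026 203.0.113.20 1434
2005/10/27 00:06:30.02 O tcp 198.51.100.9 80 192.168.1.100 3120
""".splitlines()

if __name__ == "__main__":
    for (verdict, ip), n in sorted(summarize(SAMPLE).items()):
        print(f"{verdict:18} {ip:15} {n}")
```

A `forwarded-unknown` address is the cue to check the router's DMZ and port-forwarding pages for an entry pointing at it.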

snipped-for-privacy@hotmail.com wrote in news: snipped-for-privacy@f14g2000cwb.googlegroups.com:

What are you hollering for? If you know anything which you don't seem to know, then you would know that when a static IP is used on the router, it's NOT going to be recorded in the DHCP table, since the IP of 192.168.1.52 is NOT a DHCP IP it's a static IP it is not going to be recorded. DHCP IP(s) on your router start at 192.168.1.100 for whatever the count you have set for the router, which the count is probably the *DEFAULT* out of the box setting, to issue DHCP IP(s) to machines. DHCP IP(s) are going to be recorded in the DHCP table and STATIC IP(s) are not going to be recorded. Static IP(s) on the router and that's any IP that is not issued by the DHCP server are static IP(s). So if the DHCP issue count is 5 then 192.168.1.100-192.168.1.105 are DHCP IP(s) THAT ARE GOING TO BE RECORDED IN THE DHCP TABLE LINKED TO A NIC'S MAC. STATIC IP(S) ARE NOT RECORDED IN THE DHCP TABLE --- YOU GOT IT!

Your little trifling wireless network has been *hacked* by someone who is using a static IP on your router. At least you're watching the logs and know that something is not RIGHT!

Duane :)

Reply to
Duane Arnold

Time to upgrade; WEP isn't very secure. You should move up to WPA, at the least. BTW, "WAP" means "Wireless Access Point"; which would be your 192.168.1.200 and 192.168.1.205 devices. "WPA" means "Wi-Fi Protected Access", a security encryption scheme used on WAPs.

Which, as Duane shows, does not prevent somebody from using any IP address outside of the range of your DHCP assigned IP address, but within the scope of your LAN IP addresses. Assuming your router at 192.168.1.1 is a Linksys router, and you have the factory default configuration, your DHCP range is 192.168.1.100 to 192.168.1.150 (fifty devices), but your LAN scope is 192.168.1.1 to 191.168.1.254 (IP address 192.168.1.1, subnet mask 255.255.255.0). Any neighbor, or passerby, who can crack your WEP security (which is not terribly hard to do) can associate to your WLAN and assign themselves IP address within the scope of your LAN IP addresses. Using a MAC filter can mitigate that, somewhat. Using WPA security is much more certain.
Reply to
NormanM

"Using WPA security is much more certain. "

Okay, does that mean I need to buy new wireless routers that support WPA?

Reply to
cyberstarone

Well, that is a possibility. But you can buy software/hardware as much as you like, but that makes a computer not safe. You have to understand at least a little bit about what you are doing. You have to read the manual and change some router defaults. Make your router as secure as possible; a "hacker" would try another router. There are a lot of unprotected routers!

Reply to
goofy

Thanks. I have a BEFSR41v4 firmware version 1.04.02 here and before I tried the tip from a firewall newsgroup, I could not see the Linksys logs in the Wallwatcher. I read in a thread there how to enable this. You need to enable DMZ and forward to an unused IP, in my case 192.168.1.50. Now you must enable logging and specify the logging IP address 192.168.1.100 or 255 for all computers and you will see stuff in your incoming log. I would appreciate any suggestions to make the use of DMZ not needed or easier. Rick

Reply to
Rick Larson

Rick Larson wrote in news: snipped-for-privacy@4ax.com:

It doesn't sound right. I have used WW on Linksys and Watchguard and the DMZ never came into play. However instead of broadcasting the Linksys log to all machines 192.168.1.255 I think was the all machines broadcast IP, I did point it to a static IP the computer was using that had WW running.

Duane :)

Reply to
Duane Arnold

What do you mean with "secure an IP"?

Yours, VB.

Reply to
Volker Birk

Do you mean "my access points do not support WPA"? Then you should use an encrypted VPN.

Yours, VB.

Reply to
Volker Birk

You shouldn't need to use a DMZ to collect logs from a BEFSR41, but you do have to make sure the router will send the logs to the LAN address that does the logging. The router's LOGGING page has to have logging enabled, and you have to supply either the specific LAN address of the computer that will collect the logs, or "255.255.255.255" to broadcast the logs to all the LAN stations.

If you give the router a specific address and the router subsequently changes the LAN address assignments, the logs will be sent to the wrong computer, and logging will seem to have stopped. This happens from time to time on my own system, so my router is set to "broadcast" to avoid the problem.

Reply to
newsgroups

Volker Birk wrote in news: snipped-for-privacy@news.uni-ulm.de:

That's just a way of speaking sometimes in the English language. What is meant by the *secure an IP* is *obtain an IP*.

Duane :)

Reply to
Duane Arnold

Have you tried sending a help email to the WW guy who wrote the program and he sometimes frequents this NG? It may work for you but it doesn't make any sense. What the DMZ has to do with the logging makes no sense. I too had a problem with the log being broadcasted to the machine that had WW running on the XP Pro machine when the SP install enabled the XP FW and that blocked the port that WW needed open on the machine that BlackIce running on the machine knew to allow traffic on the inbound port that WW needed. So, I disabled the XP FW and the logging started working but that was after the WW guy saw my post about the WW had stopped showing the syslog data from the router in the NG. Maybe, that's your problem is that a personal FW or some other packet filter is blocking the inbound traffic to WW normally and you're circumventing the problem by doing what you're doing. It's just a guess.

On a small home network, you broadcasting to a DHCP IP a machine may get like 192.168.1.100 may not be a problem for you as the machine on a small LAN will most likely get the .100 DHCP IP over and over due to the NIC's MAC. But the machine could get a different IP with WW running and there you go. That's why I like to configure the computer's NIC to use a router's static IP like 192.168.1.50 and configure the router to broadcast the log to 192.168.1.50 as an example.

Duane :)

Reply to
Duane Arnold

Before you Freak out and say "I'm Hacked".

Do you use XP? Remote Desktop or RDP connection? (Any type of the Windows Terminal services Connection?)

These use their own scheme for creating dynamically assigned addressing to dismiss IP conflicts. This 192.168.1.52 is a common assignment by Windows terminal services introduced by default in XP versions.

There are many reasons for one thing in computers. It takes more than one post to determine you've been hacked.

Please address this issue before you can diagnose further.

Good luck


Reply to
Burr

snipped-for-privacy@hawaii.rr-dot-com.no-spam.invalid (Burr) wrote in news:1K2dncYGX7gk2uLenZ2dnUVZ snipped-for-privacy@giganews.com:

???????????????????????

You would think one would know if he or she were using the above. And there is nothing to say that someone couldn't activate RDS on XP or install an RDS application on the machine to *hack* it.

Duane :)

Reply to
Duane Arnold
