visual zone

Discussion in 'other firewalls' started by Bethrezen, Jul 14, 2002.

Thread Status:
Not open for further replies.
  1. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi

    I saw another post about this some time ago and I decided to keep an eye on my logs, and I've found a few suspect results.

    My IP is usually 213.122.xxx.xxx each time I log on;
    however, the suspect results have a different IP, 62.6.xxx.xxx.

    I'm just wondering if this could be evidence of someone using my computer connection as a proxy, and if so, how do I stop it?

    Now, I know that it could be the fact that I just logged on and I got that person's IP, but I'm pretty sure that the suspect reports happened some time after I logged on, e.g. happened say 30 min after I logged on.

    help
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Bethrezen,

    Got a log or screen cap?

    regards.

    paul
     
  3. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    As Paul says, a couple of illustrative log entries would be helpful.

    I have seen something like this on NIS/NPF event logs from time to time. (And, after a quick double-take, I figured out they were perfectly legitimate.)

    The ones I have seen have occurred on a PC serving as a LAN gateway between several other PCs and the Internet at large, using Microsoft's ICS in my case, but it could just as well be SHN or any of a number of other software routers. So, if one of the client PCs requests a page from a website, it comes in(bound) to the gateway PC for forwarding to the website. In the logs, it would show as an inbound connection from 192.168.0.3 to 12.34.56.78:80, for example, and 12.34.56.78 would not be the IP address of the local machine.

    Now, this may not be the kind of situation you're seeing, but maybe it will suggest some other possibilities to you.
     
  4. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    I have VisualZone too and went through the same thing a little while back. My ISP assigns my "IP" when I log on. I was getting probes from Kazaa for an IP I'd never seen before. It upset me until I learned what was going on. Now, whenever I log on to my ISP, I go to a site which shows my "IP" and then I know what it is for that session. I go to this site:

    http://www.geektools.com/cgi-bin/proxy.cgi

    Scroll down to the bottom of the page and it will show you your current IP. This link is also a whois proxy server, so you can check on the IPs you've gotten before. (The link above is the correct address. I always test my links to make sure they work, but it won't connect right now, not even from my bookmark. Hmmm!)
     
  5. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi

    Screen caps? What's that?

    As for the log entries, I accidentally deleted the log, but when I get another instance of it happening I'll post the log entry.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You can check your own IP with TDS as well: TDS > System Analyses > Get IP address; it shows all the IPs of your ISP and internal, and a lot of other tools.

    For your story, was it worse this last weekend? During this hackers conference I had more attacks than ever and saw in Visual Zone results often the same MAC addresses of the attackers but all the time different IPs/DNSs, so it looked like people's systems were being used as proxies.
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Screen caps = screen captures. You capture the screen being up at the moment, save it as xx.jpg, for example, and publish it over here using the "attach" possibility at the bottom of each post.

    In case you encounter this again, feel free to post the (relevant) log file and a screen cap.

    regards.

    paul
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I mentioned above the same MAC addresses in all those alerts, while the IPs all differ.
    I've been told that in some Windows versions people can change/fake MAC addresses. Does anybody know more about this?
    Could it be that Win2000 or XP, for instance, come with a standard MAC 4444553547777 or 4444553540000, to name the most frequent codes?
    If so what is the value of MAC addresses anymore?
     