Need help of a NETWORK ADMIN - tech question but trust me, MAJOR political import!!!

Status
Not open for further replies.

Jim March (Member; joined Dec 24, 2002; 8,732 messages; SF Bay Area)
Folks, I've got a computer that's trying (and failing) to make contact with *something* at an IP address of 192.168.2.4 - I can't ping it, I can't make any contact with it so far. I need to know who owns that number (or subnet) and swear to God, I need it *STAT*. I'm fairly geeky but I haven't had to deal with this.

Tried pinging 192.168.2.0, 192.168.2.1, several others, nothing. This is WAY hot, can't say what it's about yet. HELP!?
 
192.168 is a local subnet. It is another computer on your network that is pinging/being pinged.

Most routers assign a 192.168.0.1 to themselves, and assign numbers after that to following machines. If you have a wireless router, it may be time to start MAC address filtering!
 
192.168.*.* is a private subnet. No one owns it. It's reserved for private use and is not allocated for Internet use.
 
BTW: Here are the ranges for private-use IP addresses.

Class A: 10.0.0.0 - 10.255.255.255
(Subnet mask: 255.0.0.0)

Class B: 172.16.0.0 - 172.31.255.255
(Subnet mask: 255.255.0.0)

Class C: 192.168.0.0 - 192.168.255.255
(Subnet mask: 255.255.255.0)

As far as why the computer is trying to contact that specific IP address, you may want to check it for viruses/worms/trojans/spyware.
 
Yep, everything OcabJ said was correct.

You most definitely want to run a virus scan, and a spybot cleaner (spybot search and destroy, adaware, spysweeper, etc). All are available for free, or cheaply online. (Spybot and Adaware are free, security.kolla.de, and lavasoft.com)
 
Ditto the above. If you have one point of access to the internet like a cable modem or DSL line, you get one public address. If you want a bunch of computers and printers in your house or office to share that one point of access then they need to be on a private sub-net like 192.168.xxx.xxx. They are called 'non-routable' because they don't work out in the wild. So the good news is that it can't be someone outside of your point of access, it has to be in-house. In other words...you are probably pinging yourself! Of course if you have an unsecured wireless router or if the Black Box Boys have physically connected into your wiring, then all bets are off.
 
assuming you have a wireless router

do you have WEP enabled?
somebody warchalked your router and is trying to discover other nodes on your network
 
Wait.

I did a WHOIS on this:

Search results for: 192.168.2.4

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 192.168.0.0 - 192.168.255.255
CIDR: 192.168.0.0/16
NetName: IANA-CBLK1
NetHandle: NET-192-168-0-0-1
Parent: NET-192-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate: 1994-03-15
Updated: 2002-09-16

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: [email protected]

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2004-12-05 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

OK, now talk to me. What the hell is going on here?

This is a Diebold-supplied central vote tabulator trying to do this!!! In Florida. DO NOT spread this beyond this board, let's get to the bottom of this, OK?

The error message from a Windows event log (WinNT, SP6?) reads something like:

-----------
the DHCP server issued a NACK to the client for the address request

client 0001A8C00100502C070C07 for the address (192.168.2.4)
-----------

What the hell is up here?

Note that this box has a bank of modems attached that are only turned on during a two-hour window after polls close. Is this thing trying to make contact with the outside world over those modems, which is mebbe what the DHCP is all about?

Is "0001A8C00100502C070C07" an Ethernet address maybe?
 
Does this computer use VPN or something similar to connect to a remote network (teleworker's machine, laptop, etc)? If so, the remote network might house 192.168.*.*.

What port is the computer trying to use when contacting that host? Knowing the port might help to determine if this is in any way legitimate since a lot of malware uses odd ports.

Chris
 
nothing unusual is happening here. i'm not going to go into a discourse on networking, but your diebold machine is simply asking for an IP address that's outside the range configured on your DHCP server. odds are, you recently moved the diebold machine from a network where IT WAS 192.168.2.4, only, it doesn't know it got moved, so it's still asking for its old address. DHCP is sending a NACK (Negative ACKnowledgement) which says it can't have that ip address anymore.

sorry to disappoint,
 
OK. The only LEGIT connection to the outside world a GEMS/Diebold box is supposed to make are incoming modem connections via a Digiboard and modem bank. The thing is supposed to take in data from voting terminals (touchscreen, optical scan, doesn't matter) right after the polls close so that "early results" can be fed to the press. Then people hand-carry the memory cards (PCMCIA, basically "electronic ballot boxes") in from the field and they upload those to the GEMS tabulator via PCs connected to Ethernet straight to the GEMS box.

I can't see any legit reason for the central box to initiate a DHCP connection to anything else, across modem or Ethernet.

Am I missing any legit reason for these errors?

OR: is it just waiting for those modems to go live, erroring out once in a while in the meantime, so it can initiate an outside connection?

If the latter, that is WAY bad news!!!
 
You'll get the same results from whois 10.1.1.1 or 172.20.1.1

If you're interested in who owns that machine, you'll need to know more about the network the machine is supposed to be connecting to. I could have a 192.168.2.4 on my network, and you could have one on yours. Heck, everybody could use 192.168.2.4... that address space is non-routable on a public network. It's only valid across a private net.
 
OK. Wait. Break it down so I'm sure I know what's up: is this thing trying to make an Ethernet connection? Or a modem connection? Or it's just bad settings flopping around?

Help me out here. Why is it doing this?
 
Jim,

The 192.168.x.x series of addresses are (as several posted above) reserved for private use. What that means in layman's terms is this:

If you have a private network in your home or business, you should make use of addresses in one of the private reserved blocks (192.168.x.x, 172.16.x.x, or 10.x.x.x), so that, if at a later time, your network becomes attached to the internet, your internal packets will not be inadvertently propagated to other hosts on the internet.

The routers at ISPs are smart enough to know that packets to or from those addresses should not be forwarded.

Taliv's correct; the box used to live on a network where its address was 192.168.2.4, and that address was issued by a DHCP server. Because DHCP-issued addresses are supposed to survive reboots, and expire after a specified time interval, the box is attempting to re-acquire the "lease" it held on the address.

"0001A8C00100502C070C07" is the physical address id of the network card in the box. It's called the MAC (Media Access Controller) address, and is unique to the individual network adapter card.

Interestingly, MAC addresses are traceable to the manufacturer of the network card itself. In this case:

Welltech Computer Co., Ltd.
13F-4, no. 150, Jian Yi Road
Chung-Ho 235, Taipei
TAIWAN TAIWAN R.O.C.
TAIWAN, REPUBLIC OF CHINA


-BP
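The DHCP behaviour taliv and Brokenpaw describe (a box re-requesting the 192.168.2.4 lease it remembers from an earlier network, and the server refusing it with a NACK because that address is outside its configured scope) is modelled below as an added example that is not from this thread. The scope 192.168.1.0/24 and the addresses in the usage section are constructed sample values, and the event-text parser assumes wording shaped like the log excerpt Jim quoted, which he says is only approximate.

```python
# Added example, not from the thread: why a DHCP server NAKs an INIT-REBOOT
# request for an off-scope address, plus the RFC 1918 check several posts make.
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for the private ranges listed in the thread; nobody 'owns' these."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class DhcpScope:
    """A DHCP server with one configured subnet and its current leases."""

    def __init__(self, subnet: str):
        self.subnet = ipaddress.ip_network(subnet)
        self.leases = {}  # IPv4Address -> client identifier holding the lease

    def handle_request(self, client_id: str, requested: str):
        """Answer an INIT-REBOOT DHCPREQUEST (RFC 2131 section 4.3.2): the client
        asks for the specific address it already holds, not for any free one."""
        ip = ipaddress.ip_address(requested)
        if ip not in self.subnet:
            # The "moved from another network" case taliv describes.
            return "NAK", f"{ip} is not in scope {self.subnet}"
        holder = self.leases.get(ip)
        if holder not in (None, client_id):
            return "NAK", f"{ip} is leased to another client"
        self.leases[ip] = client_id
        return "ACK", f"{ip} confirmed for {client_id}"


# Assumed shape of the event text; the real Windows wording may differ.
NACK_RE = re.compile(r"client (?P<cid>[0-9A-Fa-f]+) for the address \((?P<ip>[\d.]+)\)")


def parse_nack(event_text: str):
    """Return (client id, requested address) from NACK event text, or None."""
    m = NACK_RE.search(event_text)
    return (m["cid"], m["ip"]) if m else None


if __name__ == "__main__":
    # Constructed scenario: the server's only scope is 192.168.1.0/24, and a
    # client keeps insisting on 192.168.2.4, the address it held elsewhere.
    server = DhcpScope("192.168.1.0/24")
    print(server.handle_request("0001A8C00100502C070C07", "192.168.2.4"))
    print(server.handle_request("0001A8C00100502C070C07", "192.168.1.50"))
    print(is_rfc1918("192.168.2.4"), is_rfc1918("198.51.100.7"))
```

The first request is refused with the same reason as the event in the thread, so the defender's check is whether the requesting interface should have any lease at all, not who "owns" the private address.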
 
It sounds like something is requesting its IP of 192.168.2.4 from the Diebold DHCP server. Check your remote access log, and look around at the PCs (if there aren't too many) and see if any are maintaining that IP address via IPCONFIG. Another way of doing it would be to give another machine an IP of 192.168.2.5 and try pinging .4 from it.

0001A8C00100502C070C07 is too long for a MAC address, must be a machine name of some sort.

Is DHCP service running on the Diebold machine? Probably is, in order to hand out addresses to all the modem connections and PCs. Sounds like a misconfigured client to me, if an unauthorized machine was trying to inject itself into the LAN it wouldn't have an existing DHCP address reserved already.
 
Let's be clear: It's not supposed to be connected to a network - not outside of a few PCs uploading memory cards, and that bank of modems (which dial IN, never out, according to the manuals).

The Ethernet to a few local machines is never supposed to be gatewayed anywhere else. And that's always the way it's supposed to be - this is a central vote tabulator for God's sake.

Under THOSE circumstances, is this normal?
 
Jim,

There is no way a "modem only" box is supposed to be accessing ethernet. The real question is what network it was connected to. Are these Diebold machines pre-programmed at a central facility via ethernet?

You could try asking Diebold for their internal network topography, but I doubt they'd give it to you. Even if they did, the numbers change rather often in DHCP. That's the point of DHCP. The IP number is not the important point when you're dealing with private networks. It's learning what private network. That number doesn't connect to the Internet, so you'd never see it from the outside.

If it's really sensitive, Jim, find a local geek and show it to them. Anything on the Internet is as public as a billboard in Times Square.
 
Brokenpaw: nothing else on the small Ethernet segment it might properly be on would possibly be a DHCP server. This machine (with this error) would thus be a DHCP server.

Would this error be normal for a DHCP server? Or is this thing trying to become a *client*?
 
click start, run and type "cmd" and hit enter.

now type "ipconfig /all"

look for the MAC address you listed above. whatever interface that's associated with is what's trying to get an IP address. my guess is it's the built-in ethernet interface on a SOYO motherboard.


the thing though, is that it won't attempt to contact the DHCP server unless there is a cable plugged in and the link is lit. if you don't know of a legit reason for the diebold machine to contact anything, then why did you plug a cable into it?
 
What port is this thing trying to use? The port will tell you more than the IP address (many ports are commonly used for specific services such as port 80 for HTTP).

Chris
 
There is no way a "modem only" box is supposed to be accessing ethernet. The real question is what network it was connected to. Are these Diebold machines pre-programmed at a central facility via ethernet?

Hmmmm. Possible. But this box has been in this county for...*years*. Over 4. If it was making a client connection back when it was in Diebold's shop, then was shipped to this county, would it still be "screaming" after all this time!?
 
Jim,

You should get a copy of Ethereal. It will sniff the wire and decode the packets.

It is freeware from www.ethereal.com. When you get the trace, maybe we can do more.

-Pat
 
Under THOSE circumstances, is this normal?

If a computer is supposed to be rigged for modem only, no. There is no reason for any IP settings to exist, let alone specific IP addresses. If for some reason some software needed a local ethernet loopback, it'd use 127.0.0.1.

That said, there are reasons why someone might have misconfigured IP addresses. But it doesn't sound like a voting-only machine that is hypothetically modem-only should have them. I'd vote that something is not normal.
 