
Need help of a NETWORK ADMIN - tech question but trust me, MAJOR political import!!!

Discussion in 'Legal' started by Jim March, Dec 6, 2004.

Thread Status:
Not open for further replies.
  1. Jim March

    Jim March Member

    Joined:
    Dec 24, 2002
    Messages:
    8,732
    Location:
    SF Bay Area
    Folks, I've got a computer that's trying (and failing) to make contact with *something* at an IP address of 192.168.2.4 - I can't ping it, I can't make any contact with it so far. I need to know who owns that number (or subnet) and swear to God, I need it *STAT*. I'm fairly geeky but I haven't had to deal with this.

    Tried pinging 192.168.2.0, 192.168.2.1, several others, nothing. This is WAY hot, can't say what it's about yet. HELP!?
     
  2. Keaner

    Keaner Member

    Joined:
    Sep 16, 2004
    Messages:
    392
    Location:
    Hillsboro, OR
    192.168 is a local subnet. It is another computer on your network that is pinging/being pinged.

    Most routers assign a 192.168.0.1 to themselves, and assign numbers after that to following machines. If you have a wireless router, it may be time to start MAC address filtering!
     
  3. ocabj

    ocabj Member

    Joined:
    Jan 22, 2003
    Messages:
    2,383
    Location:
    Riverside, CA
    192.168.*.* is a private subnet. No one owns it. It's reserved for private use and is not allocated for Internet use.
     
  4. ocabj

    ocabj Member

    Joined:
    Jan 22, 2003
    Messages:
    2,383
    Location:
    Riverside, CA
    BTW: Here are the ranges for private-use IP addresses.

    Class A: 10.0.0.0 - 10.255.255.255
    (Subnet mask: 255.0.0.0)

    Class B: 172.16.0.0 - 172.31.255.255
    (Subnet mask: 255.255.0.0)

    Class C: 192.168.0.0 - 192.168.255.255
    (Subnet mask: 255.255.255.0)

    As far as why the computer is trying to contact that specific IP address, you may want to check it for viruses/worms/trojans/spyware.
     
  5. Keaner

    Keaner Member

    Joined:
    Sep 16, 2004
    Messages:
    392
    Location:
    Hillsboro, OR
    Yep, everything OcabJ said was correct.

    You most definitely want to run a virus scan, and a spybot cleaner (spybot search and destroy, adaware, spysweeper, etc). All are available for free, or cheaply online. (Spybot and Adaware are free, security.kolla.de, and lavasoft.com)
     
  6. shermacman

    shermacman Member

    Joined:
    Dec 30, 2002
    Messages:
    1,754
    Ditto the above. If you have one point of access to the internet like a cable modem or DSL line, you get one public address. If you want a bunch of computers and printers in your house or office to share that one point of access then they need to be on a private sub-net like 192.168.xxx.xxx. They are called 'non-routable' because they don't work out in the wild. So the good news is that it can't be someone outside of your point of access, it has to be in-house. In other words...you are probably pinging yourself! Of course if you have an unsecured wireless router or if the Black Box Boys have physically connected into your wiring, then all bets are off.
     
  7. why_me

    why_me member

    Joined:
    Dec 3, 2004
    Messages:
    681
    assuming you have a wireless router

    do you have WEP enabled?
    somebody warchalked your router and is trying to discover other nodes on your network
     
  8. jnojr

    jnojr Member

    Joined:
    Mar 19, 2004
    Messages:
    1,095
    Location:
    Reston, VA
    Jim - the more important question is what is trying to access that IP? Sounds like you may have some kind of spyware trying to phone home. Assuming you use Windows, try netstat. Handle http://www.sysinternals.com/ntw2k/freeware/handle.shtml may help, too.

    I'm on AIM and YIM with the same username. Feel free to IM me if you want.
     
  9. Jim March

    Jim March Member

    Joined:
    Dec 24, 2002
    Messages:
    8,732
    Location:
    SF Bay Area
    Wait.

    I did a WHOIS on this:

    OK, now talk to me. What the hell is going on here?

    This is a Diebold-supplied central vote tabulator trying to do this!!! In Florida. DO NOT spread this beyond this board, let's get to the bottom of this, OK?

    The error message from a Windows event log (WinNT, SP6?) reads something like:

    -----------
    the DHCP server issued a NACK to the client for the address request

    client 0001A8C00100502C070C07 for the address (192.168.2.4)
    -----------

    What the hell is up here?

    Note that this box has a bank of modems attached that are only turned on during a two-hour window after polls close. Is this thing trying to make contact with the outside world over those modems, which is mebbe what the DHCP is all about?

    Is "0001A8C00100502C070C07" an Ethernet address maybe?
     
  10. mtnbkr

    mtnbkr Member

    Joined:
    Dec 25, 2002
    Messages:
    3,108
    Location:
    Manassas, Va
    Does this computer use VPN or something similar to connect to a remote network (teleworker's machine, laptop, etc)? If so, the remote network might house 192.168.*.*.

    What port is the computer trying to use when contacting that host? Knowing the port might help to determine if this is in any way legitimate since many malwares use odd ports.

    Chris
     
  11. taliv

    taliv Moderator

    Joined:
    Oct 23, 2004
    Messages:
    22,063
    nothing unusual is happening here. i'm not going to go into a discourse on networking, but your diebold machine is simply asking for an IP address that's outside the range configured on your DHCP server. odds are, you recently moved the diebold machine from a network where IT WAS 192.168.2.4, only, it doesn't know it got moved, so it's still asking for its old address. DHCP is sending a NACK (Negative ACKnowledgement) which says it can't have that ip address anymore.

    sorry to disappoint,
     
  12. Jim March

    Jim March Member

    Joined:
    Dec 24, 2002
    Messages:
    8,732
    Location:
    SF Bay Area
    OK. The only LEGIT connection to the outside world a GEMS/Diebold box is supposed to make are incoming modem connections via a Digiboard and modem bank. The thing is supposed to take in data from voting terminals (touchscreen, optical scan, doesn't matter) right after the polls close so that "early results" can be fed to the press. Then people hand-carry the memory cards (PCMCIA, basically "electronic ballot boxes") in from the field and they upload those to the GEMS tabulator via PCs connected to Ethernet straight to the GEMS box.

    I can't see any legit reason for the central box to initiate a DHCP connection to anything else, across modem or Ethernet.

    Am I missing any legit reason for these errors?

    OR: is it just waiting for those modems to go live, erroring out once in a while in the meantime, so it can initiate an outside connection?

    If the latter, that is WAY bad news!!!
     
  13. jnojr

    jnojr Member

    Joined:
    Mar 19, 2004
    Messages:
    1,095
    Location:
    Reston, VA
    You'll get the same results from whois 10.1.1.1 or 172.20.1.1

    If you're interested in who owns that machine, you'll need to know more about the network the machine is supposed to be connecting to. I could have a 192.168.2.4 on my network, and you could have one on yours. Heck, everybody could use 192.168.2.4... that address space is non-routable on a public network. It's only valid across a private net.
     
  14. Jim March

    Jim March Member

    Joined:
    Dec 24, 2002
    Messages:
    8,732
    Location:
    SF Bay Area
    OK. Wait. Break it down so I'm sure I know what's up: is this thing trying to make an Ethernet connection? Or a modem connection? Or it's just bad settings flopping around?

    Help me out here. Why is it doing this?
     
  15. BrokenPaw

    BrokenPaw Member

    Joined:
    Dec 30, 2002
    Messages:
    413
    Location:
    Manassas, VA
    Jim,

    The 192.168.x.x series of addresses is (as several posted above) reserved for private use. What that means in layman's terms is this:

    If you have a private network in your home or business, you should make use of addresses in one of the private reserved blocks (192.168.x.x, 172.16.x.x, or 10.x.x.x), so that, if at a later time, your network becomes attached to the internet, your internal packets will not be inadvertently propagated to other hosts on the internet.

    The routers at ISPs are smart enough to know that packets to or from those addresses should not be forwarded.

    Taliv's correct; the box used to live on a network where its address was 192.168.2.4, and that address was issued by a DHCP server. Because DHCP-issued addresses are supposed to survive reboots, and expire after a specified time interval, the box is attempting to re-acquire the "lease" it held on the address.

    "0001A8C00100502C070C07" is the physical address id of the network card in the box. It's called the MAC (Media Access Controller) address, and is unique to the individual network adapter card.

    Interestingly, MAC addresses are traceable to the manufacturer of the network card itself. In this case:

    Welltech Computer Co., Ltd.
    13F-4, no. 150, Jian Yi Road
    Chung-Ho 235, Taipei
    TAIWAN TAIWAN R.O.C.
    TAIWAN, REPUBLIC OF CHINA


    -BP
     
  16. Igloodude

    Igloodude Member

    Joined:
    Sep 24, 2004
    Messages:
    733
    Location:
    southern NH
    It sounds like something is requesting its IP of 192.168.2.4 from the Diebold DHCP server. Check your remote access log, and look around at the PCs (if there aren't too many) and see if any are maintaining that IP address via IPCONFIG. Another way of doing it would be to give another machine an IP of 192.168.2.5 and try pinging .4 from it.

    0001A8C00100502C070C07 is too long for a MAC address, must be a machine name of some sort.

    Is DHCP service running on the Diebold machine? Probably is, in order to hand out addresses to all the modem connections and PCs. Sounds like a misconfigured client to me, if an unauthorized machine was trying to inject itself into the LAN it wouldn't have an existing DHCP address reserved already.
     
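An added example, not from any poster in this thread: it pulls the client identifier and requested address out of the quoted Windows DHCP event text, checks the address against the three private ranges listed earlier, and classifies the identifier the way the last two posts disagree about (a bare MAC is 6 bytes; the logged value is longer, though its first three bytes are still the size of a vendor OUI). The local scope passed to `triage` is an assumed value, not something the thread states.

```python
import ipaddress
import re

# Constructed sample: the two log lines quoted in the thread, joined as one event.
SAMPLE_EVENT = ("the DHCP server issued a NACK to the client for the address request "
                "client 0001A8C00100502C070C07 for the address (192.168.2.4)")

# The three private ranges listed earlier in the thread (RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EVENT_RE = re.compile(r"client\s+([0-9A-Fa-f]+)\s+for the address\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_nack_event(text):
    """Return (client_id_hex, requested_ip) from a DHCP NACK event, or None."""
    m = EVENT_RE.search(text)
    return (m.group(1).upper(), m.group(2)) if m else None

def is_private(ip):
    """True if ip falls in one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_BLOCKS)

def describe_client_id(hex_id):
    """Classify the logged identifier: a bare 6-byte MAC, or something longer."""
    raw = bytes.fromhex(hex_id)
    info = {"bytes": len(raw), "is_bare_mac": len(raw) == 6, "oui": None, "mac": None}
    if len(raw) >= 3:
        # The first three bytes of a MAC are the vendor OUI; a longer client
        # identifier may still begin with one, which is all an OUI lookup sees.
        info["oui"] = raw[:3].hex().upper()
    if len(raw) == 6:
        info["mac"] = ":".join(f"{b:02X}" for b in raw)
    return info

def triage(text, local_scope):
    """Parse the event and check the requested address against local_scope,
    the subnet the DHCP server actually serves (an assumed value supplied by
    the caller). A request for an address outside it is the 'old address from
    a previous network' case described in the thread."""
    parsed = parse_nack_event(text)
    if parsed is None:
        return None
    cid, ip = parsed
    return {"client_id": cid,
            "requested_ip": ip,
            "private": is_private(ip),
            "on_local_subnet": ipaddress.ip_address(ip) in ipaddress.ip_network(local_scope),
            "client": describe_client_id(cid)}
```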
  17. Jim March

    Jim March Member

    Joined:
    Dec 24, 2002
    Messages:
    8,732
    Location:
    SF Bay Area
    Let's be clear: It's not supposed to be connected to a network - not outside of a few PCs uploading memory cards, and that bank of modems (which dial IN, never out, according to the manuals).

    The Ethernet to a few local machines is never supposed to be gatewayed anywhere else. And that's always the way it's supposed to be - this is a central vote tabulator for God's sake.

    Under THOSE circumstances, is this normal?
     
  18. RevDisk

    RevDisk Member

    Joined:
    Apr 27, 2004
    Messages:
    1,737
    Location:
    Pennsylvania
    Jim,

    There is no way a "modem only" box is supposed to be accessing ethernet. The real question is what network it was connected to. Are these Diebold machines pre-programmed at a central facility via ethernet?

    You could try asking Diebold for their internal network topography, but I doubt they'd give it to you. Even if they did, the numbers change rather often in DHCP. That's the point of DHCP. The IP number is not the important point when you're dealing with private networks. It's learning what private network. That number doesn't connect to the Internet, so you'd never see it from the outside.

    If it's really sensitive, Jim, find a local geek and show it to them. Anything on the Internet is as public as a billboard in Times Square.
     
  19. Jim March

    Jim March Member

    Joined:
    Dec 24, 2002
    Messages:
    8,732
    Location:
    SF Bay Area
    Brokenpaw: nothing else on the small Ethernet segment it might properly be on would possibly be a DHCP server. This machine (with this error) would thus be a DHCP server.

    Would this error be normal for a DHCP server? Or is this thing trying to become a *client*?
     
  20. taliv

    taliv Moderator

    Joined:
    Oct 23, 2004
    Messages:
    22,063
    click start, run and type "cmd" and hit enter.

    now type "ipconfig /all"

    look for the MAC address you listed above. whatever interface that's associated with is what's trying to get an IP address. my guess is it's the built-in ethernet interface on a SOYO motherboard.


    the thing though, is that it won't attempt to contact the DHCP server unless there is a cable plugged in and the link is lit. if you don't know of a legit reason for the diebold machine to contact anything, then why did you plug a cable into it?
     
  21. mtnbkr

    mtnbkr Member

    Joined:
    Dec 25, 2002
    Messages:
    3,108
    Location:
    Manassas, Va
    What port is this thing trying to use? The port will tell you more than the IP address (many ports are commonly used for specific services such as port 80 for HTTP).

    Chris
     
  22. Jim March

    Jim March Member

    Joined:
    Dec 24, 2002
    Messages:
    8,732
    Location:
    SF Bay Area
    Hmmmm. Possible. But this box has been in this county for...*years*. Over 4. If it was making a client connection back when it was in Diebold's shop, then was shipped to this county, would it still be "screaming" after all this time!?
     
  23. pbhome71

    pbhome71 Member

    Joined:
    Nov 11, 2003
    Messages:
    897
    Jim,

    You should get a copy of Ethereal. It will sniff the wire and decode the packets.

    It is freeware from www.ethereal.com. When you get the trace, maybe we can do more.

    -Pat
     
  24. Jim March

    Jim March Member

    Joined:
    Dec 24, 2002
    Messages:
    8,732
    Location:
    SF Bay Area
    Sigh. We don't have the ability to run commands. All we got is this damned log.
     
  25. RevDisk

    RevDisk Member

    Joined:
    Apr 27, 2004
    Messages:
    1,737
    Location:
    Pennsylvania
    If a computer is supposed to be rigged for modem only, no. There is no reason for any IP settings to exist, let alone specific IP addresses. If for some reason some software needed a local ethernet loopback, it'd use 127.0.0.1.

    That said, there are reasons why someone might have misconfigured IP addresses. But it doesn't sound like a voting-only machine that is hypothetically modem-only should have it. I'd vote that something is not normal.
     