Someone got past our firewall

Aug 2, 2001
We have a firewall that was installed by an outside party. We also have a VPN router that assigns IPs of 172.16.30.x when someone tunnels in. When I go to my entire network in Network Neighborhood, I've got the usual Novell domain, our W2K domain, and now an SGACOM domain with a PC of snw867. I can ping snw867 and come back with a reply of 172.16.10.29. I can check my VPN and it shows NO active sessions. How has this person gotten in? Using LanGuard, I've found a username of cnelson, with 2 accounts, admin and guest, which has been disabled. Has anybody seen this before? Thanks.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"Since we cannot know all that there is to be known about anything,
we ought to know a little about everything."
Blaise Pascal
 
Is there a chance that someone brought in (into the WAN) a laptop or new PC? Sounds like someone made their PC a workgroup computer and they just snagged an address from the VPN.. just a thought..

"'tis better to remain silent and be thought of as a fool..
than open your mouth and remove all doubt" Mark Twain

"I should have been a doctor.." Me
 
> We also have a VPN router that assigns IPs of 172.16.30.x when someone tunnels in.

Wrong IP address, but thanks. Makes me think that possibly someone did bring in a laptop.

Glen A. Johnson
 
can you ping any other components on the x.x.10 subnet? like .1 through .30?

ha ha - this is where those fun little 3rd party IP scanners come in handy!
 
tracert to the IP - does it help at all? Try GFI LanGuard and you may get a username or more details.
 
> can you ping any other components on the x.x.10 subnet? like .1 through .30?

Did that, that's how I came up with the IP address. Pinged SNW867 to get the IP, which showed me it wasn't coming through the firewall. Logged onto the VPN and found no active sessions, which is what I expected since it wasn't a 172.16.30.x address.

> tracert to the IP - does it help at all? Try GFI LanGuard and you may get a username or more details.

Used LanGuard to find a username of cnelson (who does not work here), and found 2 accounts, Admin and guest (which was disabled). LanGuard also showed 5 open ports: 25 = SMTP, 110 = POP3, 135 = epmap, 139 = NetBIOS-ssn, and 445 = Microsoft-DS. I sent a net send to the IP address telling the person to call me at my work number, and about an hour later, they disappeared. Tracert didn't give me anything to help. Thanks, all.

Glen A. Johnson
 
Do you know SNW867's MAC address? Maybe it is in your local network? Assign an IP address from the 172.16.10.xx network to your own PC, ping 172.16.10.29 and run "arp -a". In the ARP cache you may see the MAC address for SNW867.
Next, you may try to determine the port of the local switch to which SNW867 is connected.
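The ARP lookup suggested above, as an added example that is not from this thread: after a ping populates the cache, read the MAC recorded for the unknown IP and compare it against a (hypothetical) inventory of known MACs, so an unfamiliar device shows up as such. It goes slightly beyond the post by accepting both Linux/BSD and Windows "arp -a" line formats; the sample ARP output and inventory are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Given an IP, pull the MAC that the
# ARP cache recorded for it and check it against an inventory of known MACs.
# Handles Linux/BSD lines ("host (ip) at mac ...") and Windows lines
# ("ip   mac-with-dashes   dynamic").

# Constructed sample "arp -a" output mixing both formats, for the demo/test.
SAMPLE_ARP='snw867 (172.16.10.29) at 00:11:22:33:44:55 [ether] on eth0
gateway (172.16.10.1) at 00:aa:bb:cc:dd:ee [ether] on eth0
? (172.16.10.7) at <incomplete> on eth0
  172.16.10.40          00-de-ad-be-ef-01     dynamic'

# Hypothetical inventory (constructed): "mac description", one per line.
KNOWN_MACS='00:aa:bb:cc:dd:ee core-router
00:de:ad:be:ef:01 accounting-pc'

# mac_for_ip <ip> <arp-output>: print the MAC for <ip> as lowercase with
# colons, or nothing if the IP is absent or its entry is incomplete.
mac_for_ip() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        BEGIN { paren = "(" ip ")" }
        function norm(m) { m = tolower(m); gsub(/-/, ":", m); return m }
        function looks_like_mac(m) { return m ~ /^[0-9a-fA-F][0-9a-fA-F][:-]/ }
        $2 == paren && looks_like_mac($4) { print norm($4); exit }
        $1 == ip    && looks_like_mac($2) { print norm($2); exit }'
}

# is_known_mac <mac> <inventory>: succeed if the MAC is listed in the inventory.
is_known_mac() {
    printf '%s\n' "$2" | grep -qi "^$(printf '%s' "$1" | sed 's/-/:/g') "
}

# classify_host <ip> <arp-output> <inventory>: one-word verdict for a report.
classify_host() {
    mac=$(mac_for_ip "$1" "$2")
    if [ -z "$mac" ]; then echo "no-arp-entry"
    elif is_known_mac "$mac" "$3"; then echo "known"
    else echo "unknown-device"; fi
}

# live_classify <ip>: ping once so the cache is populated, then classify
# using the real "arp -a" output of this machine.
live_classify() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
    classify_host "$1" "$(arp -a 2>/dev/null)" "$KNOWN_MACS"
}
```

The MAC's OUI prefix (first three octets) then points to the vendor, which is often enough to tell a laptop from the servers you expect on that segment.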
 
It sounds JUST like someone has either managed to get their machine to log into a workgroup rather than your domain, or they have, as mentioned, brought in a laptop and plugged it into the LAN (probably running Win2k or XP, because this will just appear, whereas a Win9x or NT laptop would need to do an IPCONFIG /Release and IPCONFIG /Renew and reboot to gain a presence on the LAN from the range of IPs from the router).

If you can PING it, it is probably still on and active (you can prove this by trying to browse onto it using an Admin share across the Network like \\snw867\C$ which is a hidden share that only Admins can access) and as such you could probably send a NET SEND message to tell them to call you or alert them to your presence.
 
c$ asked for a username and password. Net send to the IP did work. Told them to call me; whoever it was never did. Still checking into it. Thanks.

Glen A. Johnson
 
Could it be that someone from the company that setup your firewall left themselves a backdoor?
 
If your Administrator account and password cannot access it, then this machine has probably not been on your LAN before (or the local machine admin accounts on all of your machines have different passwords from your Domain Admin accounts).

This would probably indicate someone has plugged their own laptop into the LAN, and I bet they S*** themselves when they got the message.

I am still inclined to rule out a back door route for someone because it is too obvious.

For this sort of route a hacker would have spoofed an IP address and machine name to remain undetected amongst the regular machines.
 
Guess what. Over the holiday shutdown, the boss set up a machine for a person that leases space at a different plant that's on the same network. He just failed to tell anybody or document it. He just returned from vacation today, and when I showed him the printout from LanGuard, he didn't seem to know anything about it. When I later asked him if we should contact the outside person that installed the firewall, he suddenly remembered that user name, and told me what he had done. God I love upper management.

Glen A. Johnson
 