Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Strange activity at high noon 1

Status
Not open for further replies.

hrswift

MIS
Sep 24, 2003
48
US
I've noticed network performance degrading right around lunch time for the past few weeks. I chalked it up to people enjoying their favorite soaps while they eat their lunch. Using Netscout I looked into it and I see many servers and workstations hitting an IP address 12.120.26.206. Lots of packets. It settels down around 1:30 so it only lasts a little over an hour. I tried looking up the owner of the IP address and it shows AT&T Worldnet. I assume it's an ISP somewhere. What could this strange activity be?

Thanks in advance
 
Who complains when you block that site? Is this a online back program running?

James P. Cottingham
[sup]I'm number 1,229!
I'm number 1,229![/sup]
 
Nobody has complained yet. No online back programs. I blocked it this morning and now I have a new IP address that's popping up 63.240.236.48
 
Whois.arin.net. Does your company purchase services from this comoany?
 
Those are both interesting IP addresses, but no record seems to be found, other than they seem to be part of an AT&T network. Doing a set of lookups starting with a root server ultimately points you to an AT&T nameserver, but there is no reverse lookup, which makes me think it may be a residential customer.

From a post previous: whois arin.net, I am not sure if that was a question or not. Arin stands for the American Registry for Internet Numbers (if that is the right term). It is one of the three (?) main Internet Registrars and is the one that handles North America.

 
ok I admit I know very little about these issues. a google search of the listed ip numbers include att and whois arin.net in both instances. Some further looking reveals that in 2002 micro soft was providing an app to track down the source of an attack on a server using whoisarin.net. I took a guess that this may be automated by 2010 and that a anti virus program may be the source of the packets sent. I was hoping someone would answer who knew the answer, rather than me who cannot spell company.
 
NetRange: 63.240.0.0 - 63.242.255.255
CIDR: 63.242.0.0/16, 63.240.0.0/15
OriginAS:
NetName: CERFNET-BLK-5
NetHandle: NET-63-240-0-0-1
Parent: NET-63-0-0-0-0
NetType: Direct Allocation
NameServer: CBRU.BR.NS.ELS-GMS.ATT.NET
NameServer: DBRU.BR.NS.ELS-GMS.ATT.NET
NameServer: CMTU.MT.NS.ELS-GMS.ATT.NET
NameServer: DMTU.MT.NS.ELS-GMS.ATT.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1999-11-03
Updated: 2001-08-06
Ref:

OrgName: CERFnet
OrgId: CERF
Address: 5738 Pacific Center Blvd
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US
RegDate: 1989-04-18
Updated: 2003-08-12
Ref:
OrgTechHandle: NETWO10-ARIN
OrgTechName: Network Provisioning
OrgTechPhone: +1-800-876-2373
OrgTechEmail: iptool@attens.com
OrgTechRef:
RTechHandle: CERF-HM-ARIN
RTechName: ATand T Enhanced Network Services
RTechPhone: +1-858-812-5000
RTechEmail: notify@attens.com
RTechRef:
the above information: Is provided by arin.net? Or,is arin.netthe owner of the address?
 
The above infomration would have been provided by Arin.net. I appologize if I wasn't clearer on this in my earlier post.

The owner is CERFnet. It looks like their contact is the Network Provisioning department at +1-800-876-2373 (plus their email and physical address. Based on the name server information CBRU.BR.NS.ELS-GMS.ATT.NET, it looks like this is a subsidiary of AT&T. The name server is a sub domain of att.net, which if you go to with a web browser is AT&T's home page.

A little more digging shows that cerf.net is part of AT&T and apparently handles part of their network infrastructure.

Back to the original topic, it looks to me like you have an application, perhaps an unintended visitor, that is trying to phone home.


 
Good question. If he is/were running Linux I would suggest using netstat to see what the current and recent open connections are. This would tell you the process, user, and the to and from location.

Does Windows support something similar?
 
TCPView has shown that the IP addresses associated with this is Framework Services (slick little tool). This is a Mcafee EPO process. I guess this is the workstations and servers looking for updates. I will adjust the time of day that it searches for updates. It can and has created bottlenecks in my network that slows or stops the normal day to day worker activity.
Thank all of you for your assistance
 
Kind of funny. The first call I made after discovering the IP addresses and odd traffic flow was Mcafee support. They were clueless. I even gave them the their IP addresses in question.
 
I was hoping it was a juicy adult site and you could bust some people and then tell us all about it. Mcafee - that's pretty boring.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top