
Tracing an IP address

Status
Not open for further replies.

Gareth1978

We've got a situation whereby some Windows 98 workstations that we've got can access the internet when they shouldn't be able to. To cut a long story short, we've found out that they are accessing through a certain IP address that isn't the proxy server or the router; in fact, it's not even within the IP range for this site. When you ping it you get a reply back. Does anyone know any way of tracing this IP, i.e. finding out where it is?

I will try to explain more clearly if needs be.

Thanks in anticipation
 
You can do a tracert to it or pathping. You can also scan it with a scanner like LANguard; that will tell you some more info if it is not totally firewalled.
I must say though, this sounds very strange...

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
How are you filtering access to the Internet? Are you using a proxy server? If so, are you blocking everyone EXCEPT the proxy server from accessing port 80 and 443 outbound? If not, then you are only blocking the people who choose to use your proxy server (unless you are doing a transparent proxy). There is also a decent article/discussion in the Security forum on tunneling traffic outbound through a firewall. Nothing earth-shattering, it has been used for years, but it is a decent primer on tunneling.

Take a look at Sam Spade; it will get you the information that I believe you are looking for.

Here is a dump of yahoo.com by IP address:

dns 64.58.79.230

64.58.79.230 has valid reverse DNS of w1.rc.vip.dcx.yahoo.com

whois -h magic 64.58.79.230

Trying whois -h whois.arin.net 64.58.79.230

Cable & Wireless DC2-1 (NET-64-58-64-0-1)
64.58.64.0 - 64.58.95.255
Yahoo EC17-1-YAHOO1 (NET-64-58-76-0-1)
64.58.76.0 - 64.58.79.255

# ARIN WHOIS database, last updated 2003-06-03 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.

traceroute 64.58.79.230

Do not contact either Los Nettos (ln.net) or Centergate Research Group (centergate.com) based on the results of this traceroute.

3 130.152.80.30 5.330 ms isi-1-lngw2-pos.ln.net [AS226] Los Nettos origin AS
4 198.172.117.161 4.921 ms ge-2-3-0.a02.lsanca02.us.ra.verio.net [AS2914] Verio
5 129.250.46.121 10.036 ms ge-1-2-0.a00.lsanca02.us.ra.verio.net [AS2914] Verio
6 129.250.29.120 7.332 ms xe-1-0-0-4.r20.lsanca01.us.bb.verio.net (DNS error) [AS2914] Verio
7 129.250.2.9 7.532 ms p16-0-0-0.r00.lsanca01.us.bb.verio.net [AS2914] Verio
8 208.173.57.21 9.915 ms bpr1-so-6-0-0.LosAngeles.cw.net
9 208.172.44.93 10.003 ms dcr1-so-3-3-0.Anaheim.cw.net
10 206.24.226.100 83.566 ms dcr2-loopback.Washington.cw.net
11 206.24.238.166 73.584 ms bhr1-pos-10-0.Sterling1dc2.cw.net
12 216.109.66.91 74.920 ms csr12-ve241.Sterling2dc3.cw.net [AS3967] Exodus Communications
13 216.109.84.166 77.203 ms DNS error [AS3967] Exodus Communications
14 216.109.120.177 77.196 ms ge-0-3-0-p38.msr1.dcn.yahoo.com [AS17110] Yahoo Inc.
15 216.109.120.190 98.828 ms vl43.bas1.dcx.yahoo.com [AS17110] Yahoo Inc.
16 64.58.79.230 80.238 ms w1.rc.vip.dcx.yahoo.com [AS17110] Yahoo Inc.


pansophic
 
Without knowing much more of the network configuration and the workstation configuration, I would recommend going to those workstations and logging a tracert to an external internet address like google.com and note the path.

Perform this like an audit, so you have to check a few computers in every department to ensure they don't have some sort of proxy of their own in place.
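
The audit suggested in the last reply, as an added example that is not part of the thread: it reads saved Windows tracert output from each workstation, finds the hop where the path leaves the site, and lists the machines that do not leave through an approved gateway. The workstation names, the site range 10.1.0.0/16, the approved gateway 10.1.0.1 and the captures themselves are constructed assumptions.

```python
import ipaddress
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # hop lines start with a hop number
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")   # bare or [bracketed] IPv4 address

def parse_tracert(text):
    """Return [(hop_number, ip_or_None)] from saved Windows tracert output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ips = IP_RE.findall(m.group(2))
            hops.append((int(m.group(1)), ips[-1] if ips else None))  # None = timed out
    return hops

def egress_hop(hops, site_net):
    """Last hop inside site_net before the path leaves it. If the first
    responding hop is already outside the site range, return that hop."""
    net = ipaddress.ip_network(site_net)
    last_inside = None
    for ip in (ip for _, ip in hops if ip):           # skip timed-out hops
        if ipaddress.ip_address(ip) in net:
            last_inside = ip
        else:
            return last_inside or ip
    return last_inside

def audit(traces, site_net, approved):
    """Return {workstation: egress hop} for traces that bypass the approved gateways."""
    egress = {ws: egress_hop(parse_tracert(t), site_net) for ws, t in traces.items()}
    return {ws: hop for ws, hop in egress.items() if hop not in approved}

# Constructed sample captures (not taken from the thread)
SAMPLE = {
    "WS-ACCT-01": "Tracing route to www.example.com [198.51.100.80]\n"
                  "  1    <1 ms    <1 ms    <1 ms  10.1.0.1\n"
                  "  2    12 ms    11 ms    12 ms  isp-gw.example.net [198.51.100.1]\n",
    "WS-SALES-07": "  1     2 ms     1 ms     2 ms  192.168.50.1\n"
                   "  2    30 ms    29 ms    31 ms  203.0.113.9\n",
    "WS-LAB-03": "  1    <1 ms    <1 ms    <1 ms  10.1.4.20\n"
                 "  2     *        *        *     Request timed out.\n"
                 "  3    41 ms    40 ms    42 ms  203.0.113.77\n",
}

if __name__ == "__main__":
    for ws, hop in audit(SAMPLE, "10.1.0.0/16", {"10.1.0.1"}).items():
        print(f"{ws}: leaves the site via {hop}")
```

A flagged hop inside the site range points at an internal machine acting as an unsanctioned gateway; a flagged hop outside the range means the workstation's first hop is not on the site network at all.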
 