[Dshield] incoming traffic from 192.168.0.1 ????

Eric Rosander erosander at matrixns.com
Thu Jul 26 16:29:32 GMT 2001


A spoofed address or nmap decoy was my first thought.

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Jay Wren
Sent: Thursday, July 26, 2001 8:29 AM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????


It could very well be a spoofed ip?

-J

-----Original Message-----
From: patv at monmouth.com [mailto:patv at monmouth.com]
Sent: Thursday, July 26, 2001 11:30 AM
To: dshield at dshield.org
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????


Don't be so quick on dismissing this.  The original email specifically stated
that it isn't the ip for his lan.  Additionally, I've gotten scans from
reserved ip addresses before.  I don't know how it was done (although I have
some suspicions), but it is real.

Pat

> 192.168 is the range of reserved class C nets.  These are not routable and
> are commonly used for private LANs that are generally masqueraded by
> firewalls or proxy servers.  Check to see if this is not just the internal
> interface address of your linksys.  I haven't used that product.  But that
> would not surprise me.  In any event, there is no point worrying about
> a threat from that address.  It is not routable on the 'net anyway.
> BTW, the reserved nets are 10.0.0.0 (class A), 172.16-31.0.0 (class Bs) and
> 192.168.0-255.0 (class Cs).
>
> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
> Behalf Of airratt
> Sent: Tuesday, July 24, 2001 3:01 PM
> To: dshield at dshield.org
> Subject: Re: [Dshield] incoming traffic from 192.168.0.1 ????
>
>
> My dig of that IP 192.168.0.1 is :BLACKHOLE.ISI.EDU
>
>
> ----- Original Message -----
> From: "Marty Keane" <mkeane89 at pacbell.net>
> To: <dshield at dshield.org>
> Sent: Tuesday, July 24, 2001 3:49 PM
> Subject: [Dshield] incoming traffic from 192.168.0.1 ????
>
>
> > Hello all,
> >
> > I'm new to the list so I hope I'm on target with my question. I'm using
> > the linksys router with the latest firmware with a windows 98 machine. I just
> > started logging my incoming traffic to the firewall and recently
> > found something very disturbing. Hopefully there's a simple
> > explanation. Here are the entries AM (PST)
> >
> > remote addr                                  remote port   local port
> > ------------------------------------------------------------------------
> >
> > 11:26:51  (first three entries)
> >
> > 169.254.61.126                               137           137
> > 192.168.0.1                                  137           137
> > adsl-64-160-96-149.dsl.bkfd14.pacbell.net    137           137
> >
> > 11:27:19 (remaining entries)
> >
> > 169.254.61.126                               137           137
> > 192.168.0.1                                  137           137
> > adsl-64-160-96-149.dsl.bkfd14.pacbell.net    137           137
> > 192.168.0.1                                  137           137
> > 169.254.61.126                               137           137
> >
> > My apologies if there is some other formal way of raising this
> > issue, but the fact that it's an internal looking address has me
> > concerned. I'm aware of the net-bios issue with windows
> > machines and I've cloaked my router. One last note is that
> > 192.168.0.1 is neither my router's ip nor an ip of a machine on my
> > LAN.
> >
> > Any insight would be greatly appreciated! Right now I've got my LAN down
> > and I am afraid to bring it up until I know what's going on :-/
> >
> >
> > Marty
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www1.dshield.org/mailman/listinfo/dshield


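Added example, not part of the original thread: a small Python triage of firewall log entries like the ones posted above, flagging source addresses that fall in the reserved ranges named in the thread (plus 169.254.0.0/16 link-local) and are not on the local LAN. The one-line log format and the LAN prefix 192.168.1.0/24 are assumptions made for illustration.

```python
import ipaddress

# Non-routable source ranges named in the thread, plus link-local and loopback.
SPECIAL_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), "rfc1918-private"),
    (ipaddress.ip_network("172.16.0.0/12"), "rfc1918-private"),
    (ipaddress.ip_network("192.168.0.0/16"), "rfc1918-private"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
]

# Constructed sample, simplified to: time remote-addr remote-port local-port
SAMPLE_LOG = """\
11:26:51 169.254.61.126 137 137
11:26:51 192.168.0.1 137 137
11:26:51 adsl-64-160-96-149.dsl.bkfd14.pacbell.net 137 137
11:27:19 192.168.0.1 137 137
"""

def classify_source(remote):
    """Label the remote field of one log entry."""
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        return "hostname"  # the firewall logged a resolved name, not an IP
    for net, label in SPECIAL_RANGES:
        if addr in net:
            return label
    return "public"

def flag_unroutable_sources(log_text, lan_net):
    """Return (time, source, label, local_port) for inbound entries whose
    source is in a reserved range but is not part of our own LAN."""
    lan = ipaddress.ip_network(lan_net)  # assumed LAN prefix, supplied by caller
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, remote, _rport, lport = parts
        label = classify_source(remote)
        if label in ("hostname", "public"):
            continue
        if ipaddress.ip_address(remote) in lan:
            continue  # expected traffic from our own hosts
        findings.append((ts, remote, label, int(lport)))
    return findings

if __name__ == "__main__":
    for finding in flag_unroutable_sources(SAMPLE_LOG, "192.168.1.0/24"):
        print(finding)
```

A flagged entry cannot have been routed across the Internet with that source address, so it was either spoofed or sent from a host on the same local segment as the firewall's outside interface.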