spoon Posted July 19, 2009

Every time I plug the LAN into my computer, "iana" will ping 255.255.255.255, which seems to be located on my computer, and the source is 172.24.1.*, where * is multiple hits at the same time. I don't know if this is normal, so I banned the range 172.16.0.0 to 172.31.255.255 in the firewall settings, and it seems now that my DHCP is not working OK. My IP cannot be automatically assigned :( Is it normal to receive ICMP from these addresses above?

PS:

1: How can I close 224.0.0.* communications on my computer, and keep 239.255.250 away from my ARP?

2: And if I saw a user like "spid" + number (the number changes) making a big operation list on the SQL server on my machine, in several minutes, but 3 or 5 times in 3 days, and saw some very, very unusual aggressive queries in the list, could I track back who the hell is "spid"?! I cannot copy out the log from my SQL; does this indicate that my computer is totally fried? Is it safe to ping the computer named spid? And why does my SQL log the computer name rather than its IP address?

3: Can I make my ARP list as clean as possible, i.e., leave only my gateway? Because strange things keep happening to my computer. Is it necessary for my DHCP server to appear in my ARP table? Because I was sending data to unknown addresses, maybe a router, maybe an ARP-tech-based LAN tool software, and maybe a virus-infected computer or even the virus, but I just want this not to happen. And could it be possible that my DHCP server was infected by some virus??? Look, the unknown user logged into my SQL many times, and this is not so funny. And what if this is not a human but a virus still on my machine or in the local network? And this is also why I am so eager to keep my ARP table as clean as possible :(

jcl Posted July 19, 2009

> Every time I plug the LAN into my computer, "iana" will ping 255.255.255.255, which seems to be located on my computer, and the source is 172.24.1.*, where * is multiple hits at the same time. I don't know if this is normal, so I banned the range 172.16.0.0 to 172.31.255.255 in the firewall settings, and it seems now that my DHCP is not working OK. My IP cannot be automatically assigned :( Is it normal to receive ICMP from these addresses above?

255.255.255.255 is the local broadcast address. 172.16/12 is reserved for private use. Odds are that 255.255.255.255 'pings' are DHCP traffic and the source is your DHCP server. IOW, you filtered your own network.

> PS: 1: How can I close 224.0.0.* communications on my computer, and keep 239.255.250 away from my ARP?

Filter multicast traffic and stick a Post-it on your monitor so you'll know what to undo.

> 2: And if I saw a user like "spid" + number (the number changes) making a big operation list on the SQL server on my machine, in several minutes, but 3 or 5 times in 3 days, and saw some very, very unusual aggressive queries in the list, could I track back who the hell is "spid"?!

"spid <number>" is probably a session ID. If this is MS SQL, you can use the sp_who stored procedure to look up the user and host associated with the session.

> 3: Can I make my ARP list as clean as possible, i.e., leave only my gateway? Because strange things keep happening to my computer.

ARP usually isn't responsible for strange things.

> Is it necessary for my DHCP server to appear in my ARP table?

It's going to, regardless.

> And could it be possible that my DHCP server was infected by some virus???

There's no reason to believe that it is, but, sure, it's possible.

> Look, the unknown user logged into my SQL many times, and this is not so funny. And what if this is not a human but a virus still on my machine or in the local network?

Then you have another problem.

spoon Posted July 19, 2009

> 255.255.255.255 is the local broadcast address. 172.16/12 is reserved for private use. Odds are that 255.255.255.255 'pings' are DHCP traffic and the source is your DHCP server. IOW, you filtered your own network.

It is an MS SQL server and I do not know where the problem is, so I have banned my DHCP from pinging me. I am afraid that it brings in some other ARP address, and I think I am going to send packets to every ARP address in this table. Yet I cannot confirm if the SQL was injected by human hand or an automated virus, and what if the virus takes advantage of the ARP table to spread? I am in a local network, and the computers are many. At least I need to confirm where the attack was launched, to know who I should put on the blacklist. I cannot just ban the whole world and sink all the data passing by. Even worse, I am thinking someone faked a set of servers in the local network to do unauthorised data interception, because if I understand correctly, our gateway should be well firewall-protected.

spoon Posted July 19, 2009

Well, this is what happens: as soon as I allowed my DHCP to ping in, another address which seems to be in our local IP range pinged in too. So I got the "UNKNOWN OBJECT" in my ARP table. What the F..??

jcl Posted July 19, 2009

> It is an MS SQL server and I do not know where the problem is, so I have banned my DHCP from pinging me. I am afraid that it brings in some other ARP address.

Why are you afraid of that?

> Yet I cannot confirm if the SQL was injected by human hand or an automated virus

Have you considered the possibility that it's completely benign? Do you know what whatever it was was doing?

> and what if the virus takes advantage of the ARP table to spread?

Nearly everything you can do on a network takes advantage of the ARP table.

> At least I need to confirm where the attack was launched, to know who I should put on the blacklist.

You need to confirm that you've been attacked first.

> Well, this is what happens: as soon as I allowed my DHCP to ping in, another address which seems to be in our local IP range pinged in too. So I got the "UNKNOWN OBJECT" in my ARP table. What the F..??

I have no idea what that means. What do you mean "ping in" and what are you using to view the ARP table?

spoon Posted July 19, 2009 (edited)

> Have you considered the possibility that it's completely benign? Do you know what whatever it was was doing?

So you are indicating the server should be accessed by someone, or something I completely do not know, 5 times in 3 days? And the data should be modified? What if there is massive data inside this server? I am working with a non-safe tool to store my data? This is a PC, not a com or org server, which means there should not be a targeted visit. And this is what bothers me a lot.

> Why are you afraid of that?

Well, when seeing 2 people coming up to you, one you already know and the second you do not know, without any official introduction, will you trust the second guy?

PS: You people all use Linux?

Edited July 19, 2009 by lantance

jcl Posted July 20, 2009

> So you are indicating the server should be accessed by someone, or something I completely do not know, 5 times in 3 days?

So you figured out what user owned the sessions you saw in the log?

> And the data should be modified? What if there is massive data inside this server? I am working with a non-safe tool to store my data?

The server should be secured and backed up.

> Well, when seeing 2 people coming up to you, one you already know and the second you do not know, without any official introduction, will you trust the second guy?

The ARP table maps layer 3 addresses onto layer 2 addresses. That's it. Having an entry in the table doesn't imply that a host is trusted.

> PS: You people all use Linux?

Not everyone, no. In any case, I think everyone here uses Windows.

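Added example, not part of any post in this thread: a Python check of the address classes discussed above (255.255.255.255 broadcast, 172.16/12 private, 224.0.0.* and 239.* multicast) against an ARP table, including whether each multicast entry carries the MAC address that the RFC 1112 mapping computes from the group address. The `arp -a` listing, the /24 subnet and the function names are constructed assumptions; the 224.0.0.252 row deliberately carries a wrong MAC to show the mismatch case.

```python
import ipaddress
import re

# Constructed sample of Windows `arp -a` output (not taken from the thread).
SAMPLE_ARP = """\
Interface: 172.24.1.57 --- 0xb
  Internet Address      Physical Address      Type
  172.24.1.1            00-1a-2b-3c-4d-5e     dynamic
  172.24.1.23           00-11-22-33-44-55     dynamic
  172.24.1.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  224.0.0.252           01-00-5e-00-00-99     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# One table row: an IPv4 address followed by a dash-separated MAC address.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\b", re.I)

def multicast_mac(ip):
    """RFC 1112 mapping: 01-00-5e followed by the low 23 bits of the group address."""
    low23 = int(ip) & 0x7FFFFF
    return "01-00-5e-%02x-%02x-%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

def classify(ip_text, mac, subnet):
    """Label one ARP entry by the kind of address it maps."""
    ip = ipaddress.ip_address(ip_text)
    mac = mac.lower()
    if ip.is_multicast:
        # A multicast entry is computed from the address, not learned from a host.
        return "multicast" if mac == multicast_mac(ip) else "multicast-mac-mismatch"
    if ip == ipaddress.IPv4Address("255.255.255.255") or ip == subnet.broadcast_address:
        return "broadcast" if mac == "ff-ff-ff-ff-ff-ff" else "broadcast-mac-mismatch"
    return "unicast-private" if ip.is_private else "unicast-public"

def review_arp(text, subnet="172.24.1.0/24"):
    """Parse `arp -a` text; the subnet is an assumption (the thread gives no mask)."""
    net = ipaddress.ip_network(subnet)
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), classify(m.group(1), m.group(2), net)))
    return rows

if __name__ == "__main__":
    for ip, kind in review_arp(SAMPLE_ARP):
        print(f"{ip:<18}{kind}")
```

Rows reported as `multicast` or `broadcast` are mappings derived from the address itself rather than learned from another host, so only the unicast rows and any mismatch rows are worth a closer look.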