Mysterious activity @ phantom IP address

Netgear Wgr614 wireless broadband router
May 16, 2010 at 06:00:44
Specs: Windows XP
I have a network with a NetGear WGR614v9 router in the center. I have been examining the contents of the log inside the NetGear router and I have discovered some entries in the log that I am having difficulty explaining. Here is a sample:

[LAN access from remote] from 94.67.101.114:23524 to 192.168.0.127:47811 Saturday, May 15,2010 23:36:45
[LAN access from remote] from 115.133.36.110:10684 to 192.168.0.127:47811 Saturday, May 15,2010 23:36:42
[LAN access from remote] from 166.166.204.102:4752 to 192.168.0.127:58707 Saturday, May 15,2010 23:36:40
[LAN access from remote] from 69.140.106.37:57403 to 192.168.0.127:58707 Saturday, May 15,2010 23:36:31

The problem is that my DHCP list and network do not contain any computer, or other device at the 192.168.0.127 IP address. I may have had a BOT type virus on my system, so I am wondering if it could have been spoofing this address somehow. I have run the probes found at Gibson Research "Shields Up," and they report all my ports are hidden from the outside. Can anyone shed any light on what may be going on with these probes to this phantom address? Thanks!
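As an added illustration (not code from the original post), the following Python script parses log lines in the exact "[LAN access from remote] from A:port to B:port date" format quoted above and flags any LAN destination that is absent from a DHCP lease table; the lease table and the fifth log line are constructed, since the poster's real list is not on the page.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: the four lines quoted in the post plus one constructed
# hit against a host that does appear in the (constructed) DHCP lease table.
SAMPLE_LOG = """\
[LAN access from remote] from 94.67.101.114:23524 to 192.168.0.127:47811 Saturday, May 15,2010 23:36:45
[LAN access from remote] from 115.133.36.110:10684 to 192.168.0.127:47811 Saturday, May 15,2010 23:36:42
[LAN access from remote] from 166.166.204.102:4752 to 192.168.0.127:58707 Saturday, May 15,2010 23:36:40
[LAN access from remote] from 69.140.106.37:57403 to 192.168.0.127:58707 Saturday, May 15,2010 23:36:31
[LAN access from remote] from 203.0.113.9:40000 to 192.168.0.3:445 Saturday, May 15,2010 23:30:00
"""
# Constructed lease table; the poster's real DHCP list is not on the page.
KNOWN_LEASES = {"192.168.0.2", "192.168.0.3", "192.168.0.10"}

LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) (?P<when>.+)$"
)

def parse_log(text):
    """Parse WGR614-style log lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries

def phantom_targets(entries, known_leases):
    """Map each unknown private LAN destination to {dst_port: hit_count}.
    Only 'LAN access from remote' events count, so other events are ignored."""
    hits = {}
    for e in entries:
        if e["event"] != "LAN access from remote":
            continue
        dst = e["dst"]
        if dst in known_leases or not ip_address(dst).is_private:
            continue
        hits.setdefault(dst, Counter())[e["dport"]] += 1
    return {dst: dict(c) for dst, c in hits.items()}

def distinct_sources(entries, dst):
    """Number of different remote addresses that reached `dst`: many unrelated
    sources hitting one high port is the pattern worth confirming with netstat -ano."""
    return len({e["src"] for e in entries if e["dst"] == dst})
```

Running `phantom_targets(parse_log(SAMPLE_LOG), KNOWN_LEASES)` on the sample reports only 192.168.0.127, with two hits each on ports 47811 and 58707 from four distinct remote sources.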

#1
May 16, 2010 at 07:17:46
Download, update & run anti-malware from malwarebytes.org

How do you know when a politician is lying? His mouth is moving.


#2
May 16, 2010 at 22:56:21
Thanks - this I have done. Malwarebytes is a great utility. However, I'm still trying to learn why I'm getting network traffic to an IP address that is not in my DHCP assigned IP list???


#3
May 17, 2010 at 02:05:59
Eh, take a packet capture at the gateway and look??

Might need a better router...

Could just be faulty software though. I saw some network monitoring software once telling me I had traffic going to a strange government IP (so said the whois!), after looking around forever, I finally figured out the problem - the software wasn't identifying IP-only traffic, and was pulling that packet from some STP broadcast - not even an IP packet, those bits just happened to be a valid IP, and just so happened to be in a netblock that made me s--- myself.

hah, funny story though...

Anyway, do a packet capture and look for traffic from that host - how else are you going to tell?



#4
May 17, 2010 at 03:58:37
A packet capture is a good idea but I'm willing to bet that there is some malware on that machine. That's the most likely way that the packets are arriving at 192.168.1.127. In other words, they are being requested.

Run netstat -ano from a command prompt. I bet you see that IP address with those high port numbers in the local address column. Usually but not always, high port numbers are source ports, not destination ports. The source is your PC.

Running tasklist might be a good idea too.

How do you know when a politician is lying? His mouth is moving.
