Strange IP address post boot

John Jakus

I am having a problem with several machines. I run a NetWare network. In
the login scripts, the users are connected to servers depending on their
current network address. I have 3 machines that are not working because
the network address is not correct pre-login. I have an internal 192
network that all systems use. They get their addresses from DHCP. On
these three machines they have addresses of:

81.192.255.13
18.52.86.120
103.25.192.209

before getting to the desktop. Once the system is logged on, the
address is the correct one assigned by DHCP. I can't figure out where these
addresses are coming from. I noticed on one machine that if I log in as an
Admin the address is correct pre-login and is only incorrect for the
main user of the machine. Perhaps a problem with the profile?

Any suggestions on where to look to find where these numbers are
originating? Spyware? Trojan?

Thanks,

John Jakus
 
That is bizarre. Those are public IP addresses too. I would consider those computers
compromised since you have no good explanation. To change an IP address requires
system or admin rights. I would isolate them and run a thorough virus/trojan/parasite
scan, being sure to use updated definitions as of today. To try to get a clue as to what
is going on, download some helpful tools from SysInternals: TCPView, Process
Explorer, and Autoruns. Start with TCPView to see if you can find any unusual process
using a port on the computer; it may help to compare results to a known "clean",
like-configured computer. Then you can use Process Explorer to find out more about
any process you find, and Autoruns to see if there are startup programs in the system
that should not be. Starting in safe mode with networking may help to bypass the
problem for attempted repairs or further investigation, though a complete reinstall
is the best option if these computers are compromised. If you find specific executables
involved you may want to search http://www.google.com or a place like
http://securityresponse.symantec.com/ to find out more information. --- Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml
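As an added example (not from the thread or any of its posters), the following Python script encodes the first two steps above: it checks the reported pre-login addresses against the internal DHCP range, and it parses `netstat -ano` output the way you would eyeball TCPView, listing connections whose far end is off the internal network together with the owning PID to chase in Process Explorer. The thread only says "internal 192 network", so the 192.168.0.0/16 scope is an assumption, and the netstat sample is constructed, not output from the poster's machines.

```python
import ipaddress

# Assumption (the thread only says "internal 192 network"): the DHCP scope is
# somewhere in 192.168.0.0/16. Replace with the real scope(s) before use.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

# The three pre-login addresses reported in the opening post.
OBSERVED_PRELOGIN = ["81.192.255.13", "18.52.86.120", "103.25.192.209"]

# Constructed sample of `netstat -ano` output from a Windows client; it is not
# real output from the poster's machines. The foreign address 81.192.255.13 is
# included only to show what a hit looks like.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.10.23:1045     192.168.10.5:524       ESTABLISHED     1288
  TCP    192.168.10.23:1071     81.192.255.13:6667     ESTABLISHED     1896
  UDP    192.168.10.23:137      *:*                                    4
"""


def classify_address(addr, internal=INTERNAL_NETWORKS):
    """'internal' if inside a configured internal network, 'non-routable' for
    any other RFC 1918 / loopback / link-local style block, else 'public'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in internal):
        return "internal"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "non-routable"
    return "public"


def flag_prelogin_addresses(addrs, internal=INTERNAL_NETWORKS):
    """Addresses a DHCP client of the internal network should never carry,
    each paired with its classification."""
    result = []
    for a in addrs:
        kind = classify_address(a, internal)
        if kind != "internal":
            result.append((a, kind))
    return result


def parse_netstat_ano(text):
    """Parse `netstat -ano` rows into dicts; header and blank lines are skipped.
    UDP rows have no State column, so the PID is the fourth field there."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        rows.append({"proto": parts[0], "local": parts[1],
                     "foreign": parts[2], "state": state, "pid": int(pid)})
    return rows


def suspicious_connections(rows, internal=INTERNAL_NETWORKS):
    """Rows whose foreign endpoint is off the internal network: the same thing
    you would look for first in TCPView, with the PID to look up in Process
    Explorer. Listening sockets and wildcard endpoints are ignored."""
    hits = []
    for r in rows:
        host, _, port = r["foreign"].rpartition(":")
        if host in ("*", "0.0.0.0"):
            continue
        if classify_address(host, internal) != "internal":
            hits.append((r["pid"], r["proto"], host, port, r["state"]))
    return hits


if __name__ == "__main__":
    for addr, kind in flag_prelogin_addresses(OBSERVED_PRELOGIN):
        print(f"pre-login address {addr} is {kind}; not from our DHCP scope")
    for pid, proto, host, port, state in suspicious_connections(
            parse_netstat_ano(SAMPLE_NETSTAT)):
        print(f"PID {pid} {proto} -> {host}:{port} {state}")
```

Run it on the isolated machine by piping real output in (`netstat -ano > ns.txt`, then read the file instead of SAMPLE_NETSTAT) and compare the hit list with a known-clean box of the same build. One further check that belongs alongside TCPView and Autoruns: on Windows the interface's IP settings are machine-wide and live under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, so `ipconfig /all` at the logon screen (via the Ctrl+Alt+Del prompt's task manager or a second console) and again after logon, plus a look at the EnableDHCP and IPAddress values in that key, tells you whether the pre-login address is a static entry someone wrote there or something applied later by a logon-time process.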
 
Looks like the network is hacked. The first IP belongs to MIT, the second one to
Morocco, and the last one is reserved by IANA.
 
Jetro said:
Looks like the network is hacked. The first IP belongs to MIT, the second one to
Morocco, and the last one is reserved by IANA.
This is interesting. If I create a new account on the machines, this
does not happen. It's only on older accounts. If I rename the profile,
delete the account and recreate the account fresh, the problem still
occurs. It's like some sort of vulnerability, trojan, worm or spyware
did this a while back but it's not active anymore, so it doesn't affect
new accounts. I will rebuild the two workstations, but one is a server.
What a pain!

Thanks,

John Jakus
 
It's really interesting. Only 3 machines and only pre-existing older user
accounts... Is the NetWare server keeping roaming profiles? It might be a
time bomb and snowball if it were the server.
 
Jetro said:
It's really interesting. Only 3 machines and only pre-existing older user
accounts... Is the NetWare server keeping roaming profiles? It might be a
time bomb and snowball if it were the server.
No, I'm not keeping roaming profiles yet. I am just now setting up
ZENworks and that will be a feature added at a later date. I just
noticed this didn't happen when DLU set up a test account. Very
interesting. It's like the account registry entries are not removed when
I delete the account and profiles. When the account is recreated, the
entries still exist.
 
Try installing the Looklan utility on any machine. All IP addresses and
hostnames on the network are listed in a report. Try your best.
 