linksys router and ip 192.168.2.255 - Tilted Forum Project Discussion Community

bacon_masta · 06-08-2004, 08:37 AM

so my roomate and i have been using a linksys etherfast router for more than a year now (model BEFSR41) and through my sygate personal firewall pro logs, i discovered that my machine has been sending a huge amount of information to the ip 192.168.2.255. now i understand that this is a broadcast ip, but before very recently i was neither sending nor recieving information from this ip address. i was just wondering if and how this personal intranet ip could be hijacked from an external source and used to get information/attack computers on my home network. i updated the firmware of the router 3 days ago to prevent lan-side DoS exploits that i read about in a forum, but after reconfiguring my router these strange communications with 192.168.2.255 started. is there a problem, or am i just being paranoid?

mikec · 06-08-2004, 09:12 AM

.255 is the default location of where the router will send the log, if it is enabled. check that out.

hrdwareguy · 06-08-2004, 09:13 AM

First off, what is your IP address?

bacon_masta · 06-08-2004, 09:58 AM

the log is being sent to my machine, i try to keep my network on lockdown. my ip? on the network, or my isp ip for my network?

mikec · 06-08-2004, 10:12 AM

network IP (start, run, cmd, ipconfig /all)

bacon_masta · 06-08-2004, 01:00 PM

no idea which ip you wanted, so here's all the flow minus sensitive information

Windows IP Configuration

Host Name . . . . . . . . . . . . :
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : launchmodem.com
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . :
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.1.254
192.168.1.254
Lease Obtained. . . . . . . . . . : Tuesday, June 08, 2004 4:52:30 PM
Lease Expires . . . . . . . . . . : Wednesday, June 09, 2004 4:52:30 PM

hrdwareguy · 06-08-2004, 01:16 PM

Looks like your computer is broadcasting to your workgroup, but who know what.

I would make sure you have Anti-Virus with the latest virus defs installed and run a check. Also, you might want to get something like zone alarm and see if that will tell you what application is broadcasting.

ibis · 06-08-2004, 09:18 PM

Now that you've broadcasted you IP, I sure hope you've changed the default admin password

bacon_masta · 06-09-2004, 07:59 AM

broadcasting my network ip isn't an issue, 192.168.x.x are reserved for private networks by one of those ip delegation peoples, i would imagine a bazillion or so people have the same one (ok, a bit of an exageration on the bazillion). plus, the default pass was already changed, and i cut everything out of the message that could be used to compromise my system

btw, i already have free avg, and ntoskernel.exe was the prog broadcasting from my pc and accepting info from 192.168.2.255

EDIT upon further research i found that the program broadcasting to 192.168.2.255 was ndisuio.sys, a driver used by the wireless configuration service built into xp. no idea why it was on, but i stopped it and haven't had anymore transmissions to the ip. thanks for the help

06-08-2004, 08:37 AM	#1 (permalink)
bacon_masta Psycho Location: i live in the state of denial	linksys router and ip 192.168.2.255 so my roomate and i have been using a linksys etherfast router for more than a year now (model BEFSR41) and through my sygate personal firewall pro logs, i discovered that my machine has been sending a huge amount of information to the ip 192.168.2.255. now i understand that this is a broadcast ip, but before very recently i was neither sending nor recieving information from this ip address. i was just wondering if and how this personal intranet ip could be hijacked from an external source and used to get information/attack computers on my home network. i updated the firmware of the router 3 days ago to prevent lan-side DoS exploits that i read about in a forum, but after reconfiguring my router these strange communications with 192.168.2.255 started. is there a problem, or am i just being paranoid?

06-08-2004, 09:12 AM	#2 (permalink)
mikec I flopped the nutz... Location: Stratford, CT	.255 is the default location of where the router will send the log, if it is enabled. check that out. __________________ Until the 20th century, reality was everything humans could touch, smell, see, and hear. Since the initial publication of the charted electromagnetic spectrum, humans have learned that what they can touch, smell, see, and hear is less than one millionth of reality

06-08-2004, 09:13 AM	#3 (permalink)
hrdwareguy "Officer, I was in fear for my life" Location: Oklahoma City	First off, what is your IP address? __________________ Gun Control is hitting what you aim at Aim for the TFP, Donate Today

06-08-2004, 10:12 AM	#5 (permalink)
mikec I flopped the nutz... Location: Stratford, CT	network IP (start, run, cmd, ipconfig /all) __________________ Until the 20th century, reality was everything humans could touch, smell, see, and hear. Since the initial publication of the charted electromagnetic spectrum, humans have learned that what they can touch, smell, see, and hear is less than one millionth of reality

06-08-2004, 01:16 PM	#7 (permalink)
hrdwareguy "Officer, I was in fear for my life" Location: Oklahoma City	Looks like your computer is broadcasting to your workgroup, but who know what. I would make sure you have Anti-Virus with the latest virus defs installed and run a check. Also, you might want to get something like zone alarm and see if that will tell you what application is broadcasting. __________________ Gun Control is hitting what you aim at Aim for the TFP, Donate Today

06-08-2004, 09:58 AM	#4 (permalink)
bacon_masta Psycho Location: i live in the state of denial	the log is being sent to my machine, i try to keep my network on lockdown. my ip? on the network, or my isp ip for my network?

06-08-2004, 01:00 PM	#6 (permalink)
bacon_masta Psycho Location: i live in the state of denial	no idea which ip you wanted, so here's all the flow minus sensitive information Windows IP Configuration Host Name . . . . . . . . . . . . : Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Unknown IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : launchmodem.com Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) Physical Address. . . . . . . . . : Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 192.168.2.101 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.2.1 DHCP Server . . . . . . . . . . . : 192.168.2.1 DNS Servers . . . . . . . . . . . : 192.168.1.254 192.168.1.254 Lease Obtained. . . . . . . . . . : Tuesday, June 08, 2004 4:52:30 PM Lease Expires . . . . . . . . . . : Wednesday, June 09, 2004 4:52:30 PM

06-08-2004, 09:18 PM	#8 (permalink)
ibis PIKE!	Now that you've broadcasted you IP, I sure hope you've changed the default admin password

06-09-2004, 07:59 AM	#9 (permalink)
bacon_masta Psycho Location: i live in the state of denial	broadcasting my network ip isn't an issue, 192.168.x.x are reserved for private networks by one of those ip delegation peoples, i would imagine a bazillion or so people have the same one (ok, a bit of an exageration on the bazillion). plus, the default pass was already changed, and i cut everything out of the message that could be used to compromise my system btw, i already have free avg, and ntoskernel.exe was the prog broadcasting from my pc and accepting info from 192.168.2.255 EDIT upon further research i found that the program broadcasting to 192.168.2.255 was ndisuio.sys, a driver used by the wireless configuration service built into xp. no idea why it was on, but i stopped it and haven't had anymore transmissions to the ip. thanks for the help Last edited by bacon_masta; 06-09-2004 at 10:24 AM..