Unused IP On Static Network is Pingable

 
 
Deb
Guest
Posts: n/a
 
      08-27-2008
I run an old school NT server w/ about half a dozen windows and
linux boxes on my home LAN. All hard wired with static IPs.

I was just going through my router logs (linksys befsr41 v3 w/
updated firmware) and I noticed packets to and from IP
192.168.0.200. This IP is assigned to my network printer but
that printer is currently disconnected. I pinged the IP and
got replies!

As an aside, I also notice that sometimes the zonealarm
firewalls on my windoze machines will flag spooler sub system
for trying to access the internet zone. This usually happens
when I connect to a share on another machine. All my machines
are in the trusted zone (private ip block 192.168.0.0 -
192.168.0.256) so I see no need for the spooler to look
elsewhere.

To top it all off, I also noticed that my router's DMZ was set
to the same IP (192.168.0.200). I recently set one of my boxes up
in the DMZ for some temporary torrent downloads (legal linux
distros) but the 192.168.0.200 ip was not the one I set up!

I disabled DMZ and rebooted the router but was still able to
ping the 192.168.0.200 address for over an hour before it
finally stopped responding.

I don't have a clue about why a device would respond to pings
when it is not even connected to the LAN nor why my DMZ address
would be automagically changed so I am assuming that something's
been hacked. I can't find anything on the boxes, no rootkits,
spyware, viruses etc.

I know zonealarm's not the best but I don't have cash to buy
anything better especially for NT server. Nevertheless, I
haven't had a problem with this set up in over six years. Any
ideas?

Thanks in advance,

Deb
 
Jim Watt
Guest
Posts: n/a
 
      08-27-2008
On Wed, 27 Aug 2008 04:10:28 GMT, Deb <> wrote:

>I run an old school NT server w/ about half a dozen windows and
>linux boxes on my home LAN. All hard wired with static IPs.
>
>I was just going through my router logs (linksys befsr41 v3 w/
>updated firmware) and I noticed packets to and from IP
>192.168.0.200. This IP is assigned to my network printer but
>that printer is currently disconnected. I pinged the IP and
>got replies!
>
>As an aside, I also notice that sometimes the zonealarm
>firewalls on my windoze machines will flag spooler sub system
>for trying to access the internet zone. This usually happens
>when I connect to a share on another machine. All my machines
>are in the trusted zone (private ip block 192.168.0.0 -
>192.168.0.256) so I see no need for the spooler to look
>elsewhere.
>
>To top it all off, I also noticed that my router's DMZ was set
>to the same IP (192.168.0.200). I recently set one of my boxes up
>in the DMZ for some temporary torrent downloads (legal linux
>distros) but the 192.168.0.200 ip was not the one I set up!
>
>I disabled DMZ and rebooted the router but was still able to
>ping the 192.168.0.200 address for over an hour before it
>finally stopped responding.
>
>I don't have a clue about why a device would respond to pings
>when it is not even connected to the LAN nor why my DMZ address
>would be automagically changed so I am assuming that something's
>been hacked. I can't find anything on the boxes, no rootkits,
>spyware, viruses etc.
>
>I know zonealarm's not the best but I don't have cash to buy
>anything better especially for NT server. Nevertheless, I
>haven't had a problem with this set up in over six years. Any
>ideas?



192.168.x.x is not going anywhere over the Internet because it's a
non-routable block. You should have run tracert, which may
have been interesting.

DMZs are best avoided.
--
Jim Watt
http://www.gibnet.com
 
Ari
Guest
Posts: n/a
 
      08-27-2008
On Wed, 27 Aug 2008 04:10:28 GMT, Deb wrote:

> I run an old school NT server w/ about half a dozen windows and
> linux boxes on my home LAN. All hard wired with static IPs.
>
> I was just going through my router logs (linksys befsr41 v3 w/
> updated firmware) and I noticed packets to and from IP
> 192.168.0.200. This IP is assigned to my network printer but
> that printer is currently disconnected. I pinged the IP and
> got replies!
>
> As an aside, I also notice that sometimes the zonealarm
> firewalls on my windoze machines will flag spooler sub system
> for trying to access the internet zone. This usually happens
> when I connect to a share on another machine. All my machines
> are in the trusted zone (private ip block 192.168.0.0 -
> 192.168.0.256) so I see no need for the spooler to look
> elsewhere.
>
> To top it all off, I also noticed that my router's DMZ was set
> to the same IP (192.168.0.200). I recently set one of my boxes up
> in the DMZ for some temporary torrent downloads (legal linux
> distros) but the 192.168.0.200 ip was not the one I set up!
>
> I disabled DMZ and rebooted the router but was still able to
> ping the 192.168.0.200 address for over an hour before it
> finally stopped responding.
>
> I don't have a clue about why a device would respond to pings
> when it is not even connected to the LAN nor why my DMZ address
> would be automagically changed so I am assuming that something's
> been hacked. I can't find anything on the boxes, no rootkits,
> spyware, viruses etc.
>
> I know zonealarm's not the best but I don't have cash to buy
> anything better especially for NT server. Nevertheless, I
> haven't had a problem with this set up in over six years. Any
> ideas?
>
> Thanks in advance,
>
> Deb


Are you MAC filtering?
--
http://www.bushflash.com/idiot.html
 
Deb
Guest
Posts: n/a
 
      08-28-2008
Ari <> wrote:

> On Wed, 27 Aug 2008 04:10:28 GMT, Deb wrote:
>
>> I run an old school NT server w/ about half a dozen windows and
>> linux boxes on my home LAN. All hard wired with static IPs.
>>
>> I was just going through my router logs (linksys befsr41 v3 w/
>> updated firmware) and I noticed packets to and from IP
>> 192.168.0.200. This IP is assigned to my network printer but
>> that printer is currently disconnected. I pinged the IP and
>> got replies!
>>
>> As an aside, I also notice that sometimes the zonealarm
>> firewalls on my windoze machines will flag spooler sub system
>> for trying to access the internet zone. This usually happens
>> when I connect to a share on another machine. All my machines
>> are in the trusted zone (private ip block 192.168.0.0 -
>> 192.168.0.256) so I see no need for the spooler to look
>> elsewhere.
>>
>> To top it all off, I also noticed that my router's DMZ was set
>> to the same IP (192.168.0.200). I recently set one of my boxes up
>> in the DMZ for some temporary torrent downloads (legal linux
>> distros) but the 192.168.0.200 ip was not the one I set up!
>>
>> I disabled DMZ and rebooted the router but was still able to
>> ping the 192.168.0.200 address for over an hour before it
>> finally stopped responding.
>>
>> I don't have a clue about why a device would respond to pings
>> when it is not even connected to the LAN nor why my DMZ address
>> would be automagically changed so I am assuming that something's
>> been hacked. I can't find anything on the boxes, no rootkits,
>> spyware, viruses etc.
>>
>> I know zonealarm's not the best but I don't have cash to buy
>> anything better especially for NT server. Nevertheless, I
>> haven't had a problem with this set up in over six years. Any
>> ideas?
>>
>> Thanks in advance,
>>
>> Deb

>
> Are you MAC filtering?



No MAC filtering here, I change hardware fairly often and it just adds
one more thing to keep track of. BTW, 6-10 machines is a bit overkill
for 2 users. So, I strive to keep a balance between security and
convenience.

>192.168.x.x is not going anywhere over the Internet because it's a
>non-routable block. You should have run tracert, which may
>have been interesting.

Of course, 192.168.x.x is not routable, that's why we use it for internal,
right? I will run a trace route if the issue comes up again. In fact,
if I find time I may set up the situation again so that I can run a
trace.

>DMZs are best avoided.

I disabled the DMZ, it was just a temporary setup in order to do a legal
torrent download. (I ran a web server farm for 12 years...) so, sometimes
for some things, and in some situations it really can't be avoided.
But you're right, DMZ is often full of bad news.

I am still really curious as to how an IP that is unassigned responds to
ping. That is the question here. Also why do my router logs show LAN
traffic to and from this IP! My guess is that it has something to do
with the NT domain and spooler trying to find the missing printer. Still a
weird one overall... and I don't care much for guesses anyway.

Hey thanks for the help, it's much appreciated.


Deb



 
Ari
Guest
Posts: n/a
 
      08-28-2008
On Thu, 28 Aug 2008 18:08:18 GMT, Deb wrote:

> I am still really curious as to how an IP that is unassigned responds to
> ping. That is the question here. Also why do my router logs show LAN
> traffic to and from this IP! My guess is that it has something to do
> with the NT domain and spooler trying to find the missing printer. Still a
> weird one overall... and I don't care much for guesses anyway.


What are the chances that this offline printer IP was hacked and there
was a real computer on the other side?
 
Jim Watt
Guest
Posts: n/a
 
      08-29-2008
On Fri, 29 Aug 2008 03:05:39 GMT, Deb <> wrote:

>It is all so obvious that unconnected devices are not pingable nor do
>they show up in router logs (both incoming/outgoing.) I'm just trying to
>understand how this occurred...


If you can recreate the situation again, do so and then
start removing devices physically until you find out which
one is using that address, and then investigate why.
--
Jim Watt
http://www.gibnet.com
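
Added example (not part of the thread, and not any poster's code): a quicker way to find which device is using the address than unplugging hosts one at a time is to read the MAC cached for 192.168.0.200 in the ARP table and match it against a list of the LAN's known adapters. The `arp -a` output, MAC addresses and host labels below are constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output (not taken from the thread).
SAMPLE_ARP = """\
Interface: 192.168.0.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-0c-41-aa-bb-01     dynamic
  192.168.0.20          00-50-56-aa-bb-20     dynamic
  192.168.0.200         00-50-56-aa-bb-20     dynamic
"""

# Hypothetical inventory of the LAN's static hosts: MAC -> label.
INVENTORY = {
    "00:0c:41:aa:bb:01": "router",
    "00:50:56:aa:bb:20": "linux-box-2",
    "00:80:77:aa:bb:c8": "network-printer",
}

# One ARP row: IPv4 address, MAC (dash or colon separated), entry type.
ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})[ \t]+\w+",
    re.MULTILINE,
)


def parse_arp(text):
    """Return {ip: mac} with MACs normalised to lower-case colon form."""
    return {ip: mac.lower().replace("-", ":") for ip, mac in ROW.findall(text)}


def who_answers(ip, arp_text, inventory, expected):
    """Classify the device whose MAC is cached for `ip`."""
    table = parse_arp(arp_text)
    mac = table.get(ip)
    if mac is None:
        return {"status": "no-arp-entry", "mac": None, "owner": None, "also_holds": []}
    owner = inventory.get(mac)
    if owner is None:
        status = "unknown-device"
    elif owner == expected:
        status = "expected-device"
    else:
        status = "claimed-by-other-host"
    # Other addresses resolved to the same MAC point at the host's real IP.
    also = sorted(a for a, m in table.items() if m == mac and a != ip)
    return {"status": status, "mac": mac, "owner": owner, "also_holds": also}


if __name__ == "__main__":
    print(who_answers("192.168.0.200", SAMPLE_ARP, INVENTORY, "network-printer"))
```

Ping the address first and capture `arp -a` right away, since ARP cache entries age out after a short time.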
 