Dmitry Treiserov, 2019-03-21 09:54:03
Computer networks

Why do I see a bunch of other networks outside my factory, and even outside my country?

Past two threads:
1) An IP "floats" in the domain network (without Internet access). How do I catch and remove it?
2) The same MAC on multiple IPs. How do I find the source of the problem?
In short, the rogue DHCP was replaced this morning and became 116.0.168.1.
I decided to check the entire range of the network. There were many responses, but 117 is the best one.
When you access this network, it accepts the computer name and the domain of the person accessing it.
IN THE 117 SUBNET I SEE DEVICES THAT I CAN CONNECT TO,
Then I ran a trace to the 117 IP:
C:\Users\sysadmin>tracert 117.0.168.1
Tracing route to sysadmin.***.ru [117.0.168.1]
with a maximum number of hops 30:
 1 <1 ms <1 ms <1 ms 192.168.0.1
 2 5 ms 4 ms 4 ms net238-252.perm.ertelecom.ru [46.146.238.252]
 3 5 ms 4 ms 4 ms ae0-435.bbr01.perm.ertelecom.ru [212.33.233.105]
 4 33 ms 47 ms 33 ms sap-b3-link.telia.net [62.115.148.174]
 6 41 ms 41 ms 41 ms s-bb4-link.telia.net [80.91.250.99]
 7 62 ms 62 ms 62 ms ffm-bb4-link.telia.net [62.115.138.105]
 8 81 ms 81 ms 81 ms mei-b1-link.telia.net [62.115.112.231]
 9 214 ms 214 ms 214 ms snge-b1-link.telia.net [62.115.141.147]
10 229 ms 237 ms 243 ms 62.115.60.18
11 279 ms 266 ms 275 ms sysadmin.***.ru [27.68.248.29]
12 260 ms 262 ms 271 ms sysadmin.***.ru [27.68.232.9]
13 274 ms 263 ms 271 ms sysadmin.***.ru [27.68.255.33]
14 279 ms 275 ms 256 ms sysadmin.***.ru [27.68.229.50]
15 271 ms 281 ms 295 ms sysadmin.***.ru [117.0.168.1]

Trace completed.
Then we scanned the network range 27.68.*.*.
We see about 20,000 nodes online; 8 of them are known and active (we can access them and log in). We
requested the ARP table there: all the rogue networks come from the MAC of our bridge. Well, I'm not surprised.)
WHAT TO DO? )

6 answer(s)
Dmitry Treiserov, 2019-06-10
@Tracerov

hint000, Anatoly, BasiC2k, Talyan, CityCat4,
guys, in general the answer was like this!
On Saturday I set up VLANs on the Mikrotiks. Lord, what a pain) And while cutting the equipment off again, I caught this elusive IP and cornered it hard by disabling ports) And then victory! Basically, just as you all said. In short, the "worm", the b....d, turned out to be a running-line (scrolling LED) sign. Before that I already knew that they wildly spam DHCP on the network, and I was more than sure it was them; now I have proved it to myself. In short, for those who run into such trouble: in my case, what helped was installing a Wi-Fi router, which by default has the ....0.50 IP, as well as DHCP alerts, and the best way is to disconnect patch cords and identify where the "intruder" is located. Thank you all for your help! Thank you all for your patience. We got a very interesting story)

nApoBo3, 2019-03-23
@nApoBo3

I looked at the previous threads. You are mixing tracert, ping, DHCP and network scanning all into one pile.
Judging by the first topic, there is an alternative DHCP server in your network. It should be understood that this is not necessarily the server itself; it can be a relay. And it can be either your own relay, due to configuration errors, or a "rogue" one.
But you should understand that if the DHCP address is not on your subnet, it may be two different hosts. I.e. a host or relay on your subnet received your DHCP broadcast request, answered you, and presented itself with a specific IP. But since that IP is not in your subnet, traffic to it will go through the gateway, so you may end up at a completely different node.
Example:
I bring up DHCP on your network and manually assign it the IP of Yandex. You got an address and try to ping my IP, but the traffic will go to the gateway, the gateway will send it to Yandex, and the Yandex node will answer you.
You need to find the DHCP server on the network that is "playing dirty tricks" on you. First, look in Wireshark at the MAC address that answers you. Try to find it on the switches. In the worst case, narrow down the domain; you can even physically turn off switches or insert a properly configured Mikrotik inline.
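As an added example (not code from this thread), here is the check the answer above describes: record which MAC is answering DHCP and whether the offered address and server identifier are even on your subnet. It parses raw DHCPOFFER payloads; the trusted server MAC, the subnet 192.168.0.0/24 and the two sample offers (one legitimate, one handing out the 116.0.168.x range from the question) are assumptions constructed for the example.

```python
from ipaddress import IPv4Address, IPv4Network
LAN = IPv4Network("192.168.0.0/24")  # the legitimate subnet (gateway 192.168.0.1 in the trace)
# Assumed: MAC and server identifier of the one DHCP server that should exist on this LAN.
TRUSTED = {"aa:bb:cc:00:00:01": IPv4Address("192.168.0.1")}
MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END, DHCPOFFER = 53, 54, 255, 2

def build_offer(xid, yiaddr, server_id):
    """Constructed minimal DHCPOFFER payload (BOOTP fixed header + options), for testing only."""
    hdr = (bytes([2, 1, 6, 0]) + xid.to_bytes(4, "big") + b"\0" * 8   # op/htype/hlen/hops, xid, secs/flags/ciaddr
           + IPv4Address(yiaddr).packed + b"\0" * 216)                  # yiaddr, then siaddr..file zeroed
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return hdr + MAGIC + opts + bytes([OPT_END])

def parse_dhcp(payload):
    """Pull message type, yiaddr and option 54 (server identifier) out of a raw DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    fields = {"yiaddr": IPv4Address(payload[16:20]), "msg_type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:          # pad option: single byte, no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE and length == 1:
            fields["msg_type"] = value[0]
        elif code == OPT_SERVER_ID and length == 4:
            fields["server_id"] = IPv4Address(value)
        i += 2 + length
    return fields

def check_offer(src_mac, payload):
    """Return the reasons an OFFER looks rogue; an empty list means it came from the known server."""
    f = parse_dhcp(payload)
    if f["msg_type"] != DHCPOFFER:
        return []                    # only OFFERs identify a server; DISCOVER/REQUEST are ignored
    findings = []
    if src_mac not in TRUSTED:
        findings.append(f"OFFER from unknown server MAC {src_mac}: trace this MAC on the switches")
    if f["server_id"] is None or f["server_id"] not in LAN:
        findings.append(f"server identifier {f['server_id']} is outside {LAN}: traffic to it leaves via the gateway")
    if f["yiaddr"] not in LAN:
        findings.append(f"offered address {f['yiaddr']} is outside {LAN}")
    return findings
# Constructed samples: the legitimate server, and a rogue one handing out the 116.0.168.x range from the question.
LEGIT = ("aa:bb:cc:00:00:01", build_offer(0x1234, "192.168.0.50", "192.168.0.1"))
ROGUE = ("de:ad:be:ef:00:01", build_offer(0x1235, "116.0.168.55", "116.0.168.1"))
```

In a real capture the source MAC comes from the Ethernet header of the frame that carried the OFFER, which is the MAC to look up in the switches' address tables.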

BasiC2k, 2019-03-21
@BasiC2k

Perhaps your network has video surveillance equipment from a Chinese kit. Some network cameras and recorders can run a DHCP server. The settings of such a device may have been reset to "default" after a power failure.

Diman89, 2019-03-21
@Diman89

I didn't follow it from the very beginning, but as an option: make a rule on the router to drop DHCP packets that do not come from the LAN.

Alexey Nikolaev, 2019-03-21
@Heian

I'm surprised no one has answered this before, but... it could be a virus.

Anatoly, 2019-03-21
@Tolly

Doesn't the provider have a local network, like Beeline's?
Perhaps someone connected a second Internet channel and confused WAN with LAN.
What's stopping you from finding the third-party DHCP? "arp -a" has not been cancelled))
...
Change the admin.
