Strange netstat output
Joe Altman
fj at panix.com
Tue Nov 9 13:53:40 PST 2004
On Mon, Nov 08, 2004 at 11:20:03AM +0100, Jorn Argelo wrote:
> Hi folks,
>
> Recently I took notice of a strange netstat output within my LAN:
>
> [jorn at www] ~> netstat -ra
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            ACA80101.ipt.aol.c UGS         0   156153    rl0
> localhost          localhost          UH          2   539754    lo0
> ACA80100.ipt.aol.c link#1             UC          0        0    rl0
> ACA80101.ipt.aol.c 00:09:5b:a7:a4:3e  UHLW        1     3918    rl0    790
> ACA80102.ipt.aol.c 00:10:a7:0d:6f:7f  UHLW        0      325    rl0   1193
> ACA80104.ipt.aol.c localhost          UGHS        0        0    lo0
> ACA801FF.ipt.aol.c ff:ff:ff:ff:ff:ff  UHLWb       0     1091    rl0
> 192.168.2.105      localhost          UGHS        0        0    lo0
>
>
> The ipt.aol.com is the one that's the problem. If I ping it, it returns this:
>
>
> PING ACA80102.ipt.aol.com (172.168.1.2): 56 data bytes
> 64 bytes from 172.168.1.2: icmp_seq=0 ttl=64 time=0.120 ms
> 64 bytes from 172.168.1.2: icmp_seq=1 ttl=64 time=0.149 ms
> 64 bytes from 172.168.1.2: icmp_seq=2 ttl=64 time=0.149 ms
> ^C
> --- ACA80102.ipt.aol.com ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.120/0.139/0.149/0.014 ms
> [jorn at www] ~>
>
> Which is my internal IP address. If I ping ACA80104, it goes to 172.168.1.4. If
> I ping ACA80100, it says 172.168.1.100 and ACA801FF is the 172.168.1.255
> address (the broadcast address, if I recall my Cisco classes correctly).

Are you saying that you've used 172.168.1.2 for a host on your LAN?
If so:

04:43 PM: whois -h whois.arin.net 172.168.1.2

OrgName:    America Online
OrgID:      AOL
Address:    22000 AOL Way
City:       Dulles
StateProv:  VA
PostalCode: 20166
Country:    US

NetRange:   172.128.0.0 - 172.191.255.255
CIDR:       172.128.0.0/10

The ipt machines are clients using AOL for connectivity, IIACI.

I think you mean to use:

172.16.0.0 through 172.31.255.255

> The 192.168.1.105 address is rather strange as well, because I'm not using
> that range on the router's DHCP server (Netgear FVS318, in case you want to know)
>
> So my question is, what are these? My firewall log (on the router) is showing
> some major blocking on port 445 and 135. It's not like one IP address is doing
> all the bad stuff; most of them are just random grabs from virus infected
> machines.
--
One million points of light shining on the new world-order model for
fascism and tyranny. Get in line.
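
Added example, not part of the original message: a Python check that decodes the hex host labels from the routing table above back to IPv4 addresses and tests them against the RFC 1918 private blocks, which is the point the reply makes about 172.168.1.x. It assumes the eight-hex-digit label is the address in hexadecimal, as the ping output suggests; the function names are illustrative.

```python
import ipaddress
import re

# RFC 1918 private-use blocks; 172.16.0.0/12 spans 172.16.0.0 through 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: a leading label of exactly eight hex digits encodes the IPv4 address.
HEX_LABEL = re.compile(r"^([0-9A-Fa-f]{8})(?:\.|$)")


def decode_hex_label(hostname):
    """Return the IPv4Address encoded in a label such as 'ACA80102', else None."""
    m = HEX_LABEL.match(hostname)
    return ipaddress.IPv4Address(int(m.group(1), 16)) if m else None


def classify(addr):
    """Name the RFC 1918 block containing addr, or flag it as publicly routable."""
    addr = ipaddress.IPv4Address(addr)
    for net in RFC1918:
        if addr in net:
            return "private %s" % net
    return "public"


def audit(names):
    """Map each routing-table name to (name, decoded address or None, class)."""
    results = []
    for name in names:
        try:
            addr = ipaddress.IPv4Address(name)   # already a dotted quad
        except ValueError:
            addr = decode_hex_label(name)        # try the hex-label form
        results.append((name, str(addr) if addr else None,
                        classify(addr) if addr else "not an address"))
    return results


if __name__ == "__main__":
    # Destination names copied from the netstat output quoted in the message.
    table = ["default", "localhost", "ACA80100.ipt.aol.c", "ACA80101.ipt.aol.c",
             "ACA80102.ipt.aol.c", "ACA80104.ipt.aol.c", "ACA801FF.ipt.aol.c",
             "192.168.2.105"]
    for name, addr, kind in audit(table):
        print("%-20s %-16s %s" % (name, addr, kind))
```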