
Odd remote hosts


Pwnd2Pwnr

I was running ettercap on a client's business network and found these remote hosts... Are any of these a great concern? I know that Kerberos encryption is being used... but what about the others? I just found this strange... how about you guys?

Network Information

==================================================

IP address : 18.85.44.59

OrgName: Massachusetts Institute of Technology

OrgId: MIT-2

Address: Room W92-167

Address: 77 Massachusetts Avenue

City: Cambridge

StateProv: MA

PostalCode: 02139-4307

Country: US

RegDate:

Updated: 2012-04-27

Ref: http://whois.arin.net/rest/org/MIT-2

DISTANCE : 17

TYPE : REMOTE host

FINGERPRINT :

OPERATING SYSTEM : UNKNOWN

PORT : UDP 123 | ntp []

NOTES ON CONNECTION: http://www.speedguide.net/ip/18.85.44.59

==================================================

==================================================

IP address : 24.124.0.251

OrgName: WideOpenWest Finance LLC

OrgId: WOPW

Address: 1674 Frontenac Rd

City: Naperville

StateProv: IL

PostalCode: 60563

Country: US

RegDate: 2002-04-10

Updated: 2012-01-12

Ref: http://whois.arin.net/rest/org/WOPW

NOTES ON CONNECTION: http://www.speedguide.net/ip/24.124.0.251 , http://www.bloomberg.com/news/2012-07-12/wideopenwest-sells-1-02-billion-of-debt-to-finance-knology-deal.html

end

start

CustName: Sunflower Broadband

Address: 1 Riverfront Plaza

Address: Suite 301

City: Lawrence

StateProv: KS

PostalCode: 66044

Country: US

RegDate: 2006-03-31

Updated: 2013-03-19

Ref: http://whois.arin.net/rest/customer/C01318887

end

DISTANCE : 12

TYPE : REMOTE host

FINGERPRINT :

OPERATING SYSTEM : UNKNOWN

PORT : UDP 123 | ntp []

==================================================

==================================================

IP address : 155.101.3.114

OrgName: University of Utah

OrgId: UNIVER-15-Z

Address: University of Utah

Address: Netcom

Address: 585 Komas

City: Salt Lake City

StateProv: UT

PostalCode: 84108

Country: US

RegDate: 2010-05-13

Updated: 2011-09-24

Ref: http://whois.arin.net/rest/org/UNIVER-15-Z

NOTES ON CONNECTION: http://ip.robtex.com/155.101.3.114.html

DISTANCE : 16

TYPE : REMOTE host

FINGERPRINT :

OPERATING SYSTEM : UNKNOWN

PORT : UDP 123 | ntp []

==================================================

==================================================

IP address : 199.7.51.72

Hostname : ocsp.verisign.com

DISTANCE : 16

TYPE : REMOTE host

FINGERPRINT : 1FFE:05B4:FF:WS:0:0:1:0:A:2C

OPERATING SYSTEM : unknown fingerprint (please submit it)

NEAREST ONE IS : Novell NetWare 3.12 - 5.00

PORT : TCP 80 | http []

==================================================

==================================================

IP address : 199.7.52.72

Hostname : evsecure-ocsp.verisign.com

DISTANCE : 17

TYPE : REMOTE host

FINGERPRINT : 1FFE:05B4:FF:WS:0:0:1:0:A:2C

OPERATING SYSTEM : unknown fingerprint (please submit it)

NEAREST ONE IS : Novell NetWare 3.12 - 5.00

PORT : TCP 80 | http []

==================================================

==================================================

IP address : 208.53.158.34

OrgName: FDCservers.net

OrgId: FDCSE

Address: 141 W Jackson Blvd. #1135

City: Chicago

StateProv: IL

PostalCode: 60604

Country: US

RegDate: 2003-05-20

Updated: 2012-03-28

Ref: http://whois.arin.net/rest/org/FDCSE

DISTANCE : 10

TYPE : REMOTE host

FINGERPRINT :

OPERATING SYSTEM : UNKNOWN

PORT : UDP 123 | ntp []

==================================================


I really mean no offense by this post so forgive me if I come across as an asshole.

If you have to ask the question you just did, you really shouldn't be jacked into a client's network without supervision by someone with a much better understanding, especially if you're playing with packets. Even those of us who have a good understanding of the workings of what we're playing with bring stuff down from time to time, and I'd question your ability to put something right should you click the wrong button and hijack HSRP or cause a spanning tree loop or some other madness.

Now the bit you were after:

PORT : UDP 123 | ntp []

PORT : TCP 80 | http []

Judging by this, I'd assume those boxes are NTP and HTTP servers.

NTP is the Network Time Protocol; lots of applications utilize it, so it's not a big deal.

HTTP is a standard web server port. It could just be someone browsing the internet. If you have any concerns about these (a lot of botnet C&Cs are HTTP nowadays), then my suggestion would be a proper analysis with Wireshark or something else which will allow you to see the packets.

Hope this helps. :)

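As an added example (not from the thread, and not ettercap's own code), a small Python parser for the host-profile dump quoted above that tags each remote host as an expected service or as one to look at more closely in Wireshark, as the reply suggests. The SAMPLE input and the EXPECTED table are assumptions constructed for this example.

```python
import re
# Constructed sample in the ettercap host-profile layout quoted above (RFC 5737 addresses).
SAMPLE = """\
==================================================
IP address : 192.0.2.10
TYPE : REMOTE host
OPERATING SYSTEM : UNKNOWN
PORT : UDP 123 | ntp []
==================================================
==================================================
IP address : 198.51.100.7
Hostname : ocsp.example.net
PORT : TCP 80 | http []
==================================================
==================================================
IP address : 203.0.113.9
PORT : TCP 6667 | []
==================================================
"""
FIELD_RE = re.compile(r"^(IP address|Hostname|OrgName|TYPE|OPERATING SYSTEM)\s*:\s*(.*)$")
PORT_RE = re.compile(r"^PORT\s*:\s*(TCP|UDP)\s+(\d+)")

def parse_profiles(text):
    """Split the dump on its '=====' separators and return one dict per host."""
    hosts = []
    for block in re.split(r"^=+\s*$", text, flags=re.M):
        host = {"ports": []}
        for line in (l.strip() for l in block.splitlines()):
            if (m := PORT_RE.match(line)):
                host["ports"].append((m.group(1), int(m.group(2))))
            elif (m := FIELD_RE.match(line)):
                host[m.group(1)] = m.group(2).strip()
        if "IP address" in host:
            hosts.append(host)
    return hosts

# Assumed baseline: services a client workstation is expected to reach; anything else gets a closer look.
EXPECTED = {("UDP", 123): "ntp", ("TCP", 80): "http", ("TCP", 443): "https"}

def triage(hosts):
    """Map each IP to 'expected:<svc>' or 'review:<proto>/<port>' tags for follow-up."""
    out = {}
    for h in hosts:
        tags = []
        for proto, port in h["ports"]:
            svc = EXPECTED.get((proto, port))
            tags.append(f"expected:{svc}" if svc else f"review:{proto}/{port}")
        if "ocsp" in h.get("Hostname", "").lower():
            tags.append("expected:ocsp-responder")  # browser certificate revocation checks
        out[h["IP address"]] = tags
    return out
```

Hosts tagged `review` are the ones worth capturing with Wireshark; the `expected` ones match the NTP, HTTP and OCSP traffic an ordinary workstation generates.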

LOL... it has been a forts age since I have been on the server end... so I am kicking off some rust.

j4k3: I have a great understanding of how things work (and I know better than to mess with a switch's spanning tree). I merely watched outgoing traffic. No harm done. I thoroughly research everything before I touch anything. I know you did not mean to come across like a jerk, but I do know my way around a network.

I am just asking the community if there would be something that I should be on the lookout for... because only the wise learn from others :) . I did not set up the server... but their machine was riddled with rogueware and malware. I am just doing some recon.

Newbi3: This is on a client machine... I got to see what the jack a** did to their server... but it is a mess. It has warning logs backed up for days... errrr....
