Strange Routes

[thelowlyone]

Hi everyone,

I recently did a route print on a Windows 2003 Server running Windows Media Services. There are a lot of IPs in there that don't belong to me. And when I delete them "new" ones are added about an hour later all from the same IP range. What does this mean? Is someone trying to take my content?

[Sparda]

What do you mean by 'route print'?

[Operator]

route print is a windows command line tool to show the current routing table and add/remove routes etc. like the route command in Linux.

seems weird that routes would be adding themselves. you say from the same subnet so its not the same routes each time? and when are they re-added? after a reboot? restarting a program?

[thelowlyone]

Thanks for the replies. The routes are added ~1 hour after I remove them. And yes they're not the same routes but are from the same IP range (ex. they all start with 66.xxx.xxx.xxx). I don't do anything and they just "appear" about an hour after I remove them. Is my server compromised?

[Operator]

interesting. if there being re-added exactly an hour after you remove them i would suspect some program is doing it. check to see what processes are running etc and look for anything that does not look normal. also check event logs all tha usual stuff.

[Deveant]

also i suggest randomly googl'ing one of the IP's, such as in google just type "x.x.x.x" and see if it comes up being zombie, or such.

[thelowlyone]

Thanks for the suggestions. Will try when I get home.

[thelowlyone]

Its been a few days now and there the problem seems to have solved itself. The routes are no longer being added. I found that the IPs belong to a ISP in Canada. Thanks for all the help though.

[Operator]

kool, glad to here its fixed