Strange activity at high noon

(OP)
I've noticed network performance degrading right around lunch time for the past few weeks. I chalked it up to people enjoying their favorite soaps while they eat their lunch. Using Netscout I looked into it and I see many servers and workstations hitting an IP address 12.120.26.206. Lots of packets. It settles down around 1:30 so it only lasts a little over an hour. I tried looking up the owner of the IP address and it shows AT&T Worldnet. I assume it's an ISP somewhere. What could this strange activity be?

Thanks in advance

RE: Strange activity at high noon

Who complains when you block that site? Is this an online backup program running?

James P. Cottingham
I'm number 1,229!

RE: Strange activity at high noon

(OP)
Nobody has complained yet. No online backup programs. I blocked it this morning and now I have a new IP address that's popping up: 63.240.236.48

RE: Strange activity at high noon

Whois.arin.net. Does your company purchase services from this company?

RE: Strange activity at high noon

(OP)
Nope

RE: Strange activity at high noon

Those are both interesting IP addresses, but no record seems to be found, other than they seem to be part of an AT&T network.  Doing a set of lookups starting with a root server ultimately points you to an AT&T nameserver, but there is no reverse lookup, which makes me think it may be a residential customer.

From a previous post: whois arin.net, I am not sure if that was a question or not. ARIN stands for the American Registry for Internet Numbers (if that is the right term). It is one of the three (?) main Internet Registrars and is the one that handles North America.

RE: Strange activity at high noon

OK, I admit I know very little about these issues. A Google search of the listed IP numbers includes AT&T and whois arin.net in both instances. Some further looking reveals that in 2002 Microsoft was providing an app to track down the source of an attack on a server using whoisarin.net. I took a guess that this may be automated by 2010 and that an antivirus program may be the source of the packets sent. I was hoping someone would answer who knew the answer, rather than me who cannot spell company.

RE: Strange activity at high noon

NetRange: 63.240.0.0 - 63.242.255.255
CIDR: 63.242.0.0/16, 63.240.0.0/15
OriginAS:
NetName: CERFNET-BLK-5
NetHandle: NET-63-240-0-0-1
Parent: NET-63-0-0-0-0
NetType: Direct Allocation
NameServer: CBRU.BR.NS.ELS-GMS.ATT.NET
NameServer: DBRU.BR.NS.ELS-GMS.ATT.NET
NameServer: CMTU.MT.NS.ELS-GMS.ATT.NET
NameServer: DMTU.MT.NS.ELS-GMS.ATT.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1999-11-03
Updated: 2001-08-06
Ref: http://whois.arin.net/rest/net/NET-63-240-0-0-1


OrgName: CERFnet
OrgId: CERF
Address: 5738 Pacific Center Blvd
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US
RegDate: 1989-04-18
Updated: 2003-08-12
Ref: http://whois.arin.net/rest/org/CERF

OrgTechHandle: NETWO10-ARIN
OrgTechName: Network Provisioning
OrgTechPhone: +1-800-876-2373
OrgTechEmail: iptool@attens.com
OrgTechRef: http://whois.arin.net/rest/poc/NETWO10-ARIN

RTechHandle: CERF-HM-ARIN
RTechName: ATand T Enhanced Network Services
RTechPhone: +1-858-812-5000
RTechEmail: notify@attens.com
RTechRef: http://whois.arin.net/rest/poc/CERF-HM-ARIN

The above information: is it provided by arin.net? Or is arin.net the owner of the address?

RE: Strange activity at high noon

The above information would have been provided by Arin.net. I apologize if I wasn't clearer on this in my earlier post.

The owner is CERFnet. It looks like their contact is the Network Provisioning department at +1-800-876-2373 (plus their email and physical address). Based on the name server information CBRU.BR.NS.ELS-GMS.ATT.NET, it looks like this is a subsidiary of AT&T. The name server is a subdomain of att.net, which if you go to with a web browser is AT&T's home page.

A little more digging shows that cerf.net is part of AT&T and apparently handles part of their network infrastructure.  

Back to the original topic, it looks to me like you have an application, perhaps an unintended visitor, that is trying to phone home.

RE: Strange activity at high noon

Somebody connecting to his remote (home) PC???

RE: Strange activity at high noon

Good question. If he is/were running Linux I would suggest using netstat to see what the current and recent open connections are. This would tell you the process, user, and the to and from location.

Does Windows support something similar?
RE: Strange activity at high noon

Yes, Windows does have NetStat. See this for info. However, you might prefer TCPView.
James P. Cottingham
I'm number 1,229!
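The netstat/TCPView step above (find which local process owns the connections to the suspect addresses) can be scripted so it is repeatable across many workstations. The following is an added example for this thread, not a tool from Tek-Tips, Sysinternals or McAfee: it parses the Windows `netstat -ano` column layout (Proto, Local Address, Foreign Address, State, PID), maps the two addresses quoted in the thread to process IDs, and counts established peers so one address that every host is hitting stands out. The sample netstat output is constructed, not captured from a real host.

```python
"""Map suspect remote IPs to local process IDs from `netstat -ano` output.

Added example for this thread; not a tool from Tek-Tips, Sysinternals or
McAfee. Assumes the Windows `netstat -ano` column layout (Proto, Local
Address, Foreign Address, State, PID). The sample output below is constructed.
"""
from collections import Counter, defaultdict

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.1.2.15:49812        12.120.26.206:80       ESTABLISHED     1480
  TCP    10.1.2.15:49813        12.120.26.206:80       TIME_WAIT       0
  TCP    10.1.2.15:49820        63.240.236.48:80       ESTABLISHED     1480
  TCP    10.1.2.15:3389         10.1.2.200:51022       ESTABLISHED     912
  TCP    [::]:135               [::]:0                 LISTENING       868
  UDP    0.0.0.0:123            *:*                                    1052
"""

# The two addresses reported in the thread.
SUSPECT_IPS = {"12.120.26.206", "63.240.236.48"}


def split_host_port(endpoint):
    """Split 'host:port' into (host, port); handles bracketed IPv6 and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Yield one dict per connection row in Windows `netstat -ano` output."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # blank line, 'Active Connections' banner, or column header
        if fields[0] == "TCP":
            proto, local, remote, state, pid = fields[:5]
        else:  # UDP rows carry no State column
            proto, local, remote, pid = fields[:4]
            state = ""
        rhost, rport = split_host_port(remote)
        yield {"proto": proto, "local": local, "remote_host": rhost,
               "remote_port": rport, "state": state, "pid": int(pid)}


def pids_talking_to(text, suspect_ips):
    """Return {pid: [remote endpoints]} for rows whose peer is a suspect IP.

    PID 0 rows (TIME_WAIT leftovers owned by the system) are skipped because
    they can no longer be traced to a process.
    """
    hits = defaultdict(list)
    for row in parse_netstat(text):
        if row["remote_host"] in suspect_ips and row["pid"] != 0:
            hits[row["pid"]].append(f"{row['remote_host']}:{row['remote_port']}")
    return dict(hits)


def remote_hosts_by_count(text):
    """Count established TCP peers; an address every host hits rises to the top."""
    return Counter(row["remote_host"] for row in parse_netstat(text)
                   if row["state"] == "ESTABLISHED")


if __name__ == "__main__":
    for pid, peers in pids_talking_to(SAMPLE_NETSTAT, SUSPECT_IPS).items():
        # On a live box, resolve the PID with: tasklist /FI "PID eq <pid>"
        print(f"PID {pid} -> {', '.join(peers)}")
    print(remote_hosts_by_count(SAMPLE_NETSTAT).most_common(3))
```

On a real machine, feed the script the saved output of `netstat -ano` and resolve each reported PID with `tasklist /FI "PID eq <pid>"`; in the thread's case that step is what identified the McAfee Framework Service as the owner of the traffic.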

RE: Strange activity at high noon

(OP)
TCPView has shown that the IP addresses associated with this are Framework Services (slick little tool). This is a McAfee ePO process. I guess this is the workstations and servers looking for updates. I will adjust the time of day that it searches for updates. It can and has created bottlenecks in my network that slow or stop the normal day to day worker activity.
Thank all of you for your assistance

RE: Strange activity at high noon

(OP)
Kind of funny. The first call I made after discovering the IP addresses and odd traffic flow was McAfee support. They were clueless. I even gave them their IP addresses in question.

RE: Strange activity at high noon

I was hoping it was a juicy adult site and you could bust some people and then tell us all about it. McAfee - that's pretty boring.