Re: Weird session names
From: Kevin Davidson (kevin_at_qsinc.com)
Date: 01/25/05
- Previous message: ryan: "Re: serious severe problems"
- In reply to: Steven L Umbach: "Re: Weird session names"
- Next in thread: Steven L Umbach: "Re: Weird session names"
- Reply: Steven L Umbach: "Re: Weird session names"
Date: Tue, 25 Jan 2005 11:39:00 -0500
OK, we have it worked out.
Historically the internal network address at our company belonged to the
ISP that provided us with internet service. This was way before we had
NAT routers. Internal machines had real routable IP addresses.
Subsequently, the ISP went out of business, and we installed NAT routers
between us and the Internet, but we never changed the internal IP
addresses (since the router translates them to something else going
out). As a result, these truly bizarre names (to us) are really the
correct network names for the IP addresses we use internally.
Kevin
Steven L Umbach wrote:
> That is bizarre. Netstat -an of course shows IP addresses instead of names.
> The only other thing I can think of is to check the hosts file on the
> computer to see if there is an entry for
> play.battle.game.idle.rpgtechnologies for whatever reason. It would be
> interesting to try to ping play.battle.game.idle.rpgtechnologies to see if
> it resolves to local IP or ping localhost to see if it resolves to that
> name. --- Steve
>
>
> "Kevin Davidson" <kevin@qsinc.com> wrote in message
> news:%23a1KfWmAFHA.1524@TK2MSFTNGP09.phx.gbl...
>
>>We've looked at all of the connections. They are all legitimate file
>>shares or server connections. The local and the remote addresses are all
>>on the internal network. The ports are the usual ones for Microsoft SQL
>>Server, file sharing and http.
>>
>>The problem is the utterly bizarre names that appear on the netstat some
>>of the time. I can create a connection from my own machine to itself and
>>one end will show up as "play.battle.game.idle.rpgtechnologies.com". I
>>don't even LIKE RPG games, much less accessed such a site.
>>
>>Kevin
>>
>>Steven L Umbach wrote:
>>
>>>What is the local address port and the remote address/port?? Is the
>>>remote address on your internal lan? If you can, paste the netstat in a
>>>reply. --- Steve
>>>
>>>
>>>"Kevin Davidson" <kevin@qsinc.com> wrote in message
>>>news:e29Zr3kAFHA.2428@TK2MSFTNGP14.phx.gbl...
>>>
>>>
>>>>play.battle.game.idle.rpgtechnologies.com is the local address, not the
>>>>remote address. These connections are not to external machines, but
>>>>internal to our network; it's just that the local machines are getting
>>>>these crazy names.
>>>>
>>>>Thanks for the tcpview link. It's cool. I have some of the other
>>>>sysinternals utilities and they are all very useful.
>>>>
>>>>Kevin
>>>>
>>>>Steven L Umbach wrote:
>>>>
>>>>
>>>>>The ports involved for local and foreign address will give you more
>>>>>info. Try examining those computers as perhaps the user is connected to
>>>>>the internet initiating the connection. The first session example sounds
>>>>>like a connection to a game server somewhere possibly. I like to use the
>>>>>free tool from SysInternals called TCPView that will give you more
>>>>>detailed info on what processes/executables are involved with those
>>>>>connections. If this is seen on idle computers or servers that are not
>>>>>used for general internet browsing I would be more concerned and spyware
>>>>>and malware scans should be performed beyond normal schedules. A
>>>>>properly configured firewall should prevent uninitiated inbound
>>>>>connections to your network, though spyware and malware that is
>>>>>installed on a computer could start the connection from inside your
>>>>>network and be successful depending on the destination ports/protocols
>>>>>and the outbound restrictions on your firewall. --- Steve
>>>>>
>>>>>http://www.sysinternals.com/ntw2k/source/tcpview.shtml --- TCPView and
>>>>>link to SysInternals
>>>>>
>>>>>"Kevin Davidson" <kevin@qsinc.com> wrote in message
>>>>>news:u%23MGwMjAFHA.904@TK2MSFTNGP12.phx.gbl...
>>>>>
>>>>>
>>>>>
>>>>>>I did a netstat on my Windows 2000 Pro machine and saw some connections
>>>>>>that are probably legit from other machines on our company internal
>>>>>>network. However those machines are appearing with weird names.
>>>>>>
>>>>>>When we look at sessions using our Windows 2003 server, the weird names
>>>>>>appear on lots of our machines. The machine name is ok, but the session
>>>>>>name is strange. The session names are all in the form of an Internet
>>>>>>domain. Here are a couple of examples:
>>>>>>
>>>>>>play.battle.game.idle.rpgtechnologies.com
>>>>>>kau.tinggalkan.aku.setelah.semuanya.ku.serahkan.info
>>>>>>
>>>>>>(kau tinggalkan aku is a song title)
>>>>>>
>>>>>>Is this "normal" or do we have some kind of bug?
>>>>>>
>>>>>>Thanks in advance,
>>>>>>
>>>>>>Kevin
>>>>>
>>>>>
>
>
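Added example, not part of the original thread: a way to spot the condition Kevin describes, where LAN hosts carry publicly routable addresses and reverse DNS therefore returns some outside party's names. The netstat sample is constructed, 192.0.2.0/24 is a documentation range standing in for the reused public block, and the function names are hypothetical.

```python
import ipaddress
import socket

# Constructed sample of `netstat -an` output (not from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.15:1433        192.0.2.40:3051        ESTABLISHED
  TCP    192.0.2.15:139         192.0.2.15:3070        ESTABLISHED
  TCP    10.1.1.5:80            10.1.1.9:4123          ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
"""

# Ranges that are expected on a LAN interface. An explicit list is used
# because ipaddress.is_private also covers documentation ranges.
INTERNAL_USE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16")]                   # loopback, link-local


def is_internal_use(ip):
    return any(ip in net for net in INTERNAL_USE)


def squatted_endpoints(netstat_text):
    """Return sorted IPv4 local addresses that are outside INTERNAL_USE."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        host = fields[1].rsplit(":", 1)[0]
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # bracketed IPv6 or wildcard forms are skipped here
        if ip.version == 4 and not ip.is_unspecified and not is_internal_use(ip):
            found.add(ip)
    return [str(ip) for ip in sorted(found)]


def ptr_names(ips, resolver=socket.gethostbyaddr):
    """Map each IP to its reverse-DNS name, or None when no PTR answer exists."""
    names = {}
    for ip in ips:
        try:
            names[ip] = resolver(ip)[0]
        except OSError:  # socket.herror and socket.gaierror are subclasses
            names[ip] = None
    return names
```

Any address returned by squatted_endpoints is a local interface using space that public DNS may answer for; passing the list to ptr_names shows which names netstat would display for them.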