March 28, 2024, 08:10:39 AM

Author Topic: Auditors were connected  (Read 7789 times)

randy_randy

  • Member
  • *
  • Posts: 6
Auditors were connected
« on: December 30, 2004, 03:18:42 PM »
I was running a scan and noticed a domain that I do not recognize on the list.  This unknown domain shows 1239 machines.  I cannot get any information from any of them except an occasional comment field.  How can I discover where this is coming from?

Komodo Support

  • Administrator
  • Member
  • *****
  • Posts: 2702
  • Dayton, Ohio, USA
Auditors were connected
« Reply #1 on: December 30, 2004, 07:41:07 PM »
Version 2 may help you determine what these are.  Since you're one of our customers, we will contact you through email about trying the new version.

randy_randy

  • Member
  • *
  • Posts: 6
Auditors were connected
« Reply #2 on: January 27, 2005, 08:06:19 PM »
Turns out there were some auditors in a back office with a laptop connected to our network.  They weren't attached to the domain and didn't have any rights to local systems but did pull an IP.  It was the domain of the laptop that I was seeing.  Not sure why it would report 1200+ machines, but no big deal.

Komodo Support

  • Administrator
  • Member
  • *****
  • Posts: 2702
  • Dayton, Ohio, USA
Auditors were connected
« Reply #3 on: January 27, 2005, 08:33:23 PM »
We've seen routers and other devices that reply to pings on several IPs even though no devices or computers are actually connected to them.  We're not sure why this is, but it may be security related, in the same way honeypot networks contain virtual machines that respond like a computer to allow you to easily detect hackers without damage to your real systems.  Almost always, even though the addresses return a ping, these IPs will also have an expired TTL (Time-to-Live).  In the latest version we've added a feature to help ignore these types of IP addresses.

Please let us know if we can be of any further assistance and we hope you enjoy version 2 when released.