Network breach? Help

LieutenantFrost

Junior Member
Sep 19, 2007
15
0
61
Need some experienced feedback.

Recently I noticed some "quirks" with the quality of my network. Netflix signal would degrade or stop altogether, and I had frequent disconnects from streaming and gaming services on my PC. I called Comcast and they said there was nothing to worry about. I remained doubtful.

My networking knowledge is very limited, but I'm trying to learn more. So I mapped my network and then removed all wireless devices from it (phones, tablets, etc.). The only thing left connected is my Ethernet-connected PC. But when I run an "arp -a" from the command line, it shows 2 different internet addresses, both with the same physical address. Both are dynamic. One of these is my PC; the other internet address shows Falls Church, Virginia.

I have reset my modem, changed the name & password of my home network, changed the name of my ethernet connection and yet this internet address remains.

Is there any reason for this? Comcast said they only saw my ip address as the one connected to the internet. Why is this other dynamic address there? What could it reference? my modem? my router?

Any help or just a point in the right direction would be much appreciated.
Thanks.
 

sinisterDei

Senior member
Jun 18, 2001
324
26
91
Er, I'm not sure I follow.

arp shows resolved mac address/IP address combinations, essentially a layer 2 lookup. You won't be able to see any mac addresses from outside your local network; in other words, if you have to go through a layer 3 IP gateway to get there, then all mac addresses 'resolve' to the gateway's mac address.

Maybe you can take pictures of what you're seeing? At this point, and I mean no offense, I think it's more likely that you're confused than compromised.
 

LieutenantFrost

Junior Member
Sep 19, 2007
15
0
61
My apologies, I'm still trying to learn this stuff. Thank you for responding, I do appreciate it. This site won't let me post an image to show you what I'm seeing, so I'll type it out.

$ arp -a

Interface: 192.168.0.116 --- 0x8
  Internet Address      Physical Address      Type
  20.20.20.1            00-1c-c0-6e-07-cb     dynamic
  192.168.0.119         00-1c-c0-6e-07-cb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static


My pc is the second dynamic address, why is that first one showing up if it is not a device that connected to my network?
 
Last edited:
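As an added example (not from any poster in this thread), here is the check sinisterDei's explanation of ARP implies, run offline over a dump of the kind the OP typed: group the cache by MAC and flag any cached address that is not on the interface's subnet. An ARP entry only exists because the host tried to reach that address directly on the wire, so a public address sitting in the cache means something on the host treats it as on-link. The sample dump is constructed (the OP's lines plus a typical multicast entry), and the /24 subnet is an assumption, since `arp -a` prints the interface address but not its mask.

```python
"""Triage a Windows ``arp -a`` dump offline: which MAC answers for which IPs,
and which cached addresses are not even on the interface's subnet.

Added example, not from this thread. SAMPLE_ARP is constructed: the OP's
three lines retyped, plus a typical IPv4 multicast entry (224.0.0.22).
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_ARP = """
Interface: 192.168.0.116 --- 0x8
  Internet Address      Physical Address      Type
  20.20.20.1            00-1c-c0-6e-07-cb     dynamic
  192.168.0.119         00-1c-c0-6e-07-cb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

IFACE_RE = re.compile(r"^Interface:\s+(\d+(?:\.\d+){3})")
ENTRY_RE = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_arp(text):
    """Return a list of (interface_ip, ip, mac, type) tuples, MACs lower-cased."""
    entries, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)          # entries that follow belong to this NIC
            continue
        m = ENTRY_RE.match(line)
        if m and iface:
            ip, mac, typ = m.groups()
            entries.append((iface, ip, mac.lower(), typ.lower()))
    return entries


def is_layer2_group(mac):
    """Broadcast and IPv4 multicast MACs are not hosts; skip them."""
    return mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e")


def analyse(entries, prefix_len=24):
    """Two checks a practitioner wants from an ARP cache.

    ``prefix_len`` is an assumption: ``arp -a`` prints the interface address
    but not its mask, so the real subnet has to come from ``ipconfig``.
    """
    by_mac = defaultdict(set)
    off_subnet = []
    for iface, ip, mac, _typ in entries:
        if is_layer2_group(mac):
            continue
        by_mac[mac].add(ip)
        lan = ipaddress.ip_network(f"{iface}/{prefix_len}", strict=False)
        # A cached address outside the LAN means this host ARPed for it
        # directly, i.e. a route (or a second address on the NIC) says it
        # is on-link rather than behind the gateway.
        if ipaddress.ip_address(ip) not in lan:
            off_subnet.append((ip, mac))
    # One MAC answering for several IPs: the same host with several
    # addresses (VPN/virtual adapter, secondary IP) or a box doing
    # proxy-ARP / ARP spoofing for other addresses.
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"off_subnet": off_subnet, "shared_mac": shared}


if __name__ == "__main__":
    result = analyse(parse_arp(SAMPLE_ARP))
    for ip, mac in result["off_subnet"]:
        print(f"off-subnet entry: {ip} via {mac} (OUI {mac[:8]})")
    for mac, ips in result["shared_mac"].items():
        print(f"MAC {mac} answers for: {', '.join(ips)}")
```

On a real machine, save the output with `arp -a > arp.txt` and feed the file's contents to `parse_arp`; the first eight characters of each MAC are the OUI that sites like the one Gryz links resolve to a vendor. On the constructed sample the script reports 20.20.20.1 as off-subnet and 00-1c-c0-6e-07-cb as answering for two addresses, which is exactly the pair of facts the thread goes on to argue about.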

sinisterDei

Senior member
Jun 18, 2001
324
26
91
Those IPs both correspond to your own PC. Do you have any kind of VPN software or privacy type software on your PC? That would be a likely scenario for this.
 

Gryz

Golden Member
Aug 28, 2010
1,551
203
106
Looks like malware on your PC.

You need to do some thorough scans. And/or wipe your HDD and install from scratch. Hopefully *after* you discovered how an attacker got in. Otherwise your machine might be infected again soon.

The address 20.20.20.1 seems to be way way too nice to have been chosen by chance.
Something has assigned a secondary ip-address to your PC's ethernet port.
They can use that address as the source ip-address of attacks against someone else.
Packets back to 20.20.20.1 will never ever make it back to your PC. So that address can't be used for anything useful.

Some other things you can check. See if your router has a webpage. Log into it. Hopefully your router keeps statistics of the usage of your outgoing connection. Check the load. If you're not doing anything, the load should be zero. If it is higher, something is active on your PC.

What does "netstat -n" say ?

Install WireShark. Do nothing. Then start Wireshark and look at incoming and outgoing packets. See anything suspicious ? See anything using ip-address 20.20.20.1 ?

Run any virus-scanner or anti-malware software you can find.
I wouldn't stop if I were you, until I found something.

Edit:
It seems you are not the only one who is bothered by 20.20.20.1.
https://www.joesandbox.com/analysis/47754/0/executive
 
Last edited:

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,471
387
126
About 2% of 20.20.20.x IPs are in Egypt.

The rest are in NY.

Most of 192.168.0.119 are from Montreal.

None of the specific addresses (192.168.0.119 and 20.20.20.1) point to anything specific.

As a first measure, disconnect the Router from the Internet.

Leave only one wired computer connected to it. Reset the Router to factory values and then see what it shows.

If everything is clean, leave it as is (with one wired computer), then connect to the Modem and see what it is yielding.

That said, if you provide the info (model numbers) about what Modem and what Router are used, it will be easy to help.


:cool:
 

sinisterDei

Senior member
Jun 18, 2001
324
26
91
About 2% of 20.20.20.x IPs are in Egypt.
...
Most of 192.168.0.119 are from Montreal
...

OK, a lot of misinformation here, not just from the quote but in general.

Firstly, 192.168.0.0/16 (in other words, 192.168.0.0 through 192.168.255.255) are part of the private, non-routable address range. It's an internal-only IP that will never be routed via any public internet. It's not "from Montreal".

Secondly, 20.20.20.1 is attached to his own machine, which means it's certainly not in Egypt or NY, unless the OP happens to be in either of those locations, in which case it's simply a coincidence. It's certainly not part of the modem or router, because all traffic sent to that IP address is sent to the OP's own computer, not the router. Thirdly, that IP address belongs to Microsoft. Not that it matters, because that IP address is *inside* his router, not outside. His router will not route packets from 20.20.20.1 to anything because it expects the inside of the network to be on 192.168.0.0/24.

Now then, it could easily be a VPN or Hamachi type connection simply reusing the 20.20.20.1 IP address, because while it is public it's not likely to be a public IP that any individual user needs to communicate with. It's attached to your own PC's NIC, or perhaps a virtual NIC of some sort. You should look at your routing table and see if any traffic is being forced down that connection. The command is simply "route print" in an elevated command prompt.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,335
10,044
126
Could this have something to do with MS's Teredo IPv6 tunneling stuff, which is generally automagic in Windows 7 onwards?

What does an IPCONFIG /ALL show? (Most importantly, do you see VPN or "Virtual" adapters there that you don't immediately recognize? Could be signs of malware.)

Another thought I had, was, are you running an "Internet Security Suite"? Maybe it's a local proxy for web/email scanning features of the security software.
 

Gryz

Golden Member
Aug 28, 2010
1,551
203
106
Secondly, 20.20.20.1 is attached to his own machine
Are we sure ?
According to the "arp -a" output the OP gave us, the PC itself has ip-address 192.168.0.116.
The weird ip-address 20.20.20.1 has mac-address 00-1c-c0-6e-07-cb.
But 00-1c-c0-6e-07-cb also claims to be ip-address 192.168.0.119.
What is 192.168.0.119 ? Is it also this PC (don't think so) ?
Is it the router ? They usually claim .1 or .254 as their address.
Is it another device ? If so, what ?

You can actually see which vendor owns which range of mac-addresses.
See e.g.: https://macvendors.com/
00-1c-c0-6e-07-cb belongs to Intel.

OP, please give us more info:
netstat -rn
netstat -n
ipconfig /all
 

sinisterDei

Senior member
Jun 18, 2001
324
26
91
Are we sure ?
According to the "arp -a" output the OP gave us, the PC itself has ip-address 192.168.0.116.
The weird ip-address 20.20.20.1 has mac-address 00-1c-c0-6e-07-cb.
But 00-1c-c0-6e-07-cb also claims to be ip-address 192.168.0.119.
What is 192.168.0.119 ? Is it also this PC (don't think so) ?

Sorry, I was going by his quote:
My pc is the second dynamic address
Keep in mind, he typed these and didn't copy-paste. I was assuming 192.168.0.119 was his IP and that there was a simple typo on the first line. Or maybe the typo was the second line, either way.

If his IP and the second dynamic address line up then all is well; if not then something else on the network - whatever is .119 - is also pretending to be 20.20.20.1.

Either way a route print would be nice to see if any traffic is actively being funneled at that IP rather than his proper gateway.
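Both of sinisterDei's posts ask for the routing table, and Gryz asks for `netstat -rn`, so here is an added example (not from any poster in this thread) of what to do with that output once you have it: parse the IPv4 section of a Windows `route print` / `netstat -rn` dump, perform the same longest-prefix lookup the stack performs for a given destination, and flag routes that would send traffic somewhere other than the known gateway and NIC. The sample table is constructed and hypothetical: it is what Windows would show if 20.20.20.1/24 had been added as a second address on the same NIC as 192.168.0.116, which is one of the scenarios the thread is debating, not an established fact about the OP's box.

```python
"""Parse the IPv4 section of a Windows ``route print`` / ``netstat -rn`` dump
and answer the thread's question: where would a packet actually go, and is
anything steered at the odd address instead of the real gateway?

Added example, not from this thread. SAMPLE_ROUTES is constructed: the table
Windows would show if 20.20.20.1/24 had been added as a second address on
the NIC that already holds 192.168.0.116 (an assumption, not the OP's data).
"""
import ipaddress
import re

SAMPLE_ROUTES = """
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.116     25
       20.20.20.0    255.255.255.0         On-link       20.20.20.1    281
       20.20.20.1  255.255.255.255         On-link       20.20.20.1    281
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link    192.168.0.116    281
    192.168.0.116  255.255.255.255         On-link    192.168.0.116    281
  255.255.255.255  255.255.255.255         On-link    192.168.0.116    281
===========================================================================
"""

ROUTE_RE = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$")


def parse_routes(text):
    """Return dicts with keys net (IPv4Network), gateway (str or None), iface, metric."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue                       # headers, separators, IPv6 section
        dest, mask, gw, iface, metric = m.groups()
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": None if gw.lower() == "on-link" else gw,
            "iface": iface,
            "metric": int(metric),
        })
    return routes


def route_for(routes, dst):
    """Longest-prefix match, then lowest metric: the lookup the stack performs."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def suspicious_routes(routes, expected_gateway, expected_iface):
    """Routes that would carry traffic somewhere other than the known LAN NIC/gateway."""
    flagged = []
    for r in routes:
        net = r["net"]
        if net.prefixlen == 0:
            # The default route decides where everything else goes; it must
            # point at the real gateway through the real NIC.
            if r["gateway"] != expected_gateway or r["iface"] != expected_iface:
                flagged.append((net, f"default route via {r['gateway']} on {r['iface']}"))
            continue
        if r["gateway"] is None and not (net.is_private or net.is_multicast):
            # A public network marked On-link: the host ARPs for it instead of
            # sending it to the gateway, which is how a public address ends up
            # in the ARP cache. Replies from the Internet to that address are
            # routed to whoever really owns it, not back to this LAN.
            flagged.append((net, f"public network treated as directly connected on {r['iface']}"))
        elif r["iface"] not in (expected_iface, "127.0.0.1"):
            flagged.append((net, f"route leaves via unexpected interface {r['iface']}"))
    return flagged


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    hit = route_for(routes, "8.8.8.8")
    print(f"8.8.8.8 -> {hit['net']} via {hit['gateway'] or 'on-link'} on {hit['iface']}")
    for net, why in suspicious_routes(routes, "192.168.0.1", "192.168.0.116"):
        print(f"suspicious: {net}: {why}")
```

On a real box, `route print > routes.txt` (or `netstat -rn`) and pass the file's contents to `parse_routes`; the gateway and interface to pass to `suspicious_routes` are the ones `ipconfig /all` reports for the wired adapter. On the constructed table the default route is clean, so ordinary traffic still leaves via 192.168.0.1, and only the two 20.20.20.x routes are flagged: that is the case where the extra address is harmless noise from some adapter, as opposed to a default route that has been redirected.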
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,471
387
126
One of the ways to deal logically with an online help forum is to deduce the approximate level of knowledge of the OP from the way the question is asked.

In many cases on networking forums, the OPs define their network as "my network" with a few points that verbally describe their psychological distress, but no real basic description of what "my network" consists of.

Many of the people here who give answers are knowledgeable and have their own sophisticated network.

So what do they do? Based on the lack of knowledge about the OP's network, they start with useless guessing. Once in a while, by total blind luck, they provide a functional answer that solves the issue, but it is useless most of the time.

The first part of my answer above was sort of network sarcasm based on real Googling of the IP (unfortunately I forgot the emojis).

My real functional answer is what the OP should really do:

As a first measure, disconnect the Router from the Internet.

Leave only one wired computer connected to it. Reset the Router to factory values and then see what it shows.

If everything is clean, leave it as is (with one wired computer), then connect to the Modem and see what it is yielding.

That said, if you provide the info (model numbers) about what Modem and what Router are used, it will be easy to help.


:cool:

Personally, at this point I do not see VPN "blabbering" as really relevant help.


:cool:
 

sinisterDei

Senior member
Jun 18, 2001
324
26
91
...stuff JackMDS said...

Er, I guess we'll have to agree to disagree on our diagnostic methods. I didn't "start with useless guessing", I asked for evidence as to what the OP saw that raised his suspicion, in this case the output from the arp command. This was done so as to prevent useless guessing.

I also didn't start with unmarked sarcasm that most likely would *not* have been taken as such by a networking novice, and instead would likely have only caused further confusion. I'm not a networking novice and I certainly didn't catch it.

I saw the evidence posted by OP, posited a theory (VPN or Hamachi software) and requested follow-up information from the OP which hasn't materialized yet. 'Tis hardly VPN "blabbering" as you say.
 

killster1

Banned
Mar 15, 2007
6,208
475
126
JackMDS and his "sarcasm": I laughed a lot and have now gone back into laughter. Really, I see no sarcasm in your post, and I laughed so much that you didn't go back and edit it after sinisterDei called you out on it. It was indeed confusing. Phew, OK, hopefully I can stop laughing and get some work done now.

My guess :p is that he has an extra switch or router plugged in, OR (it sounds like the xia type network IP for an online gaming VPN kind of thing, so you can play multiplayer with someone else and have it look like a LAN game) with 20.20.20.1 routing (I see lots of people set it up for an internal network). Not going to cause problems, because who cares about the 20 range of IPs, they have nothing important on them.

I say go in, type MSCONFIG, uncheck all the stuff under Startup, and see if your LAN VPN network goes away.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,335
10,044
126
Yeah, could be "WTF Gaming Network" or something similar that installed alongside their motherboard utilities.