
Have I experienced a Windows security breach?

Seeing strange IP addresses in an event log could mean many things. Is a Windows security breach one of them? Find out here.

Why are so many strange IP addresses in our route print table? Does this indicate a Windows security breach? We have two domain controllers, and the primary domain controller shows the highest number of strange IP addresses. We also have a firewall installed on our network environment.
This could be related to DNS resolution being done on the server (which it likely is). Have you tried to browse or otherwise connect to some of the addresses you're seeing? There's also a chance that some type of malware is on the machine creating these entries. Have you tried flushing your route table? Try doing that (after hours, to minimize problems, of course) to see if/when the entries come back. Beyond that, the best way to troubleshoot this is to install/run a good network analyzer (such as OmniPeek or Sniffer Pro) on the server – or a monitor/span/mirror port on your switch – and see who's talking to what. It's always pretty shocking just how much is happening on the network that you'd otherwise never know about.
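One way to act on the "flush and see what comes back" advice, added here as an example and not part of the expert's answer: parse two `route print` snapshots (constructed sample output, taken before the flush and some time after), ignore the default route and any prefixes the administrator already knows (an assumed list), and report which unexpected routes persisted, vanished or newly appeared.

```python
import ipaddress
import re

# Constructed samples of the IPv4 "Active Routes" section of `route print`:
# one snapshot before flushing the table, one taken some time after.
BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.10     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
      203.0.113.7  255.255.255.255     192.168.1.1    192.168.1.10     26
     198.51.100.0    255.255.255.0     192.168.1.1    192.168.1.10     26
"""
AFTER = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.10     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.10    281
      203.0.113.7  255.255.255.255     192.168.1.1    192.168.1.10     26
"""

# Prefixes the administrator expects to see on this server (assumed for the example).
KNOWN = [ipaddress.ip_network(p) for p in ("192.168.1.0/24", "127.0.0.0/8")]

# Matches one route row: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(r"^\s*([\d.]+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(snapshot):
    """Map (destination network, gateway) -> (interface, metric) for one snapshot."""
    routes = {}
    for line in snapshot.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes[(str(net), gateway)] = (iface, int(metric))
    return routes


def is_unexpected(net_str):
    """True for a non-default destination that lies outside every known prefix."""
    net = ipaddress.ip_network(net_str)
    return net.prefixlen != 0 and not any(net.subnet_of(k) for k in KNOWN)


def compare(before, after):
    """Split the unexpected routes into those that persisted, vanished or newly appeared."""
    b = {k for k in parse_routes(before) if is_unexpected(k[0])}
    a = {k for k in parse_routes(after) if is_unexpected(k[0])}
    return {"persisted": sorted(a & b), "gone": sorted(b - a), "new": sorted(a - b)}


if __name__ == "__main__":
    for label, entries in compare(BEFORE, AFTER).items():
        print(label, entries)
```

Routes that persist or reappear after a flush are the ones worth tracing with the analyzer or span port the answer recommends.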
