10.0.0.128 ????

Does anybody recognise that IP?

I recently started logging the modem activity on my Windows98 machine and I find that I seem to be sending information out to that host at 7 second intervals

When I restricted it's access my connection continued to function but I noticed Microsoft UK pinged me a few times and it then changed from 10.0.0.128 to 10.0.1.128. It leaves through ports 2000 to 3000.

My firewall says that it's comming from a system32 process.

Is it some kind of netbios communication? Or does anybody recognise this as an exploit please?

(I'm worried in case it's a trojan process)

i believe that's a local ip address. are you on a lan?

Aren't IPs in the 10.X.X.X block private or internal IPs? I know that when I do a trace route, I hit such an IP right after my router; I think it's the modem's IP. Seems like Windows is just talking to the modem to ensure it's there. I'm guessing though.

I'm positive it's another machine. I only have one computer on that network.

When I did an echo request it took considerably longer than it should if it was talking to the modem.

Whois records identify this as part of an IANA reserved block of addresses intended for, quote, "Special purposes".

i think its some loopback type of deal, i just cant remember exactly. i know its not somebody whose cracked your machine. maybe mhirsch will know.

the 10.0.0. address space is assigned to you for your internal infrastructure, so it's most likely to be coming from your router. It couldn't be coming from the WAN side, so check your LAN - it might be worth scanning the offending IP with nmap or somesuch to see what's running at that location. I just did ran that on my router and got quite an amusing guess

christo