I'd turn off the portal change mac thing for now. I'd bet there's a wrong variable type and it's looping around.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Mar 8, 2015 3:24 PM, "That One Guy" <[email protected]> wrote:

> I can replicate the issue, I opened a ticket with Powercode, just want
> input since weekend support is billable.
> Yes, Powercode is pretty much a big DHCP server with reservations,
> customers have static reservations, the portal allows them to change their
> MAC address if they change their device.
>
> I've never seen this IP space before. The red flag is that Commerzbank
> is affiliated with bitcoin mining, not that that industry has any nefarious
> activity going on ever (maybe Powercode way back in Utah had been using the
> spare processing power on their customers' billing servers to mine bitcoins,
> it would explain how come billing servers always ran heavy)
>
> I'm just suspicious by nature of anything I don't recognize, and when it's
> made a change to a system housing customer data, I get really nervous. Our
> firewall is pretty restrictive in what actually gets to the billing server.
> That's where I'm headed next, to review those logs
>
> On Sun, Mar 8, 2015 at 2:13 PM, Josh Luthman <[email protected]>
> wrote:
>
>> Customers replace the 1 MAC they get in the event they change their
>> router or sometimes PCs. This is done with DHCP leases.
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> On Sun, Mar 8, 2015 at 3:12 PM, Chuck McCown <[email protected]> wrote:
>>
>>> Why would a customer be changing or updating a MAC?
>>> How are your IPs assigned? NAT? Radius?
>>>
>>> *From:* That One Guy <[email protected]>
>>> *Sent:* Sunday, March 08, 2015 1:06 PM
>>> *To:* [email protected]
>>> *Subject:* [AFMUG] Powercode oddity - Commerzbank Ip space
>>>
>>> I am able to replicate a small issue we are having, trying to make the
>>> decision of whether it looks like a security issue or just a bug.
>>>
>>> Through Powercode, there are two ways to update equipment, through our
>>> interface, where we select all the details and through the customer portal
>>> where all the customers can do is update their MAC address.
>>>
>>> No problems with our end.
>>>
>>> However, when a customer updates their MAC address, it is assigning IP
>>> space that apparently belongs to this Commerzbank IP space 208.74.54.100
>>> and 208.74.54.99.
>>>
>>> This IP space is absolutely not in our system, and wouldn't route
>>> naturally on our network
>>>
>>> Net Range 208.74.52.0 - 208.74.55.255
>>> CIDR 208.74.52.0/22
>>> Name DKIB-USA
>>> Handle NET-208-74-52-0-1
>>> Parent NET208 (NET-208-0-0-0-0
>>> <http://whois.arin.net/rest/net/NET-208-0-0-0-0.html>)
>>> Net Type Direct Assignment
>>> Origin AS
>>> Organization Commerzbank AG (COMMER-109
>>> <http://whois.arin.net/rest/org/COMMER-109.html>)
>>>
>>> My initial thoughts are this is some bug in Powercode.
>>>
>>> Paranoid me is that our system is somehow compromised and rerouting
>>> illegitimate traffic somehow. Customer is down, so not through them. But
>>> something like TOR rerouting or some other magician script for the axis of
>>> evil.
>>>
>>> Anybody have any ideas on this? I am debating taking our billing server
>>> offline, but would hate to take such an extreme measure for what could
>>> amount to nothing more than a fat finger from a programmer.
>>>
>>> --
>>> If you only see yourself as part of the team but you don't see your
>>> team as part of yourself you have already failed as part of the team.
>
> --
> If you only see yourself as part of the team but you don't see your team
> as part of yourself you have already failed as part of the team.
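An added example, not part of the thread and not Powercode code: one way to triage the question raised above is to audit an export of DHCP reservations against the pools you actually configured and see which change path produced the out-of-pool addresses. The record layout, pool ranges, customer IDs and MACs are constructed assumptions; only 208.74.54.100 and 208.74.54.99 come from the thread.

```python
import ipaddress
from collections import Counter

# Constructed: the pools the operator configured (assumed values).
CONFIGURED_POOLS = [ipaddress.ip_network(n)
                    for n in ("10.20.0.0/22", "100.64.8.0/24")]

# Constructed export: (customer, mac, ip, changed_via). Hypothetical layout.
RESERVATIONS = [
    ("cust-1001", "00:11:22:33:44:55", "10.20.1.15", "admin"),
    ("cust-1002", "00:11:22:33:44:66", "208.74.54.100", "portal"),
    ("cust-1003", "00:11:22:33:44:77", "100.64.8.40", "portal"),
    ("cust-1004", "00:11:22:33:44:88", "208.74.54.99", "portal"),
    ("cust-1005", "00:11:22:33:44:99", "not-an-ip", "admin"),
]


def audit(reservations, pools):
    """Return reservations whose IP is malformed or outside every pool."""
    findings = []
    for customer, mac, ip_text, via in reservations:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            # A corrupted value is itself evidence of a data-handling bug.
            findings.append((customer, mac, ip_text, via, "unparseable"))
            continue
        if not any(ip in net for net in pools):
            findings.append((customer, mac, ip_text, via, "out-of-pool"))
    return findings


def by_change_path(findings):
    """Count findings per (change path, reason) to see where they cluster."""
    return Counter((f[3], f[4]) for f in findings)


if __name__ == "__main__":
    results = audit(RESERVATIONS, CONFIGURED_POOLS)
    for row in results:
        print(row)
    print(dict(by_change_path(results)))
```

If every out-of-pool address traces to the portal path, that supports the bug hypothesis; out-of-pool entries from paths nobody used are what to chase in the firewall and server logs.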
